You can install System Center Data Protection Manager (DPM) 2010 on a domain controller. The following steps are required to install DPM 2010 on a domain controller.

Note
To install DPM on a read-only domain controller (RODC), perform only steps 1 and 3 (Creating groups and accounts required for SQL Server 2008 and DPM) on the primary domain controller (PDC). Allow time for the groups to replicate to the RODC, and then complete steps 2 and 4 (Installing SQL Server and DPM).

Step 1: To create the security groups and user accounts required for SQL Server 2008

  1. On the primary domain controller, create the following security groups for SQL Server 2008. For each group, accept the default values for Scope: Global and Group type: Security.

    • SQLServerSQLBrowserUser$<Computer Name>

    • SQLServerMSSQLServerADHelperUser$<Computer Name>

    • SQLServerMSSQLUser$<Computer Name>$<Instance Name>

    • SQLServerReportServerUser$<Computer Name>$<Instance ID>.$<Instance Name>

    • SQLServerSQLAgentUser$<Computer Name>$<Instance Name>

    • SQLServerMSASUser$<Computer Name>$<Instance Name>

    • SQLServerDTSUser$<Computer Name>

    • SQLServerFDHostUser$<Computer Name>$<Instance Name>


    Where:

    • <Computer Name> is the computer name of the domain controller on which SQL Server 2008 will be installed.

    • <Instance Name> is the name of the SQL Server instance that you plan to create on the domain controller. The instance name can be any name other than the default DPM instance name (MSDPM2010).

    • <Instance ID> is assigned by SQL Server Setup for the Reporting Services of the SQL Server instance on the domain controller. If you have no other SQL Server instances on the domain controller, this value will be MSRS10.

  2. On the primary domain controller, create the domain user accounts that the SQL Server services will run under. If you are installing DPM on a RODC, allow time for these accounts to replicate to the RODC.

    Note
    It is a best practice to create user accounts with the lowest possible privileges for running SQL Server services and to use strong passwords for all user accounts. On a domain controller, we recommend that you use dedicated domain user accounts for each SQL Server service instead of using the built-in service accounts (Local System, Local Service or Network Service). However, the SQL Reporting Services service can be configured to run under the Network Service account.
  3. On the primary domain controller, do the following:

    • Add the domain user account that you will use to run the SQL Server Reporting Services service to the following group:

      SQLServerReportServerUser$<ComputerName>$MSRS10.<InstanceName>

    • Add the domain user account that you will use to run the Analysis Services service to the following group:

      SQLServerMSASUser$<MachineName>$<InstanceName>

Step 2: To install SQL Server 2008

  1. For step-by-step instructions for installing SQL Server 2008 SP1, see Installing SQL Server 2008.

  2. After the installation of SQL Server is complete, return to this article and proceed to the next step.

Step 3: To create the security groups and user account required for DPM

  1. Create a domain user account, set its password to not expire, and then add it to the local Administrators group. You will add this account to some of the DPM groups that you create later in this step and when installing DPM in a later step.

    Note
    To install DPM, the user account must be a member of the local Administrators group on the domain controller. After DPM is installed, you can remove the user account from the local Administrators group but do not delete it.
  2. On the primary domain controller, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  3. Create the following security groups under Domain\Builtin. For each group, accept the default settings for Scope: Global and Group type: Security.

    • DPMDBReaders$<Computer Name>

    • DPMDBAdministrators$<Computer Name>

    • DPMRADCOMTrustedMachines$<Computer Name>

    • DPMRADmTrustedMachines$<Computer Name>

    • MSDPMTrustedMachines$<Computer Name>


    Where <Computer Name> is the computer name of the domain controller on which DPM will be installed.

  4. Add the user account that you created for the installation of DPM to the DPMDBReaders$<Computer Name> group.

  5. Add the domain user account that you created for installing DPM and the DPMDBReaders$<Computer Name> group to the DPMDBAdministrators$<Computer Name> group.

  6. Add the <Computer Name> (the machine account for the domain controller) to the MSDPMTrustedMachines$<Computer Name> group.
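
The Step 3 groups and memberships (items 3 through 6) can also be created from PowerShell. The following is an added example, not part of the original article; it assumes the ActiveDirectory module is available, and the computer name DC01 and account name dpm-install are sample values.

```powershell
# Added example: provisions the Step 3 groups and memberships.
# Requires the ActiveDirectory module; run on the primary domain controller.
Import-Module ActiveDirectory

$Computer    = 'DC01'          # assumed sample: DC that will host DPM
$InstallUser = 'dpm-install'   # assumed sample: account created in item 1
$builtin     = 'CN=Builtin,' + (Get-ADDomain).DistinguishedName

# Group names contain a literal '$'. Build them from single-quoted strings;
# in double quotes PowerShell would expand "$DC01" as an (empty) variable.
$readers = 'DPMDBReaders$' + $Computer
$admins  = 'DPMDBAdministrators$' + $Computer
$trusted = 'MSDPMTrustedMachines$' + $Computer
$groups  = $readers, $admins, $trusted,
           ('DPMRADCOMTrustedMachines$' + $Computer),
           ('DPMRADmTrustedMachines$' + $Computer)

foreach ($name in $groups) {
    # -LDAPFilter treats '$' literally; skip groups that already exist.
    if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$name)")) {
        New-ADGroup -Name $name -SamAccountName $name -Path $builtin `
                    -GroupScope Global -GroupCategory Security
    }
}

function Add-MemberIfMissing($Group, $Member) {
    # Check first so the script can be re-run without duplicate-member errors.
    $current = @(Get-ADGroupMember -Identity $Group |
                 ForEach-Object { $_.DistinguishedName })
    if ($current -notcontains $Member.DistinguishedName) {
        Add-ADGroupMember -Identity $Group -Members $Member
    }
}

$user = Get-ADUser -Identity $InstallUser
Add-MemberIfMissing $readers $user                                 # item 4
Add-MemberIfMissing $admins  $user                                 # item 5
Add-MemberIfMissing $admins  (Get-ADGroup -Identity $readers)      # item 5
Add-MemberIfMissing $trusted (Get-ADComputer -Identity $Computer)  # item 6

# Print the resulting memberships for review.
foreach ($name in $groups) {
    $members = @(Get-ADGroupMember -Identity $name |
                 ForEach-Object { $_.SamAccountName })
    '{0}: {1}' -f $name, ($members -join ', ')
}
```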

Step 4: To install DPM 2010

  1. For step-by-step instructions for installing DPM, see Installing DPM 2010.

    In the DPM Setup Wizard, use the following settings on the specified wizard pages:

    1. On the Installation Settings page, in the SQL server settings section, click Use an existing instance of SQL Server 2008.

    2. On the SQL Server Settings page, in the Instance of SQL Server box, type the name of the SQL Server instance created in step 2 on the domain controller, and then type the credentials for the domain user account created in step 1.


      Note
      The user account must be a member of the local Administrators group on the domain controller where the remote instance is installed. After setup is complete, you can remove the user account from the local Administrators group.
    3. On the Security Settings page, enter the same password as the one that you used when creating the domain user account in step 3.

  2. After the installation of DPM is complete, do the following:

    1. On the DPM server, open DPM Management Shell, and then type the following command:

      C:\Program Files\Microsoft DPM\DPM\bin> Set-DPMGlobalProperty -AllowLocalDataProtection $TRUE

    2. To enhance security, DPM Setup creates the following low-privileged local user accounts:

      • MICROSOFT$DPM$Acct to run the SQL Server and SQL Server Agent services.

      • DPMR$<computer name> to generate DPM reports by using SQL Server Reporting Services.

      On the domain controller where the SQL Server instance is installed, add these user accounts to the following group:

      DPMDBReaders$<Computer Name>
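
A read-only check of the post-installation state, as an added example that is not part of the original article. On a domain controller the local Administrators group is the domain's built-in Administrators group, so the installation account keeps domain-wide administrative rights until it is removed as the notes above allow. The computer name DC01 and account name dpm-install are sample values.

```powershell
# Added example: read-only post-install check; changes nothing in the directory.
Import-Module ActiveDirectory

$Computer    = 'DC01'          # assumed sample: DC where DPM was installed
$InstallUser = 'dpm-install'   # assumed sample: account used to run DPM Setup
$readers     = 'DPMDBReaders$' + $Computer

function Get-MemberNames($Group, [switch]$Recursive) {
    # Returns the sAMAccountName of each member; -Recursive follows nested groups.
    @(Get-ADGroupMember -Identity $Group -Recursive:$Recursive |
      ForEach-Object { $_.SamAccountName })
}

# The two accounts DPM Setup creates must be members of DPMDBReaders$<Computer Name>.
$readerMembers = Get-MemberNames $readers
$results = @(foreach ($acct in 'MICROSOFT$DPM$Acct', ('DPMR$' + $Computer)) {
    New-Object PSObject -Property @{
        Check  = "$acct is a member of $readers"
        Passed = ($readerMembers -contains $acct)
    }
})

# Optional hardening from the notes: the installation account no longer needs
# Administrators membership once setup is complete. -Recursive also catches
# membership inherited through a nested group.
$adminMembers = Get-MemberNames 'Administrators' -Recursive
$results += New-Object PSObject -Property @{
    Check  = "$InstallUser removed from Administrators"
    Passed = ($adminMembers -notcontains $InstallUser)
}

$results | Format-Table Check, Passed -AutoSize
```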
