
Configure Azure Backup vaults

Updated: April 7, 2014

Windows Azure Backup is supported for Data Protection Manager (DPM) in System Center 2012 Service Pack 1 (SP1) or System Center 2012 R2. Configuring Windows Azure Backup consists of the following steps:

  1. Step 1 – Configure a certificate—Certificates are used in Windows Azure Backup to encrypt communication between servers and the Windows backup service.

  2. Step 2 – Create a backup vault—In Windows Azure Backup, create a new Backup vault.

  3. Step 3 – Upload the certificate—In Windows Azure Backup, upload the management certificate you created to the vault.

  4. Step 4 – Download and install the Windows Azure Backup Agent—From Windows Azure Backup, install the agent on each DPM server you want to back up online.

Configuring a certificate consists of the following steps:

  • Obtain a certificate—A management certificate (.cer) must be uploaded to the vault. For this purpose, you can do either of the following:

    • Create a self-signed certificate using the Makecert tool.

    • Use any valid Secure Sockets Layer (SSL) certificate issued by a certification authority (CA) trusted by Microsoft, whose root certificates are distributed through the Microsoft Root Certificate Program. For more information about this program, see the Microsoft article Windows Root Certificate Program members.

  • Export the certificate (.pfx)—On the server on which the certificate was created, you export the .cer file as a .pfx file (containing the private key). This .pfx file will be uploaded to servers when you install the provider on those servers, and it is used to register the servers with the vault.

  • Import the certificate (.pfx)—After export of the .pfx file is complete, you import it to the Personal certificate store on each server you want to back up.

If you want to use a self-signed certificate, create one as follows:

  1. Obtain the Makecert tool as described in MakeCert. Note that when you are installing the Windows Software Development Kit (SDK), you can install makecert.exe only by selecting the option Tools under .Net Development and leaving everything else unchecked.

  2. Open Command Prompt (cmd.exe) with Administrator privileges and run the following command, replacing CertificateName with the name of your certificate and specifying the actual expiration date of your certificate after -e:

    makecert.exe -r -pe -n CN=CertificateName -ss my -sr localmachine -eku 1.3.6.1.5.5.7.3.2 -len 2048 -e 01/01/2016 CertificateName.cer

On the server on which you ran makecert.exe, complete the steps in this procedure to export the .cer file in .pfx format.

  1. From the Start screen, type mmc.exe to start the Microsoft Management Console (MMC).

  2. On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box appears.

  3. In Available snap-ins, click Certificates, and then click Add.

  4. Select Computer account, and then click Next.

  5. Select Local computer, and then click Finish.

  6. In the MMC, in the console tree, expand Certificates, and then expand Personal.

  7. In the details pane, click the certificate you want to manage.

  8. On the Action menu, point to All Tasks, and then click Export. The Certificate Export Wizard appears.

  9. Click Next.

  10. On the Export Private Key page, click Yes, and export the private key. Click Next. Note that this is required only if you want to export the private key to other servers after the installation.

  11. On the Export File Format page, select Personal Information Exchange – PKCS #12 (.PFX). Click Next.

  12. On the Password page, type and confirm the password that is used to encrypt the private key. Click Next.

  13. Follow the pages of the wizard to export the certificate in .pfx format.

After you export the certificate, copy it to the server you want to register, and then import it as follows. Note that if you ran MakeCert.exe on a server, you do not need to import the certificate on that server.

  1. Copy the certificate .pfx file to a location on the local server.

  2. From the Start screen, type mmc.exe to start the MMC.

  3. In Available snap-ins, click Certificates, and then click Add.

  4. On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box appears.

  5. In the Certificates MMC snap-in, select Computer account, and then click Next.

  6. Select Local Computer, and then click Finish. You are returned to the Add/Remove Snap-ins dialog box. Click OK.

  7. In the MMC, expand Certificates, right-click Personal, point to All Tasks, and then click Import to start the Certificate Import Wizard.

  8. On the Certificate Import Wizard Welcome page, click Next.

  9. On the File to Import page, click Browse, and then locate the folder that contains the .pfx certificate file that contains the certificate you want to import. Select the appropriate file, and then click Open.

  10. On the Password page, in Password, type the password for the private-key file that you specified in the previous procedure, and then click Next.

  11. On the Certificate Store page, select Place all certificates in the following store, click Browse, select the Personal store, click OK, and then click Next.

  12. On the Completing the Certificate Import Wizard page, click Finish.

After the import, you will be able to select the certificate when you run the Register Server Wizard as part of the provider setup.
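The export and import procedures above can also be scripted with the certificate cmdlets included in Windows Server 2012 and later. The following PowerShell is an added example, not part of the original procedure; the folder C:\BackupVaultCert, the 30-day expiry margin, and the function names are assumptions, and CertificateName is the same placeholder used in the makecert command.

```powershell
# Added example. $Subject, $OutDir and the 30-day margin are assumptions;
# CertificateName is the same placeholder used in the makecert command.
$Subject = 'CN=CertificateName'
$OutDir  = 'C:\BackupVaultCert'   # hypothetical working folder

function Test-VaultCertificate {
    # Emits one string per problem; no output means the certificate passed.
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [int]$MinKeyBits = 2048,   # matches -len 2048
        [int]$MinDaysLeft = 30     # assumed margin before the -e expiry date
    )
    $now = Get-Date
    if (-not $Cert.HasPrivateKey) { 'private key is not in this store' }
    # PublicKey.Key exposes the RSA key size in Windows PowerShell.
    if ($Cert.PublicKey.Key.KeySize -lt $MinKeyBits) { "key is shorter than $MinKeyBits bits" }
    if ($Cert.NotBefore -gt $now) { "not valid until $($Cert.NotBefore)" }
    if ($Cert.NotAfter -lt $now.AddDays($MinDaysLeft)) { "expires $($Cert.NotAfter)" }
}

function Export-VaultCertificate {
    # Run on the server where makecert.exe was run.
    $found = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $Subject })
    if ($found.Count -ne 1) { throw "Expected one certificate for $Subject, found $($found.Count)" }
    $problems = @(Test-VaultCertificate -Cert $found[0])
    if ($problems.Count -gt 0) { throw ('Certificate rejected: ' + ($problems -join '; ')) }

    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    # .cer holds the public certificate only; this is the file uploaded to the vault.
    Export-Certificate -Cert $found[0] -Type CERT -FilePath "$OutDir\CertificateName.cer" | Out-Null
    # .pfx holds the private key (exportable because makecert was run with -pe).
    $password = Read-Host -AsSecureString -Prompt 'Password to protect the .pfx'
    Export-PfxCertificate -Cert $found[0] -Password $password -FilePath "$OutDir\CertificateName.pfx" | Out-Null
    $found[0].Thumbprint   # record this to verify the import on other servers
}

function Import-VaultCertificate {
    # Run on each server to register, after copying the .pfx to a local path.
    param([string]$PfxPath, [string]$ExpectedThumbprint)
    $password = Read-Host -AsSecureString -Prompt 'Password for the .pfx'
    # Without -Exportable, the imported private key cannot be exported again from this server.
    $cert = Import-PfxCertificate -FilePath $PfxPath -Password $password -CertStoreLocation Cert:\LocalMachine\My
    if ($cert.Thumbprint -ne $ExpectedThumbprint) {
        throw "Thumbprint mismatch: imported $($cert.Thumbprint); remove it from the Personal store"
    }
    if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key' }
    $cert.Thumbprint
}
```

Only the .cer file goes to the vault; the .pfx carries the private key, so delete the copied file from each server once the import succeeds.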

Create the backup vault as follows:

  1. Sign in to the Management Portal.

    To use this feature and other new Windows Azure capabilities, sign up for the free preview.

  2. Click Recovery Services, click Create New, point to Backup Vault, and then click Quick Create.

  3. In Name, enter a friendly name to identify the backup vault.

  4. In Region, select the geographic region for the backup vault.

  5. In Subscription, enter the Windows Azure subscription that you want to use the backup vault with.

  6. Click Create Backup vault.

    It can take a while for the backup vault to be created. To check the status, you can monitor the notifications at the bottom of the portal. After the backup vault has been created, a message will tell you that the vault has been successfully created and it will be listed in the resources for Recovery Services as Online.

Upload the certificate to the vault as follows:

  1. Click Recovery Services, and then click the name of the backup vault to which you want to upload a certificate. On the backup vault page, click the Quick Start icon to open the Quick Start page.

  2. On the Quick Start page, click Manage Certificate.

  3. In the Manage Certificate dialog box, click Browse Your Computer to locate the .cer file to use with this backup vault.

You can also upload and manage certificates from the Dashboard tab for the vault. To do this, click Recovery Services, and then click the vault name. On the Dashboard tab, click Manage Certificate.


If you will be using Windows Azure Backup with your DPM server, install Update Rollup 2 for System Center Data Protection Manager SP1 before installing the Windows Azure Backup Agent.


Install the Windows Azure Backup provider agent on each DPM server you want to back up. Agents are accessed on the Windows Azure Download Center, and they have their own setup process. When Setup runs, the agent is installed and the DPM server is registered with the vault. Complete the following procedure from each DPM server you want to back up.

  1. Open the Windows Azure Management portal, and log in.

  2. On the Quick Start page, click Download Agent.

    You will be presented with a dialog box where you can choose which agent to download. Select Agent for Windows Server 2012 and System Center 2012 SP1 - Data Protection Manager. The application is downloaded from the Microsoft Download Center. Note the following:

    • Administrative permissions on the DPM server are required to install the agent.

    • If you are installing the agent on multiple DPM servers, you can place the installer file on a shared network resource, or use Group Policy or management products such as System Center Configuration Manager to install the agent.

    • A restart is not required in order to complete installation of the agent.

  3. Run Setup to start the installation wizard.

  4. On the Supplement Notice for the Service page, click Accept the service agreement terms and conditions, and then click OK to continue the installation.

  5. The Prerequisites Check page is displayed, and any missing prerequisite software is selected for installation. Click Next to approve the installation of the prerequisite software and continue the installation.

  6. The Installation Settings page is displayed. On this page, you choose the Installation Folder and Cache Location for Windows Azure Backup.

    By default, the installation folder will be <system drive>:\Program Files\Windows Azure Backup Agent. If you click Browse, you can navigate and choose a new location in which to create the Windows Azure Backup folder.

    By default, the cache location folder will be <system drive>:\Program Files\Windows Azure Backup Agent. In the cache location, the installation process will create a folder named Scratch within the Windows Azure Backup Agent folder. The cache location must have at least 2.5 gigabytes (GB) of free space. To prevent denial-of-service attacks, only local system administrators and members of the Administrators group have access to the cache directory.

    Click Install when you have identified the folders that you want the Windows Azure Backup Agent to use. Note that if you are reinstalling the Windows Azure Backup Agent, using the same cache location as the previous installation is recommended.

  7. If you have not enabled automatic updates on your server, the Microsoft Update Opt-In page is displayed to give you the opportunity to enable Microsoft Update for Windows Server 2012. The Microsoft Update settings are for all Microsoft product updates, and they are not exclusive to the Windows Azure Backup Agent. Click Next to continue.

  8. The Installation page is displayed. A progress indicator displays when the installation begins, and it shows the progress of the installation. When the installation is complete, you will receive a message that the Windows Azure Backup Agent was installed successfully. At this point, you can choose to check for updates. We recommend that you allow the updates check to occur.

  9. Click Finish. If you selected to check for updates, Internet Explorer will automatically start and the updates check will be performed. After any updates have been installed, you are ready to start configuring the Windows Azure Backup Agent.

After the agent installation is complete, you can register the DPM server with the vault.

© 2014 Microsoft