Commvault Backup as a Service (Self-Service) Quick Start Guide 4th August 2020
Contents
Getting Started with Commvault
Step One – Initial application setup
Step Two – Configuring your Service Catalog
Step Three – Onboarding your first tenant
Step Four – Adding a tenant Hypervisor
Post Setup
Generating your first tenant usage report
Getting Started with Commvault
This Quick Start Guide will enable you to set up a simple Data Center – Backup as a Service
(BaaS) offering and perform data protection, recovery and billing operations.
This guide is intended for service providers that provide Self-Service Infrastructure as a Service
(IaaS) or dedicate an entire hypervisor host to an individual customer. If you provide IaaS
resources from a shared pool, see – Quick Start Guide (Fully Managed) for quick start setup.
The Data Center – Backup as a Service is intended to protect Virtual Machines, Servers and a
limited set of applications, located within your data center. There are three (3) Service Levels –
Essential, Standard and Premium. This guide will also cover the creation of additional backup
copies (i.e. offsite Disaster Recovery copies).
Note: This guide provides a starting point for your BaaS service. You are free to extend or modify
your service levels in accordance with your customer needs.
DATA CENTER BACKUP AS A SERVICE
- Application Aware refers to Microsoft Volume Snapshot Service (VSS) supported applications.
- Full application agents refers to Commvault Backup agents installed in guest VM or server.
- RPO refers to Recovery Point Objective, the frequency by which backups are run.
Protected workloads will reside on VMware or Hyper-V hypervisors only, with limited use of
filesystem and application agents where customer required.
Before we begin, let’s start with a quick understanding of the Commvault components.
KEY COMPONENTS
Command Center: The Commvault Command Center™ is the HTML5-based administration portal
for all Commvault operations. Command Center allows you, the MSP, to manage your environment
and offer self-service capability to your end-users (tenants).
CommServe® (CS): The CommServe is the central management component of the data
management environment (basically the brain). It coordinates and executes all CommCell
operations, maintaining Microsoft SQL Server databases that contain all configuration, security,
and operational history for the CommCell environment.
MediaAgent (MA): The MediaAgent is responsible for data movement (Backup and Restore). It
provides high-performance data movement and manages the data storage libraries. The
CommServe server coordinates MediaAgent tasks. For scalability and resiliency, there can be
more than one MediaAgent in a CommCell environment.
Virtual Server Agent (VSA): The Virtual Agent is a software module that is installed on a computer
to protect a specific type of data (i.e. a hypervisor). Different agent software is available to
manage different data types on a client. Software agents are not required on virtual machines
when using the VSA.
Downloading the Commvault Software
To get started, you can download the Commvault software trial before your final account and
license details are generated. Point your browser at learn.commvault.com/trials > and click the
START YOUR 30-DAY TRIAL button (link >).
NOTE: The reason you are asked for contact details is so that Commvault can provide you
support during your trial. Rest assured Commvault keeps your privacy secure and will not release
these details or use them for anything other than facilitating your trial support activation (see
Commvault Privacy Policy >).
Commvault documentation is available at the link below, but this guide is structured to get you
up and running quickly by linking you to the relevant information in Commvault documentation -
documentation.commvault.com >
Once you submit your information with the Download my trial button you will receive credentials
to store.commvault.com > where you can download the Commvault Express installer >. This
small bootstrap installer will be used to quickly download the latest Commvault software onto
your server (sizing details for your server are included in this guide below).
NOTE: The bootstrap installer will need a functioning Internet connection to perform the
installation. If you do not have an Internet connection, execute the installer on a PC that has
connectivity and choose Download package to install on a different computer, then copy the
files to your trial server.
See information below to size your environment before beginning your install.
For trial assistance, you can:
• Consult the Trial Quick Start Installation > (pdf)
• Email [email protected] >
• Call Commvault (Telephone-Based Support >) - yes, you can call during your trial setup
Your BaaS environment may range from an initial incubation trial to a planned large-scale
Production footprint. There are two (2) configurations provided below:
• Small to minimize your initial costs and infrastructure requirements to get
your BaaS platform running. Use this if your compute platform is new and still
growing.
• Large to start with 100TB of client data in an already established compute
platform to be protected.
Small Environment Requirements for up to 15 TB of Client Data
Commvault recommends you start with a system that can handle your initial 6 month expected
workload, so get started with a virtual or physical server, with:
• Microsoft Windows Server 2019 (all editions) or 2016 (all editions)
• 4 CPU/vCPU cores
• 16GB RAM
• 100GB Diskspace for CommServe software and MS SQL database (E:\)
This will handle up to 25 physical servers, 100 virtual machines, and 200 laptops.
You will also need at least one Media Agent to perform backup and restoration operations from
backup media (disk, cloud, tape).
NOTE: In the Data Center – Backup as a Service (BaaS) catalog all backups are held on disk-
based devices in either the Primary or the Secondary data center. If you are implementing a
Hybrid Cloud BaaS service, head to partners.commvault.com > for an equivalent Build Guide for
Cloud solutions.
To get started quickly, you can install the Media Agent on your CommServe. Your Media Agent will
be performing data movement, deduplication, and storing index caches, so you need to ADD the
following components to the specification (above):
• 2 CPU/vCPU cores
• 16GB RAM
• 10GB Diskspace in software_installation_directory (E:\)
• 200GB Diskspace for storing Job Results (F:\)
• 200GB Diskspace for storing Deduplication Database (DDB) (G:\)
• 400GB Diskspace for storing Index Cache (H:\)
This will permit protection of 5-15TB of client data before requiring a scaling up of resources.
NOTE: Please review the I/O requirements for the Deduplication Database and Index Cache drives
(Hardware Specifications >). These I/O requirements are mandatory and directly impact the
performance of your backup solution.
Large Environment Requirements for up to 100 TB of Client Data
Commvault recommends you start with a system that can handle your initial 6 month expected
workload, so get started with a virtual or physical server, with:
• Microsoft Windows Server 2019 (all editions) or 2016 (all editions)
• 12 CPU/vCPU cores
• 64 GB RAM
• 300 GB Disks for CommServe software (E:\), MS SQL database (F:\), and logs
(G:\)
This will handle up to 2500 physical servers, 5000 virtual machines, and 10000 laptops.
See Hardware Specifications for the CommServe Server >
You will also need at least one Media Agent to perform backup and restoration operations from
backup media (disk, cloud, tape). Commvault recommends deploying at least two (2) Media
Agents to provide resiliency and continued service when one MA is unavailable (Deduplication
Two Partitioned Mode >).
In this configuration you will need to build out two (2) separate (physical or virtual) Media Agents
with the following specs:
• 12 CPU/vCPU cores
• 64 GB RAM
• 400GB Diskspace for Commvault software + Job Results (E:\)
• 1.2TB Diskspace for hosting Deduplication Database (DDB) (F:\)
• 1TB Diskspace for hosting Index Cache (G:\)
NOTE: Please review the I/O requirements for the Deduplication Database and Index Cache drives
(Hardware Specifications >). These I/O requirements are mandatory and directly impact the
performance of your backup solution. All disk requirements above require SSD backed disks.
This configuration will permit protection of 160TB of front-end client data before requiring a
scaling up of resources.
For custom sizing please reach out to your local Commvault account representative.
NOTE: Commvault defines a front-end TB (FETB) as a TB of written client data, prior to
Commvault compression or deduplication. FETB is measured at the client, before Commvault
moves it from the client to backup store.
Installing the Commvault Software
You may follow the Trial Quick Start Guide for installation instructions. The instructions below
are identical but will continue to build out your services catalog. To get started it is
recommended to have a 100GB dedicated volume (i.e. E:\) to install the Commvault software and
database.
1. Log on to your CommServe as an Administrator (local or domain)
2. Copy the CommvaultExpress_R80_SP20_ddMonthYY.exe file to a local folder
3. Execute the install file, read the EULA, and select I Agree then > to continue
4. Select Install packages on this computer then > to continue
5. Change installation path as E:\Program Files\Commvault\Contentstore then > to
continue
Note: If you do not have a separate volume you may leave the default installation path on C:\ for
your initial trial deployment.
Installation will now begin. As an indicator, installation on an Amazon m5a instance (4 x vCPU,
16GB RAM) takes 35 mins to complete. Once complete – click the
https://commserve/adminconsole URL to launch your default browser and complete initial
setup, and then click Finish to close the installer.
NOTE: You have not yet installed SSL certificates in your CommServe, so accept any browser
warnings related to unsecure communications. You can correct this error after install by following
Configuring Secured Access for Web Applications (Command Center) >
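After a CA-issued certificate has been installed, the following check confirms that Command Center no longer presents an untrusted certificate and reports why if it still does. This is an added example, not part of the Commvault guide; the host name commserve is taken from the URL above, and port 443 and the 30-day expiry threshold are assumptions.

```powershell
# Added example, not from the Commvault guide. Assumed: host name 'commserve'
# (taken from the URL above), HTTPS on port 443, 30-day expiry warning.
function Test-CommandCenterCertificate {
    param(
        [string]$HostName = 'commserve',
        [int]$Port = 443,
        [int]$WarnDays = 30
    )
    $ErrorActionPreference = 'Stop'

    # Complete a TLS 1.2 handshake and return the server certificate.
    # $AcceptAny = $true skips validation so an untrusted certificate can be read;
    # $AcceptAny = $false applies the platform's normal trust and host-name checks.
    function Get-ServerCertificate([bool]$AcceptAny) {
        $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
        try {
            $stream = $client.GetStream()
            if ($AcceptAny) {
                $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
                $ssl = [System.Net.Security.SslStream]::new($stream, $false, $acceptAll)
            } else {
                $ssl = [System.Net.Security.SslStream]::new($stream, $false)
            }
            $ssl.AuthenticateAsClient($HostName, $null,
                [System.Security.Authentication.SslProtocols]::Tls12, $false)
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        } finally {
            $client.Close()
        }
    }

    # First read the certificate without validating it (throws if the host is
    # unreachable), then repeat the handshake with validation switched on.
    $cert = Get-ServerCertificate $true
    $trusted = $true
    try { $null = Get-ServerCertificate $false } catch { $trusted = $false }

    # Build the chain separately to tell a chain problem from a name mismatch.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)
    $chainFlags = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)

    $finding = if (-not $chainOk) {
        "Chain not trusted: $chainFlags"
    } elseif (-not $trusted) {
        "Certificate does not cover host name '$HostName'"
    } elseif ($daysLeft -le $WarnDays) {
        "Trusted, but expires in $daysLeft days"
    } else {
        'OK'
    }

    [pscustomobject]@{
        Host       = $HostName
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        SelfSigned = ($cert.Subject -eq $cert.Issuer)
        NotAfter   = $cert.NotAfter
        Trusted    = $trusted
        Finding    = $finding
    }
}

Test-CommandCenterCertificate -HostName 'commserve' | Format-List
```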
Creating a default administrator account.
After installation, a default CommServe-local Commvault administrator account is automatically
created. Enter the required information for your Commvault administrator (Note: per-user
administrative accounts are recommended for traceability):
1. Enter an Email address
(NOTE: This will create an account on the Cloud Services > website)
2. Enter a Password
3. Click Create account button
Note: If you already have a Commvault Cloud Services account, please use your existing
username and password.
Your password will need to comply with these conditions:
• Be at least 8 characters long
• Include at least one number
• Include at least one lower-case character
• Include at least one upper-case character
• Include at least one special character
Once the software has registered, you will be redirected to the Commvault Command Center™
login page. Enter the credentials you used to register the CommCell and click Login.
Note: Your username is admin -or- the email address used during registration...
The remaining steps will take place in the Commvault Command Center.
Click OK to accept the Commvault trial warning.
Step One – Initial application setup
When you log into the Command Center for the first time, a wizard will guide you through the
initial application setup. After you complete this core setup, you can complete quick start setup
specific to the applications you protect (e.g. Hypervisors, Databases). See Completing the Core
Setup Wizard (Command Center) for more detail.
Note: It is recommended to have a default backup library ready before commencing application
setup. You will need:
• A local drive (*attached to CommServe) -or- Network Attached Storage (NAS) share for
your backup data with no more than 15TB of client data to protect (Small environments).
• A dedicated local SSD drive (*attached to CommServe) with 600GB free size for DDB and
Index Cache (see Hardware Requirements >)
* During initial platform setup below, it is assumed that you only have one data mover or
MediaAgent, which is the CommServe itself. As your platform scales the data movement function
will normally reside on a separate server.
Performing initial Setup
1. Click Let’s get started > button
2. Add storage by supplying the following information and click Save
• Name: _SystemDefault (prefix is used to indicate system usage)
• MediaAgent: (select your CommServe)
• Type: Select Local or Network
• Backup location: select/create a folder to store data when it is backed up
(e.g. G:\_SystemDefault)
• Deduplication DB location: select/create a folder to store the Deduplication
Database (e.g. F:\_SystemDefault-DDB)
3. Create a default server backup plan by supplying the following information and clicking
Save
• Plan name: _Default (prefix is used to indicate system usage)
• Copies (backup copies that will be held)
i. Primary _SystemDefault 1 Months retention
• RPO - Runs every 1 Days
• Start time – 09:00 PM
Note: This is a default server backup plan used to protect your Commvault infrastructure. You will
configure your customer-facing backup plans separately.
You have now finished initial setup – click Dashboard (left) to view your configured CommCell.
Get notified of critical events
At a minimum, the platform administrator should be notified of any critical events requiring
attention. To provide email server information for Commvault alert delivery, perform the following:
1. Click Guided setup (left-pane)
2. Click Configure email quick task (right)
3. Supply your company SMTP server, port and authentication details
(if required in your organization)
4. Click Test email and confirm you receive the test email (see status in top of window)
5. Click Save button
Commvault will notify the administrator of critical and anomalous events by default.
(Alerts and Notifications – Predefined Alerts >)
Alternatively, you can forward alerts from the Commvault system to your centralized Event
Management system using SYSLOG > or SNMP >.
Downloading the latest software
While you perform further setup, the Commvault system can download the latest software onto
your CommServe, from your Guided setup page:
1. Click the Download/copy software quick start
2. Leave default as ‘Download software using – Internet’
3. Leave default as ‘Latest hotfixes for the service pack’
4. If you have Linux systems to protect, add Unix – Linux X86_64 to your download
5. Click the Download button
The latest software will be useful if you have a need to push application agents to clients to be
protected. This is covered below in Installing Application Agents on Clients (optional) >.
Running your first DR backup
While the software downloads, let’s run your first Disaster Recovery backup.
1. Type Disaster into the top-bar search box, click Manage > System > Maintenance
2. Click the DR backup (Daily) tile
3. Click the icon to perform a DR backup to default location C:\DR
4. Select Full (default) and Enable database backup compression (default) and click Run job
5. Click view job details to monitor backup progress real-time -or-
Type Jobs in left-pane search and select Jobs menu.
Configure offsite DR backups
When the initial DR backup is complete, it is recommended to navigate back to Manage >
System > Maintenance > DR backup (Daily) and click the icon to configure at least one of
the following:
• A network share location for the Backup metadata destination (not on CommServe)
• Upload backup metadata to Commvault cloud > (recommended)
• Upload backup metadata to a cloud library > (recommended)
Commvault will retain one (1) database copy for FREE in Commvault controlled cloud (Azure).
Commvault recommends configuring a Cloud library for retention of at least fourteen (14) days;
this allows recovery from an event that may go unnoticed for a period of 1-2 weeks.
Step Two – Configuring your Service Catalog
The next step in configuring your multi-tenanted Backup as a Service (BaaS) platform is
configuring your Service Catalog. Commvault implements your Service Catalog as Plans. A Plan
defines what to protect, how often and where to keep backup copies.
The table below summarizes the default Data Center Backup as a Service (BaaS) plans for
Essential, Standard, and Premium. Essential is the most basic offering with features and monthly
cost increasing with each service level.
Plans
Service Plan      Primary copy, Retention   Secondary copy             RPO
Essential         Primary-Site1, 15 days    -                          24 Hours
Standard          Primary-Site1, 30 days    -                          24 Hours
Premium           Primary-Site1, 15 days    Secondary-Site1, 30 days   8 Hours
Premium-Offsite   Primary-Site1, 15 days    Secondary-Site1, 30 days   8 Hours
Standard-Offsite  Primary-Site1, 30 days    Secondary-Site1, 30 days   24 Hours
These Service Plans will be sufficient for protecting your Virtual Machine, Server and Application
workloads both on-premises and at remote sites (co-location facilities). Long Term Retention
options have been excluded from initial setup.
Adding your Storage
Before your service plans can be created, you will need your storage locations provisioned and
available to Commvault. You will require a Primary storage location in the same data center as
the protected workloads, and another at a Secondary or remote location.
These storage locations may be – Cloud >, disk >, or tape libraries.
Adding Disk Storage
1. Navigate to Storage > Disk menu
2. Click Add (right)
3. Enter a Name (i.e. Primary-Site1)
4. Select the CommServe as the MediaAgent
5. Select a Type (Local or Network)
6. Provide a Backup Location
7. Provide a Deduplication DB location
8. Click Save
Adding Cloud Storage
1. Navigate to Storage > Cloud menu
2. Click Add (right)
3. Enter a Name (i.e. Secondary-Site1)
4. Select a Type (i.e. S3 Compatible Storage)
5. Select the CommServe as the MediaAgent
6. Enter S3 endpoint hostname/address
7. Enter Bucket name to store backup data in
8. Provide Credentials
9. Provide a Deduplication DB location
10. Click Save
Commvault recommends leveraging disk-based libraries for all your data-center BaaS backup
copies and cloud (or tape) libraries for long-term retention or archival data only.
Tip: Your Cloud provider may provide a method to present access to their S3/Object service
inside your virtual cloud network vs. traversing the Internet; configure direct access if available
(e.g. Gateway VPC Endpoints >).
Follow the links above for the process to add your Disk and/or Cloud Storage.
NOTE: Each Storage location will require a dedicated SSD drive to locate the Deduplication
DataBase (DDB) and Index cache data. The size of the SSD drive is dependent on the amount of
client data being sent to the Storage Pools, see Hardware Specifications for Deduplication
Mode >.
In the example above, there is a Primary-Site1 disk backup stored locally and a Secondary-Site1
cloud copy created for offsite / Disaster Recovery retention.
You may now proceed to Plan creation (below).
Adding your Plans
You may now configure your Service Plans by performing the following:
1. Navigate to Manage > Plans
2. Click Create plan (right) > Server backup
3. Supply the Plan name (see table below)
4. Click Add to add backup destination copies as required by service (see table below)
a. You will need to perform an Add for both your Primary and Secondary copy.
5. Set the RPO – Backup Frequency
6. Click Save button
Repeat for each Service Plan detailed (below). Other options may be left as default.
Tip: Using a numeric prefix to each plan enables tracking of your services history
Plan Name                Primary Copy  Primary Storage  Retention Period  Secondary Copy  Secondary Location  Retention Period  RPO
1_Essential              Primary       Primary-Site1    1 Months          -               -                                     1 Days
2_Standard               Primary       Primary-Site1    1 Months          -               -                                     1 Days
3_Premium                Primary       Primary-Site1    15 Days           Secondary       Secondary-Site1     1 Months          8 Hours
4_Standard (+Offsite)    Primary       Primary-Site1    1 Months          Secondary       Secondary-Site1     1 Months          1 Days
5_Premium (+LTR_1y) [1]  Primary       Primary-Site1    15 Days           Secondary       Secondary-Site1     1 Months          8 Hours
5_Premium (+LTR_7y) [2]  Primary       Primary-Site1    15 Days           Secondary       Secondary-Site1     1 Months          8 Hours
[1] Secondary copy - Extended retention rule: Monthly Fulls, retained for 12 months
[2] Secondary copy - Extended retention rule: Yearly Fulls, retained for 7 years
Extended retention is configured by enabling the Extended retention rules for a backup
destination and selecting the required backup Type and Retention period (see below)
See Plans > for more details, including Setting Default Plans > for new infrastructure.
Tailoring the user experience
In our BaaS solution, we will offer Virtual Machine, File-Server and Database backup only. Perform
the following to disable the user interface options associated with other data types:
1. Navigate to Manage > Customization
2. Click the Navigation tile, under Navigation preferences
3. Uncheck the following menu items that are not required for your Self-Service IaaS BaaS
service, for the Tenant admin, Tenant user columns:
a. Guided setup
b. Protect – Laptops, Applications (all)
c. Activate
d. Orchestrate
e. Manage – Plans, Regions
f. Network
g. Web console – My data
h. My Apps
4. Click the initial landing tab, select Company dashboard for the Tenant admin
5. Select Virtual machines for the Tenant user.
6. Select Company dashboard for Restricted user
7. Click Save, click Yes to confirm save.
Plans visibility is only required if your tenants need to see the backup filters and exclusions you
have configured.
Note: Be aware these changes affect all tenants that are consuming your service. If you would like
to make changes specific to a Company, use the Navigation preferences tile for a company.
Warning: Do not navigate away from the Navigation preferences page during configuration or
you will lose your customizations.
Step Three – Onboarding your first tenant
Commvault utilizes a virtual construct called ‘Companies’ to represent a tenant within the shared
Commvault platform. To onboard a new tenant for Backup as a Service (BaaS) you will create a
‘Company’ with an associated administrator and users.
Creating a company
To onboard your first tenant, perform the following:
1. Navigate to Manage > Companies menu
2. Click Add company (right)
3. Enter the following details and click Save
• Company name
• Email (of the tenant administrator)
• Contact name (of the tenant administrator)
• Plans (select all service plans tenant can subscribe to)
• Company alias: enter a short alias for the tenant
• Associated SMTP: enter the email domain for tenant
• Send welcome email toggle: leave enabled (default)
• Ensure Auto discover applications is disabled (default)
Application auto-discovery: Auto discover applications will run a scan on all systems within the
tenant every twenty-four (24) hours. If a supported application is identified, its Commvault
software agent will be push-installed on the host. This feature should be disabled, as only
Premium customers receive application-agent based protection.
Tenants are emailed a welcome email and one-time password setup link – if welcome email is
enabled. If you will be configuring Single Sign On (SSO) authentication > for your tenants, it is
recommended to disable Send welcome email, as the users will use a previously supplied
password.
You can customize the email template to tailor branding and welcome information per
Company – see Adding an Email Template >.
Enabling tenant solutions
When your tenant admin logs into the Command Center, they will be prompted to enable
protection for one or many solutions. Customize which solutions will be displayed, as follows:
1. Click the Company name
2. Click Edit on Supported solutions General setting
3. Enable File server, Virtualization and Databases (to match your Service Catalog)
4. Click OK
Activating an authcode for client installation
Commvault recommends activating Authorization Code(s) or authcodes for client registration
for each tenant. Please see Enabling Authorization Code for a Company > to complete this task.
Click Requires authcode for installation within the Company General settings tile.
Setting a default plan
To set a default plan for new infrastructure, you will need to login as the Tenant Administrator.
You may temporarily login as a tenant admin by selecting the company name (top-right) in the
Command Center™. See below
1. Select a default Server Plan
2. Select Do not ask me again
3. Click Save
NOTE: Default plans will automatically associate new infrastructure with the default plan. Consider
whether you want newly registered systems to receive BaaS services without customer
acceptance of terms and conditions.
Creating a Virtual Server Agent
In order for your tenants to protect their virtual infrastructure, they will require a dedicated
Virtual Server Agent (VSA). Provision a virtual machine within the customer network with the
following specifications (VMware >, Hyper-V >)
• Microsoft Windows Server 2012 – 2019
• 2 x CPU/vCPUs
• 24GB RAM
See Hardware Specifications for Virtual Server Agent > for scaling-up this host to handle up to
120TB of front-end client data.
Commvault refers to this host as a Virtual Server Agent, Access Node and/or a Proxy Client
throughout its documentation. This host will require a Layer 3 network path to the Hypervisor
hosts that host the tenant workloads.
Note: For Hyper-V deployments, the Virtual Server Agent is installed directly onto the Hyper-V
Server (documentation).
Configuring one-way network communication from tenants
In most multi-tenanted configurations, tenant networks utilize RFC1918 addressing with Network
Address Translation (NAT) to a service provider services network. Commvault must be
configured to ensure that all client communications will be tunneled over a one-way tunnel from
the tenant network towards the CommServe (on port 8403) and associated infrastructure.
This is a one-time setup task and will automatically apply to all tenants.
This configuration allows tenant infrastructure to have overlapping IP addressing without
affecting backup and recovery services.
To configure Commvault to only accept incoming connections from tenant infrastructure you will
create a network topology to inform Commvault of the underlying network design. This will
consist of two (2) groups:
– Network - All <Tenant> Infrastructure and
– All Infrastructure.
To set up these groups:
1. Type Groups in left-pane search box
2. Click Add
3. Name the group, for example MSP.IO - Infrastructure
4. Select Manual association
5. Select all infrastructure residing in the MSP ‘restricted’ (non-tenant) network space.
6. Click Save
7. Click Add
8. Name the group, for example Network – All <tenant> Infrastructure
9. Select Automatic association
10. Click Add rule
11. Select Package installed, any in, File System Core, click Save
12. Click Add rule
13. Select Associated client group, not equal to, MSP.IO - Infrastructure, click Save
14. Click Add rule
15. Select Company Client Provider Associations equal to <Tenant>, click Save
16. Click Preview to ensure all infrastructure (except CommServe) is listed.
17. Click Save
Next, create the Network Topology that describes the permitted network flows between these
groups:
1. Type Network in left-pane search
2. Select Network Topologies tile
3. Click Add topology
4. Enter the name "Ensure one-way traffic from tenants"
5. Select Servers as the client type
6. Select One-way as the topology type
7. Select Network – All <Tenant> infrastructure as group Servers
8. Select MSP.IO - Infrastructure as group DMZ Servers
9. Click Save
10. Select Actions > Push configuration
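One way to confirm the traffic direction after the push, run on a tenant VSA: every TCP session between that host and MSP infrastructure should have been opened outbound to the tunnel port. This is an added example, not part of the Commvault guide; 192.0.2.10 is a placeholder for your CommServe address as seen from the tenant network, and 8403 is the tunnel port named above.

```powershell
# Added example, not from the Commvault guide. Run on a tenant VSA / access node.
# 192.0.2.10 is a placeholder (TEST-NET-1) for the CommServe address as seen from
# the tenant network; 8403 is the tunnel port named in this guide.
function Get-TunnelDirectionReport {
    param(
        [Parameter(Mandatory)][string[]]$MspAddress,   # CommServe / MSP infrastructure IPs
        [int]$TunnelPort = 8403
    )

    # Ports this host listens on. An established session whose LocalPort is one
    # of these was opened by the remote side, i.e. it is inbound.
    $listening = Get-NetTCPConnection -State Listen |
        Select-Object -ExpandProperty LocalPort -Unique

    Get-NetTCPConnection -State Established |
        Where-Object { $MspAddress -contains $_.RemoteAddress } |
        ForEach-Object {
            $inbound  = $listening -contains $_.LocalPort
            $expected = (-not $inbound) -and ($_.RemotePort -eq $TunnelPort)
            $proc     = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue

            [pscustomobject]@{
                Local     = '{0}:{1}' -f $_.LocalAddress, $_.LocalPort
                Remote    = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
                Direction = if ($inbound) { 'inbound from MSP' } else { 'outbound to MSP' }
                Process   = $proc.ProcessName
                # Anything other than an outbound session to the tunnel port is
                # flagged for review rather than declared a violation.
                Verdict   = if ($expected) { 'expected' } else { 'review' }
            }
        }
}

$commServe  = '192.0.2.10'   # placeholder, replace with your CommServe address
$tunnelPort = 8403

# 1. The tenant side must be able to open the tunnel towards the CommServe.
$probe = Test-NetConnection -ComputerName $commServe -Port $tunnelPort -WarningAction SilentlyContinue
'Tenant -> CommServe:{0} reachable: {1}' -f $tunnelPort, $probe.TcpTestSucceeded

# 2. Existing sessions with MSP infrastructure, classified by direction.
$report = @(Get-TunnelDirectionReport -MspAddress $commServe -TunnelPort $tunnelPort)
$report | Format-Table -AutoSize

$toReview = @($report | Where-Object Verdict -eq 'review')
'Sessions needing review: {0}' -f $toReview.Count
```

Add the addresses of any other hosts in the MSP infrastructure group to `-MspAddress` so that sessions with them are classified as well.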
Creating a custom package
Your tenants will most likely be isolated on their own network. It is common for most MSPs to
utilize private (RFC 1918) addresses in these networks, and only permit tenant to MSP
network communication.
If this matches your configuration – you will need to create an Installation package for your
tenants to install the initial Virtual Server Agent software. Once a VSA is established, a Remote
Software Cache > may be established inside the customer network for subsequent agent
installations.
To create a VSA package:
1. Login to the CommServe as an Administrator
2. Locate the Installation Source you used to install the CommServe.
3. Rename install.xml to install.old
4. Run Setup.exe, choose Language, and click >
5. Enable I agree, and click >
6. Select Create a custom package to install on a different computer, and click >
7. Deselect, and reselect Windows > WinX64 (default), and click >
8. Select New Installations, and click >
9. Select Select Packages, and click >
10. Enter a new folder for the package to be stored (E:\VSAPackageLocation), and click >
11. Select Virtualization > Virtual Server, and click >
12. Select Include Third Party packages
13. Select Include .NET Framework 4.0 Installer
14. Select Create self-extracting executable, and click >
15. Click Finish
You will need to copy this file to your newly created Virtual Server Agent VM / host for
installation. Commvault provides a web-based Download Center > as a built-in file-share server
for making packages available to your tenants.
Installing the Virtual Server Agent
Your customer will need a VSA to connect to their Hypervisor for protection. To install the initial
Virtual Server agent:
1. Login to your newly provisioned Virtual Server Agent VM as an Administrator
2. Execute the WinX64.exe created in previous step
3. Accept the default Destination Folder (C:\Program Files\Commvault\installer), Extract
4. Choose Language, click >
5. Select I Agree, click >
6. Select Install packages on this computer, click >
7. Select Virtualization > Virtual Server, click >
8. Enter an Installation Path, click >, click >
9. Select Configure Communication services
a. Select This machine can open connection to CommServe on tunnel port
10. Click >
11. Click > to accept Client Name, and Host Name
12. Enter your commserve client name and fully qualified hostname/IP name, click >
13. Leave the CommServe HTTP/HTTPS tunnel port number: as 8403 (default), click >
14. Click > to skip HTTP Proxy information (if there is no proxy to access commserve)
15. Click > to skip providing a per-client certificate
16. Select Enter Authcode, enter authcode from the tenant company configuration, click >
17. Click > to skip Plan selection
18. Click Finish
Note: These answers can be recorded in the VSA package to simplify tenant self-service VSA
installation (Creating a Custom Package for Windows Computers Using the Download
Manager >).
The VSA will be installed and registered with the CommServe as owned by the tenant.
Note: It is crucial to enter an authcode during install; this flags the VSA as dedicated to the tenant.
Enabling security roles for tenant use
Once you have workloads protected, your tenant administrators will want to grant self-service
management capability to individual users or user groups. In order to enable Commvault built-in
roles, you will need to publish roles to each of the tenants. To unlock standard roles for tenant
use:
1. Type Roles in left-pane search box, click Manage > Security > Roles
2. For VM End User role, click the role name, select Visible to all
3. Click Save
This is a one-time setup task and will apply to all tenants.
Step Four – Adding a tenant Hypervisor
Now that you have finished the core setup, it’s time to set up Infrastructure as a Service (IaaS)
platform protection. The following steps will enable the Virtualization solution and add
tenant-dedicated Hypervisor host(s) for protection.
Note: In this setup, you will be protecting Self-service Infrastructure: each tenant has their own
Hypervisor infrastructure, Virtual Machines, and Applications. Restore requests are expected to
be performed by the customer or via tickets logged to your Service Desk.
Creating tenant hypervisors
In order for your tenants to onboard their own Hypervisor, they must have role-based access into
a shared hypervisor -or- dedicated infrastructure (i.e. Hyper-V physical host per tenant). The
steps below assume your tenant has been set up on a dedicated hypervisor host and role-based
access provided per the link below.
Configuration of vSphere User Accounts >
Onboarding your Hypervisor
The tasks below may be completed by Switching login to the Tenant Admin, or provided to the
customer so they can self-service onboard at their own leisure.
To add the tenant Hypervisor for protection:
1. Click Protect > Hypervisors > Add hypervisor button
2. Select vendor either VMware vCenter > or Microsoft Hyper-V > and supply the
following information and click Save
• Server name (of hypervisor access point)
• Hypervisor display name (i.e. MSP.IO – Fully Managed Infrastructure)
• Username (of hypervisor administrator)
• Password (of suitable administrator account on hypervisor)
• Access nodes (this is CommServe for initial setup)
3. Provide a VM group Name (i.e. Essential VMs) and matching Plan (i.e. 1_Essential), and
click Finish button
a. Select the specific VMs you would like to be protected on this plan
(if you have VMs already provisioned)
You will be redirected to your newly created VM group; click the Configuration tab to view the
detailed configuration information. A backup will be started automatically for selected VMs, and
you will be redirected to the Active jobs monitor to view the progress. Only the first VM group
creation will trigger an automated backup.
TIP: It is recommended that infrastructure within your Hypervisor platform is grouped (by
Resource Group, VM Folder) or tagged to identify the customer service plan (see below for VMware
vCenter tagging example).
If tags or grouping are utilized, Commvault can auto-discover new Virtual Machines and protect
them with the appropriate service plan. Where tags are not available, Commvault has a broad
selection of metadata to auto-discover and map hosts to a plan (see Add rule options above).
Setting virtual machine backup type
Each of your service plans provides a differentiated method of protecting the underlying
application data. Configure the Virtual machine backup type by clicking Edit in the VM Group
Setting tile and selecting the following settings. Remember your Service Catalog provides a
staggered value approach:
• Essential plans receive crash consistent protection only.
• Standard plans receive AppAware protection (needs service account on host)
• Premium plans receive Application agent protection (needs agent install on host)
Plan Name Backup type
1_Essential Crash consistent
2_Standard Application Aware
3_Premium File system and application consistent (you will install an app. agent later)
4_Standard (+Offsite) Application Aware
5_Premium (+LTR_1y)1 File system and application consistent (you will install an app. agent later)
5_Premium (+LTR_7y)2 File system and application consistent (you will install an app. agent later)
Once configured, you should click the Backup button on each of your VM Groups to validate
successful backup execution. All Incremental backups will be converted to Full for the first backup.
Best Practices
If utilizing storage array snapshot technology, it is recommended to place Virtual Machines (VMs)
in dedicated datastores or volumes aligned to their service level.
The reason for consolidating hosts on common service plans is that a storage array snapshot will
capture ALL VMs in a given datastore. Co-locating all VMs with common service levels will reduce
the size and overall footprint of the storage snapshot.
Onboarding a Virtual Machine to a user
Now that you have one or many virtual machines protected, you can assign self-service
permissions to tenant users. You will need to create additional users for your company, per
Creating a User > instructions.
1. Login as admin to Command Center.
2. Click Dashboard (left-pane)
3. Click VMs
4. Click the Name of the Virtual Machine you want to assign
5. Click the Configuration tab
6. Click Edit in the Security tile
Assign permission as one of the following. Permissions may be added to an individual user or a
group of users (recommended):
• <tenant>\<user> user as an Owner
• <tenant>\<user> user as a Tenant Admin role
• <tenant>\<user> user as a VM End User Role
Note: There is no need to assign <tenant>\Tenant Admin or <tenant>\Tenant Admin group as
these users/user groups have automatically been granted the Tenant Admin role.
Features    Tenant Admin Role    VM Owner    VM End User Role
View VM protection history, SLA ✓ ✓ ✓
Ad hoc Backup¹, Suspend, Resume, Kill ✓ ✓
View jobs, job details, logs ✓ ✓ ✓
Restore – guest files (in-place, out of place) ✓ ✓ ✓
Restore – virtual machine files (vmdks, disks) ✓
Restore – attach disk to existing VM ✓
Restore – full VM (in-place, out of place²,³,⁴) ✓ ✓ ✓
Restore – download files (in browser) ✓ ✓ ✓
Restore – Live recovery ✓
Restore – Live mount ✓
View or change service plan ✓
Assign additional VM owners, associations ✓
1 Users may initiate Incremental only protection.
Full backup must be run by the Tenant Admin or via MSP Service Desk request.
2 New VMs (restores) will not be visible until at least one backup has run on them.
3 New VMs (restores) will not inherit their source VM permissions, Tenant Admin will need to
grant self-service user permission/ownership after restoration.
4 New VMs (restores) will not be restored into ESX VM folders, MSP will need to migrate these
systems to their appropriate VM folder (if folders are used).
WARNING: As of Commvault v11.19 vCenter tags are not correctly restored. As vCenter tags are
used to assign VMs to Plans, the newly created VM will not be protected. The Tenant Admin will
need to manually assign the VM to a VM Group and request the application of the ‘Service Plan’
vCenter tag via Service Desk request.
Items marked with a cross will require the user to contact their Tenant Admin to complete
-or- log a Service Desk request to be actioned.
Note: If your CommServe is utilizing internal DNS, you may need to edit the /etc/hosts file on your
ESX infrastructure and add an entry for each of the Media Agents that will handle Live
Recovery or Live Mount VM restoration. Commvault will mount a temporary NFS datastore from the
Media Agent to the ESX host during recovery (ports 111, 2049).
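A pre-flight check for the note above, as an added example (not Commvault tooling): it parses hosts-file text to find Media Agents that have no entry, then tests TCP reachability of ports 111 and 2049 for the ones that do. The host names, addresses, sample hosts content and function names are constructed for illustration.

```python
"""Pre-flight check for Live Recovery / Live Mount name resolution and NFS ports.
Added example, not Commvault tooling; host names and addresses are constructed."""
import socket
import sys

NFS_PORTS = (111, 2049)  # the two ports named in the note above

# Constructed sample of hosts-file content on an ESX host.
SAMPLE_HOSTS = """\
127.0.0.1    localhost
# Media Agents used for Live Recovery / Live Mount
10.20.0.11   ma01.tenant-a.example ma01
10.20.0.12   ma02.tenant-a.example   # second Media Agent
10.20.0.99
"""

# Constructed list of Media Agents expected to serve restores.
MEDIA_AGENTS = ["ma01.tenant-a.example", "MA02.tenant-a.example", "ma03.tenant-a.example"]


def parse_hosts(text):
    """Return {lower-cased name: ip} for every hostname and alias in hosts-file text."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        fields = line.split()
        if len(fields) < 2:
            continue  # empty line, or an address with no name after it
        ip, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower(), ip)  # keep the first entry for a name
    return table


def missing_entries(hosts_text, media_agents):
    """Media Agents that have no entry in the hosts file (names compare case-insensitively)."""
    table = parse_hosts(hosts_text)
    return [ma for ma in media_agents if ma.lower() not in table]


def port_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def readiness(hosts_text, media_agents, ports=NFS_PORTS, probe=port_open):
    """Per Media Agent: the address from the hosts file and which ports answer."""
    table = parse_hosts(hosts_text)
    report = {}
    for ma in media_agents:
        ip = table.get(ma.lower())
        results = {p: bool(ip) and probe(ip, p) for p in ports}
        report[ma] = {"ip": ip, "ports": results,
                      "ready": ip is not None and all(results.values())}
    return report


if __name__ == "__main__":
    # Usage: script.py /etc/hosts ma01.example ma02.example
    # With no arguments the constructed sample above is used.
    if len(sys.argv) > 2:
        with open(sys.argv[1]) as fh:
            text, agents = fh.read(), sys.argv[2:]
    else:
        text, agents = SAMPLE_HOSTS, MEDIA_AGENTS
    for name, result in readiness(text, agents).items():
        print(name, result)
```
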
Running an ad hoc backup
Performing your first self-service data protection operation is simple. Follow the steps below to
complete a protection job.
Performing an ad hoc backup, as the MSP Administrator:
1. Navigate to Protect > Virtualization (or your solution of choice)
2. Select VM groups from the top menu and click the ellipses … and choose Back up.
3. Click backup from the top right to select your desired backup type (Full,
Incremental, Synthetic).
4. Upon selecting your backup type click Ok.
5. Click view job details from the popup box that displays. You will be taken to
the Job Monitor.
You can monitor and control the status of the job from the Active Jobs page.
WARNING: At least one (1) backup must have been run from a Virtual Machine before it can be
assigned self-service permissions, like assigning owners / operators.
Post Setup
Registering your installation and activating Cloud Services
By now you have your trial Commvault software set up and you are running backups for a set of
test tenants and virtual machines.
When your MSP commercial agreement is completed with Commvault, register your CommServe
computer on the Cloud Services portal. For more information, see Registering a CommServe
Computer on the Cloud Services Portal >.
Once registered you may start using the value-add features of the Cloud Services Portal,
specifically:
• Downloads
• Reports
• Remote monitoring
For more information on registering your administrators for Cloud Services usage, see
Commvault Cloud Services – Register Your Product.
Enabling single file recovery for Linux hosts
By default, your initial installation will not allow single-file or folder recovery from Linux Virtual
Machine host backups. To enable the mounting of Linux file-systems and single-file recovery you
will need to:
• Provision a new virtual Linux Media Agent in the tenant network
• Install the Media Agent and Virtual Server Agent software on the host (docs >)
• Modify the Tenant Hypervisor definition to include the newly registered MA as a File
Recovery Enabler for Linux (Specifying the Default File Recovery Enabler >)
Enabling automatic software pushes to VMs
Where you will be providing Application Aware protection > for tenant VMs (i.e. Standard plans),
you will need to enable a remote software cache within the customer network. You will also
need to instruct Commvault to utilize the customer Virtual Server Agent (VSA) to hold copies of
the latest Commvault software for installation.
Note: this process is optional and may be avoided by providing custom installation
packages for the tenant to self-install (see creating custom install packages).
Set up a Remote Software Cache
1. Login to CommServe as an Administrator
2. Open Commvault CommCell Console
3. Right-click your commserve, All tasks > Add/Remove Software > Software Cache
Configuration
4. Navigate to the Remote Software Cache tab
5. Click Add (to add a new cache)
6. Select your tenant VSA as the Computer to host the cache.
7. Ensure Enable Remote Software Cache is checked (default)
8. Specify alternate cache directory if desired.
9. Click Configure Packages to Sync
a. Ensure Sync Packages is checked (default)
b. Select Customize Packages (default)
c. Select the OS, click + and select the packages
(Media Agent, File System Core, File System, VSS Provider, VSS Hardware
Provider, Virtual Server, SQL Server, Oracle)
10. Click OK, click OK
11. Click Add/Remove Clients
12. Select your Company (tenant) Client Computer Group, click Include All >>
13. Click OK
14. Click Sync Cache
15. Click OK
16. Right-click your commserve, All tasks > Add/Remove Software > Download Software
17. Click the Options tab, select Sync
18. Select your newly created Remote Software Cache, click OK
After each Commvault update is validated in your environment, you can selectively push the
updates to each of your tenant software caches to allow rolling patch upgrades.
Installing the Media Agent package on VSA
In order for Commvault to share out the software cache to your tenant systems, the Media
Agent package requires installation on your VSA.
1. Login to Command Center as admin
2. Navigate to Manage > Servers
3. Locate your server using the search box, click Actions, Add Software
4. Select Media Agent, click OK, click Install, click Ok
5. Once complete you will see the MediaAgent role appear on your server (Roles tile)
Configure use of VSA for package installation
Commvault must be told that application pushes within the tenant network must use the VSA as
their software source. To instruct Commvault to use the VSA:
1. Login to CommServe as an Administrator
2. Open Commvault CommCell Console
3. Right-click your commserve, Properties
4. Choose Additional Settings tab
5. Click Add and add new setting called PushInstallThroughProxy, click Lookup
6. Set Value to 1, ensure Enable is checked (default)
7. Enter a comment (required to track why setting was applied)
8. Click Ok
For additional information see - Enabling Remote Installations from the VSA Proxy >
Warning: In order for Application Aware > backups to automatically push application agents,
the File System Core package must be installed on all hosts that may perform application
backups. It is recommended that infrastructure provisioning scripts perform an Unattended
Install > as part of initial VM provisioning.
Commvault recommends making a File System Core package available to tenants. Customers
can install the agents if required.
You may now perform an Application Aware enabled VM backup (i.e. Standard plan VMs) and
agents will be automatically pushed (e.g. MS SQL, Oracle) if the customer installs and configures
the application on the host.
Installing Application Agents on Clients (optional)
Premium services offer the ability for customers to activate application integrated backups by
installing Commvault software agents on their application server. The installation process may be
performed via a push method from the Command Center -or- supplied to the customer as an
installation file.
See Adding Commvault Software to an Existing Server (Command Center) >
More common in Managed Service Provider environments is a solution where a downloadable
executable is made available to the end customer to install at their own leisure.
Commvault recommends customer self-installation and activation using authcodes, see below
for the process:
1. Create a custom package with at least a File System agent, plus any
additional applications you would like to protect
Creating a Custom Package for Windows Computers Using the Installation Package >
Creating a Custom Package for UNIX Linux, and Macintosh Computers Using the
Installation Package >
2. Access the Web Console
Accessing the Web Console >
3. Add a new download repository
Adding a Repository to Download Center >
4. Add your package to Download Center
Adding a Package to Download Center >
NOTE: To ensure users can download packages without logging in, create a
CommCell group named Everyone and then make the package Visible To > Everyone.
Agent-based Onboarding
For host(s) that have Commvault software agents installed, during interactive or automated
installation a registration credential is supplied. This credential (either username/password or
authcode) will automatically assign the infrastructure to the associated tenant / company.
Additional owners may be added after registration by Adding an Owner to a Client >.
NOTE: In environments with firewall security, Commvault recommends the Readiness Check
Report > to validate that basic networking is functioning before further service activation.
Enabling tenant Single-Sign On (SSO)
In order to provide single sign on (SSO) access to the Commvault Command Center for a tenant
organization (Admins and Users), you will need to configure an Identity Provider (IdP) for the
tenant (i.e. Company).
This activity is ideally performed by the Tenant Administrator, or as part of initial tenant
creation/onboarding.
Detailed instructions may be found at Set Up Authentication >, instructions for Active Directory
(AD) are provided below:
1. Navigate to Manage > Security > Identity servers
2. Click Add (top-right)
3. Enter the following information and click Save
• Select Directory Type = Active Directory
• NETBIOS name is the Domain name (pre-Windows 2000)
• Domain name is the fully qualified hostname of your Domain
Controller
• User name is a Domain account with at least read capability
• Password for the supplied Domain account
4. Select company/tenant in the ‘Created for company’ drop-down
5. Click Save
Note: You will require Layer 3 connectivity between your CommServe and the Active Directory
(AD) server for LDAP, DNS and KERBEROS protocols.
Note: there is the ability to utilize a proxy-host to access Active Directory but this method is not
yet supported via Commvault Command Center™.
Onboarding a tenant user
Once you have configured authentication for your tenant, you must onboard each user
individually as either a Tenant Administrator, User or Operator. To onboard a user, you create a
Commvault account entry with the required role.
1. Type User group in left-pane search box
2. Click Security > User groups
3. Locate the Group name for your Company. There are three (3) groups (roles)
created per tenant:
• <company>\Tenant Admin perform management of all company backups.
• <company>\Tenant Users perform backup & recovery for specific hosts.
• <company>\Tenant Operators perform management of multiple
companies.
4. Click the Group name
5. Click Add users
6. Click Add new user , select External user , enter the following and click Save
• Select the company configured External provider (AD server)
• Enter User name for user (matching AD user name)
• Enter Email for user (matching AD email address)
• User group will be pre-selected as Tenant Admin, Tenant User or Tenant
Operator
You can Perform a Bulk Import of Users (Command Center) > if multiple Tenant Admins or
Users are being added as part of the same change.
A note on multi-tenant personas
There are three (3) primary user types or user personas within a Commvault multi-tenanted
solution.
• Commcell admin is held by the Service Provider and has access to configure the shared
services platform and create (onboard) new tenants.
• Tenant Admins are created initially by the Service Provider, but then manage the
onboarding (creation, deletion, modification) of users, protected infrastructure and
integration with their company identity systems (i.e. Active Directory).
• Tenant User/Operators are created by the Tenant Administrator and given protected
infrastructure rights to perform self-service backup and recovery, in alignment with
subscribed services.
These map to specific role-based access controls via default ‘roles’ configured within
Commvault.
• Master role is held by the Service Provider (CommCell admin) and has access to
configure the shared services platform and create (onboard) new tenants.
• Tenant Admins are created initially by the Service Provider, but then manage the
onboarding (creation, deletion, modification) of users, protected infrastructure and
integration with their company identity systems (i.e. Active Directory).
• Tenant Users are created by the Tenant Administrator and given protected
infrastructure rights to perform self-service backup and recovery, in alignment with
subscribed services.
Upgrading SQL Server Express to SQL Server Standard
Once you have received your permanent license and credentials to cloud.commvault.com you
may download the full Commvault Enterprise installation (either bootstrap or full zip). To upgrade
your CommServe embedded database perform these steps.
1. Login to Command Center
2. Navigate to Manage > System > Maintenance > DR backup > run a full DR backup
3. On the CommServe itself, open the software installation directory from your
full Commvault Enterprise download (you will need to log in via Remote Desktop)
4. Navigate to the
DownloadPackageLocation_WinX64\ThirdParty\MSSQL\SQL_Standard_Edition
directory and run the setup.exe binary
5. In SQL Server Installation Center, click Maintenance , click Edition upgrade
6. Click Next >
7. Click Next > (to accept supplied Product Key)
8. Click I accept the license terms and, then Next >
9. Click Next > to accept default feature selection
Generating your first tenant usage report
Note: You will require a Commvault Cloud Services > account to download this report.
In order to bill your customers for Backup as a Service (BaaS) consumption, you will need to
generate a Chargeback Report. Your MSP subscription comes with access to Premium
Operations Reporting which provides a specialized report for Billing purposes.
1. Login to Command Center
2. Navigate to the Reports menu (left-pane)
3. Click Actions > Connect to store (you will need
your commvault supplied credentials)
4. Search for ChargeBack (top right)
5. Click Install on the ChargeBack Details report
6. Navigate back to <commserve>/adminconsole > Reports and type Chargeback
into search box (top-right)
7. On each report, hover over report name, click on ellipses and choose Tag ,
enter Chargeback and click Save
8. Press <F5> to refresh the Reports view in Command Center
9. Click ChargeBack Details report, filter the Client Group to the company you
require a ChargeBack Report for and click Apply
You may optionally Email a Report >, Export a report > (PDF, HTML, CSV) or Schedule
generation of a report > from the More actions menu.
The generated report will detail the Front End TB of protected data and the size of data on Media.
If you would like to configure Chargeback reporting to include Pricing across one or many
CommServe(s), see below.
Enabling Full Private Metrics
For environments that require long-term historical reporting and aggregation of multiple
CommServes, Commvault Private Metrics Server must be deployed. To enable Private Metrics
Server, follow Activating Private Metrics Reporting on the Command Center >. The process is
summarized below:
1. Login to Command Center
2. Type Metrics in the topbar search box, choose Manage > System > Metrics
Reports
3. Toggle Commcell diagnostics and usage to on.
4. Enable Audit, Chargeback checkboxes
5. Select (at least) Daily frequency (Commvault recommends Daily, Weekly, and
Monthly)
6. Enter http://<commserve hostname>.<domain>/downloads/sqlscripts/ in the Download URL
7. Enter http://<commserve hostname>.<domain>/webconsole/ in the
Upload URL.
8. Click Save
9. Click Upload now
10. Hit <F5> to refresh window until Last upload time reflects current date and
You will need to wait one (1) hour for the first Private Metrics collection to
occur.
You may optionally install the Metrics Upload > workflow to enable real-time metrics collection
and upload.
Generating a ChargeBack Details Report
Once Private Metrics is enabled and performing collection, you may access and configure your
ChargeBack Details report. ChargeBack details is slightly more detailed than the default
ChargeBack report and allows extraction of tenant consumption by Service Plan (Essential,
Standard, Premium).
1. Login to Command Center
2. Click Reports (left-pane)
3. Enter ‘Chargeback’ in search box (top-right)
4. Click the Chargeback Details report
Generate a per-tenant report
To generate a Chargeback Report for a specific tenant:
1. Select the time range for report (day, week, month)
2. Select the client group (tenant) by searching by tenant name (select all groups
for the tenant)
3. Click Apply
You will receive a Chargeback Summary with the following information
Features: Definition

Front End Backup Size: The amount of data in the largest full backup job from each subclient
during the specified time period. If no full backup job completed during the specified time
period, then it is the amount of data in the largest full backup job from the previous time period.
For VMs, this is the largest guest size in the last full backup cycle for the selected time period.
For clients that have both VSA and other agents installed, we display only the front end size for
VSA subclients.
Jobs that run on a VM are counted only once, regardless of the number of subclients used to back
up the virtual machine.
This is Front End data measured at the client prior to compression or deduplication.

Front End Archive Size: Total Front End data on clients that was archived during time period.
This will be 0 for the catalog configured.

Primary App Size: The amount of application data before compression and deduplication
that was written to primary copies, including aged data and pruned data,
during the specified time period.
For VMs, the application size is the backup size.

Protected App Size: The size of application data before compression and deduplication of all
active jobs, that ran during the specified time period, in all storage policy
copies, including aged data and pruned data.

Media Size: The amount of data that was saved on storage media during the specified
time period, including aged and pruned data.
For storage policy copies with deduplication enabled, the media size for
each job is calculated based on the average deduplication ratio of the
copy. Where media size = application size * average deduplication ratio
per copy.
The average deduplication ratio of a destination copy is calculated by
(total size on disk)/(total protected app size) for the destination copy.

Total Protected App Size: The size of application data before compression and deduplication of all
active jobs, that ran at any time, in all storage policy copies, excluding
aged data. For VMs, the application size is the backup size.

Total Media Size: The amount of all active data that is saved on storage media,
including all storage policy copies on all media types, and excluding
aged data.
For storage policy copies with deduplication enabled, the media
size for each job is calculated based on the average deduplication
ratio of the copy. Where media size = application size * average
deduplication ratio per copy.
The average deduplication ratio of a destination copy is calculated
by (total size on disk)/(total protected app size) for the destination
copy.
Commvault recommends that Front End Backup Size be used as the only meter for customer
metering and billing. Use of any meter that mentions Media Size in deduplication environments
should be discouraged as deduplication factors obfuscate accurate reporting.
Customers are adept at managing their consumed storage (or Front End TB) on their
infrastructure. This metric is the most commonly adopted and understood metric for Backup as
a Service (BaaS) offerings.
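The Front End Backup Size rules from the definitions above, worked through on sample job records. This is an added example that illustrates the stated rules (largest full per subclient, fall back to the previous period, VSA subclients only where a client has both) and is not Commvault's report code. The job records, client names and the choice of "previous period" as the equally long window immediately before are assumptions, and the per-VM de-duplication rule is left out.

```python
"""Front End Backup Size per client, following the definition quoted in this guide.
Added example: illustrates the stated rules, it is not Commvault's report code."""
from collections import defaultdict, namedtuple
from datetime import date, timedelta

Job = namedtuple("Job", "client agent subclient type done size_gb")

# Constructed sample jobs; sizes are GB measured before compression/deduplication.
JOBS = [
    Job("tenantA-hv01", "VSA", "Essential VMs", "Full", date(2020, 7, 5), 400),
    Job("tenantA-hv01", "VSA", "Essential VMs", "Full", date(2020, 7, 19), 420),
    Job("tenantA-hv01", "VSA", "Essential VMs", "Incremental", date(2020, 7, 20), 15),
    # No full in July for this subclient: the June full is used instead.
    Job("tenantA-hv01", "VSA", "Standard VMs", "Full", date(2020, 6, 28), 250),
    Job("tenantA-hv01", "VSA", "Standard VMs", "Incremental", date(2020, 7, 10), 30),
    # Client with VSA and an application agent: only the VSA subclient counts.
    Job("tenantA-sql01", "VSA", "Premium VMs", "Full", date(2020, 7, 12), 300),
    Job("tenantA-sql01", "SQL Server", "default", "Full", date(2020, 7, 12), 180),
    # Agent-only client; the May full is outside both periods and is ignored.
    Job("tenantA-file01", "File System", "default", "Full", date(2020, 7, 3), 90),
    Job("tenantA-file01", "File System", "default", "Full", date(2020, 5, 1), 500),
]
SAMPLE_PERIOD = (date(2020, 7, 1), date(2020, 7, 31))


def front_end_backup_size(jobs, start, end):
    """Return {client: GB} for the reporting period [start, end] (inclusive)."""
    # Assumption: the previous period is the equally long window just before.
    prev_end = start - timedelta(days=1)
    prev_start = prev_end - (end - start)

    current = defaultdict(int)   # largest full per subclient, this period
    previous = defaultdict(int)  # largest full per subclient, previous period
    agents = defaultdict(set)    # agents seen per client
    for job in jobs:
        agents[job.client].add(job.agent)
        if job.type != "Full":
            continue  # only full backups are metered
        key = (job.client, job.agent, job.subclient)
        if start <= job.done <= end:
            current[key] = max(current[key], job.size_gb)
        elif prev_start <= job.done <= prev_end:
            previous[key] = max(previous[key], job.size_gb)

    totals = defaultdict(int)
    for key in set(current) | set(previous):
        client, agent, _ = key
        if "VSA" in agents[client] and agent != "VSA":
            continue  # client has VSA and other agents: count VSA subclients only
        # Fall back to the previous period only when this period has no full.
        totals[client] += current[key] if key in current else previous[key]
    return dict(totals)


if __name__ == "__main__":
    for client, size in sorted(front_end_backup_size(JOBS, *SAMPLE_PERIOD).items()):
        print(f"{client}: {size} GB")
```
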
A note on roles and responsibilities
The initial platform tasks covered in this document must be completed entirely by the Service
Provider with a Commvault user account and role of Master.
Once the Tenant Administrator account is created, the Tenant Admin may login and:
• Create additional ‘admins’ or ‘users’ for the tenant
• Onboard systems for protection to a specific plan
• Integrate company-specific identity servers with Commvault Command Center for
single-sign on.