table of contents - learnvmware.online · welcome to the best practices guide for veeam backup...

1.1

1.2

1.3

2.1

2.2

2.3

2.4

2.5

2.6

2.7

2.8

2.8.1

2.9

2.10

2.10.1

2.10.2

2.10.3

2.10.4

2.10.5

2.10.5.1

2.10.5.2

2.11

2.12

2.13

2.13.1

2.13.2

2.13.3

TableofContentsVeeamBackup&ReplicationBestPractices

Introduction

ContactingVeeamSoftware

ArchitectureOverviewDNSResolution

VeeamBackupServer

DeploymentMethod

BackupServerPlacement

SizingandSystemRequirements

VeeamBackup&ReplicationDatabase

ProtectingVeeamBackup&ReplicationConfiguration

VeeamEnterpriseManager

vCloudDirectorSelfServicePortal

SearchServerandIndexing

ProxyServers

TransportModes

DirectStorageAccess

VirtualApplianceMode

NetworkMode

BackupfromStorageSnapshots

NetAppDataONTAPintegration

NimbleStorageintegration

SelectingaTransportMode

SizingaBackupProxy

BackupRepository

RepositoryTypes

SMB

DeduplicationAppliances

2

2.13.4

2.13.5

2.14

2.14.1

2.14.2

2.14.3

2.15

2.15.1

2.15.2

2.15.3

2.15.4

2.15.5

2.15.6

2.16

2.16.1

2.16.2

2.16.3

2.16.4

2.16.5

2.16.6

2.16.7

2.17

2.18

2.19

3.1

3.2

3.3

3.4

3.5

3.6

3.7

Integrationspecifics

WindowsServer2012Deduplication

RepositoryPlanning

Sizing

PerVMBackupFiles

Scale-outBackupRepository

WANAcceleration

AnaysingWanAccelerationWorkload

ComparingWANAccelerationModes

SizingForWANAcceleration

SizingTargetsforWANAccererationRelationship

DeploymentsForWANAcceleration

IsWANAccelerationRightForme

TapeSupport

TapeSupportDeployments

TapeSupportMediaInformation

TapeSupportConfigRequirements

TapeSupportParallelProcessing

TapeSupportVirtualFull

TapeSupportWritingtoTape

TapeSupportRestores

VeeamExplorers

InteractionwithvSphere

Hyper-VConcerns

OperationalGuidelinesJobConfiguration

BackupMethods

Encryption

DeduplicationandCompression

BackupJob

BackupCopyJob

ReplicationJob

3

3.8

3.9

4.1

4.2

4.3

4.4

4.5

4.6

4.7

4.8

4.9

5.1

5.1.1

5.1.2

5.1.3

5.1.3.1

5.1.3.2

5.1.3.3

5.2

5.3

5.3.1

5.3.2

5.3.3

5.3.4

5.3.5

Application-AwareImageProcessing

DataVerificationUsingVirtualLabs

ApplicationsOverviewofApplicationsSupport

ActiveDirectory

MicrosoftExchange

MicrosoftSQLServer

MicrosoftSharePointServer

OracleDatabase

MySQL

IBMNotes/Domino

SAPHANA

ProofofConceptGuidelinesPOCGuide

Assessment

AcceleratedEvaluation

EnhancedEvaluation

WorkshopExample

Preparation

Automation

InfrastructureHardening

Backup&ReplicationAnatomy

Backup

VMRestore

InstantVMRecovery

WindowsFile-LevelRestore

Replication

Appendices

4

6.1

6.2

6.3

6.4

6.5

6.6

6.7

6.8

6.9

SizingSummary

NetworkingDiagrams

BackupServer

ProxyServer

RepositoryServer

StorageIntegration

DataValidation

Application-awareImageProcessing

EnterpriseManager

5

VeeamBackup&ReplicationBestPracticesVersion9.5Update1

Build9.5.0.823.

Bookgenerationtime:ThuJan11201815:15:27GMT+0000(UTC)

Allrightsreserved.Alltrademarksarethepropertyoftheirrespectiveowners.

Important!PleasereadtheEndUserSoftwareLicenseAgreementbeforeusingtheaccompanyingsoftwareprogram(s).UsinganypartofthesoftwareindicatesthatyouacceptthetermsoftheEndUserSoftwareLicenseAgreement.

VeeamBackup&ReplicationBestPractices

6

https://www.veeam.com/kb2222

https://www.veeam.com/eula.html

IntroductionWelcometotheBestPracticesguideforVeeamBackup&Replication.

AboutThisGuideThisguideisdevelopedbyVeeamarchitects,anditscontentisalsovalidatedbysupport,developersandQAdepartmentstoensurehighestpossiblequality.Ifyouhaveanyquestionsorcomments,pleasereachouttheauthorsdirectly,orviayourlocalVeeamSoftwarerepresentative.

Asyoupossessadownloadedversionofthise-book,youwillnoticemanyreferencestoexternalresourcesforadditionalinformation.

Thee-bookisoptimizedfordigitalconsumption,andthemostrecentcopyisalwaysavailableat:

bp.veeam.expert

IntendedAudienceThisguideisintendedforbackupadministratorsorconsultantsmanagingVeeamBackup&Replicationonadailybasis.

MostsectionsofthisguideassumeyoualreadyhavehandsonexperiencewithBackup&Replication,andwillserveasan"advanceduserguide",meaningthatmorebasicusageinformation,systemrequirementsandthelikemustbefoundinUserGuideinVeeamHelpcenter.

ServiceprovidersdeliveringBaaSandDRaaSwithVeeamCloudConnectshouldrefertothecorrespondingVeeamCloudConnectReferenceArchitecture.

AuthorsPrebenBerg(@poulpreben)AndreasNeufert(@AndyandtheVMs)TomSightlerPascaldiMarco

Introduction

7

http://bp.veeam.expert

https://www.veeam.com/documentation-guides-datasheets.html

https://www.veeam.com/wp-cloud-connect-reference-architecture-v9.html

https://twitter.com/poulpreben

https://twitter.com/AndyandtheVMs

StanislavSimakov(@ssimakov)PaulSzelesi(@PSzelesi)LucaDell'Oca(@dellock6)EdwinWeijdema(@viperian)

Introduction

8

https://twitter.com/AndyandtheVMs

https://twitter.com/PSzelesi

https://twitter.com/dellock6

https://twitter.com/viperian

ContactingVeeamSoftwareAtVeeamSoftwarewevaluethefeedbackfromourcustomers.Itisimportantnotonlytohelpyouquicklywithtechnicalissues,butitisourmissiontolistentoyourinput,andbuildproductsthatincorporateyoursuggestions.

OnlineSupportIfyouhaveanyquestionsaboutVeeamsolutions,youmayusethefollowingresources:

VeeamHelpcenterathelpcenter.veeam.comVeeamCommunityForumsatforums.veeam.com

CustomerSupportShouldyouhaveanytechnicalconcerns,suggestionsorquestions,pleasevisittheVeeamCustomerPortalatcp.veeam.comtoopenacase,searchourknowledgebase,referencedocumentation,manageyourlicensesorobtainthelatestproductrelease.

CompanyContactsForthemostup-to-dateinformationaboutcompanycontactsandofficelocations,pleasevisitwww.veeam.com/contacts.html.

ContactingVeeamSoftware

9

https://helpcenter.veeam.com

https://forums.veeam.com/

https://cp.veeam.com/

http://www.veeam.com/contacts.html

DNSResolutionDomainNameSystem(DNS)resolutioniscriticalforVeeamBackup&Replicationdeployment(VBR)andconfiguration.Allinfrastructurecomponentsshouldberesolvablethroughafullyqualifieddomainname(FQDN).ThisisespeciallyimportantforvSphere/Hyper-Vhostsandclusters.resolvablemeansthatcomponentsareaccessiblethroughbothforward(A)andreverse(PTR)lookups.

EnsurethattheVeeamBackup&Replicationserverisinstalledonamachinethathasaresolvablefullyqualifieddomainname(FQDN).TocheckthattheFQDNisresolvable,typenslookupyour-vbr-server-fqdn.domain.localatacommandlineprompt.IftheFQDNisresolvable,thenslookupcommandreturnstheIPandnameoftheVeeamBackup&replicationserver.

OnlyifDNSresolutionisnotavailableyoumayaddtheinfrastructurecomponentslikee.g.VMwarevCenter,ESXiandmanagedVeeamserverstothelocalhostsfileonallmanagedVeeamservers.Whenusingthisworkarounditisrecommendedtoaddbothshortnameandfullyqualifieddomainnameinthehostsfile.

WhenESXihostsareaddedtovCenteritisrecommendedtouseFQDN.WhenbackingupthroughthenetworkwiththeNetworkBlockDevice(NBD)transportmode,theFQDNisreturnedviaVMwareAPIforDataProtection(VADP)sothebackupproxyservermustbeabletoresolvetheFQDNviaDNS.UsingthehostsfilethedatatransportpathcanbealteredforNBDtransfers.

Pleaseseetheexamplebelow.

Examplehostsfile

10.0.4.10vcentervcenter.example.com

#10.0.4.21esx1esx1.example.com#commentedoutmanagementinterface

#10.0.4.22esx2esx2.example.com#commentedoutmanagementinterface

10.255.4.21esx1esx1.example.com#dedicated10GbEbackupnetwork

10.255.4.22esx2esx2.example.com#dedicated10GbEbackupnetwork

Toexplicitlyalterthedatatransportpath,thehostsfilemustbedeployedonallbackupproxyservers.Foreasiermanagement,pleaseseetheCarbonmoduleandSet-HostsEntrybyAaronJensen.

DNSResolution

10

http://get-carbon.org

http://get-carbon.org/Set-HostsEntry.html

DNSResolution

11

BackupServerVeeamBackup&Replicationisamodularsolutionthatletsyoubuildascalableavailabilityinfrastructureforenvironmentsofdifferentsizesandconfigurations.TheBackupServeristhecorecomponent.Features&componentrequirementswillaffectyourdecisionhowyouinstallthebackupservere.g.onedatacenterormultiplelocations.Itcouldmeanthatyouchoosetoinstalladditionalbackupserversorservicesinremotelocationstooptimizethedatastreams.

BeforeinstallingtheVeeamBackup&ReplicationserveritisimportanttounderstandthedifferentdatastreamsgeneratedbytheVeeamBackupServer(VBR)Services.

VeeamBackupServer

12

DeploymentMethodYoumaydeploytheVeeamBackup&Replicationserveraseitheraphysicalorvirtualserver.ItwillrunonanyserverwithWindowsServer2008R2orhigherinstalled(64-bitonly).InstallVeeamBackup&Replicationanditscomponentsondedicatedmachines.Backupinfrastructurecomponentrolescanbeco-installed.Thefollowingguidelinesmayhelpindecidingwhichdeploymenttypeisthebestfitforyourenvironment.

VirtualdeploymentFormostcases,virtualistherecommendeddeployment.AsitprovideshighavailabilityforthebackupservercomponentviafeatureslikevSphereHighAvailability,vSphereFaultToleranceorHyper-VFailoverClustering.Italsoprovidesgreatflexibilityinsizingandscalingastheenvironmentgrows.

TheVMcanalsobereplicatedtoasecondarylocationsuchasaDRsite.Ifthevirtualmachineitselfshouldfailorintheeventofadatacenter/infrastructurefailure,thereplicatedVMcanbepoweredon.Bestpracticeinatwo-siteenvironmentistoinstalltheBackupserverintheDRsite,intheeventofadisasteritisalreadyavailabletostarttherecovery.

PhysicaldeploymentInsmall-mediumenvironments(upto500VMs)itiscommontoseeanall-in-onephysicalserverrunningtheBackup&Replicationserver,backupproxyandbackuprepositorycomponents.Thisisalsoreferredtoasan"ApplianceModel"deployment.

Inlargeenvironments(over2,500VMs)installingBackup&Replicationservicesonseparateserverseithervirtualorphysicalwillprovidebetterperformance.Whenrunningmanyjobssimultaneously,consuminglargeamountsofCPUandRAM,scalingupthevirtualBackup&Replicationservertosatisfythesystemrequirementsmaybecomeimpractical.

AnadvantageofrunningtheVeeamBackup&Replicationserveronaphysicalserveristhatitrunsindependentlyfromthevirtualplatform.Thismightbeanidealsituationwhenrecoveringthevirtualplatformfromadisaster.Shouldthephysicalserveritselffail,thereareadditionalstepstotakebeforereestablishingoperations:

1. Installandupdatetheoperatingsystemonanewserver2. InstallVeeamBackup&Replication

DeploymentMethod

13

3. Restoretheconfigurationbackup

Inanenterpriseenvironment,youmaychoosetoinstallanadditionalbackupservertospeeduptherecoveryprocessduringadisaster.Youmayre-useexistingavailabilitycomponentssuchasaproxyorrepositoryserverforthestandbyBackup&Replicationserver.Duringadisastertheconfigurationbackupcaneasilyberestoredtothisserver.

Tip:Itisrecommendedtostoretheconfigurationbackup,usingafilecopyjob,inalocationthatisalwaysavailabletothisstandbyBackup&Replicationserver.

DeploymentMethod

14

BackupServerPlacementTheBackupserverrunsanumberofprocesses,e.g.theBackupService,BackupManagerservicesandinsomescenariosaMountServeraswell.InthischapterwewillevaluatehoweachofthosecomponentsareaffectedbyplacementoftheBackup&Replicationserver.

Byevaluatingtherolesandunderstandingthedataflowbetweentheservicesitispossibletooptimizeoverallbackupperformanceandrestorethroughputsignificantly.

HostandStorageDiscoveryTocollectinformationaboutthevirtualinfrastructureallmanagedvCentersandtheirconnectedhostsanddatastoresareperiodicallyrescanned.ThisrescanprocessisvisibleintheHistorytab>SystemsectionintheVeeamBackup&Replicationconsole.Asseenhere,theHostdiscoveryprocessrunseveryfourhours.Allthecollectedinformationisstoredwithintheconfigurationdatabase.

TheamountofcollectedinformationistypicallyverysmallhowevertheHostdiscoveryprocessmaytakelongerorevenexceedthedefaultscheduleinhighlydistributedenvironments .IfhostsorclustersareconnectedtovCenteroverahigh-latencylinkyoumayconsiderdeployingaBackupserverlocallyontheROBO,thenyoucancreateavCenterserviceaccountwithalimitedscopetothatparticularlocationinordertoreducethewindowoftheHostdiscoveryprocess.IftheROBOusesastand-alonehostitispossibletoaddthehostasamanagedserverdirectlyinsteadofthroughvCenter.

Note:AvoidaddingindividualhoststothebackupinfrastructureifusingsharedstorageinavSpherecluster.

1


15

Ifstoragewithadvancedintegration(HPE,NetApp,EMC,Nimble)areaddedtotheStorageIntegrationtabtherewilladditionallybeaStoragediscoveryprocessperiodicallyrescanningstoragehourly.ThisprocesschecksallsnapshotsforvirtualmachinerestorepointsforusagewithinVeeamExplorerforStorageSnapshots.TheVeeamBackup&ReplicationserveritselfwillnotperformtheactualscanningofvolumesbutitwillusethemanagementAPI'softhestoragecontrollertoreadinformationaboutpresentsnapshots.Onlyproxyserverswithrequiredstoragepathsavailablewillbeusedfortheactualstoragerescanningprocess .

Thefollowingtableshowsthethreedifferentscanningworkflows:

2


16

Addingnewstoragecontroller Creatingnewsnapshot Automaticscanning

1.Collectspecificstorageinformation 1.CreatingnewSnapshot 1.StorageMonitorrunsin

background

2.Listofvolumes,snapshots,LUNsandNFSexports

2.Listsinitiators 2.Detectingnewvolumes

3.Checkinglicenses,FCandiSCSIserver

3.TestingiSCSI,NFSandFCfromproxies

3.Scanningvolumesforsnapshotsevery10minutes

4.Listsinitiators 4.SearchingstorageexportsinVMware 4.Listsinitiators

5.SearchingstorageexportsinVMware

5.MappingdiscoveredVMsfromdatastorestosnapshots

5.TestingiSCSI,NFSandFCfromproxies


6.Exportandscanthesnapshotswithproxies

6.SearchingstorageexportsinVMware

7.Exportandscanthesnapshotswithproxies

7.Updateconfigurationdatabase



8.Exportandscanthediscoveredobjectswithproxies


Thescanofastoragecontrollerperforms,dependingontheprotocol,severaltasksonthestorageoperatingsystem.Thereforeitisrecommendedtohavesomeperformanceheadroomonthecontroller.Ifyourcontrollerisalreadyrunningon>90%CPUutilization,keepinmindthatthescanmighttakesignificanttimetocomplete.

Thescanningintervalof10minutesand7dayscanbechangedwiththefollowingregistrykeys.

Path:HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\VeeamBackupandReplicationKey:SanMonitorTimeoutType:REG_DWORDDefaultvalue:600DefinesinsecondshowfrequentweshouldmonitorSANinfrastructureandrunincrementalrescanincaseofnewnewinstances

Path:HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\VeeamBackupandReplication


17

Key:SanRescan_Periodically_DaysType:REG_DWORDDefaultvalue:7DefinesindayshowfrequentweshouldinitiateperiodicfullrescanafterVeeamBackupservicerescan

PerdefaultVeeamwillscanallvolumesandLUNsonthestoragesubsystem.Duringrescan,eachpresentsnapshotproducesasnapshotclone,mountstoaproxyserver,scansthefilesystem,lookupfordiscoveredVMsandunmounts.Thisisrepeatedforeverypresentsnapshot.

Example:Astoragesystemwith50volumesorLUNswith10snapshotsforeach.Scanningtheentiresystemmeans500(50x10)mountsandclonesareperformed.Dependingontheperformanceofthestoragesystemandtheproxyserver,thiscantakesignificanttime.

TominimizethescantimeitisrecommendedtoselectthevolumesusedbyVMwarewithinthesetupwizardtoavoidtheoverheadofscanningunuseddatavolumes.

File-levelRecoveryDataFlowToperformfile-levelrestoresforaWindows-basedorotherOSVMVeeammountsallVMdiskfilesfromthebackupfiles(storedontherepositoryserver)toaMountService.

Whenfile-levelrecoveryisperformedfromtheVeeambackupconsole,twomountsareinitiated:

1. Theremoteconsole-fordisplayingrestorepointcontents2. Themountserver-forperformingactualrestoretraffictothetargetVM

Note:ForVMsnotrunningaWindowsoperatingsystem,aLinuxbasedFLRhelperappliancemountsthebackupfileforreadingthefilesystem.


18

Between50-400MBofdataistransferredbetweentheconsoleandbackuprepository.Ifthefirstfilemountisperformedoveraslowconnectionitmaytakeconsiderabletimetoloadthefile-levelrecoverywizard.Ifthereissignificantlatencybetweenthebackuprepositoryandconsole,itisrecommendedtodeployaninstanceoftheconsoleonorclosertotherepositoryserver.


VeeamEnterpriseManagerisaself-serviceportalwhereadministratorsorservicedeskrepresentativescaninitiaterestoresforVMs,files,e-mailitems,OracleandSQLdatabases.

Itispossibletoavoidthefirstmountentirelybyusing"guestfilesystemindexing" .Whenguestfilesystemindexingisenabled,thecontentoftheguestVMisstoredintheVeeamCatalogandpresentedthroughVeeamEnterpriseManager.VeeamEnterpriseManagerwillinitiatethefile-levelrestorewiththemountserverwithoutrequiringthefirstmount.

Note:IfguestfilesystemindexingisdisabledrestoresmaystillbeinitiatedthroughEnterpriseManagerhowevertheywillstillrequirethefirstmounttobeperformedwithsimilarperformanceimplicationsaspreviouslydescribed.

VeeamExplorers

VeeamExplorersareinstalledaspartofthebackupserverandbackupconsolewheninstalledremotely.Whenperformingitem-levelrecoveriesthefile-levelrecoveryengineisleveraged.Pleaseseetheprevioussectionfordeploymentconsiderations.

TheVeeamExplorerforSQLServer,SharePointandOraclealluseastagingservertoallowselectingaspecificpointintimeforpoint-in-timerestore.Thisintroducesanadditionalconnectionasillustratedbelow.

3


19

DisasterRecoveryOptimizationWhenusingVeeamforreplicatingVMstoadisasterrecovery(DR)site,itisrecommendedtokeeptheBackup&ReplicationserverintheDRsitealongsidethereplicas.WhenthebackupserverislocatedintheDRsiteitenablestrue"1-ClickFailover"bybeingabletostartFailoverPlansimmediatelyandthuseliminatemanualreconfigurationbeforethefailoverprocesscanbeinitiated.

Properplanningdictatesthattoget1-ClickFailoverworkingitrequiresthatthevSphereclustersineachlocationareconnectedtoseparatevCenterservers.IntheeventofanoutageintheprimarydatacenteritisonlypossiblefortheBackup&ReplicationserverintheDRsitetoinitiatefailoverifthevCenterserveritselfisavailable.

IncaseswhenitisimpossibletohavemultiplevCenterinstancesacrosssites(e.g.MetroClusterorsimilaractive-activeconfigurations),therecommendedsolutionistousevCenterServerandfollowingthesestepsineventofadisaster:

1. ReplicatevCenterfromprimarysitetosecondarysitewithlowRPO2. ConfigureVMwareDRSaffinityrules forpinningreplicavCenterVMtoaspecifichost3. ConnecttospecifiedhostandmanuallypoweronreplicatedvCenterVM4. VerifyvCenteravailabilitythroughVeeamBackup&Replication5. InitiateFailoverPlans

4


20

ExamplesInthissectionwewilloutlinetwoexamplesbasedontwoenterpriseswith50remote/branchoffices(ROBO).Theyhavethefollowingcommoncharacteristics:

OnevCenterServerinHQmanagingallROBOsitesLocalbackupjobsforfastbackupandrestoreperformanceOffsitecopiesfromtheROBOconsolidatedatHQforD/Rprotection

Example1:CentralizedJobConfiguration

ITrequiresonecentralmanagementconsolefortheentirebackupinfrastructure,administrationandjobscheduling.Thebackupadministratorcanfollowtheseguidelines:

1. InstallandconfigureVeeamBackup&ReplicationinHQ

2. AddthevCenterServerviatheVeeamBackup&Replicationconsole

3. AddtheROBObackupserverasManagedServerintheBackupInfrastructuretab

4. ConfiguretheHQbackupserverwiththerolesBackupRepositoryandoptionallyWANaccelerator

5. ConfiguretheROBObackupserverwiththerolesBackupProxy,BackupRepositoryandoptionallyasWANaccelerator

6. ConfigureoneormoreBackupJobsforeachROBOpointingtoitslocalbackuprepository

7. AtHQconfigureoneormoreBackupCopyJobsforeachROBOpointingtothebackuprepository

8. InstallVeeamBackupConsoleontheROBObackupserverforfasterrestoreviathelocalMountServer

Note:TheremoteconsoleinstallationfilesareonthesameinstallationmediaasVeeamBackup&Replication(\Backup\Shell.x64.msi)

Constraints

Pleaseconsiderthefollowingconstraint:

IfaWANlinkbetweenHQandaROBOsfails,nobackupjobswillrun,asthebackupserverwillnotbeabletocommunicatewiththeremoteESXihostsviathecentralizedvCenterServer

5


21

Whenperformingfile-levelrestorefornon-indexedvirtualmachinesattheROBOviaVeeamEnterpriseManagertherestorepointwillbemountedovertheWANlinktoHQfordisplayingthecontentsoftherestorepoint.Thusitisrecommendedtouseindexingforsuchvirtualmachines

Example2:DistributedJobConfiguration

ITrequireslocalbackupjobsandbackupcopyjobs(withoptionalWANacceleration)arecreatedattheROBO.Forsecurityconsiderations,eachROBOisprovidedwithdelegatedaccesstoVMwarevCenter.RestorecapabilitiesfrombackupcopyjobsshouldbeconfiguredandmanagedatHQaswellasdelegatedrestoreandlicensemanagementforallsitesviaVeeamEnterpriseManager.Thebackupadministratormayfollowtheseguidelines:

1. InstallEnterpriseManageratHQ

2. InstallandconfigureVeeamBackup&ReplicationoneachROBO

3. OnvCenterServer,createseparateserviceaccountsperROBOwithalimitedscopefordisplayingonlyrelevanthostsorclusters

4. AttheROBO,addvCenterServerviatheBackupInfrastructuretabusingthescopedserviceaccount

5. Optional:AttheROBO,configurealocalWANacceleratorandcreateorre-useanexistingWANacceleratoratHQ(pleasenotemany-to-oneconfigurationsaresupported)

6. AttheROBO,addandconfiguretheRepositoryServeratHQ(pleasenotemany-to-oneconfigurationsaresupported)

7. ConfigureoneormoreBackupJobsateachROBOpointingtoitslocalbackuprepository

8. ConfigureoneormoreBackupCopyJobsateachROBOpointingtothecentralizedbackuprepositoryatHQ(useWANaccelerationasneeded)

9. InstallVeeamBackup&ReplicationConsoleatHQ.Whenusingtheremoteconsoleforconnectingtoremoteinstances,itispossibletoleveragefasterfile-leveloritem-levelrestoresatHQviatheconsole'sbuilt-inMountServer

Note:Ascomponentsaremanagedbymultiplebackupservers,alwaysensurethatthesamepatch/update/versionlevelisusedfortheentireVeeambackupinfrastructure.

.Inverylargeorextremelydistributedenvironments,itispossibletoextendtheschedulefrequencybyalteringregistrykeyVolumesDiscover_Periodically_Hours(REG_DWORD,default:4)↩

1

2


22

.Storagerescanprocedure>Re-ScanningStorageSystems↩

.MoreinformationaboutguestfilesystemindexinginVeeamHelpcenter>Guestfilesystemindexing↩

.VMwareDistributedResourceScheduler>VM-HostAffinityRules↩

.Remembertoaddsufficientresourcesifallthreerolescanrunontheremotebackupserver.↩

2

3

4

5


23

https://helpcenter.veeam.com/docs/backup/vsphere/storage_rescan.html?ver=95

https://helpcenter.veeam.com/docs/backup/vsphere/indexing.html?ver=95

https://pubs.vmware.com/vsphere-60/topic/com.vmware.vsphere.resmgmt.doc/GUID-2FB90EF5-7733-4095-8B66-F10D6C57B820.html

SizingandSystemRequirementsInthissection,wewilldescribehowtoconfigureandsizetheVeeambackupserver.

SizingwithVeeamiscumulativeinrespecttoconfigurations,ifyouwanttocreateanall-in-oneappliance(ApplianceModel)addalltheresourcerequirementstogether(CPU+Memory)tounderstandwhatintotalyouwillneed,thesamegoesifyouonlywishtohaveproxyandrepositoryinonehost.

ComputerequirementsRecommendedVeeambackupserverconfigurationis1CPUcore(physicalorvirtual)and5GBRAMper10concurrentlyrunningjobs.Concurrentjobsincludeanyrunningbackuporreplicationjobsaswellasanyjobwithacontinuousschedulesuchasbackupcopyjobsandtapejobs.(Concurrentjob–ajobthatprocessesasingleVMwithasinglevirtualdisk)

Theminimumrecommendationis2CPUcoresand8GBRAM.

Itisrecommendedtogroupmultiplevirtualmachinesintoasinglejobforbetterefficiencyandresourceusage.WithdefaultconfigurationitisrecommendedtoconfigureatminimalaVMwithasinglediskuptoaround30VMsperjob.Therecommendationcanbeincreasedbyover10x(300+VMs)byleveragingadditionalfeaturessuchasperVMbackupfiles.PleaserefertotheJobConfigurationsectionofthisguidetolearnmoreaboutjobdesign.

Allconfigurationandsessioninformationisstoredintheconfigurationdatabase.InlargerenvironmentstheloadontheSQLServerhostingtheconfigurationdatabasemaybesignificantandishighlydependentontheamountofconcurrentlyrunningjobs.FormoreinformationpleaseseetheBackupServerDatabasesectionofthisguide.

OperatingsystemTheVeeambackupserverrequiresMicrosoftWindows2008R2orlater(64-bitonly).ThelatestsupportedversionofWindowsOSisalwaysrecommended(currentlyMicrosoftWindows2016)asitwillalsosupportrestoringfromvirtualmachineswithReFSfilesystemsorWindowsServerDeduplicationenabled.

Forthefulllistofsupportedoperatingsystems,pleaserefertothecorrespondingSystemRequirementssectionoftheVeeamUserGuide.


24

https://helpcenter.veeam.com/docs/backup/vsphere/system_requirements.html?ver=95#backup_server

DiskspaceThissectionexplainswhatfoldersyoushouldplanforwhenpreparingforinstallationoftheVeeambackupserver.

Thefoldersaredetailedhereasfollows:

Installationfolder

DefaultlocationisC:\ProgramFiles\Veeam\BackupandReplication

Planfor40GB.Ifinstallinginavirtualmachine,thindisksmaybeused.Bydefaulttheinstallerwillchoosethedrivewithmostavailablefreespaceforthebuiltinbackuprepository.

Logfiles

DefaultlocationisC:\ProgramData\Veeam\Backup

LogfilegrowthwilldependonthenumberandfrequencyofjobsandtheVMcount.Considerthatthelogginglevelmayalsoaffectthelogsize,ifyouneedtochangethelogginglevelorlogfilelocationrefertothisVeeamKnowledgeBasearticle:http://www.veeam.com/kb1825.

Itisrecommendedtonotconfigurethelogginglevelbelow4,asitmaycomplicatetroubleshooting.Logginglevel6isveryintrusive,andshouldonlybeconfiguredforshortperiodsoftimewhenrequestedbyVeeamSupport.

Planfor3GBlogfilesgeneratedper100virtualmachines,witha24hourRPO.Forenvironmentswithmorethan500VMsitisrecommendedtochangethedefaultlocationtoadifferentfastaccessdisk.Manyconcurrentlyrunningjobsmayproducealotofwritestreamstologfiles,thancanslowdownoperationsfortheVeeamBackupServiceandBackupManagerprocesses.

VeeamBackupCatalogfolder

DefaultlocationisC:\VBRCatalog

ThisfolderisusedifVMguestindexinginbackupjobsisenabled.Formoreinformation,refertotheSearchServerandIndexingsectionofthisguide.Tochangethedefaultlocation,refertothisVeeamKnowledgeBasearticle:http://www.veeam.com/kb1453

vPowerNFSfolder


25

http://www.veeam.com/kb1825


DefaultlocationisC:\ProgramData\Veeam\Backup\NfsDatastore

WhenbootingVMswithInstantVMRecoveryorSureBackup,thisfolderisusedbydefaulttostoreallconfigurationfilesandredologsoftherunningVM.TooffloadthechangestoaspecificproductiondatastorerefertothecorrespondingpageoftheInstantVMRecoverywizard.

WerecommendinstallingvPowerNFSServicesoneachWindows-basedbackuprepository.ForSMB/CIFSbasedrepositoriesordeduplicationappliancesitisrecommendedtoconfigurevPowerNFSonthegatewayserver.ForLinux-basedrepositoriesitisrecommendedtoconfigurevPowerNFSonamanagedWindowsmachineascloseaspossibletotheLinuxrepository(similartoselectingaGatewayServerforSMB/CIFSordeduplicationstorages).

ThevPowerNFSserverisboundtobackuprepositoriesandthefolderlocationisdefinedperserver.ToachievebestperformanceforVMsrunningoffofvPowerNFSpleaseconfigurethefastestpossiblestorageonthebackupserverorbackuprepository.Tochangethefolderlocationpleaseseethefollowingsteps.

1. IntheBackupInfrastructure,selecttherepositoryyouwishtochange.2. Rightclicktherepositoryandgotoproperties3. WhenthewizardopensnavigatetotheMountserversettings4. UsingthebrowserbuttonslocatethenewlocationforyourvPowerNFSstorage5. Finishthewizard

Itisrecommendedtoreserveatleast10GBspaceforthisfolder.IfyouplantostartasignificantnumberofVMsorrunVMsoveralongerperiodincreasethespaceaccordinglytofittheproduced/estimatedamountofchangesgeneratedbytherunningVMs(conservativeaveragechangeratecanbedefinedas100GBper1TBVMper24hours-or10%).AdditionaldiskspaceisconsumedwhenusingQuickMigration.Seemoreinformationhere>VeeamHelpCenter>PerformingInstantVMRecovery>BeforeYouBegin.

Important!MakesurevPowerNFSisconfiguredcorrectlyontheVeeambackupserveritselfasitwillbeusedwhendeployingVirtualLabforSureBackuporwhenperformingfile-levelrecoveryforLinux-basedVMs.

ForinformationonfoldersrequiredforEnterpriseManager,backupproxyandrepositoryservers(backuptargets)andWANaccelerators,aswellasforrecommendationsontheirsizingpleaserefertothecorrespondingsectionsofthisguide.

Othersoftware


26

https://helpcenter.veeam.com/docs/backup/vsphere/instant_recovery_before_you_begin.html?ver=95

Itisstronglyrecommendedthatnohighly-transactionalandbusiness-criticalsoftwareisdeployedonthesamemachineastheVeeambackupserver.Thiscouldbe(butnotlimitedto)softwaresuchasActiveDirectory,ExchangeServerorotherintensiveproductiondatabasesontheSQLserverinstance.IfpossibleitwouldbepreferabletohavenoothersoftwareatallrunningontheVeeamBackupServer.

ItisrecommendedtofollowantivirusexclusionguidelinesasexplainedinVeeamKB1999.

IfitisnotpossibletoconnecttoaremoteSQLstagingserverforVeeamExplorersyoucaninstallStandardorEnterpriseversionsofSQL(dependingonyourlicensing)locallyforstagingdatabasesforitem-levelrestoresonthebackupserver.ThisinstallationcanalsobeusedtostoretheVeeambackupdatabaseifrequiredaslongassufficientresourcesareassignedtothehostmachine,howeverdonotrunanyinstancesinproductionfromthisinstallationthatmayaffecttheoperationofthebackupsorrestoreprocesses.SQLexpressisincludedinthedistributionbutislimitedtoa10GBdatabase.

Note:RemoteSQLServerforstagingissupportedfromv9.0

OthersoftwaresuchasMicrosoftOutlook(64-bit)formailexporttoPSTfilesviaVeeamExplorerforExchange,oraPDFviewerforreadingVeeamdocumentationareconsiderednon-disruptive.

InstallingVeeamBackup&ReplicationupdatesNewVeeamreleasesandupdatesareinstalledontheVeeamEnterpriseManagerandVeeambackupserversbythesetupwizardorbyusingtheunattendedinstallationmethod(alsoreferredtoas“silentinstallation”).Fordetailedinstructionscheckthelatestreleasenotes.

Note:VeeamBackupEnterpriseManagermustbeupdatedbeforeupdatingVeeambackupservers.

AfterinstallingupdatesopentheVeeamBackup&Replicationmanagementconsole.TheUpdatescreenwillbedisplayedandwillguideyouthroughupdatingdistributedcomponentsonotherVeeammanagedservers(likeproxyandrepositoryservers,vPowerNFSservers,WANacceleratorsandtapeservers).

Note:AsVeeamdeploysnoagentsonthevirtualmachines,youdonotneedtoupdateanysoftware(agents)ontheVMs.


27


VeeamBackup&ReplicationDatabaseVeeamAvailabilitySuite,whichincludesVeeamBackup&Replication,VeeamONEandEnterpriseManager,storesallinformationaboutbackupinfrastructure,jobssettings,jobhistory,sessionsandotherconfigurationdatainanSQLserverinstance.

WhenplanningtheVeeamBackup&Replicationdeploymentyoumustchoosetheplacementoftheconfigurationdatabase.ItmaybeeitheralocalorremoteSQLServerwithseverallicensingoptionsavailable.PleaseseethefollowingrecommendationstoensureyourBackup&Replicationsetupwillscaletothesizeofyourinfrastructure.

SQLServerEditionMicrosoftSQLServer2012SP3ExpressEditionisincludedintheVeeamBackup&Replicationsetupwhichisaconvenientoptionformostsmallerdeployments.Itdoeshoweverhaveseverallimitations whichmayaffectperformance:

Eachinstanceusesonlyupto1GBofRAMEachinstanceusesonlyupto4coresofthefirstCPUDatabasesizecannotexceed10GB

ItisrecommendedtoinstallStandardorEnterpriseEditionifanyofthefollowingapply:

Whenprotectingmorethan500VMs.ItisrecommendedtouseStandardorEnterpriseversionsofMicrosoftSQLServer.ThemaxdatabasesizeallowedbyExpressEditionisusuallysufficient,sodonotconsiderthisaconstraint.VeeamBackup&ReplicationconsoleandjobprocessingmayhoweverslowdownasaresultofCPUandRAMconstraintsontheSQLServerExpressinstance.WhenusingFilestoTapejobsextensively,thedatabasemaygrowsignificantly,andthe10GBlimitationmaybeexceededquickly.Whenunabletoconfigureanexternalstagingserver.ForVeeamExplorerforMicrosoftSQLServerorVeeamExplorerforMicrosoftSharePoint.Whenworkingwithdatabaseslargerthan10GB,SQLServerExpresscannotmountthedatabases.WhendatabasesareusingadvancedfeaturesofMicrosoftSQLServer.Suchasencryptionortablepartitioning,thelicensinglevelofthestagingserver(localorremote)mustmatchtheleveloftheoriginalinstance.

IfnoneoftheaboveapplyitisrecommendedtouseMicrosoftSQLServerExpressEditionforthesakeofsimplicity.

1


28

Tip:VeeamBackup&ReplicationsupportsMicrosoftSQLServer2008orhigher.ToleverageMicrosoftSQLServer2014enhancements(cardinalityestimatorhasprovedtoshowsignificantimprovementsforlargequeries),itishighlyrecommendedtoupdatethedatabaseservertoMicrosoftSQLServer(Express)2014orhigher.

DatabasePlacementItispossibletoleveragearemoteSQLServerasstagingserverduringrestoresinVeeamExplorerproducts.TherearenospecificeditionrequirementsforneitherSQLExpress,StandardorEnterpriseinstanceofSQLServerinstalledlocallyonthebackupserver.ItisstillrecommendedtoruntheSQLServerlocally(whenresourceandplanningallow)onthebackupserverforlowestlatencyandhighestperformance.

TheremaystillbescenarioswherearemoteSQLServeristhebetterchoice:

HighAvailability-SQLClusteringandAlwaysOnAvailabilityGrouponexternalSQLServerscanbeusedforconfigurationdatabasehighavailability

FastRecovery-Failovertoastandbybackupservercanbesimplifiedbyconnectingtotheconfigurationdatabasedirectlywithouttheneedforrestoringfromaconfigurationbackup

Licensing-SomeenterpriseshavededicatedvirtualclustersforSQLServerduetolicensingconstraints.Insuchcases,youmayplacetheVeeamconfigurationdatabaseonexistinginstancestolowertheoverallTCO

SizingVeeamBackup&ReplicationmayconsumehighamountsofCPUandRAMwhileprocessingbackuporreplicationjobs.ToachievebetterperformanceandloadbalancingitisnecessarytoprovidesufficientRAMandCPUresourcestoVeeamcomponents.Remembertoaddadditionalresources,ifthebackupserverisresponsibleformultipleroles,suchasrepositoryserverorbackupproxy.

Pleasefollowtheseguidelines:

Numberofconcurrentlyrunningjobs CPU RAM

Upto25 2 4GB

Upto50 4 8GB

Upto100 8 16GB


29

Note:ConcurrentlyrunningjobsincludeanyjobtypewithacontinuousschedulesuchasBackupCopyJobs.

Whenrunningmorethan100jobsconcurrentlyincreasecomputeresourcesinlinewiththetableabovetomeettheresourceneedoftheworkload.

Itisrecommendedtoplacetheconfigurationdatabaseonfast,resilientstoragesubsystem.Performantstorageforbackingtheconfigurationdatabasewillresultinoverallincreasedprocessingperformance.JobswithalotofmetadatasuchasverylargeSharePointfarmswiththousandsofsites,SQLServerinstanceswithmanydatabasesorFilestoTapejobsmayincreasetheI/Orequirementsfortheconfigurationdatabase.

SQLServerConfigurationTipsVeeamBackup&Replicationdoesnotrequireanyspecificsettings ontheSQLServerinordertoutilizethecapabilitiesofVeeamExplorerforSharePointorSQL.BothlocalandremoteSQLServerscanbeusedforstagingpurposes,thecorrespondingrequirementsaredetailedonVeeamHelpcenterandcanbefoundthroughthefollowinglinks:

VeeamExplorerforMicrosoftSharePointVeeamExplorerforMicrosoftSQLServer

Tip:

Enableandconfigureallfeaturesusedbyproductiondatabases.WhenpossibleusethehighestlicenselevelandlatestversionandcumulativeupdatelevelinstalledinanyVM.UsinganolderversionofSQLServerfortheconfigurationdatabasethanrunninginaprotectedVMmayresultinwarningsinjobsessionlogswhensuchVMsareprocessed.

IfyouplantorestoreencrypteddatabaseswithVeeamExplorerforMicrosoftSQLServerorSharePointyouwillneedavalidencryptioncertificateonthestagingMicrosoftSQLServer .

FollowMicrosoftgeneralrecommendationsforoptimalSQLperformance,forexample,placetheSQLtempdbonthefastestdisksforbestperformance .

ModifyingDatabaseConnectionSettingsTomodifydatabaseconnectionsettingsorconnecttoanotherVeeamconfigurationdatabaseusetheDBConfigutilityasdescribedintheproductdocumentationathttps://helpcenter.veeam.com/docs/backup/vsphere/dbconfig_utility.html?ver=95.

2

3

5


30

https://helpcenter.veeam.com

https://helpcenter.veeam.com/docs/backup/explorers/vesp_staging_microsoft_sql_server.html?ver=95

https://helpcenter.veeam.com/docs/backup/explorers/vesql_systemreqs.html?ver=95

https://helpcenter.veeam.com/docs/backup/vsphere/dbconfig_utility.html?ver=95

IfusingSQLauthenticationconsiderthatallVeeamUIandVeeamPowerShellchangesarecommunicatedusingthisauthentication.

MigratingVeeamDatabaseTomigrateVeeamconfigurationdatabasetoanotherSQLServerfollowtherecommendationsprovidedintheseVeeamKnowledgeBasearticles:

http://www.veeam.com/kb1250http://www.veeam.com/kb1448

.FeaturesSupportedbytheEditionsofSQLServer2012https://msdn.microsoft.com/en-us/library/cc645993(v=SQL.110).aspx#CrossBoxScale↩

.GenericrequirementsforSQLServercanbefoundhere:https://helpcenter.veeam.com/docs/backup/vsphere/system_requirements.html?ver=95↩

.Forrestoringencrypteddatabases,pleasesee:http://www.veeam.com/kb2006↩

.SQLServertempdbBestPractices:http://blogs.msdn.com/b/cindygross/archive/2009/11/20/compilation-of-sql-server-tempdb-io-best-practices.aspx↩

1

2

3

5


31



https://msdn.microsoft.com/en-us/library/cc645993(v=SQL.110).aspx#CrossBoxScale

https://helpcenter.veeam.com/docs/backup/vsphere/system_requirements.html?ver=95


http://blogs.msdn.com/b/cindygross/archive/2009/11/20/compilation-of-sql-server-tempdb-io-best-practices.aspx


ProtectingtheVeeamBackupServer

AsrecommendedbybestpracticefordisasterrecoveryyoucanplaceVeeamBackup&Replicationinstallationonavirtualmachineandprotectitwithbackupsorreplicas.Out-of-theboxVeeamautomaticallycreatesconfigurationbackupsonthedefaultbackuprepository.

TheseconfigurationbackupscontainalltheinformationaboutVeeamBackup&Replication,likeBackupInfrastructurecomponentsandobjects,Backupjobs(passwordsarenotstoredbydefault),SessionsandTapesetup.TheconfigurationbackupcanbeusedtoautomaticallyrebuildtheVeeamBackup&Replicationserverwithallobjects,sessionsandjobs.

Torestorealljobsandtheirmetadata(youwillbeaskedforallrequiredpasswordsduringtherestoreprocess).PleaserefertotheVeeamBackup&ReplicationUserGuideforfurtherdetails:https://helpcenter.veeam.com/docs/backup/vsphere/vbr_config.html?ver=95

Tip:Ifencryptionisenabledforconfigurationbackupthepasswordsarealsostoredintheconfigurationbackupfiles.

PlanningforDisasterRecoveryofVeeamBackupServer

Havingasoliddisasterrecoverystrategyforyouravailabilitycomponents,likethebackupserver,iskeytoasuccessfulrecovery.Forallsituationsfollowthesebasicguidelines:

1. Makesurethedailyconfigurationbackupisnotplacedinthedefaultlocationonthebackupserveritself

2. Modifythebackupconfigurationbackupsettingstopointtoasecurebackuprepositoryonadifferentlocation/site

3. Scheduletheconfigurationbackuptorunwhenthebackupserverisleastoccupied;4. Makesuretheconfigurationbackupisencryptedtoprotecttheconfigurationdetails.

Alsoallpasswordsarethanstoredintheconfigurationbackupfiles5. Checkthatyoureceivenotificationsaboutthestatusoftheconfigurationbackupjob

results6. Thinkaboutplacementofthebackupserver,configurationbackupanddatabase.Thisis

highlydependedontheoverallinfrastructuredesignandDRstrategyofyourorganization


32

https://helpcenter.veeam.com/docs/backup/vsphere/vbr_config.html?ver=95

Bydefault,VeeamBackup&Replicationisconfiguredtocreateadailyconfigurationbackup.Theresultingconfigurationbackupfileisstoredinthe\VeeamConfigBackup\%BackupServer%folderonthedefaultbackuprepository.However,forsecurity’ssake,itisrecommendedthatyoudonotstoreconfigurationbackupsonthedefaultbackuprepositoryorinanyotherfolderonthebackupserver.Inthiscase,ifthebackupserverfails,itsconfigurationdatawillremain,andyouwillbeabletorecoverthefailedbackupserver.

WhenthebackupserverisintheprimarysiteitisrecommendedtoreplicatetheVeeambackupserverVMtothesecondarysite(verifynetworkandIPmappingsettingsbeforeyoubegin;refertohttps://helpcenter.veeam.com/docs/backup/vsphere/replica_job.html?ver=95fordetails).

NoteyoucannotIPmapareplicaVeeambackupserverifthecontrolofthereplicaisbythesameserverbeingreplicated,itcanonlybedoneusinganotherVBRservertocontrolthatreplica)

Alsocheckthelocationoftheconfigurationdatabase,whenthedatabaseisexternalensurethisserverisalsoreplicatedtothesecondarysite.Iftheserverisreplicatedsuccessfully,intheeventofadisaster,youmaystartitsreplicainthesecondarylocationwithouthavingtoreinstallVeeamBackup&Replication.ThiswillhelptoloweroverallRecoveryTimeObjective(RTO).

TipUseVeeam'sFileCopyJobtoplaceacopyoftheconfigurationbackupattheDRsite.Youcanconfigureanotherrepositoryforthatpurpose.

NoteAlldatarequiredforarestoreisdirectlyplacedwithinthebackupfile(whichVMsareinthebackupfileaswellasdeduplicationandencryptioninformation),evenintheeventthatconfigurationdatabaseislostordamagedyoucansetupanewVeeambackupserverandimportthebackupfilesthere,orevenusethestand-alone“Extract”utility(bothacommandlineandagraphicalversionareprovided).ThenyouwillbeabletorestoreVMs,filesandapplicationdatawithoutrestoringtheconfigurationdatabase.

Note:Backupcopyjobsdonotprocessconfigurationbackups.Rememberthatconfigurationbackupsarenotprocessedwithbackuptotapejobs;ifyouwanttostoreconfigurationbackupsontapeusefiletotapejobsinstead.

AntivirusonVeeamServers

Antivirussoftwaremonitorsall'write'operationsontheoperatingsystemandthisalsoextendstoVeeambackupfiles.Datathatisprocessedbyabackupproxyandrepositorycanoverloadtheantivirussystemsothatitblocksthebackupfiles,thiscanslowdownthebackupprocessorevenleadtobackupfilecorruption.Toavoidthisitisrecommendedto


33

https://helpcenter.veeam.com/docs/backup/vsphere/replica_job.html?ver=95

addthefollowingitemstothelistofantivirusexclusionsonallVeeamserversincludingVeeambackupserver,proxyserver,repositoryserver,WANacceleratorserver,tapeserver,andothers.

FoldersontheVeeamServer

C:\ProgramFiles\Veeam

C:\ProgramFiles(x86)\Veeam

C:\ProgramFiles\CommonFiles\Veeam

C:\ProgramFiles(x86)\CommonFiles\Veeam

VBRCatalog([HKLM\SOFTWARE\Veeam\VeeamBackupCatalog\]CatalogPathvalue)

NFS(Configuredineachrepository,storedin[HKLM\SOFTWARE\Wow6432Node\Veeam\VeeamNFS\]RootFoldervalue)

C:\VeeamFLR\*

C:\Windows\Veeam

FolderonGuestOSforVSS

C:\Windows\VeeamVssSupport

C:\Windows\VeeamLogShipper

FolderonVMwareBackupProxiesandCIFSRepositoryGateway


C:\Windows\Veeam

FoldersonWindowsRepositories


C:\Windows\Veeam

AllVeeamrepositoryfolders

FoldersonWANaccelerator


34


C:\Windows\Veeam

AllWANcachefolders

Files

VeeamAgent.exe

VeeamAgent64.exe

.vmdk.vbk.vlb.vib.vrb.vbm.vbo

Tip:Duetothecomplexnatureofantivirussoftwaresomeadditionalexclusionsmaybeneeded.IftheantivirushasaloggingorhistorysystemyoucanreviewitslogstodetectwhetherithastakenanyactionsthatmightaffectedVeeamBackup&Replicationoperations.

ConsiderthatotherservicesorprocessmaybeusingportsconfiguredfortheVeeamvPowerNFSService.ToavoidpossibleissuesitisrecommendedtostoptheVeeamvPowerNFSServiceifyoudonotplantouseit.MakesurethatnoneoftheNFSportsareusedbyothersoftware(includingantivirussystems).FormoreinformationpleaserefertothisVeeamKnowledgeBasearticle:http://www.veeam.com/kb1055.


35


VeeamBackupEnterpriseManager

WhethertoDeploy?EnterpriseManagerisintendedforcentralizedreportingandmanagementofmultiplebackupservers.Itprovidesdelegatedrestoreandself-servicecapabilitiesaswellastheabilityforuserstorequestVirtualLabsfrombackupadministrators.Itprovidesacentralmanagementpointformultiplebackupserversfromasingleinterface.EnterpriseManagerisalsoapartofthedataencryptionanddecryptionprocessesimplementedintheVeeamsolutionandbestpracticerecommenddeployingEnterpriseManagerinthefollowingscenarios:

ItisrecommendedtodeployEnterpriseManagerifyouareusingencryptionforbackuporbackupcopyjobs.Ifyouhaveenabledpasswordlossprotection(https://helpcenter.veeam.com/docs/backup/em/em_manage_keys.html?ver=95)fortheconnectedbackupserversbackupfileswillbeencryptedwithanadditionalprivatekeywhichisuniqueforeachinstanceofEnterpriseManager.ThiswillallowEnterpriseManageradministratorstounlockbackupfilesusingachallenge/responsemechanismeffectivelyactingasaPublicKeyInfrastructure(PKI).

IfanorganizationhasaRemoteOffice/BranchOffice(ROBO)deploymentthenleverageEnterpriseManagertoprovidesiteadministratorswithgranularrestoreaccessviawebUI(ratherthanprovidingaccesstoBackup&Replicationconsole).

Inenterprisedeploymentsdelegationcapabilitiescanbeusedtoelevatethe1stlinesupporttoperformin-placerestoreswithoutadministrativeaccess.

Fordeploymentsspanningmultiplelocationswithstand-aloneinstancesofEnterpriseManagerwillbehelpfulinmanaginglicensesacrosstheseinstancestoensurecompliance.

SearchingtheIndexescanalsobeusedtofindfilesthathavebeenbackedupandtheindexesstoredintheEnterpriseManagerdatabase.

EnterpriseManagerisrequiredwhenautomationisessentialtodeliveringITservices—toprovideaccesstotheVeeamRESTfulAPI.

IftheenvironmentincludesasingleinstanceofBackup&ReplicationyoumaynotneedtodeployEnterpriseManager,especiallyifyouwanttoavoidadditionalSQLServerdatabaseactivityandserverresourceconsumption(whichcanbeespeciallyimportantifusingSQLServerExpressEdition).


36

https://helpcenter.veeam.com/docs/backup/em/em_manage_keys.html?ver=95

Note:IfEnterpriseManagerisnotdeployed,passwordlossprotectionwillbeunavailable.

UsingEnterpriseManagerforRestoreOperations

1-ClickFile-levelRestore

WithEnterpriseManager,youcanrestoreVMguestfileswithasingleclick.TosupportthiscapabilitytheVMrestorepointmustbecreatedwithapplication-awareimageprocessingenabled.Additionally,ifguestfilesystemindexingisenabled,itispossibletosearchforfilesacrossVMbackups.

Note:ItispossibletorestoreVMguestfilesevenwhenapplication-awareimageprocessingorfileindexingisdisabled.Ifbotharedisabled,therestoreoperatormusttypeinguestOScredentialsduringafile-levelrestore.

ThebackupcatalogontheEnterpriseManagerserverwillbeusedtostoreindexingdatareplicatedfromthebackupcatalogonVeeambackupserver(s).Formoreinformationabouttheprocess,refertotheEnterpriseManagerUserGuide.TolearnmoreaboutVeeamBackupCatalogsizingrefertothe“SearchServerandIndexing”sectionofthisdocument.

1-ClickApplicationItem-levelRestore

YoucanrestoreitemsfromMicrosoftExchange,MicrosoftSQLServerandOracleDatabaseswithasingleclickusingVeeamBackupEnterpriseManager.Thesecapabilitiesweredevelopedtoelevatethe1stlinesupportengineers,enablingthemtorecovermailitemsandotherMicrosoftExchangeobjectswithoutanydirectvisibilityofthemailboxordatabasecontent.DatabaseadministratorsarenowabletorestoreMicrosoftSQLServerand/orOracledatabaseswithoutaddressingthebackupteam.

MicrosoftExchangeMailboxItemsRestore

TheprocessofrestoringanExchangemailboxisdescribedintheBackupandRestoreofMicrosoftExchangeItemssectionoftheVeeamBackupEnterpriseManagerUserGuide.

Tocreateanapplication-awareimagebackupofMicrosoftExchangedatabaseVMensureyoubackupatleastoneserverholdingtheClientAccessServer(CAS)role(ThiscanbeExchangeServerwiththeMailboxDatabaseroleoradedicatedserver.ContacttheExchangeadministratorifnecessary).AserverholdingtheCASroleisusedtodiscoverthemailboxlocationforthecorrespondinguser.YoushouldsupplycredentialsforauthenticationwiththeCASserverontheConfiguration>Settingspageasdescribedhere.


37

https://helpcenter.veeam.com/docs/backup/em/veeam_backup_catalog.html?ver=95

https://helpcenter.veeam.com/docs/backup/em/em_exchange_items_restore.html?ver=95

https://helpcenter.veeam.com/docs/backup/em/em_providing_access_rights_exch.html?ver=95

MicrosoftSQLServerDatabaseRestore

ToperformdatabaselevelrestoresofSQLServerdatabasesusingEnterpriseManagerensureyouenableapplication-awareimageprocessingforthecorrespondingbackupjob.Tousepoint-in-timerecoveryenablelogfilebackupsoftheMicrosoftSQLServerVM.FormoredetailsrefertotheBackupandRestoreofMicrosoftSQLServerDatabasessectionoftheVeeamBackupEnterpriseManagerUserGuide.

OracleDatabaseRestore

Toperformdatabaselevel,restoreofOracledatabasesusingEnterpriseManagerensureyouenableapplication-awareimageprocessingforthecorrespondingbackupjob.Tousepoint-in-timerecovery,enablelogfilebackupsoftheOracleVM.FormoredetailsrefertotheBackupandRestoreofOracleDatabasesectionoftheVeeamBackupEnterpriseManagerUserGuide.

YouhavetwooptionstorestorethroughEnterpriseManager:1-ClickRestoretoOriginalLocationorRestorewithCustomSettings.WhenrestoringwithcustomsettingsmakesurethattherestoreoperatorisenabledtoalsorestoreOracleDatabases.Formoreinformationseeprovidingaccessrights

Note:DatabaserestorefromstoragesnapshotsviaEnterpriseManagerisnotsupported.

Self-ServiceFileRestore

Inadditionto1-ClickFile-LevelRestoreBackup&ReplicationallowsVMadministratorstorestorefilesorfoldersfromaVMguestOSusingabrowserfromwithintheVMguestOS,withoutcreatingspecificusersorassigningthemspecificrolesattheVeeamEnterpriseManagerlevel.TodothisanadministratoroftheVMcanaccesstheself-servicewebportalusingthedefaultURL:"https://ENTERPRISE_MANAGER:9443/selfrestore".

Tip:ThisfeatureisavailableonlyfortheWindows-basedVMsandrequiresVeeamBackup&ReplicationEnterprisePluslicense.TheVMneedstobeinthesamedomainwiththeEnterpriseManagerorinatrustedone(forSIDresolution)

Theprocessgoesasfollows:

1. DuringthebackupofaVMwithguestprocessingenabled,VeeamdetectsuserswhohavelocaladministratoraccessrightstothatmachineandstoresthisinformationintheEnterpriseManagerdatabase.

2. Userenterstheself-servicewebportalURLinthewebbrowserandenterstheaccountnameandpasswordtoaccessthenecessaryVMguestOS.


38

https://helpcenter.veeam.com/docs/backup/em/em_sql_db_restore.html?ver=95

https://helpcenter.veeam.com/docs/backup/em/em_oracle_bu_restore.html?ver=95

https://helpcenter.veeam.com/docs/backup/em/em_providing_access_rights_sql.html?ver=95

https://ENTERPRISE_MANAGER:9443/selfrestore

3. AfterloggingintheuserispresentedwiththemostrecentrestorepointforthatVM(theonethisuserauthenticatedto)ontheFilestabofthewebportal.

Note:ThisfeaturealsoworksforbackupsfromVeeamAgentsforWindowsstoredonaVeeamBackup&Replicationrepository.

FormoreinformationonusingthisfeaturerefertotheSelf-RestoreofVMGuestFilessectionoftheVeeamBackupEnterpriseManagerUserGuide.

Self-ServiceBackupPortalforvCloudDirector

EnterpriseManagerinversion9.5alsosupportsaVeeamSelf-ServiceBackupPortalthatprovidesvCloudDirectororganizationadministratorswithaUIforself-serviceoperationsonVMsprotection.Forthat,avCloudDirectororganizationadministratorcanaccesstheself-serviceportalusingthedefaultURL:"https://enterprise_manager_host_name:9443/vCloud/OrgName".

RESTfulAPIServiceTheRESTfulAPIserviceisinstalledaspartofVeeamBackupEnterpriseManager.ToprovideaccesstotheAPIconsiderthatauthenticationwilltakeplacethroughEnterpriseManager.EnterpriseManageruserroleassignments(PortalUser,RestoreOperator,PortalAdministrator)andtheiraccessscopesaccesswillbeinheritedbytheRESTfulAPIservice.FormoreinformationonroleassignmentseetheConfiguringSecuritySettingssectionoftheVeeamBackupEnterpriseManagerUserGuide.


39

https://helpcenter.veeam.com/docs/backup/em/em_self_restore.html?ver=95

https://enterprise_manager_host_name:9443/vCloud/OrgName

https://helpcenter.veeam.com/docs/backup/em/configuring_security_settings.html?ver=95

VeeamvCloudDirectorSelf-ServicePortalvCloudDirectorSelf-ServicePortalisdesignedforserviceprovidersrunningVMwarevCloudDirectorandwillingtoofferself-servicecapabilitiestotheirtenants.Withtheportal,userscanconfiguretheirownbackupjobs,andrestorevirtualmachinesandsinglefileswithoutanyinterventionfromtheserviceprovider.Fromatechnicalpointofview,theportalisanadditionalcomponentofVeeamEnterpriseManager,andassuchitisinstalledduringtheEnterpriseManagerinstallation.

Requirementsandlimits

SupportedversionsofvCloudDirectorare:8.10,8.0,5.6,5.5.onlyonevCloudDirectorinstallation(singlecellorcellcluster)canbemanagedbyasingleEnterpriseManager.IfaserviceproviderhasmultiplevCloudDirectorinstallations,theywillrequirethesameamountofEnterpriseManagerstoprotectallofthem.vCloudDirectorSelf-ServicePortalcannotbeinstalledonadifferentmachinethanEnterpriseManager.Forthisreason,plantheplacementandthesecurityofthePortalaccordingly.


40

InordertohardentheinstallationofthevCloudPortal,administratorscanworkontheIIS(InternetInformationServer)websitecreatedbyVeeaminstaller,andleverageallthesecurityfeaturesavailableinIISitself.

NOTE:BecausethevCloudPortalisasubfolderoftheEnterpriseManagerinstallation,inordertomodifyitssettings,thesamesettingsneedtobeeditedfortheentireinstallation.

FileLevelRestoreforWindowsVMs

WhenafileneedstoberestoredforaWindowsVM,atenantusestheSelf-ServiceBackupPortaltomountandbrowseabackupset(orhecanusethesearchfunctiontolookforthesamefile):

Themountoperationoftheindexisinstantaneous,andatenantcanbrowsethecontentofthebackupsettolookforthefile(s)heneeds.Oncethefilehasbeenidentified,therearethreedifferentoptions:

tenantcandownloadthefilelocallyintohisownworkstationfromtheSelf-ServiceBackupPortaltenantcanrestorethefileinitsoriginallocationinsidetheguestVM,overwritingthepreviousversion


41

tenantcanrestorethefileinitsoriginallocationinsidetheguestVMwithanewname,sothatboththenewandthepreviousversionsarekept

Option2and3usethesamerestoremechanism:VeeamfirsttriestoconnecttotheGuestVMviathenetwork,butsincethisisusuallyanisolatednetworkinsidevCloudDirectorandthereisnodirectconnectivitybetweenthevCloudOrganizationNetworkandthemanagementnetworkwhereVeeam(actually,themountserver)isdeployed,VMwareVIXAPI(uptovSphere6.0)orVMwarevSphereGuestInteractionAPI(startingfromvSphere6.5)areusedtocompleteanetworklessrestore.

Thefileisrestoredintheoriginallocation,withthe“RESTORED-“prefix:

NOTE:vSphereAPIusedfortheseoperationsaremainlydesignedforexecutingcommandsinsidetheGuestOS,notforfiletransfers.Forthisreason,performanceoflargefilerestoreoperationsmaynotbeoptimal.Pleaseconsiderthe"Download"optionforsuchactivities.

FileLevelRestoreforLinuxVMs

WhenafileneedstoberestoredforaLinuxVM,someadditionalconfigurationneedstobecompletedbytheserviceprovider,otherwisethetenantwillnotbeabletoexecuteanyrestore.

VeeamBackup&ReplicationusesaMulti-OSFLRHelperAppliancevirtualappliancetorunfilelevelrestoresfornon-Microsoftfilesystems.ThisapplianceisconfiguredbyaVeeamadministratorbeforeitcanbeusedforanyfilerestore.Otherwise,thefirsttimeatenanttries


42

torestoreafileforoneifhisLinuxVMs,hewillreceivethiserrorintheSelf-ServiceBackupPortal:

AVeeamadministratorneedstoconfiguretheappliancefromtheVeeamConsole.ThiscanbeachievedbyinitiatingafileleverrestoreforanyLinuxVM:

TherestorewizardsaskstoconfiguretheHelperAppliance.ThewizardsuggeststhattheapplianceshouldbeconnectedtothesamenetworkwheretheguestVMislocated,butitmissestheotherimportantinformation,thattheFLRapplianceneedstoconnectfirstofalltotheVeeammountserverviaportTCP/6170.


43

Inthisexample,dvp-prodVMisamanagementnetworkwherethedifferentVeeamcomponentsarerunning.OncetheFLRapplianceisconfiguredfromtheVeeamBackupServer,itsconfigurationcanbeusedalsofromtheSelf-ServiceBackupPortalbyatenanttomountthebackupinthewebinterface:


44

Thetenanthasthethreedifferentoptionstorestoreoneormorefilesfromthebackupset.WhiletheDownloadoptionisimmediatelyconsumablebythetenant,thetwoRestoreoptionsrequireevenmorenetworkingconfigurations,astheVeeamBackupServerwouldtrytoconnecttotheGuestVMtostarttherestoreprocessfromwithintheguest,butsincethere’snonetworkconnectivitybetweenthetwo,itwillfail:


45

Forthisreason,whenVeeamBackup&Replicationisusedincompletelyfencedenvironments,wesuggesttoleveragethedownloadoptionsofthevCloudSelf-serviceportal,andlettenantconsumethisportaltoretrievethefilestheyneed.Toavoidadoubleoperationofdownloadingthefiletotheirworkstationsandthenuploadingthemagaintothelinuxmachine,wesuggestasabestpracticetoaccesstheportalfromavirtualmachinealreadyrunninginsidethevCloudvirtualdatacenter.Ifthemachineusedtoretrievethefilesisnotthefinaldestinationoftherestoredfiles,atenantwilljustneedatoollikeWinSCPtotransferthefiletothelinuxmachine,butboththedownloadandthescpcopywillhappeninalocalnetwork,withthefilesnotevenleavingtheserviceproviderdatacenter.

Multipleconcurrentrestores

Iftheserviceproviderisofferingtheself-servicecapabilitiesoftheVeeamvCloudPortal,itcouldnotbesouncommonthatmultipletenantswillstartarestoreoperationatthesametime.

Customer1ownsasinglelinuxvirtualmachinecalledlinux,insidethelinux_vappvcloudapp.Hewantstorestoreafilefromthelatestbackup,sohestartstheprocedurefromtheself-serviceportalasdescribedbefore;thecustomerselectstherestorepointandasksthesoftwaretoinitiatethemountoperation.

Thecustomercanbrowsethecontentofthebackup,dosearches,anddownloadanyfilehemayneed.Inthebackend,VeeamBackup&ReplicationisusingtheFLRAppliancetomountthebackupandreadthelinuxfilesystemusedbythelinuxvirtualmachine.

Themachineisautomaticallydisposed(poweredoffanddeletedfromthevSphereenvironment):

After15minutesofinactivityfromthevCloudPortalIftherestoreoperatorlogsoutfromthevCloudPortal

Fortheentiredurationoftherestoreprocess,theFLRwillbepoweredonandusedbythetenant.

TheconfigurationoftheFLRappliancecanbedoneintwoways,byassigningafixedIPaddressorbyleveragingaDHCPserver.Astheapplianceisoftenmanagedasaregularserver,andtobesureitalwayshaveanIPaddresstostartandexecutetherestores,manyadministratorsconfigureitwithastaticIPaddress.TheIP10.2.50.126inourexampleisastaticIPaddressasyoucanseefromthepreviousscreenshot.

Duringafilerestorefromtheportal,VeeamBackup&ReplicationusestheexistingconfigurationoftheFLRappliance,sincethereisnopossibilitytochangetheconfigurationfromtheportalitself.Thisworksperfectlyforonesinglerestoreoperation,butifanother


46

tenanttriestodoafilerestoreforoneofhislinuxmachinesafterthefirstcustomerisalreadyperformingarestore,anerrorwillbereturned:

Customer2hastowaituntilCustomer1hasnorestoreoperationrunninganymore,beforehecanstarthisownrestore.ThisisdoneonpurposetoavoidmultipleFLRappliancestobespinupusingmultipletimesthesameIPaddress,thusleadingtounexpectedresults.

Toallowsmultipleconcurrentrestores,thesolutionistoconfiguretheFLRappliancewithadynamicIPaddress,onceaserviceproviderhasverifiedthataDHCPserverisavailableintheportgroupwheretheappliancewillbeconnected:


47

Withthisconfiguration,multiplerestoreoperationscanbesupported:


48

Indexing

IndexingandSearchOverview

VeeamBackup&Replicationperformsbackupsattheimage-levelusingAPIsavailablefromtheunderlyinghypervisor.Ithasnodirectvisibilityofthefilestructureafterbackupisfinished.ItispossibletoUseFileLevelRecovery(FLR)wizardorEnterpriseManagertomountVMsfromwithinabackupfileandaccess/restoreVMguestfiles.IfauserwantstoperformfilerestorefromthecentralEnterpriseManageritisnotpossiblewithinanacceptabletimeframetomountallbackupfilesandVMsinittofindafilethattheEnterpriseManageruserwantstorestore.Tosupportadvancedfile-levelrestorescenariosVeeamoffersthecapabilitytoindexfilesonVMsbeingbackedup.IndexingisavailableforbothWindows&LinuxVMsallowingusersofEnterpriseManagertobrowseandsearchforthenecessaryfilesandtoperformone-clickfilerestores.

Thesectionsbelowwilloutlinesomespecificusecasesforindexinganddescribebestpracticesandguidelinesforsizing.

WhentoUseIndexing?

File-levelindexingshouldbeenabledonlyifyouplantoutilizeadvancedfilesearchandone-clickfilelevelrestorecapabilitiesofEnterpriseManager(includingdelegatedrestore).Whileindexingisajob-levelsettingyoucanusefilterstoindexonlyasubsetoffiles.ItispossibletoexcludespecificVMsfromindexingasdescribedforexampleinThissectionoftheVeeamBackupEnterpriseManagerUserGuide

HowVeeamIndexingWorks

Veeamindexingcreatesaseparateindexfileinthecatalogforeachrestorepoint.TheseindexfilesareusedbyVeeamEnterpriseManagertosupportfilebrowsingorsearchingwithoutaneedtomounttherestorepointtothemountserver.Userscanquicklysearchforfilesacrossmultiplerestorepointsviewingtherequiredfilehistorywhenlookingforaspecificversionofadocument.TheycanalsoselectaspecificVMandbrowsethefilesystemtorestoreguestfiles.

EnterpriseManagerallowsforfile-levelrestorefunctionstobedelegatedtoasubsetofusersbyleveragingtherole-basedaccesscontrol.

DuringtheVMbackupjobrunthefollowingoperationsareperformedIfconfigured:


49

https://helpcenter.veeam.com/backup/em/indexing_hiw.html

1. VeeamaccessestheguestOS(usingcredentialsspecifiedinthejobsettings)andinjectsasmallrun-timeprocesstocollectthelistoffiles.

ForMicrosoftWindows-basedVMstheprocessgathersfilemetadatabyreadingtheMFTdataofthesupportedfilesystem(NTFSandReFS).

ForLinux-basedVMstheprocessleveragestheexisting“locate”databasethatiscommonlyinstalledonmostLinuxdistributions.Veeamusesthefollowingsoftwarepackagesforit:mlocate,gzipandtar

Theseoperationstakeplaceinparallelwiththebackupanddonotincreasethedurationoftheprocess.FormoredetailsontheindexingprocessrefertotheVeeamBackupEnterpriseManagerUserGuide.

1. VeeamBackup&Replicationcreatesacatalog(index)oftheVMguestOSfilesandstoresindexfilesontheVeeambackupserverintheC:\VBRCatalog\Index\Machines\{vm_name}folder.CreationoftheindexisextremelyfastandhasminimalimpactonnetworkandVMwareenvironment.

2. OncetheindexiscreatedandstoredonVeeambackupservers,theindexingserviceonVeeamBackupEnterpriseManagerperformsindexcopy—itaggregatesindexdataforallVMimagebackupsfrommultiplebackupserverstotheEnterpriseManagerdatabasewhiletheoriginalindexfilesinthebackupserversaredeletedtoconservespace.TheconsolidatedindexesarestoredontheEnterpriseManagerserverintheC:\VBRCatalog\Index\Catalogandareusedforsearchqueries.

ImportantToNote!

TosearchwithintheindexcatalogitisnecessarytodeployVeeamBackupEnterpriseManager,thiscomponentisinchargeofcatalogdatareplicationandretention(seethissectionoftheUserGuideformoredetails).IfyouenableindexingwithoutconfiguringEnterpriseManagertheindexesintheVBRCatalogfolderofthebackupserverwillneverbecollectedordeletedandwilleventuallyfillupthediskdrive.

TemporaryVMDiskUsage

DuringtheindexingprocessindexinginformationistemporarilystoredonthelocalVMguestrequiringadditionalfreespaceonthesystemdrive.

WindowsVM

TemporaryspacerequiredonthefirstdriveintheVM(С:\drive):


50

https://helpcenter.veeam.com/docs/backup/em/introduction.html?ver=95

https://helpcenter.veeam.com/docs/backup/em/veeam_backup_catalog.html?ver=95

100MBperonemillionfiles

Thiswastestedwithonemillionfileswith20characterslongfilenamesinonedirectory.Dependingonthesavedmetadataandfolderstructureofthefiles,thevaluecanbelowerorhigher.

LinuxVM

Temporaryspacerequiredin/tmp:

50MBperonemillionfiles

Linuxindexesrequirearound50%lessspacebecausemlocatedoesnotindexmetadatasuchastimestampsandownership.

SizingEnterpriseManagerCatalog

TheVeeamCatalogServiceisresponsibleformaintainingindexdata.Whenrunningonthebackupserverthiscatalogservicewillmaintainindexdataforalljobsthatrunonthatspecificserveraslongasthebackupdataremainsondisk.WhenrunningontheEnterpriseManagerservertheservicewillmoveindexdatafromallmanagedbackupserversintotheEnterpriseManagerlocalcatalogdeletingthefilesfromtheoriginatingbackupservercatalog.SoitshouldbesizedappropriatelytoholdalldatafromtheremoteVeeamservers.

WhenusingaStandardlicense,EnterpriseManagerwillonlykeepindexdataforrestorepointsstillinrepositories.

ForEnterpriseandEnterprisePluslicenses,youcanconfigureEnterpriseManagertokeepindexesevenlonger,withthedefaultbeing3months.Thiscansignificantlyincreasetheamountofspacerequiredforthecatalog.

Estimatedusedspaceofthefinalindexfileaftercompressionisapproximately2MBper1,000,000filesforasingleVMrestorepointontheEnterpriseManagerserver.Theindexesarealsostoredinthebackupfilesandtemporaryfoldersonthebackupserver.

Example

Belowisanexamplethatsummarizestheinformationabove.TheexampleisgivenperindexedVMcontaining10,000,000files.

2MB*10millionfiles*60restorepointspermonth*3monthsindexretention=3.5GB

RecommendedSettings


51

FollowtheserecommendationswhensettingupVeeamindexing:

Placethecatalogonadedicatedvolumeofhighperformancedisk.TochangethedefaultVeeamCatalogfolderlocationrefertothisVeeamKnowledgeBasearticle:http://www.veeam.com/kb1453.

YoucanenableNTFScompressiononthecatalogfolder.Thiscanreducethespacerequirementsbywellover50%.Forverylargecatalogs(with100sofVMsand10'sofmillionsoffiles)itcanbemorebeneficialtouseaWindows2012R2volumewithDataDeduplicationenabled.Thisvolumeshouldbededicatedtoindexfilesandconfiguredtorundeduplicationfunctionsoutsideofthenormalbackupwindow.

ItisrecommendedtoenableindexingonlyonVMswheretheadvancedsearchcapabilitiesarenecessary.Usefilterstoexcludeunnecessaryfilesfromindexing(Windowssystemfolder,ProgramFilesandothersystemdirectoriesareexcludedbydefault).FortheLinuxsystemstobeindexed,makesuretheyhavemlocateoranothercompatiblelocatepackageinstalled.

Itispossibletolowertheretentionofindexesforofflinemedia(e.g.tapearchives)inordertoreducespacerequirements.TheretentionisconfigurableinVeeamBackupEnterpriseManager,anditisrecommendedtoconfigureitfortheminimumnecessarytomeettheITpolicyrequirements.IndexretentionsettingisavailableintheEnterpriseManagerwebconsoleunderConfiguration>Settings>GuestFileSystemCatalog.

Toenhancesearchperformance,SSDscanbeused.IfyouplantoindexaverylargenumberofVMsitisrecommendedtolimitthesearchscopeatrestoretoasingleVMbeforeyouclickthesearchbutton,thiswillbringfasterresults.

Notes:

TotakeadvantageofindexingonSUSELinuxEnterpriseServer(SLES)youmustberunningversion12orabove.InlowerversionsthatdonotcontainbydefaultthemlocatepackageyoumaytrythisOpenSUSEpackagehttp://software.opensuse.org/package/mlocate

VeeamBackupEnterpriseManagerSQLdatabase(VeeamBackupReporting)willnotgrowmuchwhileusingindexingfunctions,asthisdatabasewillonlystorethecorrespondingmetadata.

UsingVeeamBackupSearch(OptionalComponent)

InitsearlyversionsVeeamdidnothaveitsownindexingengine,insteaditusedtheVeeamBackupSearchcomponenttoconnecttotheMicrosoftSearchServer2010thatprovidedsearchcapabilities.NowVeeamhasitsownbuiltinindexingenginedevelopedspecifically


52

http://www.veeam.com/kb1453.

http://software.opensuse.org/package/mlocate

forthispurpose.

ItisnolongerarequirementtohaveaVeeamBackupSearchconfiguredasVeeamIntegratedindexingenginecanbemoreperformant.

IfyouneedtousethatVeeamBackupSearchcomponent(andMicrosoftSearchServer)forindexingconsiderthefollowingnotes:

MicrosoftSearchServerExpressEditioncanbeusedasithasnolimitationsforthenumberofindexedfiles.

OthereditionsofMicrosoftSearchServerdeliverhigherscalabilitybecauseSearchServercomponentscanbeseparatelyinstalledonmultipleservers.IfyouareusingEnterpriseManagerconsiderthatitcanspreadtheloadbetweenmultipleMicrosoftSearchServersExpressautomatically.

MicrosoftSearchServerfunctionalityisusedtoscancontentinthesharedVBRCatalogfolderontheVeeamBackupEnterpriseManagerserverandtocreateacontentindexontheSearchServer;thiscontentindexisusedtoprocesssearchqueries.Formoredetails,refertotheVeeamBackupSearchsectionoftheUserGuide.

Note:ThoughusingcontentindexstreamlinesthesearchprocesstheindexitselfcanrequiresignificantspaceondiskinC:\VBRCatalog\Journal\[YYYY_MM]\[search-server].

SearchServerrequiresanSQLdatabaseforitsoperation.ConsiderthatMicrosoftSQLServerExpressEditionleveragesonlyoneCPUwhichlimitstheSearchServerperformance.Thedatabasesizesupportedbythiseditionisalsolimited(inparticular,10GBforMicrosoftSQLServer2008R2ExpressEditionorlater).


53

https://helpcenter.veeam.com/docs/backup/em/em_appendix_b_install_search.html?ver=95

ProxyServerWithbackupproxiesyoucaneasilyscaleVeeambackupinfrastructurebasedontheorganizationdemands:

InasimpledeploymentscenarioforsmallerenvironmentsorPOC,thebackupproxyisautomaticallyinstalledontheVeeambackupserveraspartoftheVeeamBackup&Replicationinstallation.

Inadvanceddeployments,thebackupproxyroleismanuallyassignedtooneormoreWindowsservers.ThisapproachallowsforoffloadingtheVeeambackupserver,achievingbetterperformanceandreducingthebackupwindow.

Backupproxiescanbedeployedbothintheprimarysite,wherethebackupserverislocated,orinaremotesitewhereadditionalinfrastructureneedsbeingbackedup.AproxyserverisinstalledonanymanagedMicrosoftWindowsserveraddedtothebackupinfrastructure.Dependingonwhethertheproxyserverisinstalledonaphysicalorvirtualmachine,differenttransportmodesareavailable.

AbackupproxyhandlesdatatrafficbetweenthevSphereorHyper-VinfrastructureandBackup&Replicationduringbackup,replication(atsourceandtarget),VMcopy,VMmigrationjobsorVMrestore.TheyarealsousedtodetectandscansnapshotstoenableVeeamExplorerforStorageSnapshotsfeatureswhenanysupportedprimarystorageisaddedtothebackupserver.

Backupproxyoperationsincludethefollowing:

RetrievingVMdatafromproductionstorage

In-linesourcesidedatadeduplicationtoskipwhitespaceandredundantblocksreportedbyvSphereChangeBlockTracking(CBT)orVeeamFileChangeTracking(FCT)forHyper-V.

Performingin-linecompressionanddeduplicationbeforesendingittothebackuprepository(forbackup)oranotherbackupproxy(forreplication)

BitLooker:AppliestoVMsrunningWindowsOSandusingNTFS.Formoreinformation,seethecorrespondingsectionofthisguide>DeduplicationandCompression-BitLooker

AES256encryption,ifenabled.

ProxyServers

54

Technicallyabackupproxyrunsalight-weighttransportservicethattakesafewsecondstodeploy.WhenyouaddaWindows-basedservertoVeeambackupmanagementconsoleassigningtheproxyroletoit,Backup&Replicationinstallsthenecessarycomponents,andstartstherequiredservicesonthatserver.AnyhostinaHyper-Vclusterisautomaticallyenabledasproxyserver,whenitisaddedtotheinfrastructure.Whenajobisstartedthebackupservermanagesdispatchoftaskstoproxyserversusingitsbuilt-inIntelligentLoadBalancer(ILB).

LikeanybackupvendorusingVMwarevStorageAPIforDataProtection(VADP),Backup&ReplicationintegratesVMwareVirtualDiskDevelopmentKit(VDDK)intheVeeamTransportService.ThisisnecessaryformanagementinteractionwithvCenterandESXihosts,whileinsomescenarios,VDDKisbypassedinfavorofVeeamAdvancedDataFetcherforperformancereasons.

Storageoptimizations

StockVDDKtransportmodeshavesomelimitations,suchasbeingunabletoprocessmultipledisksinparallel,whenusingvirtualappliancetransportmode(hot-add),introducingexcessiveVMFSmetadataupdates,whenperformingreplication,orbeingunabletobackupfromNFSbaseddatastores.Toovercometheselimitations,VeeamintroducedlogictobypassVDDK,whenitismoreoptimaltodoso.

VeeamAdvancedDataFetcher(ADF)addsincreasedqueuedepthfor>2xreadperformanceonenterprisestoragearrays.ADFissupportedforBackupfromStorageSnapshots,DirectNFSandvirtualappliancemode.

Otherenhancementsinclude:

aproprietaryNFSclientforbackingupVMsonNFSdatastoresparallelprocessingofmultipleVMdisks,whenbackingupviahot-addparallelprocessingofmultipleVMdisksduringrestorebypassVDDKwhenperformingreplicationorVMrestoresviahot-add,toavoidexcessiveVMFSmetadataupdatesallowrestoreviaDirectSAN

IntelligentLoadBalancing

TospecifythethresholdforproxyloadanadministratorusestheMaxconcurrenttasksproxysetting(whereataskstandsforasingleVMdisk),Backup&Replicationusesauniqueloadbalancingalgorithmtoautomaticallyspreadtheloadacrossmultipleproxies.Thisfeatureallowsyoutoincreasebackupperformance,minimizebackuptimewindowandoptimizedataflow.

ProxyServers

55

Thedefaultproxyserverisconfiguredfor2simultaneoustasksatinstallation,whereassubsequentlyaddedproxyserversanalyzetheCPUconfiguration.Theproxyserverautomaticallyproposesconfiguring1taskperCPUcore.Duringdeployment,itisdeterminedwhichdatastorestheproxycanaccess.Thisinformationisstoredintheconfigurationdatabase,andisusedatbackuptimetoautomaticallyselectthebesttransportmodedependingonthetypeofconnectionbetweenthebackupproxyanddatastore.

FirstBackup&Replicationchecksifdataprocessingcanbeassignedtoabackupproxywiththefollowingpreference:

1. DirectStorageAccess(whichincludesVDDKbasedDirectSANorVeeamproprietaryDirectNFS).

2. Virtualappliancemode(hot-add)3. NetworkBlockDevice(NBD)

Formoredetails,seetheTransportModessectionofthisguide.

Afterthealgorithmidentifiesallexistingbackupproxiesitdistributestasksviathebuilt-inReal-timeScheduler(RTS):

1. Itdiscoversthenumberoftasksbeingprocessedatthemomentbyeachproxyandlooksfortheserverwiththelowestloadandthebestconnection.

2. Alltasksareaddedtoa"VMstoprocess"queue.Whenaproxytaskslotbecomesavailable,RTSwillautomaticallyassignthenextVMdiskbackuptasktoit.

3. PrioritygoestothediskthatbelongstoanalreadyprocessedVM,afterthatVMsofalreadyrunningjobshavenexthigherpriority.

Tip:Attherepository,whichwritesthebackupdata,onlyonethreadiswritingtothebackupstorageperrunningjob.IffewjobswithahighnumberofVMsareprocessedsimultaneously,youmayexperiencethatthesethreadsarecannotfullyutilizetheavailablebackupstorageperformance.IfthroughputperI/Ostreamisabottleneck,considerenablingperVMbackupfiles.

Tip:Defaultrecommendedvalueis1taskpercore/vCPU,withatleast2CPUs.Tooptimizethebackupwindow,youcancautiouslyoversubscribetheMaxconcurrenttaskscount,butmonitorCPUandRAMusagecarefully.

ParallelProcessing

VeeamBackup&ReplicationsupportsparallelprocessingofVMs/VMdisks:

ItcanprocessmultipleVMswithinajobsimultaneously,increasingdataprocessingrates.

ProxyServers

56

IfaVMwascreatedwithmultipledisks,VeeamwillprocessthesediskssimultaneouslytoreducebackuptimeandminimizeVMwaresnapshotlifetime.

RTSgivesprioritytocurrentlyrunningparallelprocessesforVMdiskbackups.

Toachievethebestbackupwindowitisrecommendedtoslightlyoversubscribethetasksslots,andstartmorejobssimultaneously.ThisallowVeeamtoleveragethemaximumofthetaskslotsandleadintoanoptimalbackupwindow.

Note:Parallelprocessingisaglobalsettingthatisturnedonbydefault.Ifyouhadupgradedfromolderversionspleasecheckandenablethissetting.

BackupProxyServicesandComponents

Veeambackupproxyusesthefollowingservicesandcomponents:

VeeamInstallerService-AservicethatisinstalledandstartedontheWindowsserveronceitisaddedtothelistofmanagedserversintheVeeamBackup&Replicationconsole.Thisserviceanalysesthesystem,installsandupgradesnecessarycomponentsandservices.

VeeamTransportService–Aserviceresponsiblefordeployingandcoordinatingexecutablemodulesthatactas"datamovers".ItperformsmainjobactivitiesonbehalfofVeeamBackup&Replication(communicatingwithVMwareTools,copyingVMfiles,performingdatadeduplicationandcompression,andsoon).

VeeamAgent.exeprocess-adatamoverwhichcanbestartedmultipletimes(ondemand)foreachdatastreamontheproxy.Theseprocessescanoperateineitherreadorwritemode.Whenusedonaproxyserverforbackup,theyareonlyperformingreadoperations,while"write"modeisusedforwritingdataonatargetbackupproxy(replication).Veeamagentsinwritemodearealsousedonallrepositorytypes,butwillnotbediscussedinthischapter.

ProxyServers

57

TransportModesJobefficiencyandtimerequiredforitscompletionarehighlydependentonthedatatransportmode.TransportmodeisamethodusedbytheVeeamproxytoretrieveVMdatafromthesourcehostandwriteVMdatatothetargetdestination.

DirectStorageAccessInthismode,thebackupproxyserverhasdirectaccesstothestoragevolumesonwhichVMsreside.Whenconfigured,thebackupproxywillretrievedatadirectlyfromthestorage,bypassingtheESXiinfrastructure.

Dependingonstorageprotocolsutilized,theproxycanbedeployedasfollows:

OnaphysicalserverforFibreChannel,FCoE,iSCSIorNFSOnavirtualmachineforiSCSIandNFS

BothoptionscanbeusedforBackupfromStorageSnapshots.WhenusedwithNFSdatastoresorBackupfromStorageSnapshots,DirectStorageAccessmodewillalsoutilizetheAdvancedDataFetcher.

VirtualappliancemodeAsthedisksarehot-added,youmayfindthevirtualappliancemodereferredtoashotaddindocumentationandlogs.

ToworkinthismodethebackupproxymustbedeployedasaVM.Forsmallerdeployments(e.g.,severalbranchofficeswithasingleESXihostpereachoffice)youcandeployavirtualbackupproxyonaESXihostthathasaccesstoallrequireddatastores.WhenbackuporreplicationtakesplaceandaVMsnapshotisprocessedthesnapshotteddisksaremappedtotheproxytoreaddata(atbackup)andwritedata(atrestore/replication);latertheyareunmapped.

NetworkmodeYoumayfindnetworkmodereferredtoasnbdindocumentationandlogs.

TransportModes

58

Themostwidespreadbackupmethodisnetworkmode,whichtransportsVMdatathroughtheVMkernelinterfacesoftheVMwareESXihostonwhichtheVMresides.

ThebenefitofusingNBDisthefactthatitrequiresnoadditionalconfiguration,andissupportedregardlessofphysicalorvirtualproxydeployments,orstorageprotocolsused(includinglocalstorage,VMwareVirtualVolumesorVMwarevSAN).ThisisalsothereasonNBDisusedasthefallbackmethod,incaseBackupfromStorageSnapshots,DirectStorageAccessorVirtualAppliancebackupmodesfail.

TheonlyrequirementisfortheproxytobeabletoaccessESXihostsonport902/tcp.NBDbackupthroughputistypicallylimitedtousingupto40%ofthebandwidthavailableonthecorrespondingVMkernelinterfaces.IfNBD-SSLisenabled,thethroughputistypically10%slowerthanregularNBD.NBD-SSLisenforcedforESXi6.5hosts.ReadmoreaboutthisinVirtualApplianceModesection-vSphere6.5andencryption.

Thefollowingsectionsexplaintransportmodesindetail.

TransportModes

59

DirectStorageAccessDirectStorageAccesscoverstwotransportmodes:VDDKbased"DirectSAN",and"DirectNFS"whichutilizesaproprietaryVeeamNFSclient.DirectNFSalsoutilizesAdvancedDataFetcher(ADF).

TheDirectSANmodeusesadirectdatapath(FibreChanneloriSCSI)betweentheVMFSdatastoreandthebackupproxyfordatatransfer.TheproxyrequiresreadaccesstothedatastoressoFibreChannelzoningoriSCSIinitiatorconfigurationandLUNmaskingonthestoragearraymustreflectthis.Inmostcases,theVeeambackupproxiesareaddedtothesame"hostgroup"onthestorageastheexistingESXihosts,inordertoensureallLUNsaremaskedcorrectly.

TouseDirectNFSbackupmode,theproxiesneedaccesstotheNFSnetworkandmustbeaconfiguredintheNFSserver's"exports"forreadand/orwriteaccess.AsNFSbasedstorageusesIP,thereal-timescheduler(RTS)willensuretoalwaysusethebackupproxywithfewestnetwork"hops".Thisisespeciallyuseful,iftheNFSnetworkhappenstoberoutable.

Ifwriteaccessisprovided,VeeamwillautomaticallyperformfullVMrestoreviaDirectStorageAccessforthickprovisionedVMs.

ProsDirectStorageAccessmodeprovidesveryfastandthemostreliablepredictablebackupperformance(typically,using8GbFibreChannelor10GbEforiSCSIandNFS).

ProduceszeroimpactonvSpherehostsandVMproductionnetworksforbackupdatatransport.

ItispossibletoperformfullVMrestoreusingDirectStorageAccess.Thismodewillbeusedautomaticallyifeligiblebackupproxiesareavailableinthebackupinfrastructure,andtheVMdisksarethickprovisioned.

DirectStorageAccessisthefastestbackupandrestoremodeforNFSdatastores.ItusesmultipleconcurrentreadandwritestreamswithanincreasedqueuedepthviaADF.

DirectStorageAccessforNFSdatastoreswillmitigatethe"VMstun"issuesthatmaybecausedbyVirtualApplianceMode(hot-add).

DirectStorageAccess

60

DirectStorageAccessforFCandiSCSIcanbeusedforreplicationatthetargetfortheinitialreplication(withthickprovisioneddisks)only.ForNFSdatastores,DirectStorageAccesscanbeusedforinitialandincrementalreplicationpasses.Therearenodifferencesonthesourcereplicationproxy.

ConsTypically,DirectStorageAccessrequiresaphysicalserverforFibreChannel,iSCSIorNFSconnection.Forvirtualonlydeployments,DirectStorageAccessforiSCSIandNFSispossible,butwouldtransportthedatathroughnetworksoftheESXihosts,typicallymakinghot-addthemoreefficientchoice.

RestoreviaDirectStorageAccessusingFibreChanneloriSCSIispossibleonlyforthick-provisionedVMdisks.AtrestorethedatastreamneedstobecoordinatedinthebackgroundwithvCenteroranESXihostwhichcanslowdowntherestorespeed.Consideraddingadditionalhot-addproxyserversforrestore(FC/iSCSIonly).

DirectSANmode(FC/iSCSIonly)isthemostdifficultbackupmodetoconfigureasitinvolvesreconfiguringnotonlythestoragebutalsotheSAN,(FibreChannelzoning,LUNmasking,orreconfigurationofiSCSItargets)toprovidethephysicalproxyserver(s)withdirectaccesstotheproductionVMFSdatastores.WhensuchconfigurationhasbeenimplementeditisextremelyimportanttoensurethatHBAs,NICdriversandfirmwaresareup-to-dateandthatmultipathdriversoftware(e.g.MPIO)isproperlyconfigured.

FormoreinformationaboutconfiguringDirectStorageAccessrefertoFAQatVeeamCommunityForums:DirectStorageAccessMode

ExampleIfdatastoresorvirtualrawdevicemapping(vRDM)LUNsareconnectedviasharedstorageusingFibreChannel,FCoEoriSCSI,youmayaddabackupproxyasamembertothatsharedstorageusingLUNmasking.Thiswillallowforaccessingthestoragesystemforbackupandrestore.

Ensurethataconnectionbetweenthestorageandbackupproxycanbeestablished.VerifyFCHBAs,zoning,multipath,driversoftwareandiSCSIconfigurationsincludinganynetworkchanges.Totesttheconnection,youmayreviewvolumesvisibleinWindowsDiskManagement,addingonediskperstoragesystematatime.Oncetheinitialconnectionhasbeenverified,addtheremainingvolumesforthatstoragearray.

DirectStorageAccess

61

http://forums.veeam.com/vmware-vsphere-f24/vmware-frequently-asked-questions-t9329.html#p39948

RecommendationsUsethemultipathdriversoftwareofthestoragevendorschoice(preferredintegrationintoMicrosoftMPIO)toavoiddiskorclusterfailoversatstoragelevel.Thiswillalsopreventthewholestoragesystemfrombeingaffectedbypossiblefailoversifwrongdatapathsareused.Itishighlyrecommendedtocontactthestoragevendorforoptimalsettings.

Ifyouattachalargenumberofvolumestothebackupproxy,considerthatloggingfortheprocessofsearchingforthecorrectvolumeduringthejobruncanrequireextraprocessingtimeperVMdisk(aswellasforoverallvolumecount).ToavoidVeeamloggingbecomingabottleneckyoucandisableloggingforthisparticulartaskthiswiththefollowingregistrysetting:

Path:HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\VeeamBackupandReplicationKey:VDDKLogLevelType:REG_DWORDValue:0Default:1

Note:Asthisreducestheamountofinformationindebuglogs,remembertoenableitagainwhenworkingwithVeeamsupport(tofacilitatedebuggingoftheDirectStorageAccessrelatedchallenges).

Toachieveperformance/costoptimum,considerusingfewerproxieswithmoreCPUcoresavailable.ThiswillhelptofullyutilizetheHBAorNICcapacityofeachproxyserver.A2CPUSystemwith2x12coresisconsideredagoodconfigurationbalancedbetweenthroughputandcosts.

SecurityConsiderationsforDirectSANDuringdeploymentoftheproxyroletoaWindowsVM,Backup&Replicationusesthefollowingsecuritymechanismstoprotectthem:

ChangestheWindowsSANPolicyto"Offline(shared)".ThispreventsWindowsfromautomaticallybringingtheattachedvolumesonlineandalsopreventsWindowswriteoperationstothevolumes.DuringDirectSANrestore,ifthedisksareoffline,theproxywillattemptbringingthevolumeonline,andverifythatitiswriteable.Incasetheoperationfails,restorewillfailovertousingNBDmodethroughthesameproxy.

VeeamdeploysVMwareVDDKtothebackupproxy.Inmostcases,VDDKcoordinatesreadandwriteoperations(DirectSANrestore)withVMwarevSphereallowingVMware'sSoftwaretocontrolthereadandwritestreamsinareliablemanner.

DirectStorageAccess

62

Ifnecessaryyoucantakeadditionalmeasuresasfollows:

Disableautomount.Openanelevatedcommandpromptanddisableautomountusingthefollowingcommands:

diskpart

automountdisable

DisableDiskManagementsnap-inwith:

GroupPolicy\UserConfiguration>AdministrativeTemplates>Window>Components>MicrosoftManagementConsole>Restricted/Permittedsnap-ins>DiskManagement.

Restricttheamountofuserswithadministrativeaccesstoproxyservers.

PresentLUNsasread-onlytothebackupproxyserver.Thiscapabilityissupportedbymostmodernstorage.Whenpossible,implementread-onlyLUNmaskingonthestoragesystemorread-onlyzoningontheFibreChannelswitches(possibleonmostBrocadevariants).

IfaVMFSdatastoreismanuallybroughtonlineinWindowsDiskManagementbymistake,anddiskresignaturingisinitiated,thedatastorewillbecomeunavailable,andVMswillstop.PleasecontactVMwareSupportforassistancewithrecreatingtheVMFSdisksignature.FormoreinformationonWindowsre-signaturingprocessandVMwaredatastorespleaserefertoVMwareKB1002168:UnabletoaccesstheVMwarevirtualmachinefilesystemdatastorewhenthepartitionismissingorisnotsettotypefb

SummaryUseDirectStorageAccesswheneverpossibleforfastbackupsreducedloadontheESXihosts.Considerusinghot-addproxies,asthesetypicallyrestorefasterthanDirectSANrestores.DirectSANusesVDDK,whichcancauseexcessivemetadataupdateswhilehot-addrestorebypassesVDDK.

ForNFSdatastores,DirectNFSisthebestchoiceforbothbackupandrestore.Itdeliversthehighestpossiblethroughput,withoutanynegativesideeffects.Youcanuseitforvirtualandphysicalproxydeployments.

DirectStorageAccess

63

http://kb.vmware.com/kb/1002168

VirtualApplianceModeAsthedefaultsetting,virtualappliancemode(hot-add)hasbecomequitepopularforall-in-onedeploymentsofVeeamBackup&Replicationwithinvirtualmachines(fordetails,seetheDeploymentScenariossectionoftheUserGuide).Itisalsooftenused,whenVeeamisdeployedinbranchofficeconfigurations(ROBO).

Thismodesupportsa100%virtualdeployment,andusestheVMwareESXistorageI/Ostack,providingveryefficientbackupsandhavingverylittleoverheadintermsofthroughput.Duringbackuporreplication,whiletheoriginalVMisrunningoffofaVMsnapshot,theoriginalvirtualmachinedisks(VMDK)aremountedviaSCSIhot-addtothebackupproxyserver.Oncethebackuporreplicationjobfinishes,thedisksareunmountedfromtheproxyserver,andtheVMsnapshotiscommitted.

Note:Formoreinformationonhowitworks,refertothesection"DataBackupandRestoreinVirtualApplianceMode"inVeeamHelpCenter.

Asanexample,virtualappliancemodeisagoodchoiceforhighlydynamicenvironments,whereitcanbedifficultforbackupadministratorstomaintainaccesstonewlycreateddatastoresforDirectStorageAccess.Prerequisitesforusingvirtualappliancemodearedescribedinthefollowingknowledgebasearticle:ApplianceMode(Hotadd)RequirementsandTroubleshooting

WhenplanningfortheVirtualAppliancemodeforabackupproxyconsiderthetimerequiredforactualhot-addoperations(suchasaddingandremovingVMdisksfromthesourcevirtualmachine)itcanaddupto1-2minutesperVM.Forabackupjobcontaining100virtualmachinesthiscouldresultinmorethantwohoursofaddingandremovingdiskswithnoactualdataprocessing.Tomitigatetheissueenableparallelprocessingandprocessmultipledisksfromthesamevirtualmachinesimultaneously(usingthistransportmode).

Tip:ItisrecommendedtobenchmarkhowsuchoperationsaffectthebackupwindowbymonitoringatestjobinthevSphereconsole.

VeeamdevelopedDirectStorageAccessforNFSbaseddatastorestoovercometheproblemswithdiskhot-addandreleasewhichcausessignificantstunsforNFSbasedVMs).DirectStorageAccessshouldbeusedforallvirtualandphysicalproxydeploymenttobackupandrestoreNFSdatastorebasedVMs.

Pros


64

https://helpcenter.veeam.com/docs/backup/vsphere/deployment_scenarios.html?ver=95

https://helpcenter.veeam.com/docs/backup/vsphere/virtual_appliance_hiw.html?ver=95


UsingtheVirtualAppliancemodeforproxyserversenablesafullyvirtualdeployment.

Astheproxywillperformsourcesidedatadeduplicationandcompression,thismodewillprovidesatisfactoryperformanceinenvironmentsrunning1GbEconfigurations.

VirtualappliancemodeutilizesVeeamAdvancedDataFetcher(ADF),providingsignificantincreaseinthroughputforenterpriseclassstorage.

ConsIfworkinginthismodethebackupproxywilloccupythevirtualinfrastructureresourcesimpactingconsolidationratio.ThiscouldultimatelyrequireadditionalphysicalESXihostsandlicensing.

ThismoderequiresadditionalplanningandconfigurationintheenterpriseenvironmentsbecauseoftheadditionallargediskHot-AddprocessesinVMwarevSphere.

InsituationswithahighnumberofVMwareclusterswithindividualdatastoresaminimumofoneproxyperclusterisneeded,thiscanincreasemanagementoverhead.

ConsiderationsandLimitationsAdditionalloadisputonthevCenterServerandESXihostsaseachdiskismappedandunmapped(diskhot-add)atthebackupproxies.

Note:FormoreinformationseevCenterServerconnectionoverviewinthe"VeeamBackup&ReplicationServer"sectionofthisguide.

ItmayoccurthatVMwareAPIreportsthatunmapandsnapshotcommitweredonecorrectlybutasnapshotfilestillremainsondisk.These"orphanedsnapshots"willgrowovertimeandcanfillupthedatastoreleadingtodowntime.Tomitigatetheissue,Veeamimplementedthefollowingfunctionality:

VeeamSnapshotHunter.ThisfeatureautomaticallyinitiatesdiskconsolidationforVMsinthe"Virtualmachinedisksconsolidationisneeded"state.FormoreinformationpleaseseeSnapshotHuntersection

BypassingVirtualDiskDevelopmentKit(VDDK)processingtoovercomesomelimitationsandperformancechallenges,inparticular:

VeeamcanbackupmultipledisksofVMinparallelonsameproxy(defaultnumberis4).Typical"hot-addI/Obursts"duringhot-addoperationsaremitigatedbybypassing


65

VMwareVDDKduringrestoresandreplication.Whenperformingwritesviahot-addandVDDK,excessivemetadataupdatesontheVMFSdatastorewilloccur.Thissignificantlyimpactsperformanceforotherworkloadsonthedatastore,andslowsdownrestorethroughput.BypassingVDDKhelpsovercomingthislimitation

ToavoidsomeVMwareissuesrelatedtoNFSdatastoreandhot-addprocessing(describedathttp://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2010953)enableaspecificsettingthatwillprocessVMbackupsonlyonbackupproxiesthatrunonthesamehost.Fordetailsseehttp://www.veeam.com/kb1681.ToavoidthiscompletelywehighlyrecommendyoutousetheDirectNFSbackupmodeforbackupandrestoreofNFSdatastorebasedVMs.

Note:Foradditionaltipsrefertothe“ImpactofSnapshotOperations”sectionofthisguide.

vSphere6.5andencryptionVirtualappliancemodeistypicallythebestchoicetoensuredataavailabilityforvSphere6.5clusterswithencryptedvirtualmachines.Inordertosupportbackupofencryptedvirtualmachines,thevirtualbackupproxymustbeencryptedwithinthesameencryptiondomain(usingthesameKMIPserver).

BackupmodesDirectStorageAccessandBackupfromStorageSnapshotsareunavailableforencryptedvirtualmachines,andNBDwillnotbeasperformant.vSphere6.5alsoenforcesSSL/TLSencryptionfornetworkmode(NBD),renderingvirtualappliancemodeamuchmoreperformantalternative,andwillreducehostCPUusage.

RecommendationsVirtualappliancemodeshouldbeusedwhenitisnotpossibletoleverageDirectStorageAccess,forexampleinthecaseoflocaldatastores,VirtualVolumes(VVOL)orvSAN.

Youwillneedatleastonetypeof(virtual)SCSIcontrolleraddedtoProxyServerVMthatisusedsomewhereattheVMsinyourinfrastructuretoallowVMwaretoHotAddtheVMdisksatbackup.

AddanextraSCSIcontrollertoallowformoreVMdisksprocessinginparallel(checkthecorrespondingVeeamproxysettings,defaultvalueis4).ThelimitforasinglecontrolleristhemaximumnumberofdevicesperSCSIcontroller(15).MaxSCSI


66

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2010953


controllersperVMis4=60disksmax.AddingoneadditionalSCSIcontrollerisusuallysufficient.

Whendeployinghot-addbackupproxiesavoidcloningexistingVMsasthismayleadtoidenticalUUIDsandcausehot-addoperationstofail.

Youmayre-useanyexistingWindowsserverVM(tosaveonlicensing).TheVeeamdatamoverprocessrunswith‘belownormal’prioritybydefault.

Note:Changedblocktracking(CBT)willbedisabledforthesehot-addproxies.Considerthatitmayimpactthebackupwindowincasethesaidvirtualmachinesshouldbeincludedinbackuporreplicationjobs.

Usefullinks

SpecificclientOSlimitationsforHot-AddprocessingaredocumentedinVeeamBackup&ReplicationReleaseNotes,*ApplianceMode(Hotadd)RequirementsandTroubleshootingHowtotesthotaddmanually


67

https://www.veeam.com/veeam_backup_9_5_release_notes_en_rn.pdf



NetworkModeNetworkmodeisbyfartheeasiestbackupmodetoimplementasitrequiresnoadditionalconfiguration.VeeamusesthesameinterfacetobackupandrestoreVMwareconfigurationfilesandtoreadChangeBlockTracking(CBT)information,anddownloadvirtualmachineconfigurationfiles.

Inthismode,thebackupproxywillqueryvCenterforthenameoftheESXihostonwhichtheVMscheduledforbackupresides.Typically,hostsareaddedtovCenterusingFQDN,whichmeansNBDreliesheavilyonfunctioningDNS.RegardlessiftheESXihostsareconnectedtovCenterusingaVMkernelinterfaceonanisolatedmanagementnetwork,VADPbackupsolutionswillattempttoconnecttothissameinterface.PleaseseethesectiononDNSResolutionformoreinformationonhowtooverridethedefaultinterfaceusedforNBDbackups.

Astheonlyprerequisite,thebackupserverandproxyserverrequiresports443/tcpand902/tcpbeingopentotheESXihosts.

Note:ItishighlyrecommendedtomaintainagoodnetworkconnectionbetweentheVMwareESXiVMKernelportandVeeamBackup&ReplicationasitwillbeusedbymanyotherfeatureslikeInstantVMRecovery,VirtualLabandSureBackup,LinuxFLRappliance,configfilesbackupsetc.

ForloadbalancingVeeamusesaselectionofproxyserversbasedonthenetworksubnet:

BackupproxiesinthesamesubnetsastheVMKernelinterfacesareselectedifyouhavetheAutomaticSelectionproxysettingconfiguredinthebackupjobs.

NetworkMode

68

IfnoproxyserversareavailablewithinsamesubnetastheVMKernelinterfaceoftheESXihost,youmayhavetomanuallyselecttheproxiesthataremostsuitabletoprocessthebackupjob.IfAutomaticselectionisstillused,proxiesfromgoingthroughmanynetworkhops,eveninothersitesmaybeusedtotransportdata.Youcanmanuallyselectalleligibleproxiestoenableloadbalancing.

NetworkMode

69

Incaseyouworkwithseveralbranchesordatacenterenvironmentsitisalsorecommendedthatyoumanuallychoosetheproxies(persite)inthejobsettingstoreducethetimespentbytheRealTimeSchedulertodetermineeligiblebackupproxies.

ProsNetworkmodecanbeusedforbothbackupandrestorewithsamespeed.

Workswithbothphysicalandvirtualbackupproxies.

Beingthemostmatureofalltransportmodesitsupportsalltypesofstorage.

IsrecommendedforNFSbasedstorageincaseswhereDirectNFSisunavailable.UsingNBDwillminimizeVMstunning.Seealsothe"ConsiderationsforNFSDatastores"sectionofthisguide.

Performanceon10GbEVMkernelinterfacestypicallyprovidearound4-500MB/softhroughputperhost.

Asdatatransfersinitiateveryquickly,networkmodeispreferableforprocessingincrementalbackupsonrelativelystaticvirtualmachines(VMsgeneratingasmallamountofchange).

NetworkMode

70

Itcanbehelpfulwhendealingwithmanyclusterswithindividualstorageconfigurations(e.g.hostingproviders).Insuchdeployments,usingnetworkmodefordatatransfercanhelpreducingVeeamfootprintandcostsaswellastoincreasesecurity(ifcomparedtoothermodesandstorageconfiguration).

ConsTypically,networkmodeusesonlyupto40%oftheavailablebandwidthoftheexternalVMKernelinterfaceduetothrottlingmechanismsimplementedonthemanagementinterfaces.

Itcanbeevensloweron1GbEthernet(about10-20MB/s)duetothrottlingmechanisms,soespeciallyrestoresvianetworkmodecantakeverylong.

Tip:PleaseseethesectiononDNSResolutionforinformationonhowtooverridethenetworkinterfaceusedforNBDbackupse.g.whenboth1GbEand10GbEVMkernelinterfacesareavailable,itispreferredtoforceusageof10GbEforhighestpossiblethroughput.

RecommendationsWhenyouchoosenetworkmode(NBD),youentirelyavoiddealingwithhot-addvCenterandESXioverheadorphysicalSANconfiguration.NBDisaveryfastandreliablewaytoperformbackups.Inemergencysituationswhenyouneedfastrestorethefollowingtipscanbehelpful:

Considersettingupatleastonevirtualbackupproxyforhot-addbasedrestores.ThenitwillbepossibletoachievehigherthroughputandthuslowerRTO.

YoucanalsorestoretoathindiskformatandlaterusestandardVMwaremethodstochangethediskformattothickdiskifneeded.Thindiskrestoreshavetotransportlessdata.

AnotherwaytoovercomethislimitationistouseInstantVMRecoverywithStoragevMotion(iflicenseisavailable)asitisnotaffectedbythesamethroughputlimitationsastheVMkernelinterfaces.

WhenusingNBDforbackup,pleaseconsiderthefollowing:

Asthereisnooverhead(likeSCSIhot-add,orsearchfortherightvolumesinDirectStorageAccess)onbackupproxies,networkmodecanberecommendedforscenarioswithhigh-frequencybackupsorreplicationjobs,aswellasforenvironmentswithvery

NetworkMode

71

lowoveralldataandchangerate(VDI).

ToprotectVMware,VeeamreducesthenumberofpermittedNBDconnectionsto28.PleaseseethecorrespondingsectioninInteractionwithvSphereformoreinformationonhowtoaltertheconfigurationusingregistrykeys.

NetworkMode

72

BackupfromStorageSnapshotsVeeamBackup&ReplicationoffersintegrationwithcertainstoragearraysforVMsnapshotoffloading.Thefollowingstoragevendorsandarraysarecurrentlysupported:

HPEStoreVirtual(LeftHand)HPEStoreServ(3PAR)NetAppDataONTAP(FAS,V-SeriesandIBMNseries)EMCVNX,VNXeandUnityNimbleStorageCiscoHyperFlex

LicensingandsystemrequirementsaredescribedintheVeeamUserGuide:BackupfromStorageSnapshots.

ThestorageintegrationcoveredinthissectionisVMwareonlyanddoesnotapplyforHyper-V.AnyprotocolsupportedbyBackupfromStorageSnapshotswillutilizetheAdvancedDataFetchertooptimizeforretrievingdataonenterprisegradestorage.

BackupfromStorageSnapshots(BfSS)isafeatureincludedinthedeepstoragearrayintegrationsandawaytooptimizeandenhanceVMbackupsinaveryeasyway.ThemainobjectiveforimplementingBfSSistominimizethelifetimeofaVMsnapshot,whichreducesthetimeforVMsnapshotcommitandI/OthevSphereenvironment.

ForregularVADPbasedbackups,theVMsnapshotiscreatedandremainsopen(VMsnaplifetime)untiltheVMbackupiscompleted.EspeciallywithlargeorhighlytransactionalVMs,thatcanleadtolargesnapshotdeltafilesbeingcreatedduringthebackupfollowedbyhoursofsnapshotcommittaskswithinvSphereproducinghighI/Oontheproductionstorage.

123


73

https://helpcenter.veeam.com/docs/backup/vsphere/backup_from_storage_snapshots.html?ver=95

Ultimately,theselongsnapshotcommitsmayleadtounresponsiveVMs.FormoreinformationabouttheimpactofVMsnapshotspleaseseethe"InteractionwithvSphere"sectionofthisbook.

HowitworksByusingBfSS,theVMsnapshotlifetimewillbesignificantlyreduced.Inthissection,wewillgothroughthestepsperformed.

1. Application-awareprocessingensurestransactionalconsistencywithintheVM2. VeeamrequestsaVMsnapshotviaVMwareAPIs3. ImmediatelyaftercreatingtheVMsnapshot,astoragesnapshotrequestisissuedfor

savingtheVMincludingtheapplicationconsistentVMsnapshotwithinthestoragesnapshot.

4. Whenthestoragesnapshothasbeencreated,theVMsnapshotisdeleted5. (NetApponly-optional)Triggerareplicationupdatetosecondarystoragevia

SnapMirrororSnapVault6. MountstoragesnapshottotheVeeambackupproxyserver7. ReaddatafromthestoragesnapshotandwritetoaVeeambackuprepository

VMprocessinglimit


74

Whenaddingalargenumberofvirtualmachinestoajob,bydefaultsteps1and2(above)arerepeateduntilallvirtualmachineswithinthejobhavesuccessfullycompleted.OnlythenwillBfSSproceedtostep3andissuethestoragesnapshot.Ifadding100sofjobstoabackuporreplicationjob,thiscouldcauseaveryhighVMsnapshotlifetimeforthefirstVMsinthejoblist.

Whenconfiguringsuchlargejobs,itisadvisedtoconfigurethemaximumnumberofVMswithinonestoragesnapshot.ThesettingisavailableintheadvancedjobsettingsundertheIntegrationtab.

Example:Whencreatingajobwith100VMs,andsettingthelimitto10,BfSSwillinstructthejobmanagertoprocessthefirst10VMs(step1and2),issuethestoragesnapshotandproceedwiththebackup(step3-7).Whenstep7hassuccessfullycompletedforthefirst10VMs,thejobwillrepeattheaboveforthefollowing10VMsinthejob.

Asseenbelow,whenensuringproperconfigurationofBfSS,minimalVMsnapshotlifetimeisachieved,andreducesoverallI/OpenaltyontheproductionstorageforhighlytransactionalVMs.


75

ConfigurationEnablingBfSSrequiresminimalconfiguration,butunderstandingthetasksandresponsibilitiesofinvolvedcomponentsarekeywhentroubleshootingandoptimizingforhighperformanceandlowRTPO.

ThebackupserverisresponsibleforallAPIrequeststowardsvSphereandstoragearraysfordeterminingpresentvolumes,snapshotsandallnecessarydetailssuchasinitiatorgroups,LUNmappingsandwhichprotocolsareavailable.

Theproxyserver(s)areusedforreadingdatafromthestoragesnapshotandsendingittothebackuprepository.ToleverageBackupfromStorageSnapshots,thefollowingconfigurationrequirementsmustbemet:


76

Backupservermusthaveaccesstothemanagementinterfacesofthestoragearray.AlladditionalprerequisitessuchasLUNmappings,creationofinitiatorgroupsforiSCSI,alteringNFSexportsandsnapshotmanagementaresubsequentlyhandledviathisconnection.

Backupproxyserversmustbeabletodirectlyaccessthestoragearrayviathesameprotocolusedforconnectingtheproductiondatastore(FibreChannel,iSCSIorNFS).AsopposedtousingDirectStorageAccess,itisnotarequirementfortheproxyservertohaveaccesstotheproductiondatastoreitself,asitreadsdatablocksdirectlyfromtheclonedstoragesnapshot.

Asdescribedinprevioussections,thebackupserverandproxyservercanbedeployedononesingleserverorscaledoutondifferentservers.Inmostenvironments,whereBfSSisapplicable,thecomponentsareusuallyseparatedforscalabilityconsiderations.

WhentouseWhenusingBackupfromStorageSnapshots,overalljobsprocessingmaytakelonger,asadditionalstepsareperformedsuchasmappingvSphereChangedBlockTracking(CBT)tooffsetsofthestoragesnapshot,andthesnapshotmustbeclonedandmountedonthebackupproxyserver.ThemountoverheadcantakeseveralsecondsonblockprotocolsasHBAsorinitiatorsmustberescanned.ItmostlyaffectFCdeployments.

Withthisinmind,usingBfSSonsmallVMsorVMswithaverylowchangerateisnotadvised.AstheVMsnapshotlifetimeonsuchVMsisveryshort,thebenefitsofusingBfSSareminimal.

Inmostenvironments,largeVMsorhighlytransactionalVMsproducinglargeamountsofchangeddatabenefitmostfromusingBfSS.UsingtheVMChangeRateEstimationreportinVeeamAvailabilitySuite,youmayquicklyidentifysuchVMs.

VMswitheithervirtualorphysicalRawDeviceMapping(RDM)arenotsupportedwithBfSS.SuchVMswillfailovertobackingupviastandardmethodsifallowedinthejobsettings.

.EMCUnityissupportedstartingVeeamBackup&Replication9.0Update2(KB2147)↩

.NimbleStorageissupportedstartingVeeamBackup&Replication9.5↩

.CiscoHyperFlexissupportedstartingVeeamBackup&Replication9.5Update2.CiscoHXutilizesVAAIoffloadedstoragesnapshots,sorestoresusingVeeamExplorerforStorageSnapshotsarenotsupported.↩

1

2

3


77

https://helpcenter.veeam.com/docs/one/reporter/vm_change_rate_estimation.html?ver=95



78

NetAppDataONTAPSpecificallyforNetAppDataONTAP,Veeamofferssomespecificadditionalcapabilities.

Backupfromsecondarysnapshots

BackupfromSecondarySnapshots.IncaseyouuseNetAppSnapVaultorSnapMirror,Veeamcancreateaprimarysnapshot,updatethesecondary(SV/SM)SnapshotandbackuptheCBTchangestothebackupfile.Itisconfiguredwithajobsettinginthe"Advanced"sectionifVeeamshouldallowfallbacktotheprimarysnapshotforbackup.Youcanfindthesettingwithinthesecondarydestinationwindowofyourbackupjobandenable“Useasthedatasource”.

SnapshotOrchestrationForNetAppONTAPstoragesystemsVeeamoffersaSnapShotOrchestrationonlyfeature.SnapShotorchestrationmeanstousestorageSnapShotsasbackuptarget.Thefeaturecanbeusedwithoutanyneedtorunarealbackuptoanexternalrepository.Veeamistakingcareofallrequiredstoragerelatedtaskslikedataretention,SnapShotmanagementandSnapMirror/SnapVaultupdatestosecondarysides.

TheworkflowforStorageOrchestrationis:


79

1. (Optional)Application-awareprocessingensurestransactionalconsistencywithintheVM

2. VeeamrequestsaVMsnapshotviaVADP3. ImmediatelyaftercreatingtheVMsnapshot,astoragesnapshotrequestisissuedfor

savingtheVMincludingtheapplicationconsistentVMsnapshotwithinthestoragesnapshot.

4. Whenthestoragesnapshothasbeencreated,theVMsnapshotisdeleted5. TriggerareplicationupdatetosecondarystorageviaSnapMirrororSnapVault

Toconfigurea“SnapShotonly”jobsettheRepositoryto"NetAppSnapShotonly"


80

Theretentionpolicydefinesthenumberofstoragesnapshotstokeep.Tostore5snapshotsadayfor1week,configuretheretentionto35restorepointswithadailyschedule.Ifthejobisconfiguredwithahighorlowerschedulefrequency,adjustthenumberofrestorepointsaccordingly.

IfyouuseasecondaryNetAppONTAPsystemwithSnapMirrorand/orSnapVaultyoucansettheboxforasecondarydestinationandsettheretention.

WhenusingSnapshotOrchestrationpleasetakecareoftheretryschedulersetting.


81

Ifyouhaveforexample100VMsinonejoband10oftheseVMsarefailinginthefirstrunVeeamwillrerunthejobbasedontheretrysettings.Ifthesettingissetto3(default)Veeamwilltry3moretimetoprocessthefailedVMs.ForeverysuccessfulretryVeeamwillcreateanewSnapshot.IfallretriesareneededtoproceedthefailedVMsthatendsin3Snapshotsforonerun.Itisrecommendedtonotsetthevaluehigherthan3ordisabletheautomaticretrytoavoidahighnumberofSnapshotsbeingcreatedduringeveryrun.

OneofthebigbenefitsisthatyouarestillabletouseallVeeamrestorecapabilitiesfromstoragesnapshots.FormorepleaserefertotheVeeamExplorerforStorageSnapshotssection.


82

NimbleStorageThissectioncontainsintegrationspecificinformationforconfiguringorchestrationofsnapshotcreationandreplicationbetweenNimbleStoragearrays.

Storagearrayconfiguration1. BrowsetheNimbleOSwebGUI:Manage--Protection--VolumeCollections2. AddanewvolumebyclickingonNewVolumeCollection3. AddtheVolumeCollectionNameontheIntroduction.

Becarefulwiththenamingtostaywithinthelimitsof80characters.

4. SelectNoneontheSynchronizationtab.

Veeamwillorchestratethecreationofavolumesnapshot,andinitiatereplicationtothesecondaryNimblearraybeforethebackupjobstarts.

5. SettheschedulingforNimbleStoragesnapshots.

NotethatVeeamBackup&Replicationusesitsownenginetoinitiatethecreationandreplicationofsnapshots.

Nimbleconfigurationwillnotallowemptyscheduling.ThereforeyoucanchooseWeeksorRepeatEveryWeekandReplicatetosetto"2"astheminimum—oranydesiredconfiguration,astheseconfigurationswillnotbeusedbyVeeam.

6. AssociatethedesiredvolumeforreplicationontheVolumesTab

SnapshotonlyjobsWhenajobisconfiguredforusing"Nimblesnapshot"asthebackuprepository,Veeamwillnotcopyanydatafromthesourcestoragetoatargetrepository.InsteadVeeamwillorchestratethecreationofastoragesnapshot,andcanentirelyskipVMwaresnapshotcreation,incaseapplication-awareimageprocessingisleftdisabled.


83

Itisnotrecommendedtorelyonstoragesnapshotsasbackups,asitviolatesthe3-2-1rule.ItishoweveragreatcomplementtotraditionalbackupstoachievelowerRPO,incasetheprimarystoragearrayisstillavailable,whenarestoreisneeded.

Note.

ItisrecommendedbythevendorthatvolumesshouldbeinindividualVolumeCollections.PleaseverifyNimbleVolumeCollectionsconfigurationbeforerunningthesnapshot-onlyjob,otherwiseitmaynotoperateproperly-forexample,replicatemoredatathanexpected.

SnapshotreplicationWhenconfiguringbackupsusingthe"snapshotonly"repository,orregularrepositories,itispossibletoconfigureorchestrationofreplicationtoasecondaryNimbleStoragearraybycheckingtheConfiguresecondarydestinationsforthisjob.


84

https://www.veeam.com/blog/how-to-follow-the-3-2-1-backup-rule-with-veeam-backup-replication.html

ByclickingAdd--NimbleSnapshotReplicatedCopy,itispossibletoconfigurehowmanysnapshotsshouldberetainedatthetargetNimbleStoragearray.Duringthejobrun,VeeamwillsearchforreplicationsettingsconfiguredontheVolumeCollectionforthesourcevolumebeingsnapshotted.PleaseseetheinitialparagraphofthischapterfordetailsonconfiguringVolumeCollections.

Note.

WhenconfiguringreplicationbetweenNimbleArraysforintegrationwithVeeamforSnapshotOnlyJobsorforbackupstoSecondaryArray,itisrecommendedbyNimbletohaveeachvolumehaveitsownvolumecollectiongroup.

BackupfromsecondarystorageWhenperformingbackupstoabackuprepository,itispossibletoconfigureusingthereplicatedcopyatthetargetNimbleStoragearrayasthesourcefortherepositorybasedbackup.


85

ByclickingAdd--NimbleSnapshotReplicatedCopy,itispossibletoconfigurehowmanysnapshotsshouldberetainedatthetargetNimbleStoragearray,andfurthermoreusethecheckbox"Useasthedatasource".ThiswillinstructthebackupproxytousingthesecondaryNimbleStoragearrayasthedatasourceforbackups.


86

SelectingaTransportModeDependingonthesizeoftheenvironment,therearedifferentrecommendationsforselectingatransportmode.Forsimplicity,acoupleofdefinitionswillbeusedinthissection:

Name Definition

Verysmall

Singlehostwithlocaldisksasprimarydatastores.TypicalROBOconfiguration.

Small 2-4hostswithsharedstorage.TypicalROBOconfigurationorsmalldatacenter

Medium 4-20hostswithsharedstorage

Large 20-100hostswithsharedstorage

Enterprise Over100hosts

Keepinmindthatwithinlargerdatacenters,multipledefinitionsmayapply.Asanexample,itispossiblethataseparatemanagementorDMZclusterwithoutsharedstoragecouldbenefitfromusingthe"Verysmall"or"Small"recommendations,whilethemainproductionenvironmentisleveragingrecommendationsbasedon"Medium"to"Enterprise"datacentersize.

VerysmallVirtualAppliance(Hot-Add)modeistherecommendedoption,asitgivesyouthebestperformance.

NBDover10GbEVMKernelinterfaceslinkwillprovideaverystableandgoodperformingsolutionwithoutanyspecialconfigurationneeded.

NBDover1GbEVMKernelinterfacescanbeusedforfailover.

DirectStorageAccessmodeorBackupfromStorageSnapshotsmodesaretypicallyunavailable,asthedisksofthehostarelocalandthuscannotbemountedtoanexternalproxyserver.

SmallandMediumIfstorageintegrationisavailable,useBackupfromStorageSnapshots(BfSS)1


87

ForNFSbasedStorage,useDirectStorageAccess

ForsharedstorageconnectedviaFCoriSCSI,youcanchooseoneofthefollowingtwomodes:

Physicalproxy:DirectStorageAccesswillprovidethebestbackupperformance.Forexample,youcanconfigureaphysicalserverwithaccesstoFCdatastoresonthelocalsiteandperformbackupstoalocalrepository.Ifyouusethin-provisioneddisksfortheVMs,configuringadedicatedbackupproxyforrestoringviaVirtualAppliance(hot-add)modecanhelptoincreasingrestoreperformance.

Virtualproxy:TheVirtualAppliance(hot-add)modeisagoodanfastbackupmode.AvoidtobackingupVMsonNFSdatastoresusinghot-add.UseDirectStorageAccessorNBDbackupmodesinstead.

NBDover10GbEVMKernelInterfaceslinkwillprovideaverystableandgoodperformingsolution.

NBDover1GbEVMKernelInterfacescanbeusedforfailoverandforsituationswhereyoudonothavetotransportmuchdata.

WhenusingNBD,checktheNetworkModechapterfortuningtips.

LargeInadditiontotheaboveconsiderationsforSmallandMedium,pleaseseethefollowingguidelines:

WhenDirectStorageAccess,orBackupfromStorageSnapshotsareunavailable,andwhenvirtualproxyserversaredisallowed,NetworkMode(NBD)istheonlychoice.Insuchcases,10GbEinterfacesareamust.

Forvirtualonlydeployments(virtualproxiesonly)inenvironmentswithmanyisolatedclusters,usingnetworkmode(NBD)maybeideal.Ashot-addrequiresatleastoneproxywithineachcluster,itmayrequiremanymoreproxyserverscomparedtousingnetworkmode.

Acombinationofhot-addmodeforlargeclustersandNBDmodeforsmallerclustersmaybeideal.

EnterpriseInadditiontotheaboveconsiderationsforLarge,pleaseseethefollowingguidelines:


88

Inlargeenterprisescaleenvironments,thedeploymentofVeeamcomponents,configurationandjobcreationistypicallyautomatedusingtheVeeamPowerShellSDK.

Tobalancethemanagementload,itisrecommendedtousemultipleVeeambackupserversforatleastevery5,000VMsandfederatethemforcentralreportingandadministrationbyusingeitherVeeamEnterpriseManager,VeeamManagedBackupPortal,VeeamManagementPackforMicrosoftSystemCenterOperationsManagerorVeeamONE.

Whenrunningacentralbackupserverandwithmultiplebranchesconnectedtoit,adedicatedbackupserverisrecommendedforatleastevery200branches.ConsiderusingVeeamEnterpriseManagerforfederation.

.IncasestorageintegrationisusedwithBackupfromStorageSnapshots(BfSS),theoverheadofmappingblocksfromVMwareCBTandthestoragesnapshotcanincreaseprocessingtimeandleadtolongerbackupwindows.Tomitigate,considerthemajorityiftheVMscanbebackedupwithoneoftheothertransportmodesanduseBfSSonlyforthelargestVMsorhighchangerates(typically10%ofVMs).VeeamONEChangeRateEstimationreportcanhelptoidentifysuchVMs.↩

1


89

SizingaBackupProxyGettingtherightamountofprocessingpowerisessentialtoachievingtheRTPOdefinedbythebusiness.Inthissection,wewilloutlinetherecommendationstofollowforappropriatesizing.

ProcessingResourcesAsdescribedabove,youmaydefinethemaxconcurrenttasksvalueinthebackupproxysettings.Itisbestpracticestoplanfor1physicalcoreor1vCPUand2GBofRAMforeachofthetasks.Ataskprocesses1VMdiskatatimeandCPU/RAMresourcesareusedforinlinedatadeduplication,compression,encryptionandotherfeaturesthatarerunningontheproxyitself.

IntheUserGuideitisstatedthatproxyserversrequire2GBRAM+500MBpertask.Pleaseconsiderthesevaluesasminimumrequirements.UsingtheabovementionedrecommendationsallowforgrowthandadditionalinlineprocessingfeaturesorotherspecialjobsettingsthatincreaseRAMconsumption.

IftheproxyisusedforotherroleslikeGatewayServerforSMBshares,EMCDataDomainDDBoost,HPEStoreOnceCatalystorifyourunthebackuprepositoryontheserver,rememberstackingsystemrequirementsforallthedifferentcomponents.Pleaseseerelatedchaptersforeachcomponentsforfurtherdetails.

Tip:Doublingtheproxyservertaskcountwill-ingeneral-reducethebackupwindowby2x.

CalculatingrequiredproxytasksDependingontheinfrastructureandsourcestorageperformance,thesenumbersmayturnoutbeingtooconservative.WerecommendtoperformingaPOCtoexaminethespecificnumbersfortheenvironment.

D = SourcedatainMB

W = Backupwindowinseconds

T = Throughput =

CR = Changerate

WD

SizingaBackupProxy

90

CF = Coresrequiredforfullbackup =

CI = Coresrequiredforincrementalbackup =

Example

Oursampleinfrastructurehasthefollowingcharacteristics:

1,000VMs100TBofconsumedstorage8hoursbackupwindow10%changerate

Byinsertingthesenumbersintotheequationsabove,wegetthefollowingresults.

D = 100TB ⋅ 1024 ⋅ 1024 = 104 857 600MB

W = 8hours ⋅ 3600seconds = 28 800seconds

T = = 3641MB/s

WeusetheaveragethroughputtopredicthowmanycoresarerequiredtomeetthedefinedSLA.

CF = ≈ 36cores

Theequationismodifiedtoaccountfordecreasedperformanceforincrementalbackupsinthefollowingresult:

CI = ≈ 14cores

Asseenabove,incrementalbackupstypicallyhavelowercomputerequirements,ontheproxyservers.

Consideringeachtaskconsumesupto2GBRAM,wegetthefollowingresult:

36coresand72GBRAM

Foraphysicalserver,itisrecommendedtoinstalldualCPUswith10coreseach.2physicalserversarerequired.Forvirtualproxyservers,itisrecommendedtoconfiguremultipleproxieswithmaximum8vCPUstoavoidco-stopschedulingissues.5virtualproxyserversarerequired.

Ifweinsteadsizeonlyforincrementalbackupsratherthanfullbackups,wecanpredictalternativefullbackupwindowwithlesscompute:

100T

25T ⋅CR

28800104857600

100T

25T ⋅CR

SizingaBackupProxy

91

WS =

W = ≈ 21hours

Ifthebusinesscanacceptthisincreasedbackupwindowforperiodicalfullbackups,itispossibletolowerthecomputerequirementbymorethan2xandgetthefollowingresult:

14coresand28GBRAM

Foraphysicalserver,itisrecommendedtoinstalldualCPUswith10coreseach.1physicalserverisrequired.Forvirtualproxyservers,itisrecommendedtoconfiguremultipleproxieswithmaximum8vCPUstoavoidco-stopschedulingissues.2virtualproxyserversarerequired.

Ifyouneedtoachievea2xsmallerbackupwindow(4hours),thenyoumaydoubletheresources-2xtheamountofcomputepower(splitacrossmultipleservers).

Thesameruleappliesifthechangerateis2xhigher(20%changerate).Toprocessa2xincreaseinamountofchangeddata,itisalsorequiredtodoubletheproxyresources.

Note:Performancelargelydependsontheunderlyingstorageandnetworkinfrastructure.

Requiredprocessingresourcesmayseemtoohighifcomparedwithtraditionalagent-basedsolutions.However,considerthatinsteadofusingallVMsasprocessingpowerforallbackupoperations(includingdatatransport,sourcededuplicationandcompression),VeeamBackup&Replicationusesitsproxyandrepositoryresourcestooffloadthevirtualinfrastructure.Overall,requiredCPUandRAMresourcesutilizedbybackupandreplicationjobsaretypicallybelow5%(andinmanycasesbelow3%)ofallvirtualizationresources.

HowmanyVMsperjob?Forperjobbackupfiles:30VMsperjobForperVMbackupfiles:300VMsperjob

Considerthatsometaskswithinajobarestillsequentialprocesses.Forexample,amergeprocessthatwritetheoldestincrementalfileintothefullfileisstartedafterthelastVMfinishesbackupprocessing.IfyousplittheVMsintomultiplejobsthesebackgroundprocessesareparallelizedandoverallbackupwindowcanbelower.BeaswellcarefulwithbigjobswhenyouuseStorageSnapshotsatBackupfromStorageSnapshots.GuestprocessingandSchedulingofjobsthatcontainmultiplesnapshotscanleadintodifficultschedulingsituationandJobsthatspendtimewaitingfor(free)resources.AgoodsizeforjobsthatwritetoperVMchainenabledrepositoriesis50-200VMsperJob.

14⋅100104857600

3600WS

SizingaBackupProxy

92

Also,rememberthatthenumberofrunningbackupjobsshouldnotexceed100jobsconcurrentlyrunning(notoverall).Veeamcanhandlemore,buta“sweetspot”fordatabaseload,loadbalancingandoverallprocessingisabout80-100concurrentlyrunningjobs.

HowManyTasksperProxy?Typically,inavirtualenvironment,proxyserversuse4,6or8vCPUs,whileinphysicalenvironmentsyoucanuseaserverwithasinglequadcoreCPUforsmallsites,whilemorepowerfulsystems(dual10-16coreCPU)aretypicallydeployedatthemaindatacenterwiththeDirectSANAccessmodeprocessing.

Note:Parallelprocessingmayalsobelimitedbymaxconcurrenttasksattherepositorylevel.

So,inavirtual-onlyenvironmentyouwillhaveslightlymoreproxieswithlessproxytaskslotcount,whileinphysicalinfrastructurewithgoodstorageconnectionyouwillhaveaveryhighparallelproxytaskcountperproxy.

The“sweetspot”inaphysicalenvironmentisabout20processingtasks2x10CoreCPUwith48GBRAMand2x16GbpsFCcardsforread+1-210GbENetworkcards.

Dependingontheprimarystoragesystemandbackuptargetstoragesystem,anyofthefollowingmethodscanberecommendedtoreachthebestbackupperformance:

Runningfewerproxytaskswithahigherthroughputpercurrentproxytask

Runninghigherproxytaskcountwithlessthroughputpertask

Asperformancedependsonmultiplefactorslikestorageload,connection,firmwarelevel,raidconfiguration,accessmethodsandothers,itisrecommendedtodoaProofofConcepttodefineoptimalconfigurationandthebestpossibleprocessingmode.

ConsiderationsandLimitationsRememberthatseveralfactorscannegativelyaffectbackupresourceconsumptionandspeed:

Compressionlevel:ItisnotrecommendedtosetituptoHigh(asitneeds2CPUCoresperproxytask)ortoExtreme(whichneedsmuchCPUpowerbutprovidesonly2-10%additionalspacesaving).HoweverifyouhavealotoffreeCPUressourcesatthebackuptimewindow,youcanconsidertouseHighcompressionmode.

SizingaBackupProxy

93

BlockSize:thesmallertheblockssizeis,themoreRAMisneededfordeduplication.Forexample,youwillseeaRAMincreasewhenusingLANmodeifcomparedtoLocaltarget,andevengreater(2-4times)whenusingWAN.Bestpracticeformostenvironmentsistousedefaultjobsettings(LocalforbackupjobsandLANforreplicationjobs)whereanotherisnotmentionedinthedocumentationorthisguideforspecificcases.

Antivirus-seethecorrespondingsectionofthisdocument.

3rdpartyapplications–itisnotrecommendedtouseanapplicationserverasabackupproxy.

SizingaBackupProxy

94

BackupRepositoryBeforeyoustartplanningfortherepository,gothroughVeeamBackup&Replicationonlinedocumentationathttps://www.veeam.com/documentation-guides-datasheets.htmltogetbasicunderstandingofrepositories.

AbackuprepositoryisastoragelocationusedbyVeeamBackup&Replicationjobstostorebackupfiles,copiesofVMsandmetadataforreplicatedVMs.Technically,abackuprepositoryisaserverthatrunstheVeeamTransportServiceandprovidesadestinationfolderonthebackupstorage.Eachjobcanuseonlyonerepositoryasitsdestinationstorage,butonerepositorycanbeusedbymultiplejobs.

Youcanbalancetheloadacrossthebackupinfrastructurebysettingupseveralrepositoriesintheenvironmentandlimitingthenumberofconcurrentjobsforeachrepository,orifyouhaveaproperlicenseyoucanleverageScale-outBackupRepositoryasexplainedlateroninthissection.

The3-2-1ruleThe3-2-1rulestatesthatanenvironment,inordertobeproperlyprotected,hastohave3copiesofdata,storedon2differentmedia,withatleast1copyinadifferentlocation.Eachofthepartsoftheruleinvolvestheuseofastoragedevice,that'swhyaBackupRepositoryissuchakeycomponentineachVeeamdeployment.

The3-2-1rulehoweverisadataprotectionstrategy,whereasavailabilityrequiresthedifferentstorageimplementedinthisstrategytosupportadditionalcapabilitieslike:

InstantVMrecoveryFiletransformsDistantcopiesItemrestorationSureBackup

Thisisthereasonwhyv9.0introducedtwomajornewfeaturesforVeeambackuprepositories:Scale-outBackupRepositoryandPer-VMBackupchains.

BackupRepository

95


RepositoryTypeBeingstorage-agnostic,VeeamBackup&Replicationsupportsawiderangeofrepositorytypes,eachofferingitsownsetofspecificcapabilities.Sowhendecidingonrepositorystorage,youmightconsiderthefollowing:

CapacityWriteperformanceReadperformanceDatadensitySecurityBackupfileutilization

Asabasicguideline,arepositoryshouldbehighlyresilient,sinceitishostingcustomersdata.Italsoneedstobescalable,allowingthebackuptogrowasneeded.

Organizationpoliciesmayrequiredifferentstoragetypesforbackupswithdifferentretention.Insuchscenarios,youmayconfiguretwobackuprepositories:

Ahigh-performancerepositoryhostingseveralrecentretentionpointsforinstantrestoresandotherquickoperationsArepositorywithmorecapacity,butusingacheaperandslowerstorage,storinglong-termretentionpoints

Youcanconsumebothlayersbysettingupabackupcopyjobfromthefirsttothesecondrepository,orleverageScale-outBackupRepository,iflicensed.

Server-BasedRepository:DASorSAN?

Direct-AttachedStorage

Thisisacheap,easy-to-usesolutionthatcanbeveryefficientintermsofperformance;however,ifnotusedaspartofaScale-outBackupRepository,itislessmanageableduetonon-transportablevolumes,capacitygrowth,andsoon.

SinceaDASstoragecanbefullydedicatedtobackupoperations,thistypeofrepositoryisconsideredtoofferagoodbalancebetween“performance”and“cost”factors.AstrongbenefitofaDASrepositoryisthatitsupportsthefeaturesofferedbyVeeamBackup&Replicationinaveryflexibleway.Inparticular,itprovidesgoodreadandwriteperformance,sufficientforVeeamvPower-basedfeatures(suchasInstantVM

RepositoryTypes

96

Recovery,SureBackup,andothers).AsittypicallyprovidesgoodrandomI/Operformance,itwillbetheoptimalsolutionwhenusingI/Ointensivebackupmodessuchasreverseincrementalorforeverforwardincremental(alsousedinbackupcopyjob).

However,considerthatthoughDASisavaluableoptioninmanycases,itsscalabilitymaynotmeetanorganization’srequirements.

Tip:Toachieveoptimalperformance,itisoftenrequiredtoinstallabatterymoduletotheserver’scontrollercardinordertoenablewrite-backmodefortheinternalcache.ADASisashelfwithdisks,andalltheintelligenceofthesolutionisdelegatedtothecontrollerinstalledintheconnectedserver.

Pros Cons

Cost Manageability

Performance Singlepointoffailure

Simplicity Monolithic

SANStorage

ThisisamoreadvancedandmanageablesolutionthatoffersthesameadvantagesasDAS,andaddsmoreadvantageslikehigheravailabilityandresiliency.

Thevolumesizeandquantityareeasilyadjustableovertime,thusofferingatrulyscalablecapacity.

Tip:YoucanconfiguremultiplebackuprepositoriesontheSANstoragetoincreaserepositorythroughputtothestoragesystem.

Pros Cons

Reliability Complexity

Performance Cost

Technicalcapabilities

WindowsorLinux?ThemaindifferencebetweenWindowsandLinuxinregardstoVeeamrepositoriesisthewaytheyhandleNASshares–thiscanbesummarizedasachoicebetweenNFSandSMB.Generally,aLinux-basedrepositorycanhandleahigherthroughputthanaWindows-basedrepositorywithsameCPU/RAM/Diskresources.However,ifyoudeployVeeaminasmall-

RepositoryTypes

97

sizedinfrastructure,youmaywanttokeeptheconfiguration"all-in-one"onasingleWindowsserver,sodeployingaLinuxserverasarepositorycouldaddextracomplexitytothesolution.Otherpossibleconcernsrelatetocostandadministrativeburden.

PhysicalorVirtual?Youcanuseavirtualmachineasarepositoryserver,however,keepinmindthatthestorageandassociatedtransportmediawillbeheavilyoccupied.

IfyouareusingaSANstorage,itcanbeaccessedthroughsoftwareiSCSIinitiators,ordirectly(asaVMDKorRDMmountedtotheRepositoryVM).

Bestpracticeistoavoidusingthesamestoragetechnologythatisusedforthevirtualizedinfrastructure,asthelossofthissinglesystemwouldleadtothelossofbothcopiesofthedata,theproductiononesandtheirbackups.

Ingeneralwerecommendwheneverpossibletousephysicalmachinesasrepositories,inordertomaximizeperformanceandhaveaclearseparationbetweentheproductionenvironmentthatneedstobeprotectedandthebackupstorage.

RepositoryTypes

98

SMBRepositoryWhileanSMBrepositoryisoftenconsideredtoprovidelessperformancethandirectattachedstorage,itstillcanprovideverygoodresultsasarepositoryduetoleveragingVeeam’sload-balancingtechnologyforwriteoperations,asexplainedinthenextsections.

GatewayServerWhenyousetupanSMBshareasarepository,thefollowingoptionsareavailable:

AutomaticselectionoftheserverastheSMBgatewayproxy(thatis,theserverthatwillhostthetarget-sidetransportcomponentandthusperformtheroleof“datawriter”towardstheSMBshareitself).Specifyaspecificserver(amongtheavailablemanagedWindowsserversinVeeamBackup&Replication)asaSMBgatewayproxy.

ThesecondoptionisveryhelpfulinsituationswheretheSMBshareislocatedonaremotelocation,sinceitavoidsthattheautomaticselectionusesaserverthatisnotlocaltotheSMBshare,thushavingallsyntheticoperationsorbackupcopyjobsoccurringovertheWANlink(whichisusuallyslowerthanthelocallink).ItisalwaysrecommendedtouseanSMBgatewayserverascloseaspossibletotheSMBstorage.ByspecifyingtheSMBgatewayyouhaveabetterchanceofkeepingthedataflowundercontrolandavoiddatacrossingtheWANlinksunnecessarily.

AssinglestreamperformanceforSMBrepositoriesmaybesuboptimal,youcanpotentiallyincreaseperformanceofyourSMBstoragebyconfiguringseveralrepositoriespointingtothesamefolderusingdifferentgatewayservers.Withmultipleproxies,theautomaticSMBgatewaymaybeagoodoptionandcanbeconfiguredbyselectingAutomaticfromthedrop-downlist.

Tip:GatewayserversmustbeproperlysizedasregularWindowsrepositories.IfyouareusingAutomaticmode,rememberthatthesamemachinecouldbeelectedbackupproxyandgatewayserversimultaneously.Applysizingitaccordingly.

AnotheroptionforincreasingthenumberofstreamsisusingperVMbackupfiles.Pleaseseethecorrespondingsectionofthisguideformoreinformation>PerVMbackupfiles

LoadBalancing(withAutomaticSelection)

SMB

99

Evenwhenmultipleproxiesareusedtoprocessagivenbackupjob,onlyone*Windowsserver(called“gatewayserver")perbackupchainwillbeusedtowritedatatotheSMBshare.InAutomaticmodethefirstselectedproxyintherunningjobwillbecomethegatewayserver.Ifper-vmbackupfilesareenabled,thisappliestoeachper-vmchain,thusmultiplegatewayserversmaybestartedconcurrently.

Herearesomerecommendationsformanagingbackupproxiesusedasgatewayservers:

Thenetworkingbetweenthemultipleproxiesshouldbesizedcorrectlytoallowdatatoflowfromeachproxytothegatewayserver.Asthefirstbackupproxyofajobisusedasthegatewayserver,itmayhappenthatallthegatewayserverinstancesofdifferentjobs(orper-vmbackupfilechains)arestartedonthesameproxy.ThisrequirespropersizingofCPUandRAM;ensureresourcemonitoringisinplace.

Note:ConsiderthatincreasingthenumberofjobsalsoincreasesthenumberofthreadstotheNASstorage.

ScalingoutusingthisapproachwillallowforprocessinglargeramountsofdataandoptimizethethroughputoftheSMBshares.BestpracticeforlargescaleenvironmentsistouseatleastamidrangeorenterpriseNASstoragesystemthatprovidesgoodI/Operformance.LowendNASdevicesoftenhavenonofficialimplementationsoftheSMBprotocolthatmayimproveperformancetestresults,butmayalsocorruptbackupfiles.ForthesedevicesitisdiscouragedtouseSMB.

SMB

100

SMB

101


OverviewDeduplicationappliedtostorageisatechniqueaimedatreducingthestoragespaceconsumption.

Deduplicatedstoragesystemsareoftenoptimizedforwriteoperationsandcanofferratherhighingestrates.However,anyrandomreadI/Omaysufferfromre-hydrationprocessesrequiredduringrestores.Forthisreasonwerecommendtousethesedevicesmainlyassecondarytargets,whereparameterslikepriceperGBaremoreimportantthanrestoreperformance.

UsingaDeduplicationApplianceAsastorage-agnosticproduct,VeeamBackup&Replicationcanuseanydeduplicationapplianceasarepositoryindifferentusecases:primarybackuprepository,backupcopyrepository,andVirtualTapeLibrary(VTL)container.

DeduplicationApplianceasaPrimaryBackupRepositoryUnlessyouareusingDDBoostprotocolonEMCDataDomainstorageorCatalystonHPEStoreOnce,youshouldconfigureprimaryjobsforforwardincrementalwithactivefullbackups-sincejobswithtransformationwillrequireblock"de-hydration"andthen"re-hydration"onthestorage.SuchoperationsrequiresignificanttimeandI/O.

Note:"Re-hydration"istheactofrestoringtheoriginalblocksinanon-deduplicatedform.Duringbackupfilestransformationthesameblocksarereadandthenwrittenbacktotheappliancewheretheyarede-hydrated(deduplicated)again.Thistwo-stepprocesscangeneratesignificantloadontheappliance,slowingdownoperations.

Also,considerthatInstantVMRecoverymightnotbeasfastasexpected–unlessthededuplicationapplianceoffersafastnondeduplicatedareaforthemostrecentrestorepoints(suchasExaGrid).


102

Thedownsideofactivefullsistheneedtotransporttheentireamountofvirtualmachinesonaweekly/monthlybasis.Thiscanleadtolongsnapshotcommit,sothismodeneedstobeplannedcarefully.Itisrecommendedtolimittheuseforprimarybackupjobstotheintegrateddeduplicationappliances,wheresyntheticoperationscanbeused.

UsingDeduplicationApplianceasaBackupCopyRepositoryBydefaultabackupcopyjobappliestransformationstothebackupchain.Thiscouldleadtothe"de-hydration"/"re-hydration"overheadattheendofthebackupcopyjobcycle,duetosyntheticfullortransformation).Whenusingnonintegratedappliances,usetheoptionofActiveFullsforBackupCopyjobs.

Ifoneoftheintegratedapplianceisused,syntheticoperationswillbeperformedontheapplianceitself,sotheywillrequireminimaladditionaltimeandlowerI/O.

UsingDeduplicationApplianceasaVirtualTapeLibraryIfadeduplicationapplianceisusedinVirtualTapeLibrary(VTL)mode,itisrequiredtostorethebackupfilesinastagingarea,whichisuncompressed.Sendingcompressedand/ordeduplicatedbackupfilestoaVTLwillcompromisetheefficiencyofthededuplicationappliance.

Therepositoryusedforstagingshouldbeconfiguredwith"Decompressbeforestoring"advancedoptionenabled,whichensurespreviouslyappliedcompressionatthejoblevelisignored.

Also,ensurethattheappliancemeetsVeeamtaperequirementsdescribedintheUserGuide.

File-LevelRecoveryandVeeamExplorersBydesign,VeeamExplorersperformalargeamountofrandomreadoperationsonthebackuprepository.Tooptimizeforsuchoperationsondeduplicationdevices,followingthejobandrepositoryconfigurationbestpractices(seebelow)isparamount.Iftherecommendationsarenotfullyimplemented,thismayleadtosignificantwaitingtimewhenlaunchingfile-levelrecoveryorVeeamExplorers.


103

https://helpcenter.veeam.com/docs/backup/vsphere/system_requirements.html?ver=95#tape

Tofurtherreducerestoretime,itisrecommendedtoenablefile-levelindexingforbackupjobslocatedondeduplicationrepositories.IndexingVMswillremovethewaitingtimeformountingarestorepointwhenbrowsingcontentsviaEnterpriseManager.

BestPracticesInthissection,wewilldistinguishbetweenintegratedandnon-integrateddeduplicationappliances.Integrationisavailablefor:

Integratedappliancesare:

HPEStoreOnce-viaCatalystAPIEMCDataDomain-viaDDBoostAPIExaGrid-viaintegratedVeeamdatamover

Limitations:

LimitationsforEMCDataDomainLimitationsforHPEStoreOnce

IfthementionedintegrationAPIisunavailableduetolicensingrestrictions,orifanyotherdeduplicationapplianceisused,theapplianceshouldbeconsiderednon-integrated.

Inordertooptimizethroughputfordeduplicationappliances,pleaseusethefollowingconfigurationguidelines:

Jobconfiguration

Thefollowingsettingsareconfiguredinthebackupjob"Edit"wizardunderStorage>Advanced.Optionsnotdefinedinthistableareoptionalandnotrelatedtobackuprepositoriesusingdeduplicationstorage.


104

https://helpcenter.veeam.com/docs/backup/vsphere/emc_dd.html?ver=95

https://helpcenter.veeam.com/docs/backup/vsphere/deduplicating_appliance_storeonce.html?ver=95

Configurationtab Setting Value

Backup Backupmode Incremental

Backup Createsyntheticfullbackupsperiodically Enabled-ifintegrated

Backup Transformpreviousbackupchainsintorollbacks Disabled

Backup Createactivefullbackupsperiodically Enabled-ifnon-integrated

Maintenance Performbackupfilehealthcheck Disabled

Maintenance Defragmentandcompactfullbackupfile Disabled

Storage Enableinlinedatadeduplication Disabled

Storage Excludeswapfileblocks Enabled

Storage Excludedeletedfileblocks Enabled

Storage Compressionlevel Optimal

Storage Storageoptimization Localtarget(16TB+backupfiles)

Storage Enablebackupfileencryption Disabled

HardwareassistedencryptionisavailableforEMCDataDomainviaDDBoost,butmustbeconfiguredintheintegrationspecificrepositoryconfiguration.Ifenabledonthejobleveldatareductionefficiencywillbesignificantlydegraded.

Repositoryconfiguration

Thefollowingsettingsareconfiguredinthe"EditRepository"wizardunderRepository>Advanced.

Setting Value

Alignbackupfiledatablocks Enabled-onlyifrepositoryusesfixedblocksizededuplication(almostnevertrue)

Decompressbackupdatablocksbeforestoring Enabled

Thisrepositoryisbackedbyrotatedharddrives Disabled

Useper-VMbackupfiles Enabled


105


106

Deduplicationintegrationspecifics

EMCDataDomainSelectingDataDomainasarepositorywillautomaticallyrecommendjobandrepositorysettingsaccordingtobestpractices.Formoreinformation,refertovendorguidelines.

DDBoostallowsforthefollowingcapabilities:

SourcesidededuplicationbetweentheVeeamgatewayserverandDataDomainappliance.ThiswillreducetheamountofdatasentoverthenetworktotheapplianceBetterLANparallelization,sinceDDBoostmanagesitsownnetworkloadbalancingalgorithmswhichareconsideredmoreefficientthanstandardnetworklinksaggregationSeamlessVeeamfilestransformationslikesyntheticfullorforeverforwardincrementalDDBoostcanbeusedthroughFibreChannelSAN,providingatotallyLAN-freebackupsolution

Formoredetails,refertotheDDBoostconfigurationguidebyRickVanover:ConfiguringEMCDataDomainBoostwithVeeamAvailabilitySuite(stillapplicableforversion9).

ChainLengthLimitation

ConsiderthatDataDomaincansupportonlyupto60incrementalrestorepointsforasinglefullbackup.Fordetails,refertotheVeeamBackup&ReplicationUserGuide:LimitationsforEMCDataDomain

ExaGridExaGridappliancesrunanintegratedVeeamdatamoversimilartoaLinuxbasedbackuprepository.WithExaGrid,thereisnorequirementforaWindowsbasedgatewayserver.

SeeUsingVeeamBackupandReplicationSoftwarewithanExaGridSystemformoreinformation.

ExaGridrecommendsconfiguring1jobperrepository.Thus,ifyouwanttoachieveparallelprocessing,createseveralrepositoriesandsetup1jobperrepository.

Asaruleofthumb,the"landingzone"(whichisthezonethatwillholdmostrecentsetofdatawaitingtobededuplicated)shouldhavesufficientcapacityforanuncompressedfullbackupsothateachbackupcanfullybewrittenthereandprocessed.Thisensures


107

https://www.veeam.com/wp-configuring-emc-data-domain-boost-with-veeam-availability-suite-v8.html

https://helpcenter.veeam.com/docs/backup/vsphere/emc_dd_limitations.html?ver=95

http://go.veeam.com/rs/veeam/images/Best_Practices_and_Deployment_Veeam_and_ExaGrid.pdf

SureBackup,InstantVMRecoveryanditem-levelrestoreswillbeusableforthelatestrestorepointwithoutrehydrationoverhead.

HPEStoreOnceSelectingStoreOnceapplianceasarepositorywillautomaticallyrecommendjobandrepositorysettingsaccordingtobestpractices.Formoreinformation,refertovendorguidelines.

WhenusingHPECatalyst,considerthefollowingrecommendations:

IftheCatalystStoreisconfiguredasHighBandwidthontheappliance,LowBandwidthmodecanbeforcedusingthefollowingregistryvalue(ideally,workaroundtheissuebyconfiguringbothPrimaryandSecondarymodesto"Low"):

Path:HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Veeam\VeeamBackupTransportKey:UseLowBandwithModeType:REG_DWORDValue:1(default:0)

IftheCatalystStoreisconfiguredasLowBandwidth,additionalpayloadverificationisintroduced.Overhighlatencyconnections,disablingtheverificationmayimproveperformance.However,thedefaultsshouldbeleftforlocalconnections.

Seethefollowingregistrykeys:

Path:HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Veeam\VeeamBackupTransportKey:PayloadChecksumsDisabledType:REG_DWORDValue:1(default:0)

and

Path:HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Veeam\VeeamBackupTransportKey:BodyPayloadCompressionDisabledType:REG_DWORDValue:1(default:0)

ChainLengthLimitation

HPEStoreOncehasalimitonthenumberofconcurrentlyopenedfiles,thislimitisimportantwhenrestoringVM's.Themaximumlengthofabackupchain(Fullbackupfileplusallincrementalbackupfiles)dependsonwhichHPEStoreOncemodelisused.Lookupyour


108

HPEStoreOncemodelin:LimitationsforHPEStoreOncetofindthemaximumlimit.


109

https://helpcenter.veeam.com/docs/backup/vsphere/deduplicating_appliance_storeonce.html?ver=95

WindowsServer2012DeduplicationFollowtherecommendationsprovidedintheconfigurationguidelinesabove;hereisthesummary:

1. UseWindows2012R2andapplyallpatches(someroll-upscontainimprovementstodeduplication).

2. Formatthediskusingthecommandline"/L"option(for"largesizefilerecords")and64KBclustersize(useparameters/Q/L/A:64K)

3. Followcompressionanddeduplicationguidelinesfornon-integrateddeduplicationstorageinpreviouschapter.

4. Modifygarbagecollectionscheduletorundailyratherthanweekly.5. UsebackupjobsconfiguredtoperformActivefullwithIncrementals.6. Ifpossible,spreadactivefullbackupsovertheentireweek.7. Trytokeepthe.VBKfilesbelow1TBinsize(thereisnoofficialsupportfromMicrosoft

forfilesbiggerthanthis;seehttps://msdn.microsoft.com/en-us/library/hh769303(v=vs.85).aspx).Largefilestakealongtimetodeduplicateandwillhavetobefullyreprocessediftheprocessisinterrupted.

8. Wherepossible,usemultiplevolumes.Windowsdeduplicationcanprocessmultiplevolumesusingmulti-coreCPU–oneCPUcorepervolume;seehttp://blogs.technet.com/b/filecab/archive/2014/12/04/sizing-volumes-for-data-deduplication-in-windows-server.aspxfordetails.)

9. Configurededuplicationprocesstorunonceaday,andforaslongaspossible.

Moreinformationcanbefoundhere:http://forums.veeam.com/veeam-backup-replication-f2/best-practice-for-ms-server-2012-dedup-repo-t14002-135.html.

WindowsServer2012Deduplication

110

https://msdn.microsoft.com/en-us/library/hh769303(v=vs.85).aspx

http://blogs.technet.com/b/filecab/archive/2014/12/04/sizing-volumes-for-data-deduplication-in-windows-server.aspx

http://forums.veeam.com/veeam-backup-replication-f2/best-practice-for-ms-server-2012-dedup-repo-t14002-135.html

ConfigurationGuidelines

ParallelProcessing

Arepositorycanbeconfiguredtolimittheamountofparalleltasksitcanprocessatatime;withparallelprocessingenabled(bydefault)ataskisoneVMDKhandledbytheproxyduringabackupjob,orbyarepositoryduringabackupcopyjob.Iftherearemanyparalleltasksontheproxysideforonlyfewtasksonthebackuprepository,thiswillleadtheVeeamschedulerservicetowaitforavailableresourcesontherepository.Topreventsuchsituation,youcanfigureoutonwhichsidethebottleneckwillbe(proxyorrepository)andthensettheoverallamountofparalleltasksontheproxiesequaltothetotalamountofparalleltasksontherepositories.

Note:Considertasksforreadoperationsonbackuprepositories(likebackupcopyjobs).

Blockssizes

Duringthebackupprocessdatablocksareprocessedinchunksandstoredinsidebackupfilesinthebackuprepository.YoucancustomizetheblocksizeduringtheJobConfigurationusingtheStorageOptimizationsettingofthebackupjob.

BydefaultblocksizeissettoLocaltarget,whichis1MBbeforecompression.Sincecompressionratioisveryoftenaround2x,withthisblocksizeVeeamwillwritearound512KBorlesstotherepositorypereachblock.

Thisvaluecanbeusedtobetterconfigurestoragearrays;especiallylow-endstoragesystemscangreatlybenefitfromanoptimizedstripesize.

Therearethreelayerswheretheblocksizecanbeconfigured:Veeamblocksizeforthebackupfiles,theFilesystem,andtheStoragevolumes.

Let'suseaquickexample:

RepositoryPlanning

111

TheVeeamblocksizeof512KBisgoingtobewrittenintheunderlyingfilesytem,whichhasablocksizeof64k.Itmeansthatoneblockwillconsume8blocksatthefilesytemlavel,butnoblockwillbewasted,asthetwoarealigned.Ifpossible,settheblocksizeatthefilesytemlayerascloseaspossibletotheexpectedVeeamblocksize.

Then,belowthefilesytemthereisthestoragearray.Evenonsomelow-endstoragesystems,theblocksize(alsocalledstripesize)canbeconfigured.Ifpossible,again,setthestripesizeascloseaspossibletotheexpectedVeeamblocksize.It'simportantthateachlayerisalignedwiththeothers,eitherbyusingthesamevalue(ifpossible)oravaluethatisadivisionofthebiggerone.Thislimitstoaminimumthesocalledwriteoverhead:witha128KBblocksizeatthestoragelayer,aVeeamblockrequires4I/Ooperationstobewritten.Thisisa2ximprovementcomparedforexamplewitha64KBstripesize.

Tip:Ascanbeseenfromthefield,optimalvalueforthestripesizeisoftenbetween256KBand512KB;however.Itishighlyrecommendedtotestthispriortodeploymentwheneverpossible.

Formoreinformation,refertothisblogpost:http://www.virtualtothecore.com/en/veeam-backups-slow-check-stripe-size/

FileSystemFormats

Inadditiontothestoragestripesizealignment,asexplainedinthepreviousparagraph,thefilesystemmayalsobenefitfromusingalargerclustersize(orAllocationUnitSize).Forexample,duringformattingofNTFSvolumes,AllocationUnitSizeissetto4KBbydefault.Tomitigatefragmentationissues,configureto64KBwheneverpossible.

Itisalsorecommendedtouseajournalingfilesystems(thismakesexFATalessreliableoptionthanNTFS).

Using"LargeFile"SwitchforNTFS

RepositoryPlanning

112

http://www.virtualtothecore.com/en/veeam-backups-slow-check-stripe-size/

AfilesizelimitationcanbeoccasionallyreachedonNTFS,especiallyonWindows2012R2withdeduplicationenabled.Thishappensduetoahardlimitreachedonthefilerecordssizebecauseofthehighleveloffilefragmentation.Tomitigatetheissue,werecommendtoformatWindowsNTFSrepositorieswiththe"/L"(largefiles)option.

KeepingFileSizeUnderControl

Trytoavoidbackupchainsgrowingtoomuch.Rememberthatverybigobjectscanbecomehardlymanageable.SinceVeeamallowsabackupchaintobemovedfromonerepositorytoanotherwithnothingmorethanacopy/pasteoperationofthefilesthemselves,itisrecommendedtokeepbackupchainsize(thesumofasinglefullandlinkedIncrementals)under10TBperjob(~16TBofsourcedata).Thiswillallowforasmooth,simpleandeffortlessrepositorystoragemigration.

SyntheticBackupandCaching

Togetthebestoutofasyntheticbackupandenhancetheperformance,itisrecommendedtouseawrite-backcache.Readandwriterequestprocessingwithwrite-backcacheutilizationisshowninthefigurebelow.

RepositoryPlanning

113

RepositorySizingInmid-sizedorenterpriseenvironments,therecommendedamountofCPUforarepositoryis1coreperconcurrentjobthatprocessesdataonarepositoryserver.Atleast2coresallowfortheOperatingSystemtobemoreresponsive.

Itisrecommendedtoconfigure4GBRAMpercore.ThesameamountofresourcesareneededforSMBgatewayservers.Also,considerthatVMrecoveryprocesses(InstantRecovery,FLRandothers)requiresufficientresources(asdescribedhere.

EstimatingRepositoryCapacityWhenestimatingtheamountofrequireddiskspace,youshouldknowthefollowing:

TotalsizeofVMsbeingbackedupFrequencyofbackupsRetentionperiodforbackupsWilljobsuseforwardorreverseincremental

Also,whentestingisnotpossiblebeforehand,youshouldmakeassumptionsoncompressionanddeduplicationratios,changerates,andotherfactors.Thefollowingfiguresaretypicalformostdeployments;however,itisimportanttounderstandthespecificenvironmenttofigureoutpossibleexceptions:

DatareductionthankstoCompressionandDeduplicationisusually2:1ormore;it'scommontosee3:1orbetter,butyoushouldalwaysbeconservativewhenestimatingrequiredspace.Typicaldailychangerateisbetween2and5%inamid-sizeorenterpriseenvironment;thiscangreatlyvaryamongservers;someserversshowmuchhighervalues.Ifpossible,runmonitoringtoolslikeVeeamONEtohaveabetterunderstandingoftherealchangeratevalues.Includeadditionalspaceforone-offfullbackups.Includeadditionalspaceforbackupchaintransformation(forwardforeverincremental,reverseincremental)–atleastthesizeofafullbackupmultipliedby1.25x.

Note:Whenusingdeduplicationappliances,pleasecontactthevendorforsizingguidelines.

Usingthenumbersabove,youcanestimaterequireddiskspaceforanyjob.Besides,alwaysleaveplentyofextraheadroomforfuturegrowth,additionalfullbackups,movingVMs,restoringVMsfromtape.

Sizing

114

https://helpcenter.veeam.com/docs/backup/vsphere/system_requirements.html?ver=95#repo

Arepositorysizingtoolthatcanbeusedforestimationisavailableathttp://vee.am/rps.NotethatthistoolisnotofficiallysupportedbyVeeam,anditshouldbeused"asis",butit'snonethelessheavilyusedbyVeeamArchitectsandregularlyupdated.

Tip:WithVeeamAvailabilitySuite,youcanuseVeeamONEtogetherwithVeeamBackup&Replication.Amongthemanyreports,VeeamONEhastheVMChangeRateEstimationreportfromthe“InfrastructureAssessment”reportpack;thiscanbeusedasanindicativepre-deploymentassessmentofthepotentialamountofspacethatshouldbeavailableonthebackuprepositories.ThisreportisbuiltmeasuringthenumberofVMvirtualdiskwriteoperationssuppliedbyVMwarevSpherewhileadditionalcompressionanddeduplication(usually2to3times)ratioshouldbeassumed.

Itisalsorecommendedtoperiodicallyrunthe“CapacityPlanningforBackupRepositories”reportfromthe“VeeamBackup&ReplicationReports”packtoanalyzetheamountoffreespaceonbackuprepositoriesandestimatetheprojectedgrowthandconsequentspaceconsumption.Thereportprovidesrecommendationsforadjustingtheallocatedstorageresourcesinordertomeetthefuturedemandforbackupstorage.Furthermore,itcalculatestheamountofadditionalspacethatneedstobeprovisionedtoaccommodatethenecessaryrestorepoints.

FormoreinformationonVeeamAvailabilitySuite,pleaserefertoitsReviewer'sGuideathttps://www.veeam.com/documentation-guides-datasheets.html

Examples

Theexamplesbelowexplaintheimpactofbackupmethodandretentionpolicyontheestimatedrepositorysize,assumingtheenvironmentisthesameinallthreecases.

Environment:10VMs,100GBeach,80GBavg/used

2:1EstimatedCompression/Deduplication,5%dailychange

Example1

Backup:ReverseIncremental,DailyBackup,30DayRetention

EstimatedFullBackupSize:10*80GB(Usedspace)*50%(2:1Compression)=400GBEstimatedReverseIncrementalSize:10*80GB*50%(2:1Comp)*5%(ChangeRate)*29(reverseincrementalrestorepoints)=580GBSpare:500GBEstimatedtotalBackupSize:400GB+580GB+500=1480GB

Example2

Sizing

115

http://vee.am/rps

https://helpcenter.veeam.com/docs/one/reporter/vm_change_rate_history.html?ver=95


Backup:ForwardIncremental,DailyBackup,30DayRetention,WeeklyFull

EstimatedFullBackupSize:10*80GB(Usedspace)*50%(2:1Compression)=400GBEstimatedspacefor6WeeklyFulls(Maxrequiredfor30DayRetention):400GB*6=2400GBEstimatedForwardIncrementalSizeMax:10*80GB*50%*5%*32=640GBEstimatedtotalBackupSize:2400GB+640GB=3,040GB(~3TB)

Example3

Backup:ForwardIncremental,DailyBackup,30DayRetention,MonthlyFull

EstimatedFullBackupSize:10*80GB(Usedspace)*50%(2:1Compression)=400GBEstimatedspacefor3MonthlyFulls(Maxreqfor30DayRetention):400GB*3=1200GBEstimatedForwardIncrementalSizeMax:10*80GB*50%*5%*60=1200GBEstimatedtotalBackupSize:1200GB+1200GB=2,400GB(~2.4TB)

Tosummarize,whenestimatingthesizeoftherepositories,usethefollowingbestpractices:

Beconservativewhenestimatingcompressionanddeduplicationratiosifactualratiosanddiskcontentareunknown.UsehigherestimatesforchangerateifasignificantnumberofserversaretransactionalsuchasMicrosoftSQLandMicrosoftExchange.Includeenoughfreespacetotakeatleastoneandaquarterextrafullbackupforeachtransformationjob.

Sizing

116

PerVMbackupfilesItispossibletowriteonebackupfilechainpereachVMonarepository,comparedtotheregularchainholdingdataforalltheVMsofagivenjob.Thisoptiongreatlyeasesjobmanagement,allowingtocreatejobscontainingmuchmoreVMsthanjobswithsinglechains,andalsoenhancesperformancethankstomoresimultaneouswritestreamstowardsarepository,evenwhenrunningasinglejob.

Inadditiontooptimizingwriteperformancewithadditionalstreamstomultiplefiles,thereareotherpositivesideeffectsaswell.Whenusingtheforwardincrementalforeverbackupmode,youmayexperienceimprovedmergeperformance.Whenbackupfilecompactingisenabled,perVMbackupfilesrequirelessfreespace:insteadofrequiringsufficientspacetotemporarilyaccommodateanadditionalentirefullbackupfile,onlyfreespaceequivalenttothelargestbackupfileinthejobisrequired.Parallelprocessingtotapewillalsohaveincreasedperformance,asmultiplefilescanbewrittentoseparatetapedevicessimultaneously.

PerVMbackupfilesisanadvancedoptionavailableforbackuprepositories,anditisdisabledbydefaultfornewbackuprepositories.Ifenabledonanexistingrepository,anactivefullbackupisrequiredaftertheoptionhasbeenenabled.

NOTE:InScale-OutBackupRepositories,Per-VMbackupfilesoptionisENABLEDbydefault

PerVMBackupFiles

117

MaximumnumberofVMsperjobWithperVMbackupfilestherecommendationfornumberofVMsperjobcanbeincreasedsignificantly.EveniftechnicallyjobscontainingfivethousandsVMshavebeensuccessfullytestedinalab,feedbackfromthefieldshowsasweetspotataround300VMsperbackupjob,moreformanagementreasonsandunexpectedsideeffectsthanpureperformancematters.

Whendesigningyourjobs,keepinmindthatseveraloperationssuchassyntheticoperations,healthchecksandBackupCopyJobswillbependinguntilallVMsinthejobhavecompletedsuccessfully.Forthosereasons,extremelylargejobsmaybeimpractical.

PerformanceToavoidcounterproductiveeffects,attentionshouldbepaidonnothavingtoomanywritethreadstowardsastorageusedasarepository.Forexample,alowrangeNASstoragewillprobablynotreactverywelltoahighamountofparallelprocessescreatedbyperVMbackupfiles.Tolimitthiseffects,refertoRepositoryconfigurationoptions,especiallytheConcurrenttaskslimit.

DeduplicationUsingPerVMbackupfilewillnegativelyimpactrepositoryspaceusagesinceVeeamdeduplicationisfilebased.IfbackupjobshavebeencreatedwhilegroupingsimilargueststooptimizededuplicationandifActiveFullisused,perVMBackupchainmightrequireadditionalrepositoryspace.

PerVMBackupFiles

118

ScaleOutBackupRepositoryVeeamScale-outBackupRepositoryisalogicalentitymadeofmultiple“simple”repositories,groupedtogetherintoasingleabstractedobject,thatcanbeusedasatargetforanybackupandbackupcopyjoboperation.

Scale-outBackupRepositoryisanextremelyeasywayforbothmediumandlargecustomerstoextendrepositorieswhentheyrunoutofspace.Insteadoffacingthelongandcumbersomerelocationofbackupchains,userswillbeabletoaddanewextent(thatisanyofthe“simple”backuprepositoriessupportedbyVeeamBackup&Replication)totheexistingScale-outRepository—orgroupmultiplerepositoriestocreateanewone.

Theonlyrequirementistheownershipofaproperlicense,andthatatleasttwosimplerepositorieshavebeenaddedtoVeeamBackup&Replicationalready.Asperdefaultsettings,itisrecommendedtoenable"perVMbackupfiles"ontheScale-outBackupRepositoryforoptimalbalancingofdiskusage.

NOTE:thedefaultbackuprepositorycreatedduringtheinstallationcannotbeusedinaScale-outBackupRepositoryaslongasit’sthetargetofConfigurationBackup,asthistypeofjobisnotsupportedbyScale-outBackupRepository.IfthedefaultrepositoryneedstobeaddedtoaScale-outBackupRepository,considerfirsttochangethetargetofConfigurationBackup.

Foradditionaltechnicalinformation,theonlinedocumentationisavailablehere:HelpcenterSoBR.

FileplacementpoliciesScale-outBackupRepositoryhastwodifferentoptionsforfileplacement.

DataLocality

Thisisthedefaultpolicy,anditworksbyplacingallthedependentfilesofabackupchainintothesameextent.Everyextentgroupedwiththispolicyhasthesamechancesofreceivingabackupchainasthealgorithmtreatsthemequally,andthemajorparameterfortheinitialplacementisthefreespacevalue.


119

https://helpcenter.veeam.com/docs/backup/vsphere/backup_repository_sobr.html?ver=95

Thefailuredomainisasingleextent,asthelossofagivenextentimpactsonlythebackupchainsstoredintothatextent.PolicycanbeviolatedbyVeeamitselfif,forexample,oneoftheextentshasnofreespaceleft,andtheadditionalincrementalisstoredinadifferentextent.Thisbecausethepriorityisalwaystocompleteabackuporbackupcopy.

Performance

Performancepolicyplacesdependentincrementalbackupfilesonadifferentextentfromthecorrespondingfulls.Inordertochoosewhichextentwillholdthedifferentfileswhenusingtheperformancepolicy,foreachextentusersareabletoassignita“role”.


120

Important:Whenusingintegrateddeduplicationdevices,virtualsyntheticoperationsmaynotwork,ifthefullandincrementalbackupfilesareplacedonseparateextents.PleaseuseDataLocalitymodeinstead.

Userscanconfigureeachrepositoryofthegrouptoacceptfullbackups,incrementalbackupsorboth.AssoonasanewbackupchainisstoredintoaperformanceScale-outBackupRepository,thedifferentfilesareplaceinaccordancetothepolicyitself.

Note:inordertoleveragetheperformancepolicycorrectlyusersneedtouseatleasttwodifferentrepositories.Evenifit’spossibletoassignbothrolestothesamerepository,thisconfigurationmakeslittlesenseandthebestresultscanbeobtainedbysplittingfullbackupfilesandincrementalbackupfilesoverdifferentphysicalextents.

Performancepolicyincreasesthefailuredomain—abackupchainissplitoveratleasttworepositories,thusthelossofoneofthetwocorruptstheentirebackupchain.ThisisaconsiderationthatVeeamarchitectsneedtoevaluatecarefully.Thereisatrade-offbetweentheincreasedperformanceguaranteedbytheperformanceplacementpolicy,andtheincreasedfailuredomain.

Scale-outBackuprepositoryandnetworkconsiderations


121

Scale-outBackupRepositoryis,asthenameimplies,ascaleoutarchitecture,basedonmultipledatamovers,withanotionofmasterandslaverepositorydatamovers.

Duringbackups,themasterdatamoverisalwaysstartedwherethewriteishappening.Duringrestore,themasterisalwaysstartedwheretheVBKislocated,asmostblocksarelikelyretrievedfromthislocation.

Amasterdatamoveristheonlyrepositorydatamoverreceivingdatafromasourcedatamover(aproxyinabackupjoborasourcerepositoryinabackupcopyjob).Amasterdatamoverisabletocommunicateifneededwithotherslavedatamoverstoretrievetheirdata.

Asinanyscale-outsolution,carefuldesignshouldbeappliedtothenetwork,ascommunicationsbetweenthedifferentdatamoversmayincreasenetworkconsumption,regardlessthepolicyinuseorthespecificdesignofthescale-outarchitecture.WhenusingScale-outBackupRepository,10Gbnetworksarealwaysrecommended.


122

WANAccelerationBycombiningmultipletechnologiessuchasnetworkcompression,multi-threading,dynamicTCPwindowsize,variableblocksizededuplicationandglobalcaching,WANaccelerationprovidessufficientcapabilitywhenthenetworkbandwidthislowordramaticallyreducedwhenperformingBackupCopyandReplicationjobs.ThistechnologyisspecificallydesignedtoaccelerateVeeamjob.AnyotherWANaccelerationtechnologyshouldbedisabledforVeeamtraffic.

TodeterminewhetherWANaccelerationisnecessaryinanenvironment,itisimportanttounderstandwhatparticularsavingscanbeachieved.

DeterminingRequiredBandwidthWhenusingWANaccelerationonlinkswithlowbandwidth,youmayhavetomanuallyseedtheinitialcopytothetarget.Formoreinformation,refertotheWANAccelerationsectionoftheVeeamBackup&ReplicationUserGuide.

TheWANacceleratorusesitsowndigestsbasedonthehashesoftheblocksinsideaVMdisk,whichmeansthatitreadsdatafromthebackupfilesandre-hydratingthemonthefly,oritreadsdirectlyfromthesourceVMincaseofreplication.TheWANacceleratorcomponentwillthenprocessthosedatablockswithmuchmoreefficientdatadeduplicationandcompressionalgorithms.ThisisthereasonwhytheWANacceleratorconsumessignificantamountsofCPUandRAMresources.

TodeterminehowmuchdatahastobetransferredovertheWANlinkwithandwithoutWANaccelerationenabledinabackupcopyjob,youcancomparethedailychangesoftheprimarybackupjobstatistics(asthesamedataistransportedinastandardbackupcopyjobwithoutWANacceleration)withtheWANacceleratedbackupcopyjoblogandstatistics.

WANAcceleration

123

https://helpcenter.veeam.com/docs/backup/vsphere/wan_acceleration.html?ver=95

AnalyzingBackupJob

Duringbothfullandincrementaljobsessions,threemetricsaredisplayedinthesessiondata:Processed,ReadandTransferred.TobetterunderstandthedifferencebetweendirectdatatransferandWANacceleratedmode,examinetheReadandTransferredvalues:

Read—amountofdatareadfromtheproductionstoragepriortoapplyinganycompressionanddeduplication.ThisistheamountofdatathatwillbeoptimizedbytheWANaccelerator.

Transferred—amountofdatawrittentothebackuprepositoryafterapplyingcompressionanddeduplication.ThisistheamountofdatathatwillbeprocessedbythebackupcopyjobrunninginDirectTransfermode(withoutWANacceleration),assuming


124

allVMsfromthebackupjobareincludedinthebackupcopyjob.

AnalyzingBackupCopyJob

WhenanalyzingabackupcopyjobyoucanseethesamemetricsinthejobsessionData:Processed,ReadandTransferred.ComparingthebackupcopyjobwithWANaccelerationenabledandthebackupjob,itispossibletocorrelatetheinformationinbothoutputs.

TheamountofProcessedblocksinthebackupcopyjobsessionisequaltotheamountofReadblocksinthebackupjobsession.Thisisthemostimportantmetric,asitistheamountofdatathathastobeprocessedbytheWANaccelerator.

ThenumberofReadblocksforthebackupcopyjobistypicallyhigherthantheamountofProcessed-thisisduetothebackupcopyjobusingadifferingfingerprintingalgorithmthatworkswithadifferentblocksizecomparedtothefingerprintingalgorithm


125

andblocksizeusedbybackupjobsthatcreatedtheoriginalbackupfile.Forthisreason,thismetriccanbeignored.

TheamountofTransferreddataistheamountofdataactuallytransferredovertheWANlink.


126

ComparingDirectModewithWANAcceleratedMode

Considerthatthesavingsrate(18.5x)displayedintheGUIisbasedonProcesseddata("re-hydrated"datablocks).Intheexampleabove,283MBwouldhavebeentransferredovertheWANlinkinDirectTransfermode,whileonly72.8MBweretransferredafterenablingWANacceleration.Theactualsavingsrateequals3.9xinthisrelativelystaticdemoinfrastructure,whilstitwouldtypicallybesignificantlyhigherinreal-lifescenarios.

Note:Approximatesavingsratiocanbeassumedasof10x.

TocalculatepossiblesavingsandneededbandwidthyoumayusethefollowingcalculatorBandwidthCalculator.

BackupModeEffectWhenplanningforWANacceleration,reviewthebackupmodeusedontheprimarybackupjob.SomebackupmethodsproducearandomI/Oworkloadonthesourcerepository(asopposedtosequentialI/Opatternsinotherbackupmodes).Themethodsofreadingfromsourceisillustratedbythefigurebelow:

Forexample,forwardincrementalandforeverforwardincrementalmethodswillmakebackupcopyjobsworkmuchfaster,asreadoperationswillbesequentialratherthanrandom.ToavoidsimilarfragmentationandrandomI/Oonforwardincrementalmodes,keepbackupstoragemaintenanceenabledwhenpossible.

Thoughaworkloadpenaltymaynotbesignificant,itcanbeagoodideatomonitorthestoragelatencyonthebackuprepository,especiallyifthereportedbottleneckisSource.Ifthestoragelatencyonthebackuprepositoryishigh,itisrecommendedthatyouchangethe


127

http://vee.am/bandwidth

backupmodeinordertoincreasethethroughputofonepairofWANaccelerators.

ConfigurationWhenconfiguringtheWANaccelerator,notallconfigurationparametersaffectbothsourceandtargetWANaccelerators.Inthissectionwewillhighlightwhatsettingsshouldbeconsideredoneachside.

SourceWANAccelerator

AtthefirststepoftheWANacceleratorconfigurationwizard,youcanchangethedefaultsettingoffiveTCPthreads.ThissettingappliestothesourceWANacceleratoronlyandisautomaticallyconfiguredtomirrorthenumberonthetargetWANacceleratoratthebeginningofeachjob.ThisensuresdifferentsourceWANacceleratorscanhavedifferentsettingswhenusingthesametargetWANacceleratoratdifferenttimes.Themaximumsettingis100simultaneousthreadsforthroughputoptimizationandcompensationforhighlatencyorpacketloss.

Ifthelinkhaslowlatencyandhighbandwidth,thedefaultsetting(5streams)maybeenoughtofullysaturateit.Ifthelinkisstillnotsaturated,thenumberofstreamsmaybeincreasedaccordingly.


128

Testingshowsthatwithhighlatencylinks,linkspeedx1.5isagoodbestpracticeforestimatingthenumberofstreamsrequired.Belowisanexamplebenchmarkona10Mbit/sWANlinkwith100millisecondsoflatency.

Link(Mbit/s)

Latency(ms)

Packetloss(%) Streams Throughput

(Mbps)

10 100 0 3 3.5

10 100 0 10 7.5

10 100 0 15 10

10 100 0 20 10

Increasingthenumberofstreamstomorethanrequiredforfullysaturatingthelinkwillcauseinitializationofdatatransferstoslowdown,asthedatatransferwillwaitforallstreamstoinitializeandstabilizebeforebeginningtransferringanydata.

Tip:TotestdifferentscenariosinthelabbeforedeployingWANacceleration,youcanuseaWANemulator(suchasWANem).

WhenconfiguringthecachelocationforthesourceWANaccelerator,considerthattheactualcachesizeonthesourceisirrelevant,asitisusedonlyfordigestfiles(whereblockhashesarestored).However,ifaWANacceleratorwillbeusedforbi-directional


129

http://wanem.sourceforge.net/

acceleration(actasbothsourceandtarget),followtheguidelinesprovidedinthe"TargetWANAccelerator"sectionbelow.


130

SizingForWanAccelerationWhenconfiguringtheWANacceleratoronthesourceside,considerthatallVMdiskdatablocksarealreadyinthesourcebackuprepositoryandtheycansimplybere-readfromthesourcerepositorywhenneeded.ThisisthereasonwhyconfiguringthecachesizeonasourceWANacceleratorisnotasimportantbutstillmustexistasanumber.Itisneverusedforcachinganydata.However,thereareotherfilesresidinginthesourceWANacceleratorfolder,andthefilestructurewillbedescribedinthefollowingsections.

Hardware

ThesourceWANacceleratorwillconsumeahighamountofCPUandmemorywhilstre-applyingtheWANoptimizedcompressionalgorithm.Recommendedsystemconfigurationis4CPUcoresand8GBRAM.WhenusinganexistingVeeamManagedServerforWanAccelerationwhichalreadyhasarolesuchasVeeamBackup&ReplicationServer,ProxyorwindowsRepositoryensureyouhavenotovercommittedtheCPUsonthathostandthereisresourceforeachsourceandTargetWanAccelerator.IfthereisnotenoughCPUcoresfreethejobwillwaitforafreecputocontinue.

TheI/OrequirementsforthesourceWANacceleratorspikeseverytimeanewVMdiskstartsprocessing.Thus,itisrecommendedtodeployWANacceleratorsondiskconfigurationswithdecentI/Operformance.

ThetypicalI/Opatternismadeofmanysmallblocks,sousinghighlatencyspinningdisksisnotrecommended.

DiskSize


131

Eachdigestfileconsumesupto2%ofitssourceVMdisksize.Thismeans,forexample,thata2TBVMdiskfilecanproduceadigestsfileupto40GBinsize.

Additionally,planfor10GBofworkingspaceforpayloadsandothertemporaryfiles.

Formula:(<SourcedatasizeinGB>*2%)+10GB

Examplewith2TBsourcedata:(2,000GB*2%)+10GB=50GB

Forunderstandinghowdiskspaceisconsumed,pleaseseethefollowingsections.

Note:AsthecachesizeonthesourceWANacceleratorwillalwaysbeignored,thedigestsfilewillbeproducedregardlessofcachesettingbeenconfigured.Theymayconsumeconsiderablediskspace.

VeeamWAN\GlobalCache\src

Onlyadata.veeamdrffileislocatedinthe\VeeamWAN\GlobalCache\srcfolder.ThisfilewillbesynchronizedfromthetargetWANacceleratorduringtheveryfirstjobrun(orifthecachewasmanuallycleared)tounderstandwhatdatablocksarealreadycachedinthetargetWANaccelerator.Thesizeofthisfileistypicallyupto2%oftheconfiguredtargetcachesize;thus,itmaytakesometimefortheinitialdatatransfertobegin.

VeeamWAN\Digests

OnthesourceWANacceleratortherearetheVMdiskdigeststhattakeupdiskspace.ForeachprocessedVMdisk,adiskdigestfileiscreatedandplacedin\VeeamWAN\Digests\<JobId>_<VMId>_<DiskId>_<RestorePointID>.

Note:AlthoughtheDigestfolderiscreatedonthetargetacceleratornodataisstoredonthetargetnormally,howeveritmustbesizedintothetargetincasethedigestonthesourcebecomescorruptorismissing.InthiscasethetargetwillcalculateitsowndigestsinthislocationuntilthesourceWANAcceleratorcomesbackonline.

Trafficthrottlingrulesshouldbecreatedinbothdirections.SeeNetworkTrafficThrottlingandMultithreadedDataTransferformoreinformation.

TargetWANAccelerator

ThefollowingrecommendationsapplytoconfiguringatargetWANaccelerator:

ThecachesizesettingconfiguredonthetargetWANacceleratorwillbeappliedtothepairofWANaccelerators.Thisshouldbetakenintoaccountwhensizingformany-to-onescenarios,asconfiguring100GBcachesizewillresultin100GBmultipliedbythenumberofpairs configuredforeachtargetWANaccelerator.1

2


132

https://helpcenter.veeam.com/docs/backup/vsphere/setting_network_traffic_throttling.html?ver=95

Itisrecommendedtoconfigurethecachesizeat10GBforeachoperatingsystemprocessedbytheWANaccelerator.

OncethetargetWANacceleratorisdeployed,itisrecommendedtousethecachepopulationfeature(seethissectionoftheUserGuidefordetails).Whenusingthisfeature,theWANacceleratorservicewillscanthroughselectedrepositoriesforprotectedoperatingsystemtypes.

Itisalsopossibletoseedtheinitialcopyofdatatothetargetrepositorytofurtherreducetheamountofdatathatneedstobetransferredduringthefirstrun.

Sizing

Hardware

AlthoughatargetWANacceleratorwillconsumelessCPUresourcesthanthesource,theI/Orequirementsforthetargetsidearehigher.

Foreachprocesseddatablock,theWANacceleratorwillupdatethecachefile(ifrequired),oritmayretrievethedatablockfromthetargetrepository(ifpossible).Asdescribedintheuserguide,thecacheisactiveonoperatingsystemdatablocks,whileotherdatablocksarebeingprocessedonlywiththeWANoptimizeddatareductionalgorithm(in-linecompression).

2


133

https://helpcenter.veeam.com/docs/backup/vsphere/wan_population.html?ver=95

TestsshowthattherearenosignificantperformancedifferencesinusingspinningdiskdrivesasstorageforthetargetWANacceleratorcacheratherthanflashstorage.However,whenmultiplesourceWANacceleratorsareconnectedtoasingletargetWANaccelerator(many-to-onedeployment),itisrecommendedtouseSSDorequivalentstorageforthetargetcache,astheI/Oisnowthesumofallthedifferencesources.

DiskSize

EnsurethatsufficientspacehasbeenallocatedforglobalcacheonthetargetWANaccelerator.

Atleast10GBpereachdifferentOSthatisbackedup.Thatis,ifyouplantobackupVMsrunningWindows8,Windows2008R2,Windows2012andRHEL6(fourdifferentoperatingsystems),youwillneedatleast10GB*4=40GB

Planforadditional20GBofworkingspaceforcachepopulation,payloadandothertemporaryfiles.

Ifthecacheispre-populated,anadditionaltemporarycacheiscreated.Thetemporarycachewillbeconvertedintobeingthecacheusedforthefirstconnectedsource.Subsequentlyconnectedsourceswillduplicatethecacheofthefirstpair.AscachesareduplicatedtheconfiguredcachesizeisconsideredperpairofWANaccelerators.

Formulas:

Formulaforconfiguredcachesize(insertthisnumberinconfigurationwizard):(Numberofoperatingsystems*10GB)+20GB

Formulaforuseddiskspace:(Numberofsources*<formulaforconfiguredcachesize>)

Examples:

Examplewithonesourceandtwooperatingsystems:Configuredcachesize:(2operatingsystems*10GB)+20GB=40GBUseddiskspace:(1source*40GB)=40GB

Examplewithfivesourcesandfouroperatingsystems:Configuredcachesize:(4operatingsystems*10GB)+20GB=60GBUseddiskspace:(5sources*60GB)=300GB


134

Digestspacemustbebuiltintotheequationusingthesamesizeforeachsourcetarget:

Examplewithonesourcetwooperatingsystemsonesourcedigestspace20GBequatestotargetdigestrequiring20GBso20GB+Cachediskspace'(2operatingsystems*10GB)20GB'is40GB

Examplewith5sourceFivesourcewithdigestspace20GBeachequatestotargetdigestrequiring20GB*5,100GBso100GB+Cachediskspace'(2operatingsystems10GBfivesources)100GB'is200GB

Forunderstandinghowthediskspaceisconsumed,pleaseseethefollowingsections.

VeeamWAN\GlobalCache\trg

Foreachpairtherewillbeasubfolderinthetrgdirectory,withaUUIDdescribingwhichsourceWANacceleratorthecacheisattachedto.Ineachofthosesubfolders,theblob.binfilecontainingthecachewillbelocated.Thatfilesizecorrespondstothesettingconfiguredinthemanagementconsole.

Note:Theblob.binfilewillexistforallconnectedsourceWANaccelerators.

VeeamWAN\GlobalCache\temp

WhenconnectinganewsourceWANaccelerator,thetempfolderwilltemporarilycontainthedata.veeamdrffilethatislatertransferredtothesourcecontainingthecachemanifest.


135

SizingTargetsforOnetoOneandOnetoManyrelationshipsWANAcceleratorCache/DigestProvisioning

wecanhavetwotypesofrelationshipwithourSourceandTargetaccelerators,OnetoOneandmanytoOne.

Onetooneisthemostsimplestform,thisiswhereoneSourceAcceleratorismappedtoasingleTargetAcceleratorattheotherlocation.

TheothertypeisManytoOnewheremanysourceacceleratorswillmaptoasingletargetacceleratorinafanintypedesign.thisisacommonconfigurationandbestpracticeistohavenomorethan4sourceacceleratorstoasingletargetforresourcereasons.

Sizingforeachscenario:

Ifweassumethatwehave3VMs,eachwithuniqueOSes(forinstance,Win2008R2,Win2012R2,Solaris10)eachOSrequires10GBtobeallocatedforit.

TheCacheitselfiswhollyindependentfromthedigestsrequired.Thatis,theVeeamGUIdoesnotmakeanydeterminationofhowmuchyoucanallocateforadigestandsoon.

Thedigestisessentiallyanindexofwhatcachedblocksgowhere.Fordigestsize,1TBofVMdiskcapacitywearebackingupshouldcorrespondwith20GBofdiskspace.Thatis,for10VMswearebackingupwhosecapacityis2TB,youmustaccount/allocate40GBfordigestdataontheSourceWANAccelerator.ThislimitationisnotappliedtotheTargetWANAccelerator.


136

ForaMany-to-1setup,theglobalcacheiscalculatedper1SourceWANAcceleratorworkingwiththeTargetWANAccelerator.

Inthiscasetheglobalcacheneedstobeincreasedproportionally.

IfweusethesameVMsinthepreviousexample,thecacheisonlyrequiredtobe30GB.However,sincewe’reusing3SourceWANAccelerators,thecachesizemustbe90GBinresponse.

OntheTargetWANAccelerator,cachesizeisdictatedbytheamountofSourceWANAcceleratorsplusnumberofoperatingsystemsinuse,thedigestsspaceonthetargetendinthisexamplecannotbeexcludedfromthecalculationeventhoughitmayneverbeused.Wemayrequire120GBofDigestspaceatsourcesothisneedstobeaddedtothecachesize(90GB)attargetresultinginarequirementof210GBofcapacityataminimumonthetarget.

WhencreatingaWANAcceleratorintheuserinterfaceitrelatestocachesizingonly,digestsizingshouldbepartoftheoveralldesignandincludedaspartofthespecificationoftheWANAccelerationhost.

Note:Thetargetacceleratorwillusethedigestcapacityintheeventthesourcedigestbecomesunavailable,isrebuiltorbecomescorrupt.Thetargetwillusethesparecapacitytocalculatethedigestsonthetarget.


137

HowManyWANAcceleratorstoDeploy?AsthesourceWANacceleratorcanonlyprocessonetaskatatime(oneVMdiskinabackupcopyjoborreplicationjob),youmayneedtodeploymultipleWANacceleratorpairstomeettheperformancedemands.

AsthetargetWANacceleratorcanhandlemultipleincomingstreams(asdescribedintheMany-to-OneWANAccelerationsectionoftheUserGuide),itisrecommendedtomaintaina4:1ratiobetweenthenumberofsourceWANacceleratorspertargetWANaccelerator.

ThisguidelineisverymuchdependentontheWANlinkspeed.ManysourcesiteswithlowbandwidthwillcreatelittlepressureonthetargetWANaccelerator.So,forinstance,inmultipleROBOconfigurationsa10:1ratiocanbeconsidered.

Iftherearesiteswithveryhighbandwidth(suchasdatacenter-to-datacenterreplication),theywillproduceamuchmoresignificantloadonboththetargetWANacceleratorandthetargetrepositoryduetotheseconddatablocklookup(formoreinformation,refertotheUserGuide).

Note:Thesecondarydatablocklookupisused,whenadatablockisnotavailableintheWANacceleratorcache.WhenthereisaWANcache“miss”,thesecondarylookupforthesamedatablockisperformedonthetargetrepository.Ifitisfoundhere,itisreadbacktotheWANacceleratorinsteadofre-transmittingoverWAN.

Assumingthesourceandtargetrepositoriescandeliverthethroughputrequiredfortheoptimalprocessingrate,usetheguidelinesthatfollow.

Note:Thenumbersbelowareprocessingrates.TheWANlinkusageisdependentontheachieveddatareductionratio.

AveragethroughputpertargetWANaccelerator:500Mbit/s(62.5MB/s)

Dependingontheachieveddatareductionrate(typically10x),thetransferrateovertheWANlinkwillvary.

Iftheprocessingrateis62.5MB/s,andthedatareductionrateis10x,thenitispossibletosustain6.25MB/s(50Mbit/s)overtheWANlink.

IftheWANlinkhashighbandwidth(above100Mbps)considerusingbackupcopyjobswithoutWANAcceleration.However,ifyouuseWANacceleratorsinthatscenario,itmayrequiredeploymentofmultipleWANacceleratortofullysaturatetheWANlink.

1


138

https://helpcenter.veeam.com/docs/backup/vsphere/wan_acceleration_many.html?ver=95

https://helpcenter.veeam.com/docs/backup/vsphere/wan_acceleration_sources.html?ver=95

.ApairofWANacceleratorsmeansanysourceWANacceleratorpairedwiththetargetWANaccelerator.↩

.AllLinuxoperatingsystemsareconsideredasoneintermsofWANacceleratorsizing.↩

1

2


139

IsWanAccelerationrightforyourenvironment?WanAccelerationisdesignedtooptimizehighlatencyorlowbandwidthlinksbetweenlocations.thereisanaturaloverheadandresourcerequirementwhenthisisinoperationandtherewillcomeabreakpointinregardtodoesWanAccelerationworkforme.

Thereareanumberofwaystodeterminethisbasedaroundspeedandyouravailableresources.

WanAccelerationcanbeonetooneoronetomanyconnections,thefirstthingyoushouldconsideristhebandwidthavailablebetweenthelocationstoseeifthecostofoptimizingyourtrafficisoutweighedbythespeedofyourlink.

Thefollowingisageneralruletolookatwhendesigningyourtransport:

GlobalCacheonSpinningDisk

Linklessthan3Mb/s-WANlikelysaturated;processingratedependentondatareductionratio(estimated10x)Linkmorethan3Mb/sandlessthan50Mb/s-WANwillnotbefullyutilized,expect~5MB/sprocessingratebutlessbandwidth.Linkmorethan50Mb/s-WANwillnotbefullyutilized,usingdirectmodecopywillusemorebandwidthbutlikelybefaster**

Thesenumbersaretobeconsideredasabaseline,“Yourmileagemayvary”.TheperformanceoftheunderlyingstoragewheretheGlobalDedupeCacheislocatedcangreatlyimpacttheperformanceoftheWANAcceleratorfunction.

TestsshowthattherearenosignificantperformancedifferencesinusingspinningdiskdrivesasstorageforthetargetWANacceleratorcacheratherthanflashstorage.However,whenmultiplesourceWANacceleratorsareconnectedtoasingletargetWANaccelerator(many-to-onedeployment),itisrecommendedtouseSSDorequivalentstorageforthetargetcache,astheI/Oisnowthesumofallthedifferencesources.

Onemorepointtofocusonistherepositoryusedatthetarget-wan-accelerator,datamaybetakenfromtherepositoryatthetargetWANacceleratorifthedataisnotfoundintheglobalcachebutisknowntoexistinaprevioustransfer.Ifslowdisksareuseditcanhaveanimpactonthespeedofthecompletionofthejobandoverallprocessingrate.


140

Otherfactorsarealsopresentsuchasisthislinkgoingtohavebi-directionaldataflowwhenusingtheWanAccelerators,howmanyjobswillbeusingthelinkatthesametime.MeasureyouroverallsaturationofthelinkpriortousingWanAccelerationtoensurethatitmeetsyourneeds.


141

TapeSupport

OverviewThediagrambelowillustratesthemaincomponentsandprocesseswithinthebackupinfrastructurewhentapesupportisimplementedinVeeamBackup&Replication:

TapeDeviceConnection

TapeSupport

142

Thefollowingconfigurationprerequisitesmustbemet:

AllconnectiontypesrequiredriverinstallationYoucanusegenericdriversfromMicrosoftWindows,buttheymaynotprovideashighperformanceasthevendor’sSeparatedriversfortapedrivesandfortapemedialibrariesshouldbeinstalledStorageTekACSLSisnotsupportedwhileadirectconnectiontothelibraryisDynamicDriveSharingisnotsupportedLibraryPartitioningissupportedMultiplecontrolpathsaresupportedonlywhencontrolpathfailoverandMPIOisconfiguredcorrectly.Pleasecontactthevendorformoreinformation.

ConnectionTypeCompatibility

FC/SAS/SCSI/FCoE/Infiniband/iSCSIorotherblocktechnologytophysicalTapeProxySupportedwithWindowsdriveraslongasthetapevendorsupportstheconnection.(“Unknownmediachanger”supportforFC/SASandVTLs)FC/SASredirecttoVMwareVMUnsupportedFC/SASredirecttoHyper-VVMUnsupportedFC/SAStoiSCSIConverter/BridgeSupportedStarwindTapeRedirectorSupported

Tapedevicesupport

Whilethesystemrequirementsdictatewhattapedevicesaretechnicallysupported,thereisacommunityvalidatedlistavailableontheVeeamforums:Unofficialtapedevicecompatibilitylist

Supported

LTO-3orhigherForVTLs,seethecorrespondingsectionunderDeduplicationStorage

Notsupported

IBM"Jaguar"TS11x0EnterprisetapedrivesStorageTekT10000tapedrivesOlderTapedriveslikeDLTorAIT

Drivers

HPdrivers:thesearenotinstallablewiththedownloadedinstall.exefileonaVM(for

TapeSupport

143

example,tousewithVTL).Asasolution,runtheinstall.exeandchooseExtract.UseDeviceManager–>Updatedriverandselectthedriversfortapedrivesand(ifyouuseHP/HPemulationtapelibrary)formediachanger.

UnknownMediumChangers:

VeeamsupportsmediumchangersthathavenoMicrosoftWindowsdriversavailable.MakesurethatsuchdeviceisrecognizedasanunknownmediumchangerintheMicrosoftDeviceManagerlist.

Itisrecommendedthatyouusetapedeviceswithoriginalequipmentmanufacturer(OEM)drivers.LimitationsVMwaredoesnotsupporttapedrivesconnecteddirectlytoESX(i)4.xandlater.Formoreinformation,seeVMwarevSphereReleaseNotes.

Formoredetailsandrecommendationsonconfiguringvendor-supportedtapedrivesandmediachangersonESX/ESXi,refertoVMwaredocumentationathttp://kb.vmware.com/kb/1016407.

Note:VeeamBackup&ReplicationusestheMTF(MicrosoftTapeFormat)industryformattowritedatatotape.VeeamBackup&ReplicationdoesnotsupportusingWORM(WriteOnceReadMany)tapes.

TapeSupport

144


TapeDevicesDeploymentToconnecttapedevicestoVeeamBackup&Replication,youneedtodeployatapeserver.TapeserversareVeeamrolesthatconnecttapelibrariestotheVeeambackupserverandmanagetrafficbetweentapedevicesandVeeambackupserver.TheconnectedtapedevicesarerecognizedbytheVeeamBackup&Replicationautomatically.

DataMoverswithVeeamBackup&Replication,thedatatransferduringarchivingandrestoreprocessesisenabledwithVeeamDataMoverservices.TheDataMoversrunontapeserversandothercomponentsofbackupinfrastructure.TheyreceivetasksfromtheVeeambackupserverandcommunicatetoeachothertotransferthedata.TheDataMoversarelight-weightservicesthattakeafewsecondstodeploy.Deploymentisfullyautomated:whenyouassignatapeserverroletoaserver,VeeamBackup&Replicationinstallsthenecessarycomponentsonthisserverandstartstherequiredservicesonit.

DataBlockSize

Drivesusehardwaredependentblocksizestoread/writethetapedata.Generally,thedrivessupportarangeofblocksizesandreportthisrangetoVeeamBackup&Replication.Ifyouuseatapelibrarywithmultipledrivesoranumberofstandalonedrives,VeeamBackup&Replicationusesaunifiedblocksizetowritedatatotapes.VeeamBackup&Replicationcollectstheblocksizerangesreportedbyeachdrive,comparesthemanddetectsarangeofblocksizesthatcanbesupportedbyalldrives.Thisrangeisadditionallylimitedbystoragecontrollerssettingsusedinyourinfrastructure.Fromthisrange,VeeamBackup&


145

Replicationsupportsonlyvaluesdivisibleby1024.YoucanchecktheresultingrangeofblocksizessupportedbyVeeamBackup&ReplicationforaparticulardriveintheDrivesproperties.Fordetails,seeWorkingwithDrives.

Note:IfyouconnectthetapedevicesviaHBA,VeeamBackup&ReplicationusestheblocksizeconfiguredfortheHBA.

Theblocksizeisunifiedfor:Alldrivesinonelibrary(ifthedrivessupportdifferentblocksizes)

Allstandalonedrivesconnectedtoonetapeserver.Mindtheblocksizerangewhenworkingwiththefollowingtapes:TapeswithVeeambackupswrittenbyanothertapelibrary,TapeswithVeeambackupswrittenonanothertapeserver,Tapeswrittenwithotherdatatransferconfigurationsettings,Tapeswrittenona3rdpartydevice.

Thetapesmustbewrittenwithblocksizethatmatchusedforwritingsuchtapesmustmatchthevaluecurrentlyusedforthetapedeviceyouareusingforrestore.

IfyouhaveanumberofVeeambackupservers,youcaneasilyreconnectatapeservertoanotherVeeambackupserverwithoutreconfiguringthetapedevice:Veeambackupserverwillrecognizethelibrarysettingsautomatically.Notethatwhenyoureconnectthetapeserver,thetapejobswillnotrunwithanotherVeeambackupserverunlessyoucopytheconfiguration


146

MediaManagement

AutomatedDriveCleaning

YoucaninstructVeeamBackup&Replicationtoautomaticallycleanthetapelibrarydrives.AssigningtheautomatedcleaningtoVeeamBackup&Replicationpreventspossibleoverlappingofcleaningtasksandtapejobs.Suchoverlappingmaycausetapejobsfailures.ToinstructVeeamBackup&Replicationtoautomaticallycleanthedrives:

1. OpentheTapeInfrastructureview.2. ExpandtheLibrariesnodeandselecttheneededlibrary.ClickPropertiesontheribbon.

Youcanalsoright-clickthenecessarylibraryintheworkingareaandselectProperties.3. InthePropertieswindow,selectthePerformdrivecleaningautomaticallyoption.


147

IfyouenabletheautomateddrivecleaningoptioninVeeamBackup&Replication,makesurethatyoudisabledthedrivecleaningtasksonyourtapelibrarydevice.

VeeamBackup&Replicationcleansthedrivesatthebeginningofbackuptotapejobsorfiletotapejobrun.Thecleaningisnotperformedduringothertapeoperationssuchas,forexample,catalogingorexport.Tocleanthedrivesautomatically,VeeamBackup&Replicationperformsthefollowingactions:

1. ThetapelibraryalertsVeeamBackup&Replicationonadrivethatrequirescleaning.2. VeeamBackup&Replicationwaitsforatapejobtostart.3. Whenthetapejoblocksnecessarydrivesforwritingdata,VeeamBackup&Replication

checkswhichofthemrequirescleaning.4. VeeamBackup&Replicationejectsthetapefromthedrive,insertsacleaningtapeand

performsthecleaning.5. VeeamBackup&Replicationejectsthecleaningtapeandinsertsthetapethatwas

reservedforthetapejob.6. Thetapejobwritesthedataontape.

Thecleaningprocessusuallytakesseveralminutes.

ThecleaningtapesarelocatedintheUnrecognizedmediapool.Theworn-outcleaningtapesaremovedtotheRetiredmediapoolautomatically.


148

Ifatapejoblocksmultipledrivessimultaneouslyforparallelprocessing,andoneormoredrivesrequirecleaning,alldriveswaituntilthecleaningisfinished.Aftercleaning,alldrivesstartwritingsimultaneously.

Theautomateddrivecleaningdoesnotaffectcreationofmediasets.

LimitationsforAutomatedDriveCleaning

Youcannotenabletheautomateddrivecleaningonstandalonetapedrives.YoucannotstartthedrivecleaningmanuallywithVeeamBackup&Replication.Thedrivecleaningisfullyautomated.

WorkingwithTapeLibraries

AlltapelibrariesmanagedbyVeeamBackup&ReplicationareshownasalistofdevicesundertheLibrariesnodeintheTapeInfrastructureview.Allconnecteddevicesarediscoveredautomaticallyduringtherescanprocedure.Whenyouaddanewtapedevicetothetapeserver,itappearsinyourconsoleafterrescan.Toviewpropertiesofatapelibrary:

OpentheTapeInfrastructureviewExpandtheLibrariesnodeandselecttheneededlibrary.ClickPropertiesontheribbon.(Youcanalsoright-clickthenecessarylibraryintheworkingareaandselectProperties).SelectthePerformdrivecleaningautomaticallycheckboxifyouwantVeeamBackup&Replicationtomanagethetapedrivescleaning.

Formoreinformationaboutautomateddrivescleaning,seeAutomatedDriveCleaning.SelecttheUsenativeSCSIcommandsinsteadofWindowsdrivercheckboxifyourlibraryisanunknownmediachanger.

MediaInformation

VeeamBackupDatabaseVeeamBackup&ReplicationcataloguesinformationaboutallarchiveddataandstoresthisinformationintheVeeambackupdatabase.Theregisteredtapesstayinthedatabaseuntilyouremovetheinformationaboutthem.Youcanalwaysviewdetailsforeachtape,forexample,informationaboutbackupswrittentoit,evenifthetapeisnotinsertedinthelibrary.Thecatalogueletsquicklydetectlocationoftherequireditemsontape.Thecataloguecorrelatesthearchivedfilesandtherestorepointstothenamesofthecorrespondingtapes,bothonlineorofflineandthenamesofthemediasetswithinwhichthedatawaswritten.


149

Whenyoustartrestore,VeeamBackup&Replicationpromptsforthetapesyouneedtobringonline.Asaresult,youcanrestoredatafromtapemuchquickerwhennecessary.VeeamBackup&Replicationusesthefollowingcataloguesforstoringthetape-relateddata:

TapeCataloguestoresinformationaboutfiles/foldersarchivedtotapemediawithfiletotapejobs,aswellasbackupfilesproducedbybackuptotapejobs.ThecontentoftheTapecataloguecanbeexaminedintheFilesview.

BackupcataloguestoresinformationaboutVMswhosebackupsarearchivedtotapemediawithbackuptotapejobs.ThecontentoftheBackupcataloguecanbeexaminedundertheBackups>TapenodeintheBackup&Replicationview

MediaPool

AmediapoolsimplydefinesagroupoftapesmanagedbyVeeamVeeamBackup&Replication.Therearethreetypesofmediapools:

Servicemediapools.Createdandmanagedautomatically.Itisnotpossibletomodifytheirsettings.Theycontains:

EmptymediastartsoutintheFreepoolindicatingit’savailableforuseinotherpools.

UnknownmediawillbeplacedtotheUnrecognizedpoolsothatitisnotoverwritten.

Afterinventoryorcataloging,mediawithexistingdataisplacedintotheImportedpool.ReviewthecontentsandplacesuchmediaintotheFreepoolforoverwriteorleaveinImportedpooltokeepthedata.

ExhaustedorbrokentapesareplacedintotheRetiredpoolandarenotusedfurther.

Mediapoolsaregroupsofmediatowhichbackupdatacanbewritten.

Youcancreateasmanycustommediapoolsasneeded.

Mediacanbeassignedtoapoolmanually,orconfiguredtobeautomaticallyassignedfromthefreepool.

Configureeachpoolsettingsaccordingtothepurposeofthepool,suchastheoverwriteprotectionperiodthatisappliedtoallmediawithinthepool.

Sincev9a(Custom)TapePoolcanbespannedovermultipletapelibraries.Theideaistousethecapacityanddrivesofmultipletapesystemstogetherandtofailovertoanothertapelibraryincaseonelibrarygoesoffline.


150

GFSmediapoolsareusedtostoreweekly,monthly,quarterlyandyearlybackupsontape.

YoucancreateasmanyGFStapepoolsasneeded.

Mediacanbeassignedtoapoolmanually,orconfiguredtobeautomaticallyassignedfromthefreepool.Aswelloptionalcandefinespecifictapesforspecificmediasets(forexampleyearlybackups).

Configureeachpoolsettingsaccordingtothepurposeofthepool,suchastheoverwriteprotectionperiodthatisappliedtoallmediawithinthepool.

MediaSet

Amediasetisasubsetofamediapoolthatcontainsatleastonebackup.Anewmediasetcanbecreatedforeverybackup,oronatimebasedschedule(i.e.weekly).Itisalsopossibletoreusethesamemediasetforever.Whenamediasetcontainsatleastonefullbackup,itisaself-sufficientrestorepoint.Itmeansthatifyouhavealltapesfromthemediasetathand,youcanbesurethatrestorewillbesuccessful.

MediaVault

Amediavaultisusedtoorganizeofflinemedia.Forexample,youhaveaserviceorganizationthattransportsthetapestoasafeatabunker.Youcannamethevaultaccordinglyandaddsomeusefulinformationinthedescription(phonenumber,place,etc.).Whenyouneedtotransportphysicaltapestothesafe,addthesetapestothevaultmanuallyorsetautomaticexportofofflinetapestoavaultinthetapejobsormediapoolsproperties.

BackupModesBackupjobscancreatedifferentbackuptypesofbackupfilechainsondiskdependingonthebackupmodeused.Dependingonbackupmode,"BackuptoTape"jobseithercopiesfilestotapeorsynthesizeafullbackup.Thefollowingrulesapply:

Whenarchivingreverseincrementalbackups,thebehaviorvariesonthetypeofmediapoolused:

StandardMediaPool:Thetapejobwillalwayscopythefullbackupandignoreanyrollbackfiles(VRB)GFSMediaPool:ThetapejobwillcreateafullbackupfromVRBfilesonspecifiedday(s)asperschedule.


151

Whenarchivingforwardincrementalbackups,withactiveorsyntheticfullscheduled,thebackupchainontapewillbeacopyofthebackupchainondisk.Thevirtualfulloptionintapejobconfigurationisignored.

Ifyouarchiveforwardincrementalbackupswithoutsyntheticoractivefullenabled,orarchiveBackupCopyJobs,thefullfilesaresynthesizedfromexistingrestorepointsondisk.Thevirtualfullbackupschedulecanbeconfiguredonthe"BackuptoTape"job.

Formoreinformationaboutvirtualfulltotape,pleasesee[VeeamHelpCenter](https://helpcenter.veeam.com/docs/backup/vsphere/virtual_full_backup.html?ver=95

Ifthesourcebackupjobcontainsmultiplechains,andthecheckbox"Processlatestfullbackupchainonly"inadvancedjobsettingsisunchecked,youwillbepromptedforadecision,whencreatingaBackuptoTapejob.Youmaychoosetoeitheronlythelastbackupchainorallexistingrestorepoints.

SizingForthehighestthroughput,enablingparallelprocessingfortheBackuptoTapeisrecommended.Youneedtosizetheserversandstorageconnectionaccordingly.Itcanbehelpfultocreatemultiplepartitionswith2-4tapedrivesandaddthesepartitionstodifferenttapeservers.Addingtheselibrariestothemediapoolandenablingparallelprocessingwilldistributetheloadacrossmultipledrivesandtapeservers.

Note:ParallelprocessingfortapeisunavailableforGFSmediapools.

InstallWindows2012R2oraboveonthetapeserverforbestperformance.UsethelatestVeeamversionandpatchlevelastheyoftencontaintapethroughputoptimizations.

PerformaPOCtotestthroughputoftapeanddisk.Ifyouhavenoopportunitytotestspeed,assumethatthelowestspeedforbackuptotapejobswithLTO5/6is50MB/sasaconservativeestimate.WehighlyrecommendtodoaPOCtoevaluaterealthroughputtoavoidadditionalhardwarecosts.

TheGFS(Grandfather,Father,Son)tapejobcanhelpavoidacomplexBackuptoTapejobcreationbyhandlingweekly,monthly,quarterlyandyearlybackupsinasinglejob.

ForBackuptoTapejobsthatuseforwardincremental(withoutsyntheticoractivefulls)jobsorBackupCopyJobsassourceofthedata,itmayberequiredtotemporarilydisablethejobusingpre-andpostscripts,asthetransformprocessofforeverincrementalforeverwillterminatethetapejob.Anotheroptionistoincreasetherestorepointsofthesejobstemporarily.Byincreasingthenumberofrestorepointsforthesourcejob,theBackupstoTapejobwillnotbeterminatedbythemergeprocess.However,pleasenotethiswill


152

https://helpcenter.veeam.com/docs/backup/vsphere/virtual_full_backup.html?ver=95

https://helpcenter.veeam.com/docs/backup/vsphere/parallel_processing.html?ver=95

https://helpcenter.veeam.com/docs/backup/vsphere/add_media_pool_tapes.html?ver=95

increasethetransformtimesignificantlyoncethesettingisrevertedandishighlydiscouragedforlargejobs.Anexampleofthisimplementationcanbefoundhere:v9GFSjob-Nomorecontinuous?

Using3 partytapesoftwareAsVeeamBackup&Replicationtracksandorchestratesallbackupswrittentotape,Veeamrecommendsusingthebuilt-inVeeamtapefeatures(BackupstoTapeandFilestoTapejobs).

However,insomesituationsyoumaywanttouseanexistinglibrarywithnon-LTOtapes,oryouneedtointegrateVeeamBackup&Replicationintoanexistingbackup-to-tapesoftware.Veeambackupfilescontainallinformationneededforrestore(e.g.deduplicationinformation,VMmetadata,etc.),andyoucanusetheexistingbackup-to-tapesolutiontobringtheVeeambackupfilesontape.Thisapproachcanalsosupportenterprisecustomer"Segregationofduty"demandsastwocompletedifferentteamscanhandlebackupsandtapebackups.Nosinglepersoncandeletebymistakeoronpurposetheprimaryandtapechain.Beforehavingtwobackupsolutionsco-existonthesameserver,pleaseverifytheydonotconflicteachother.

TapeEncryptionVeeamuseshardwareencryptionifitisprovidedbythetapedeviceandenabledinVeeamBackup&Replication.Tapelibraryshouldworkintheapplication-managedencryptionmode.

Ifthehardwarebasedencryptionisnotsupportedbythetapedevice,softwarebasedAES-256encryptionisused.Pleasenotesoftwarebasedencryptionmaycausesignificantperformancedegradation,ifnotnativelyacceleratedbytheCPUofthetapeserver.

HardwarebasedencryptionistypicallyavailableforLTO-4ornewerlibraries,andwhilealicenseisoftenrequired,thisisusuallysupportedforfreebythetapelibraryvendor.

Whenarchivingdata,Veeamgeneratesauserkeywhichisstoredwithdataontape.IfyourestoredatausinganotherVeeambackupserver,providethepasswordorutilizethePasswordLossProtectioninEnterpriseManager.SeetheUserGuideformoreinformation.

Ifthehardwareencryptionoptionisused,andyouarchivetotapeVeeambackupsthatarealreadyencryptedondisk,theywillbeencryptedtwice.IfyourestoresuchbackupswithdoubleencryptiononthesameVeeambackupservertheywillbedecryptedautomatically.

rd


153

https://forums.veeam.com/tape-f29/v9-gfs-job-no-more-continuous-t32336-15.html

https://helpcenter.veeam.com/docs/backup/vsphere/encryption_tape.html?ver=95

TodecryptonanotherVeeambackupserver,youwillneedtoenterthetwopasswordsaccordingly.

Foradditionaldetailsontapeencryption,seethecorrespondingsectionofthisguide>Encryption

Tips"ShortErase"alltapesbeforeusewithVeeamtoavoidanyproblemscausebydatafromotherbackupsoftwareInstalllatestWindowsUpdatesInstalllatestfirmwareonlibrary,drives,HBA(verifyinteroperability)InstallseparateHBAsfortapeisrecommended,butnotrequiredAstagingareaforbackupfilesisrequiredwhenrestoringfromtape.Keepthisinmindwhensizingbackuprepositories.Tapecompressionshouldbedisabledfortapejobs,whenbackupfilesarealreadycompressedatthebackuprepository"FiletoTape"engineisoptimizedforsmalleramountofbigfiles(e.g.backupfiles)only


154

ConfiguringBackuptotapeBeforeyouconfigureabackuptotapejob,completethefollowingprerequisites:

YoumusthaveVeeamBackup&ReplicationEnterpriselicenseorhigherisinstalledontheVeeambackupserver.

Youmustpre-configurebackupjob(s)thatproducethebackupforarchiving.

Theprimarybackupjobmusthaveatleast2restorepointsondisk.

Theprimarybackupcopyjobmusthaveatleast4restorepointsondisk.

Youmustconfigureoneormoresimplemediapoolwiththenecessarymediasetandretentionsettings.

Youmustloadtapestothetapedeviceandconfigurethetargetmediapoolsothatithasaccesstothem.Ifthemediapoolhasnoavailabletape,thetapejobwillwaitfor72hoursandthenterminate.

Mindthefollowinglimitations:

ThebackuptotapejobprocessesonlyVBK(fullbackups)andVIBfiles(forwardincrementalbackups).

Ifyoubackuptotapeareverseincrementalchain,thetapejobwillalwayscopythefullbackup.

Reverseincrementalbackups(VRB)areskippedfromprocessing.

MicrosoftSQLServerlogfiles(VLB)areskippedfromprocessing.

TapeSupportConfigRequirements

155

TapeParallelProcessingIfyourtapelibraryhasmultipledrives,youcanusedrivessimultaneouslyforwritingdatatotape.Thisoptionisusefulifyouhavealotoftapejobsrunningatthesametimeoryouhavealotofdatathatmustbewrittentotapeinalimitedbackupwindow.

Note:YoucannotenableparallelprocessingforGFSmediapools.

Toprocessthetapedatainparallel,youcansplitthedataacrossdrivesin2ways:

ParallelprocessingfortapejobsParallelprocessingforsourcechainsofone(ormore)tapejobsProcessingTapeJobsSimultaneouslyWhenyouprocesstapejobsinparallel,themediapoolassignsadrivetoeachrunningtapejob.

Themediapoolcanusethepredefinedmaximumnumberofdrivesandprocesstheequalnumberoftapejobssimultaneously.

Forexample,ifyouset3drivesasthemaximum,youcanprocessupto3tapejobsatthesametime.Ifyouhavemorejobsrunningatthesametime,theyarequeued.Whenoneofthejobsfinishesandreleasesitsdrive,thefirstqueuedjobtakesthedrive.

Thisoptionisavailableforbackuptotapeandfiletotapejobs.Forexample:

Yousetthemaximumnumberofdrivesto3.4tapejobsstartatthesametime.ThetapejobsstartandjobsA,BandCoccupy3drivestowritedatatotape.TheTapejobDisqueuedandwaits.Whenoneofthejobsfinishesandreleasesitsdrive,theTapejobDtakesthedriveandstartswritingdata.

ProcessingBackupChainsSimultaneously

Whenyouselectprocessingbackupchainsinparallel,themediapoolprocessesseveralprimaryjobssimultaneously.Iftheprimaryjobsproduceper-VMbackups,themediapoolprocessesseveralper-VMbackupchainssimultaneously.Thisoptionisavailableforbackuptotapejobsonly.Forexample:

Yousetthemaximumnumberofdrivesto3.TapejobAhas4primaryjobs.TapejobAstarts,andoccupies3drivestoprocess3primaryjobs.Thefourthprimaryjobisqueuedandwaits.Whenoneofthedrivesisreleased,thefourthprimaryjobtakesthedriveandstartswritingdata.Ifanothertapejobstarts,itwillbequeuedandwaituntilTapejobAfinishesNote:Ifthemediapoolisconfiguredtofailovertoanotherlibraryincasealltapedrivesarebusy,onlytapejobscanusedrivesofthenextlibrary.Youcannotsplitsourcebackupchainswithinonejob


156

acrosslibraries.


157

VirtualFullBackupsVirtualfullallowsyoutobackupupforeverforwardincrementalbackupchainstotape.Theforeverforwardincrementalchainalwayskeepsondiskonefullbackupfollowedbyafixednumberofincrements.Thefullbackupisconstantlyrebuilt:asnewincrementsappear,theolderonesareinjectedintothefull.

Unlikediskbackups,tapearchivesarestatic:tapejobscannotrebuildbackupsoncetheyarewrittentotape.Also,thestandardbackuptotapescheme(archivingnewrestorepointsduringeachtapesession)cannotbeused:thetapearchivewouldhaveonefullbackupandanendlesschainofincrementsallofwhichwouldberequiredforrestore.

Toadapttheforeverforwardincrementalchainstotapes,VeeamBackup&Replicationusesthevirtualfull.Thevirtualfullmechanismcreatesaperiodicsynthesizedfullbackupontape.Theperiodicfullssplittheforeverincrementalbackupchainintoshorterseriesoffilesthatcanbeeffectivelystoredtotapes.Eachseriescontainsonesynthesizedfullbackupandasetofincrements.Suchseriesareconvenientforrestore:youwillneedtoloadtothetapedeviceonlythosetapesthatarepartofoneseries.

Thevirtualfulldoesnotrequireadditionalrepositorydiskspace:itissynthesizeddirectlyontapeonthefly,whenthetapejobruns.Tobuildsuchfullbackup,VeeamBackup&Replicationusesbackupfilesthatarealreadystoredonthebackuprepository.Iftheprimaryjobproducesaforeverincrementalbackupchainorisabackupcopyjob,VeeamBackup&Replicationwillperiodicallycreateavirtualfullbackup.Youcanconfigurethefullbackupwiththescheduler.

Thevirtualfullcannotbeswitchedoff;however,itisdisabledautomaticallyiftheprimaryjobperiodicallycreatesactivefullorsyntheticfullbackups.Thevirtualfulldoesnotdependonthejobsettingsforincrementalbackups.Ifyouenablethevirtualfullforthejob,itwillbecreatedinanycase,nomatterwhetheryouenableordonotenableincrementalbackups.

PrioritisingTapebackupsoverPrimarybackups

Sometimes,theprimaryjobmaystartwhenthetapejobisstillrunning.Bydefault,theprimaryjobhaspriority.Inthiscase,thetapejobterminateswitherrorandnodataiswrittentotape.SelectthePreventthisjobfrombeinginterruptedbyprimarybackupjobsoptionifyouwanttogivethetapejobahigherpriority.Ifthisoptionisselected,theprimaryjobwillwaituntilthetapejobfinishes.Notethattheprimaryjobmaystartwithasignificantdelay.


158


159

FileBackuptoTape

FiletotapejoballowsyoutobackuptotapeanyMicrosoftWindowsorLinuxfiles.TobackupVeeambackupfiles,youcanusebackuptotapejobsthatarespeciallyintendedforthisandoffermorepossibilities.However,youcanarchivebackupsasfilesusingfiletotapejob.Thefiletotapejobcomparesthesourcefilestothefilesstoredintapearchiveandcopiesthechangestotape.Youcancreatebothfullandincrementalbackupsoffilesontape.VeeamBackup&ReplicationsupportsfilebackupfromanyserverwhichhasbeenaddedasamanagedservertotheVeeamBackupconsole(thatis,WindowsorLinuxserver,includingphysicalboxes).YoucanalsoarchivefilesresidingonNASdevices.Whenplanningfiletotapejobs,considerthatthejobperformancedependsmoreonthenumberoffilestobackupthenontheamountofdata.Forexample,writingalargenumberofsmallfileswithoverallsizeof10GBwithonejobwilltakemoretimethanwritingone10GBfile.Ifyourjobcontainsanextra-largenumberoffiles(likemillionsoffiles)withonejob,thejobperformancewillbeaffectedsignificantly.Toimproveperformance,considercreatingseveralfiletotapejobs.

Note:Ifthefiletotapejobfailstocompletein3weeks,itisterminatedbytimeout.

VMBackuptoTape

Tobackupdatatotape,youneedtocreateandruntapejobsdedicatedtoarchiveVeeambackupsthatwereproducedbyVeeambackupjobstotapes.Whenabackuptotapejobruns,itdoesnotcreatenewbackups:itlocatesalreadyexistingbackupsandcopiesthemfrombackuprepositorytotape.Youneedtosetthesourceofthetapejob:jobsand/orbackuprepositories.JobsasSourceThefollowingjobscanbeprimaryfortapejobs:

VMwarebackupjobsHyper-VbackupjobsVMwarebackupcopyjobsHyper-VbackupcopyjobsWindowsAgentbackupjobsLinuxAgentbackupjobsWindowsAgentbackupcopyjobsLinuxAgentbackupcopyjobs.

Whenthetapejobstartsonit'sschedule,itpickstherestorepointsthatwereproducedbytheprimaryjobsinperiodsincethelasttapejobrun.Ifyouchangetheconfigurationoftheprimaryjobs,thetapejobisupdatedautomatically:itaddsnewVMstothelistofVMstoarchiveorstopsarchivingVMsthatwereremovedfromprimaryjobs.Theprimaryjobsmayuseanybackupmethod:


160

Foreverforwardincrementalbackupmethod:Tobackuptheforeverforwardincrementalchainstotape,thetapejobusesthevirtualfull.Thevirtualfullcreatesasyntheticfullbackupontaperegularly(forexample,onceaweek)andsplitsthechainintoshortseriesoftapeswhichismoreconvenientforrestore.Formoreinformation,seeVirtualFullBackup.Thesourcebackupchainmustcontain4ormorerestorepoints.Iftheprimaryjobisbackupcopyjob,keepinmindthatthelastrestorepointofthebackupcopyjobstaysactiveuntilthenextrestorepointiscreated.Thetapejobdoesnotcopysuchactivepoints,becausetheymaybeupdated.Forthisreason,thebackupchainontapewillbealwaysonerestorepointshorterthanondisk.

Forwardincrementalbackupmethod:Whenthetapejobbacksuptheforwardincrementalchaintotape,itcreatesacopyofthediskbackupchain.Thesourcebackupchainmustcontain2ormorerestorepoints.

Reverseincrementalbackupmethod:Thelastbackupinthereverseincrementalbackupchainisalwaysthefullbackup.Ifthesourcebackupchainisreverseincremental,thetapejobwillcopythefullbackupeachtimethetapejobruns.Theincrementsareskipped.Thesourcebackupchainmaycontainanynumberofrestorepoints.

BackupRepositoriesasSource

Whenyouaddarepositoryassourcetotapejob,thetapejobconstantlyscanstheselectedrepository(orrepositories)andwritesthenewlycreatedbackupstotape.Thetapejobmonitorstheselectedrepositoryinabackgroundmode.Youcansetexplicitbackupwindowsforthetapejob.Inthiscase,thetapejobwillstartonthesettimeandarchiveallnewrestorepointsthatwerecreatedinperiodsincethelastjobrun.Ifyoucreateorremovebackupjobsthatusethisrepository,orifyouchangetheconfigurationofsuchbackupjobs,youdonotneedtoreconfigurethetapejobthatarchivestherepository.MixedJobsToonetapejob,youcanlinkanunlimitednumberofsources.Youcanmixprimaryjobsofdifferenttype:backupandbackupcopy,andofdifferentplatform(VMware,Hyper-V,WindowsAgentorLinuxAgent).Youcanaddjobsandrepositoriesassourcetothesametapejob.Important!ThetapejoblooksonlyfortheVeeambackupsthatareproducedbybackupjobsrunningonyourconsole.Otherfileswillbeskipped.Notethattobackupfiles,youneedtoconfigurefiletotapejob.

LinkingPrimaryJobs

Youcanaddprimaryjobstotapejobsatanymoment:whenyoucreateatapejob,orlater.Addingprimaryjobsisnotobligatorywhenyoucreateatapejob:youcancreatean"empty"jobanduseitasasecondarydestinationtarget.Whenyoulinkjobs,thetapejobprocesses


161

theminthesamewayasthejobsaddedwiththeTapeJobWizard.Formoreinformation,seeLinkingBackupJobstoBackuptoTapeJobs.


162

Restores

VMRestorefromTapetoInfrastructure

RestoringaVMfromtapewithVeeamBackup&ReplicationisalotlikerestoringaVMfromdisk.Forexample,youcanchooseadesiredrestorepoint,selectthetargetlocationorchangetheconfigurationoftherestoredVM.TorestoreaVMfromtape,youcanchoosebetweenthefollowingoptions:

restoredirectlytoinfrastructurerestorethroughastagingrepository

Tochoosetheneededoption,selectRestoredirectlytotheinfrastructureorRestorethroughthestagingrepositoryattheBackupRepositorystepoftheFullVMRestorewizard.

RestoreDirectlytoInfrastructure

WhenyourestoreVMsfromtapedirectlytotheinfrastructure,therestoreprocesspublishestheVMstothevirtualinfrastructurecopyingtheVMdatadirectlyfromtape.ThisoptionisrecommendedifyouwanttorestoreoneVMorasmallnumberofVMsfromalargebackupthatcontainsalotofVMs.Inthiscase,youdonotneedtoprovideastagingrepositoryforalargeamountofdatamostofwhichisnotneededtoyouatthemoment.ThisoptionisslowifyourestoremanyVMs.TheVMsarerestoredonebyone:thisrequiresalotofrewindingoftapeastapesdonotproviderandomaccesstodata.

RestoreThroughStagingRepository

WhenyourestoreVMsfromtapethroughastagingrepository,therestoreprocesstemporarilycopiesthewholerestorepointtoabackuprepositoryorafolderondisk.AfterthatVeeamstartsaregularVMrestore.ThisoptionisrecommendedifyouwanttorestorealotofVMsfromabackupasthediskprovidesamuchfasteraccesstorandomdatablocksthantape.

BackupRestorefromTapetoRepository

ThisoptionallowsyoutocopyVMbackupsfromtapetorepository.Thisishelpfulifyouneedsomebackupsondiskforlateruse,oralsoforVMguestOSfilesrestore.Youcanrestorefullbackupsorincrementalbackupstoarepositoryoranylocationofyourchoice.TherestoredbackupisregisteredintheVeeamBackup&Replicationconsoleasanimporteddiskbackupsothatyoucanuseitforanyrestorefromdiskscenariolateron.Foronerestoresessionatatime,youcanchooseonerestorepointavailableontape.

TapeSupportRestores

163

FileRestorefromTape

Youcanrestorefilesandfoldersthatwerepreviouslyarchivedwithfiletotapejobs.Restoringcapabilitiesallowsyoutorestorefilestotheiroriginallocationoranotherserver,preservingownershipandaccesspermissions.Thefilerestoreprocessallowsyoutorestorefilestoanyrestorepointavailableontape.

TapeSupportRestores

164

VeeamExplorersVeeamExplorersaretoolsincludedinalleditionsforitem-levelrecoveryfromseveralapplication.Asofv9,followingExplorersareavailable:

VeeamExplorerforActiveDirectoryVeeamExplorerforSQLServerVeeamExplorerforExchangeVeeamExplorerforSharePointVeeamExplorerforOracleVeeamExplorerforStorageSnapshots

EachExplorerhasacorrespondinguserguideavailableinHelpcenter:VeeamBackupExplorersUserGuide.ForspecificsofperforminggranularrestoreofcertainapplicationsrefertotheApplicationssectionofthisguide.

ExplorerforStorageSnapshotsVeeamExplorerforStorageSnapshots(VESS)isincluded,butitisrelatedtostorageintegrationswithprimarystorage.ThisisexplainedintheBackupfromStorageSnapshotssectionofthisguide.

VESSisaveryeasywaytoperformitem-levelrecoverydirectlyfromstoragesnapshots.Veeamisabletousediscoverandmountanystoragesnapshotforrestores.BycombiningtheVeeamapplicationconsistentwithcrashconsistentsnapshots,theRPOforcertainapplicationscanbesignificantlyreduced.

WhenopeningVESS,thefollowingworkflowkicksoff:

VeeamExplorers

165

https://helpcenter.veeam.com/docs/backup/explorers/introduction.html?ver=95

1. CreatingaCloneoftheSnapshottomakeitwriteable

2. IncaseofBlockaccess(iSCSI,FC,FCoE)mountthenewLUNtoaproxyESXiandregisteratemporarydatastore,incaseofNFSaccesstheexistingNFSdatastoreandlookfortheclonedVM

3. RegisterthetemporaryVMwithintheVMwareinventory

4. AccesstheVMusingtheVMwareAPI

5. ShowthecontentasaVeeamExplorertorestore

AfterrestoringandexitingVESS,thetemporarydatastore,VMandLUNcloneswillberolledbackandcleanedup.

VeeamExplorers

166

InteractionwithvSphereVeeamBackup&ReplicationreliesheavilyonthevSphereinfrastructureitisprotecting.Muchoftheimplementationsuccessdependsontheperformanceandstabilityofthisenvironment.Inthissection,wewilldiscussthoseinteractionsandnotetheitemsthatshouldbeconsideredforasuccessfulimplementation.

WhileitispossibletoconnectaVeeamBackup&ReplicationserverdirectlytoESX(i)hosts,thissectionassumesavSphereenvironmentwithatleastonevCenterServer,andthatthebackupserverisintegratedatthevCenterServerlevel,asthisisthebestpracticeconfigurationinalmostallusecases.

vCenterServerOneofthemostcriticalcomponentsofanyvSphereenvironmentisthevCenterServer.Thisserverprovidesasingleviewoftheentirevirtualenvironment,andacentralpointofmanagement.VeeamBackup&ReplicationcommunicateswiththevCenterServerinmanyoperations.Forthisreason,fastandstablecommunicationbetweenVeeamBackup&ReplicationandthevCenterServeriscriticaltoachievingastablebackupenvironment.

Considersomeimportantfactors:

ProblemswithconnectivitytothevCenterServerisoneofthetopreasonsforfailedVeeamjobs.Havingawell-performingvCenterServerwithreliableconnectivitywillmitigatethisissueandprovideastrongbackboneforareliablebackupinfrastructure.

ThevCenterServermustbereliableandalwaysavailablewhenbackupjobsarerunning.Itmustbeabletoanswerqueriesandperformactionsinareasonableamountoftime.IfthevCenterServerperformspoorlyduringnormaloperations,thisshouldbecorrectedpriortoimplementingVeeamBackup&Replication.

Forlargerenvironments,withmanyconcurrentjobs,especiallyjobsthatrunatshortintervals,theloadonthevCenterServercanbesignificant.ThevCenterServermustbeabletohandleincreasedtransactionalworkloadtopreventrandomjobfailuresduetocommandtimeouts.

ThebackupservermusthavereliablenetworkconnectivitytothevCenterServer.ItisgenerallysuggestedthatthebackupserverisplacedincloselogicalproximitytothevCenterServer,butthisisnotalwaysthebestdeploymentoption.Incaseswherethe


167

backupserverandvCenterServermustbedeployedacrossadistance,theonlyrealrequirementisthatthisconnectionisconsistentandreliable.

WhenmaintenanceisbeingperformedonthevCenterServer,bestpracticewoulddictatethatallVeeamBackup&Replicationjobsmustbeidle,andtheVeeamBackupServiceshouldbestopped.ThisincludesapplyingWindowsupdates(ifusingthevCenterServerinstallableversion),vCenterServerpatchesandupgrades,oranymaintenancethatwouldrequirethevCenterservicetoberestartedorthesystemrebooted.

ImpactofSnapshotOperationsTocreateVMbackups,VeeamBackup&ReplicationleveragestheVMwarevSpheresnapshotfunctionality.WhenVeeamBackup&ReplicationbeginsthebackupofaVM,itcommunicateswithvSpheretorequestasnapshotoftheVM,andafterthebackupoftheVMiscomplete,VeeamrequeststhatvSphereremovethesnapshot(withtheexceptionofbackupjobsleveragingBackupfromStorageSnapshots).ThecreationandremovalofsnapshotsinvSpherecreatesasignificantimpactontheenvironmentwhatmustbetakenintoaccount.Thissectionwilldescribevariousfactorsthatshouldbeconsideredregardingthisprocess,andofferseveraltechniquestominimizetheimpactofsnapshotoperations.

Asaconcept,VMwarevSpheresnapshotsareasimpletechnology.AVMgenerallycontainsatleastonevirtualdisk,whichisrepresentedbyaVMDKfile.Whenasnapshotistaken,VMwarevSpherecontinuestoreadblocksfromthefileasnormal.However,foranynewblocksthatarewrittentothedisk,thesewritesareredirectedtoanew“thin”VMDKfilecalledthedeltafile.

SincetheoriginalVMDKfileisonlybeingusedforreads,itprovidesaconsistentviewoftheblocksthatmadeuptheVMatthetimethesnapshotwastaken.ThisallowsVeeamBackup&Replicationtoreadthisbasediskasaconsistentimageforbackupandreplicationfunctions.Whenthesnapshotisremoved,theblocksthatwerewrittentothedeltafilearereadandwrittenbackintotheoriginalVMDK,andfinallythedeltafileisdiscarded.

AsVeeamBackup&Replicationleveragesthesnapshottechnologyforperformingbackups,youshouldensureitispossibletosnapshotthevirtualmachinedisks,sincetherearecertainconfigurationsthatdonotsupportsnapshots.ToidentifyVMsthatdonotsupportsnapshots,seeVMwareKBarticle1025279;youcanalsouseVeeamONEassessmentreportstoautomaticallydetectthembeforestartingVeeamAvailabilityproject.

Aswithmanythingsintechnology,althoughtheconceptissimple,theactualimplementationisalittlemorecomplex.ThefollowingsectionisaquicklookattheimpactofvariousoperationsontheVMandunderlyinginfrastructure.


168


https://helpcenter.veeam.com/docs/one/reporter/vm_configuration_assessment.html?ver=95

SnapshotCreation

Theactualoperationofcreatingasnapshotgenerallyhasonlyaminorimpact:thesnapshotfilehastobecreated,andthereisaveryshort“stun”oftheVM.This“stun”isgenerallyshortenough(typically,lessthan1sec),soitisrarelyanissueexceptforthemosttime-sensitiveapplications.

Note:VeeamBackup&ReplicationleveragesastandardVMsnapshotforthebackupprocess.TheseVMwaresnapshotshaveasinglefilesizelimitations.Keepinmind,thatthemaximumfilesizeincludeallsnapshotfilesandthedatadiskintotal.ForexampleifyouhaveanoldVMFSversion3themaximumfilesize(includingsnapshots)is2TBandsoyourdatadiskshouldnotbesizedover1.98TBtostillbeabletocreatesnapshots.Fordetails,seeVMwareKBarticle1012384.

ThedefaultnumberofconcurrentlyopensnapshotsperdatastoreinVeeamBackup&Replicationis4.Thisbehaviorcanbechangedbycreatingthefollowingregistrykey:

Path:HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\VeeamBackupandReplicationKey:MaxSnapshotsPerDatastoreType:REG_DWORDDefaultvalue:4

SnapshotOpen

SimplyhavingasnapshotopenforarunningVMinvolvessomeperformancepenaltyontheVM,theESX(i)hostandtheunderlyingstorage.ThehosthastotracktheI/O,splitwritestothesnapshotfileandupdatethesnapshotfilemetadata.Thisoverhead,inturn,impactstheguest(primarily,withslowerI/O).

ThisisgenerallymostnotableforVMswithsignificantwriteload,andhaslessimpactonreadperformance.

Fromthestorageperspective,VMsrunningwithanopensnapshotrequireadditionalspacetostorethesnapshotdata,andadditionalI/Oloadonthedatastore.ThisisgenerallymorenotedonsystemswithsignificantwriteI/Oload.

Note:RefertoVMwareKnowledgeBasearticleatwww.kb.vmware.com/kb/1035550forinformationonvMotionandStoragevMotionprocessesperformedwithopensnapshots.

SnapshotRemoval


169


https://kb.vmware.com/kb/1035550

Snapshotremovalisthestepwiththehighestimpactfromtheperformanceperspective.I/Oloadincreasessignificantly,duetotheextraR/WoperationsrequiredtocommitthesnapshotblocksbackintotheoriginalVMDK.ThiseventuallyleadstotheVM“stun”requiredtocommitthefinalbitsofthesnapshot.The“stun”istypicallyashortpauseusuallyonlyafewsecondsorless,whentheVMisunresponsive("lostping"),whiletheverylastbitsofthesnapshotfilearecommitted.

VMwarevSphereusesthe"rollingsnapshot"forolderversionsandthesamemethodasstoragevMotionusesstartingfromvSphere6.0u1tominimizetheimpactanddurationofthestun,asdescribedbelow:

ForvSphere6u1andnewer:ThehostleveragestheStoragevMotionMirrordrivertocopyallneededdatatotheoriginaldatadisks.Whencompleted,a"FastSuspend"and"FastResume"isperformed(comparablewithvMotion)tobringtheoriginaldatafilesonline.

ForoldervSphereVersions(RollingSnapshot):

1. Thehosttakesasecond,“helper”,snapshottoholdnewwrites.2. Thehostreadstheblocksfromtheoriginalsnapshotandcommitsthemtotheoriginal

VMDKfile.3. Thehostchecksthesizeofthe“helper”snapshot.Ifthesizeisoverthethreshold,step

1isrepeated.4. Onceallhelpersnapshotsaredeterminedtobeunderthethresholdsize,vSphere

“stuns”theVMandcommitsthelastbitsofthesnapshot.

This“stun”periodcanbelessthanonesecondforsmallVMswithlightload,orseveralsecondsforlargerVMswithsignificantload.Toexternalclients,thissmallstunlooksliketheserverisbusyandthusmightdelayaresponseforafewseconds.However,applicationsthatareverysensitivetodelaysmayexperienceissueswiththisshortperiodofunresponsiveness.

Forexplanationofsnapshotremovalissues,seeVMwareKBarticle1002836.

HowtoMitigate?Tomitigatetheimpactofsnapshots,considerthefollowingrecommendations:

UpgradetovSphere6u1ornewertousethenewStoragevMotionbasedSnapshotcommitprocessing.

Minimizethenumberofopensnapshotsperdatastore.Multipleopensnapshotsonthesamedatastorearesometimesunavoidable,butthecumulativeeffectcanbebad.Keepthisinmindwhendesigningdatastores,deployingVMsandcreatingbackupand


170


replicationschedules.Leveragingbackupbydatastorecanbeusefulinthisscenario.

Considersnapshotimpactduringjobscheduling.Whenpossible,schedulebackupsandreplicationjobduringperiodsoflowactivity.LeveragingtheBackupWindowfunctionalitycankeeplong-runningjobsfromrunningduringproduction.SeethecorrespondingsettingontheScheduletabofthejobwizard

UsethevStorageAPIsforArrayIntegration(VAAI)whereavailable.VAAIcanoffersignificantbenefits:

HardwareLockAssistimprovesthegranularityoflockingrequiredduringsnapshotgrowthoperations,aswellasothermetadataoperations,thusloweringtheoverallSANoverheadwhensnapshotsareopen.VAAIinvSphere5.xoffersnativesnapshotoffloadsupportandshouldprovidesignificantbenefitsoncevendorsreleasefullsupport.VAAIissometimesalsoavailableasanESXipluginfromtheNFSstoragevendor.

DesigndatastoreswithenoughIOPStosupportsnapshots.SnapshotscreateadditionalI/OloadandthusrequireenoughI/Oheadroomtosupporttheaddedload.ThisisespeciallyimportantforVMswithmoderatetoheavytransactionalworkloads.CreatingsnapshotsinVMwarevSpherewillcausethesnapshotfilestobeplacedonthesameVMFSvolumesastheindividualVMdisks.ThismeansthatalargeVM,withmultipleVMDKsonmultipledatastores,willspreadthesnapshotI/Oloadacrossthosedatastores.However,itactuallylimitstheabilitytodesignandsizeadedicateddatastoreforsnapshots,sothishastobefactoredintheoveralldesign.

Note:Thisisthedefaultbehaviorthatcanbechanged,asexplainedintheVMwareKnowledgeBase:http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1002929

Allocateenoughspaceforsnapshots.VMwarevSphere5.xputsthesnapshotVMDKonthesamedatastorewiththeparentVMDK.IfaVMhasvirtualdisksonmultipledatastores,eachdatastoremusthaveenoughspacetoholdthesnapshotsfortheirvolume.Takeintoconsiderationthepossibilityofrunningmultiplesnapshotsonasingledatastore.Accordingtothebestpractices,itisstronglyrecommendedtohave10%freespacewithinadatastoreforageneraluseVM,andatleast20%freespacewithinadatastoreforaVMwithhighchangerate(SQLserver,Exchangeserver,andothers).

Note:Thisisthedefaultbehaviorthatcanbechanged,asexplainedintheVMwareKnowledgeBase:http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1002929

Watchforlowdiskspacewarnings.VeeamBackup&Replicationwarnsyouwhenthereisnotenoughspaceforsnapshots.Thedefaultthresholdvalueforproductiondatastoresis10GB.Keepinmindthatyoumustincreasethisvaluesignificantlyifusing


171



verylargedatastores(upto62TB).Youcanincreasethewarningthresholdinthebackupserveroptions,oftheVeeamBackup&ReplicationUI.YoucanalsocreatearegistrykeytopreventVeeamBackup&Replicationfromtakingadditionalsnapshotsifthethresholdisbreached:

Path:HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\VeeamBackupandReplicationKey:BlockSnapshotThresholdType:REG_DWORDDefaultvalue(inGB):2

Tip:UsetheVeeamONEConfigurationAssessmentReporttodetectdatastoreswithlessthan10%offreediskspaceavailableforsnapshotprocessing.

Enableparallelprocessing.ParallelprocessingtriestobackupmultipleVMdisksthatbelongtoasingleVMatthesametime.Thisreducessnapshotlifetimetotheminimum.Thisoptionisenabledbydefault.Pleasenoteifyouupgradedfromv6.5orearlierversions,youhavetoenablethisoptionexplicitlyinthebackupserveroptions.

Tuneheartbeatthresholdsinfailoverclusters.Someapplicationclusteringsoftwarecandetectsnapshotcommitprocessesasfailureoftheclustermemberandfailovertootherclustermembers.Coordinatewiththeapplicationownerandincreasetheclusterheartbeatthresholds.AgoodexampleisExchangeDAGheartbeat.Fordetails,seeVeeamKBArticle1744.

ConsiderationsforNFSDatastoresBackupfromNFSdatastoresinvolvessomeadditionalconsideration,whenthevirtualappliance(hot-add)transportmodeisused.Hot-addistakespriorityintheintelligentloadbalancer,whenBackupfromStorageSnapshotsorDirectNFSareunavailable.

DatastoresformattedwiththeVMFSfilesystemhavenativecapabilitiestodeterminewhichclusternodeistheownerofaparticularVM,whileVMsrunningonNFSdatastoresrelyontheLCKfilethatresideswithintheVMfolder.

Duringhot-addoperations,thehostonwhichthehot-addproxyresideswilltemporarilytakeownershipoftheVMbychangingthecontentsoftheLCKfile.Thismaycausesignificantadditional"stuns"totheVM.Undercertaincircumstances,theVMmayevenendupbeingunresponsive.TheissueisrecognizedbyVMwareanddocumentedinhttp://kb.vmware.com/kb/2010953.

Note:ThisissuedoesnotaffectVeeamDirectNFSaspartofVeeamDirectStorageAccessprocessingmodesandVeeamBackupfromStorageSnapshotsonNetAppNFSdatastores.Wehighlyrecommendyoutouseoneofthese2backupmodestoavoidproblems.


172

https://helpcenter.veeam.com/docs/one/reporter/vm_configuration_assessment.html?ver=95



Inhyperconvergedinfrastructures(HCI),itispreferredtokeepthedatamoverclosethebackedupVMtoavoidstressingthestoragereplicationnetworkwithbackuptraffic.IftheHCIisprovidingstorageviatheNFSprotocol(suchasNutanix),itispossibletoforceaDirectNFSdatamoveronthesamehostusingthefollowingregistrykey:

Path:HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\VeeamBackupandReplicationKey:EnableSameHostDirectNFSModeType:REG_DWORDDefaultvalue:0(disabled)

0(default)–Disabled

1–“PreferredsameHost”IfDirectNFSproxyonsamehostexistitwillwaitforafreetaskslotthere.IfaproxyonsamehostdonotexistitwilluseanotherDirectNFSproxy(onanotherhostorphysicalserver)orfallbacktoVirtualAppliance(HotAdd)andthentoNetwork(NBD)mode.

2–IfthereisnoDirectNFSproxyonsamehostasVM,itwillfallbacktoNetworkmode(NBD)

OverallHCIsolutionsshoulduse1or2(recommended)“1”shouldbeusedwithHCIsolutionsonlyifthe“EnableSameHostHotAddMode”wassetto“2”.

ThisregkeyisnotusedfortheVeeamCiscoHyperFlexintegration.

IfforwhateverreasonDirectNFSprocessingcannotbeusedandHotAddisconfigured,ensurethatproxiesrunningintheVirtualAppliancemode(Hot-Add)areonthesamehostastheprotectedVMs.

TogivepreferencetoabackupproxylocatedonthesamehostastheVMs,youcancreatethefollowingregistrykey:

Path:HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\VeeamBackupandReplicationKey:EnableSameHostHotAddModeType:REG_DWORDDefaultvalue:0(disabled)

Value=1–whenproxyAisavailableonthesamehost,VeeamBackup&Replicationwillleverageit.IfproxyAisbusy,VeeamBackup&Replicationwillwaitforitsavailability;ifitbecomesunavailable,anotherHot-Addproxy(proxyB)willbeused.

Value=2-whenproxyAisavailableonthesamehost,VeeamBackup&Replicationwillleverageit.IfproxyAisbusy,VeeamBackup&Replicationwillwaitforitsavailability;ifitbecomesunavailable,VeeamBackup&ReplicationwillswitchtoNBDmode.


173

Thissolutionwilltypicallyresultindeployingasignificantnumberofproxyservers,andmaynotbepreferredinsomeenvironments.Forsuchenvironments,itisrecommendedswitchingtoNetworkmode(NBD)ifDirectNFSbackupmodecannotbeused.

SnapshotHunterAtVeeamSupport,oneofthemostcommonlyraisedsupportcaseswasfororphanedsnapshots.OrphanedsnapshotswerecausedbyVMware’sownfailedsnapshotcommitoperationsduetounreleasedVMDKfilelocksduringVDDKoperations.VeeamusestheVMwarestandardVMsnapshotprocessingforbackupandreplicationprocesses,soalthoughVeeamwasnottheoriginoftheorphanedsnapshots,asVeeamusesVMwaresnapshots,Veeamisoftenseenasarootcauseasthisissuewasonlydiscoveredwhenabackupfailed.

Ifnotmonitoredappropriately,VMwareorphanedsnapshotscancausemanyunexpectedproblems.ThemostcommonproblemsareoverfilledVMdatastores,orsnapshotsgrowingsolargetheyareimpossibletocommit.Thisisawell-knownVMwarevSphereissuedescribedinVMwareKBarticle1007814.TheonlywaytomanuallyremediatethisissueiscloningtheVMandperforminganewfullVMbackup.

VeeamSnapshotHunterautomaticallydetectsanyVMwiththeconfigurationissue“Virtualmachinedisksconsolidationneeded”.PriortoperformingbackupofsuchVMs,VeeamBackup&Replicationwilltriggerdiskconsolidation(providedthatthedatastoreperformancethresholdspecifiedintheStorageLatencyControlsettingsisnotexceeded).

SnapshotHunterwillattemptconsolidationeight(8)times.Ifconsolidationfailsafterallretries,VeeamBackup&Replicationwillsendane-mailwithawarning.

YoucanviewinformationontheSnapshotHuntersessionsontheHistory>SystemviewinVeeamBackup&Replicationconsole.

Note:Currently,thedefaultbehaviorofSnapshotHuntercannotbechanged.AsSnapshotHunterwillautomaticallyretryconsolidationuptoeighttimes,itmaybeinappropriateforsomeVMsthatrequireplanneddowntimetoconsolidatethesnapshotmanually.SuchVMsshouldbeexcludedfrombackuporreplicationjobsuntiltheorphanedsnapshotsaremanuallyremoved.


174


https://helpcenter.veeam.com/docs/backup/vsphere/options_parallel_processing.html?ver=95

IfyouareevaluatingVeeamBackup&Replication,usetheInfrastructureAssessmentReportsincludedinVeeamAvailabilitySuitetoidentifyVMswithsnapshotsthatcanbeaffectedbyautomaticsnapshotconsolidation.

StorageLatencyControlOnequestionthatoftenarisesduringthedevelopmentofasolidavailabilitydesignishowmanyproxyserversshouldbedeployed.Theremustbeabalancebetweentheproductioninfrastructureperformance(asyoumustavoidoverloadingproductionstorage),andcompletingbackupjobsintime.

ModernCPUshavemanyphysicalcoresandcanrunmanytaskssimultaneously.Theimpactofhavingmanyproxyserversreadingdatablocksfromtheproductionstorageataveryhighthroughputmaybenegative.Withthisinmind,manybusinessesavoidedrunningbackuporreplicationjobsduringbusinesshourstoensuregoodresponsetimefortheirendusers.StorageLatencyControlwasimplementedtohelpavoidthisissue.

WhenStorageLatencyControlisenabled,itmonitorsthestoragereadlatencyontheproductiondatastoresusingreal-timemetricsfromthehypervisor.Bydefault,metricsfromthehypervisorarecollectedevery20seconds.ThesesettingsareinheritedfromvSphere.

ThefirstStorageLatencyControlthresholdStopassigningnewtaskstodatastoreatputsalimitationonassigningnewtasks(onetaskequalsoneVMdisk).Ifthelatencyforaparticulardatastoreisexceeded,nomoreproxytaskswillbeassignedtoit,untilthelatencydropsbelowthethreshold.

Iflimitingthenumberoftasksassignedtothedatastoreisnotsufficient,StorageLatencyControlwillthrottlethethroughputforexistingtasksaccordingtothesecondthresholdThrottleI/Oofexistingtasksat.


175

https://helpcenter.veeam.com/docs/one/reporter/vmware_infrastructure_dashboard.html?ver=95

TheresultsofenablingStorageLatencyControlareveryeasytoreviewusingthevSphereClient.

WhentoUse?

StorageLatencyControlprovidesasmartwaytoextendbackupwindowsoreveneliminatebackupwindows,andrundataprotectionoperationsduringproductionhours.


176

WhenStorageLatencyControlisenabled,VeeamBackup&ReplicationmeasuresthestoragelatencybeforeprocessingeachVMdisk(andalsoduringprocessing,ifThrottleI/Oofexistingtasksatsettingisenabled).Furthermore,ifthestoragelatencyforagivendatastoreisalreadyabovethethreshold,committingVMsnapshotscanbedelayed.Insomeenvironments,enablingStorageLatencyControlwillreducetheoverallthroughput,aslatencyincreasesduringthebackupwindow.

However,inmostenvironmentshavingthisfeatureenabledwillprovidebetteravailabilitytoproductionworkloadsduringbackupandreplication.Thus,ifyouobserveperformanceissuesduringbackupandreplication,itisrecommendedtoenableStorageLatencyControl.

StorageLatencyControlisavailableinEnterpriseandEnterprisePluseditions.TheEnterprisePluscustomersareofferedbettergranularity,astheycanadjustlatencythresholdsindividuallyforeachdatastore.ThiscanbereallyhelpfulininfrastructureswheresomedatastorescontainVMswithlatency-sensitiveapplications,whilelatencythresholdsfordatastorescontainingnon-criticalsystemscanbeincreasedtoavoidthrottling.

vCenterServerConnectionCountIfyouattempttostartalargenumberofparallelVeeambackupjobs(typically,morethan100,withsomethousandVMsinthem)leveragingtheVMwareVADPbackupAPIorifyouuseNetworkTransportmode(NBD)youmayfacetwokindsoflimitations:

LimitationonvCenterSOAPconnectionsLimitationonNFCbuffersizeontheESXiside

AllbackupvendorsthatuseVMwareVADPimplementtheVMwareVDDKkitintheirsolutions.ThiskitprovidesstandardAPIcallsforthebackupvendor,andhelpstoreadandwritedata.Duringbackupoperations,allvendorshavetodealwithtwotypesofconnections:theVDDKconnectionstovCenterServerandESXi,andvendor’sownconnections.ThenumberofVDDKconnectionsmayvaryfordifferentVDDKversions.

IfyoutrytobackupthousandsofVMsinaveryshorttimeframe,youcanrunintotheSOAPsessioncountlimitation.Forexample,invSphere5.1thedefaultmaximumnumberofsessionsis500.Ifyouhitthislimitation,youcanincreasethevCenterServerSOAPconnectionlimitfrom500to1000.Fordetails,seehttp://kb.vmware.com/kb/2004663.

Veeam’sschedulingcomponentdoesnotkeeptrackoftheconnectioncount.Forthisreason,itisrecommendedtoperiodicallycheckthenumberofvCenterServerconnectionswithinthemainbackupwindowtoseeifyoucanpossiblyrunintoabottleneckinfuture,andincreasethelimitvaluesondemandonly.


177


YoucanalsooptimizetheESXinetwork(NBD)performancebyincreasingtheNFCbuffersizefrom16384to32768MB(orconservativelyhigher)andreducingthecacheflushintervalfrom30sto20s.Fordetailshowtodothis,seeVMwareKBarticle2052302.AfterincreaingNFCbuffersetting,youcanincreasethefollowingVeeamRegistrysettingtoaddadditionVeeamNBDconnections:

Path:HKLM\SOFTWARE\VeeaM\VeeamBackupandReplicationKey:ViHostConcurrentNfcConnectionsType:REG_DWORDDefaultvalue:7(disabled)

Becarefulwiththissetting.Ifthebuffervs.NFCConnectionratioistooaggressive,jobsmayfail.

VeeamInfrastructurecacheAnewserviceinVeeamBackup&Replicationv9.5isInfrastructureCachereflectedasthe"VeeamBrokerService"windowsservice.Withit,VeeamcancachedirectlyintomemoryaninventoryoftheobjectsinavCenterhierarchy.ThecollectionisveryefficientasitusesmemoryanditislimitedtojustthedataneededbyVeeamBackup&Replication.

Thiscacheisstoredintomemory,soateachrestartoftheVeeamservicesitscontentislost;thisisnotaproblemastheinitialretrievalofdataisdoneassoonastheVeeamserverisrestarted.Fromhereon,Veeam"subscribed"toaspecificAPIavailableinvSphere,sothatitcanreceivein"push"modeanychangetotheenvironment,withouttheneedanymoretodoafullsearchonthevCenterhierarchyduringeveryoperation.


178


Themostvisibleeffectsofthisnewserviceare:

TheloadagainstvCenterSOAPconnectionisheavilyreduced,aswehavenowonesingleconnectionperVeeamserverinsteadofeachjobrunninganewqueiryagainstvCenter;EverynavigationoperationofthevSpherehierarchyisinstantaneous;Theinitilisationofeveryjobisalmostimmediate,asnowtheInfrastructureCacheservicecreatesacopyinmemoryofitscachededicatedtoeachjob,insteadoftheVeeamManagerservicecompletingafullsearchagainstvCenter:

NospecialmemoryconsiderationneedstobedonefortheInfrastructureCache,asitsrequirementsarereallylow:asanexample,thecacheforanenvironmentwith12hostsand250VMsisonly120MB,andthisnumberdoesnotgrowlinearlysincemostofthesizeisfixedevenforsmallerenvironments.


179

SecurityWhenconnectingVeeamBackup&ReplicationtothevCenterServerinfrastructure,youmustsupplycredentialsthatthebackupserverwillusetocommunicatewiththevCenterServer.

ThefeaturesthatVeeamprovides,suchasbackup,restore,replication,andSureBackup,interactwithvSphereatthefundamentallevel.Certainpermissionsarerequiredtotakesnapshots,createVMs,datastores,andresourcegroups.Becauseofthislevelofinteraction,itisgenerallyrecommendedthatVeeamBackup&Replicationusesarestrictedaccountwiththepermissionsthatarerequiredtocompletethejob.

However,insomeenvironmentsfulladministrativepermissionsarenotdesirableorpermitted.Forthoseenvironments,Veeamhasidentifiedtheminimumpermissionsrequiredforthevarioussoftwarefunctions.Reviewthe"RequiredPermissions"document(notchangedsinceV9.0)andconfiguretheaccountusedbyVeeamBackup&Replicationtomeettheserequirements.

Youcanalsoleveragesecuritytorestrictthepartoftheenvironmentthatthebackupservercan“see”.ThiscanhavemultiplebenefitsbeyondsecurityinthatitlowersthetimerequiredtoparsethevCenterServerhierarchyandreducesthememoryfootprintrequiredtocachethisinformation.However,caremustbetakenwhenattemptingtousethislevelofrestriction,assomepermissionsmustbeprovidedattheverytopofthevCenterServertree.SpecificallyifyouaccessthevCenteroveraWANlinksuchscopingcanreducethe(managementbackground)WANtraffic.

Foradetaileddescriptionofaccounts,rightsandpermissionsrequiredforVeeamBackup&Replicationoperations,seethe"RequiredPermissions"document(notchangedsinceV9.0).


180

https://www.veeam.com/veeam_backup_9_0_permissions_pg.pdf


Hyper-VbackupmodesVeeamBackupandReplicationprovidestwodifferentbackupmodestoprocessHyper-Vbackups,bothrelyingontheMicrosoftVSSframework.

On-Hostbackupmode,forwhichbackupdataprocessingisontheHyper-VnodehostingtheVM,leveragingnontransportableshadowcopiesbyusingsoftwareVSSprovider.Off-Hostbackupmode,forwhichbackupdataprocessingisoffloadedtoanothernonclusteredparticipatingHyper-Vnode,leveragingtransportableshadowcopiesusingHardwareVSSproviderprovidedbytheSANstoragevendor.

Backupmodeavailabilityisheavilydependingontheunderlyingvirtualizationinfrastructure,leavingOff-HostbackupmodeavailableonlytoprotectvirtualmachineshostedonSANstoragevolumes.

Performancewise,sincebothbackupmodesareusingtheexactsameVeeamtransportservices,theonlydifferentiatingfactorswillbetheadditionaltimerequestedtomanagetransportablesnapshots(infavorofOn-Hostmode)andthebalancebetweencomputeandbackupresourcesconsumptionduringbackupwindows(infavorofOff-Hostmode).

Backupmodesselectionmatrix

PRO CON

On-Host

SimplifiesmanagementDoesnotdependonthirdpartyVSSproviderDoesnotrequireadditionalhardwareCanbeusedonanyHyper-Vinfrastructures

Requiresadditionalresourcesfromthehypervisorsduringthebackupwindow,forIOprocessingandoptimizationDoesnotdependonthirdpartyVSSproviderDoesnotrequireadditionalhardware

Off-Host

Noimpactonthecomputeresourcesonthehostinghyper-vRequiresthirdpartyVSShardwareprovider

AddsadditionaldelayforsnapshotstransportationAvailableonlyforvirtualizationinfrastructuresbasedonSANstorage

Hyper-VConcerns

181

LimitingtheimpactofOn-HostbackupmodeontheproductioninfrastructureWhileconsumingproductionresourcesforbackuppurposetheOn-Hostbackupmodedisadvantagescanbemitigatedbythefollowingguidelines.

Spreadingloadacrosshypervisors.Itshouldbekeptinmindthatthebackupload,insteadofbeingcarriedbyalimitednumberofdedicatedproxies,willbespreadthroughallthehypervisors.DefaultVeeamsettingistolimitbackupto4paralleltasksperhypervisor,whichwilluseamaximumoffourcoresand8GBofRAM.Thiscanbemodifiedinthe“Managedserver”sectionoftheVeeamConsole,throughthe“Tasklimit”setting.Forinstance,ifthesizingguidelines(pleaserefertotheresourceplanningsectionofthisdocument)resultsinatotalamountof24coresand48GBofRAMneededforVeeamtransportservices,andtheinfrastructurecomprises12Hyper-Vservers,eachservertasklimitcanbesetto2.

Leveragingstoragelatencycontrol.Thisfeatureallowstoprotectthevolumes(globallyforenterpriseedition,andindividuallyforenterpriseplusedition)fromhighlatency,bymonitoringandadjustingbackuploadaccordingly.Pleaserefertouserguidepropersectionforfurtherinformation.

ChangeblocktrackingonHyper-VDependingonthecombinationofHyper-VOSversionandtheprimarystoragetype,themechanismfortrackingchangesmaydiffer.

MicrosoftResilientChangeTrackinginHyper-V2016

Hyper-VConcerns

182

https://helpcenter.veeam.com/docs/backup/hyperv/options_parallel_processing.html?ver=95

Beforeversion2016,MicrosoftdidnotoffernativechangeblocktrackingleadingVeeamtodevelopaprivateCBTenginetodrasticallyoptimizebackupsprocess.Inversion2016ofHyper-V,Microsofthasimplementeditsownchangedblocktrackingmechanism,named“ResilientChangeTracking”.TobenefitRCT,thefollowingprerequisitesmustbemet,otherwiseincrementalbackupsorreplicationwillhavetoreadentirelythesourcevirtualdiskstorecalculatedifferences:

Hyper-Vserverversion2016Clusterfunctionallevelisupgradedto2016VMconfigurationversionisupgradedto8.0

ChangeblocktrackingonthirdpartySMBimplementationSinceVeeamownChangeBlockTrackingfilterdriverisnotcompatiblewiththirdpartySMBimplementations(assometimesimplementedonhyperconvergedinfrastructures)itisadvisedtoupgradetheclusternodestoHyper-V2016toleverageMicrosoftnativeRCTinsuchsituations.

MixedclustersandChangeBlockTrackingAsmigratingHyper-Vclustersfrom2012R2to2016canbedoneusingthe"rollingprocedure"aHyper-Vclustermighttemporaryrundifferentversions,impactingtheCBTmechanismusage.

HostsOS VMLevel ClusterLevel CBT

All2012R2 lowerthan8 lowerthan9 Veeamfilterdriver

Mixed Lowerorequalto8 Lowerthan9 NoCBT

All2016 Lowerthan8 Equalto9 NoCBT

All2016 Equalto8 Equalto9 MicrosoftRCT

BackupofMicrosoftS2Dhyperconvergedcluster

Hyper-VConcerns

183

WhenconfiguringahyperconvergedinfrastructurebasedonMicrosoftStorageSpacesDirectonelimitationtoknowaboutisthatavolumehostingvirtualmachinesisownedbyasinglenodeoftheclusteratagiventime.ThisimpliesthatallIOs(includingbackupworkloadgeneratedbyallnodes)willbeservedbythesinglenodeowningthevolume.

Agoodruleofthumbtoavoidsuchpotentialbottleneckistocreateanumberofvolumesequalorgreaterthanthenumberofnodescomposingthecluster,spreadingIOsservicingacrossallnodes.

Guestinteraction

PowerShellDirectIntroducedbyMicrosoftinHyper-V2016,PowerShellDirectisanewmethodallowingtointeractwiththeguestevenifnodirectnetworkconnectionisavailablebetweentheVeeamguestinteractionproxyandtheguestitself.

PowerShellDirectrequiresthefollowingprerequisites:

PowerShell2.0orlaterHostmustbeWindowsServer2016GuestmustbeWindowsServer2016orWindows10

PowerShellDirectcanbeeasilytestedonthehost,usingthefollowingcommand.

Enter-PSSession-VMNameVMName

LinuxIntegrationServicesandapplicationawarenessissueIthassometimesbeenobservedthatsomeBuilt-inLinuxIntegrationServicesversionsfailedtocommunicatetheguestIPaddresstotheHypervisor,causingtheVeeamapplicationawareprocessingtofail.

PleaserefertothefollowingTechnetblogpostforfurtherexplanationsonwheretofindandhowtoinstallLIS.

Guestrestoration

Hyper-VConcerns

184

https://blogs.technet.microsoft.com/virtualization/2016/07/12/which-linux-integration-services-should-i-use-in-my-linux-vms/

InstantVMrecoverystoragerequirementWhenperformingInstantVMrecovery,Veeamwillimmediatelypre-allocatethenecessaryamountofstorageonthetargetinfrastructure,eventhoughtheguestimageusedisresidingonthebackuprepository.

Note:thispre-allocationisperformedonlyforInstantVMRecoveryUsage.SureBackupprocessingwilluseathinprovisioningmechanisminstead,preservingresourcesontheinfrastructure.

Hyper-VConcerns

185

https://helpcenter.veeam.com/docs/backup/hyperv/instant_recovery.html?ver=95

JobConfigurationInthefollowingsection,youwilllearnmoreaboutconfigurationguidelinesfordifferentjobtypes,andhowtooptimizeboththeuserexperienceofusingBackup&Replication,andthebackendoperationstogetthemostoftheavailableinfrastructure.

JobConfiguration

186

BackupMethodsVeeamBackup&Replicationstoresbackupsondiskusingasimple,self-containedfilebasedapproach.However,thereareseveralmethodstocreateandstorethosefilesonthefilesystem.Thissectionwillprovideanoverviewofthesemethods,theirprosandcons,aswellasrecommendationsonusecasesforeachone.

BackupmodedirectlyinfluencesdiskI/Oonbothproductionstorageandbackuprepository,andbackupssize;forthesereasonsitisrecommendedtocarefullyreviewcapabilitiesofthedestinationstoragewhenselectingone.TakealookatDeduplicationAppliancessectionofthisguideforimportantdetailsonusingdedicateddeduplicatinghardwareappliancesforstoringbackups.

Foragraphicalrepresentationofthementionedbackupmodesinthissection,pleaseseeVeeamKB1799.

AsagenericoverviewforI/Oimpactofthebackupmodes,pleaseseethistable:

Method I/Oimpactondestinationstorage

Forwardincremental 1xwriteI/Oforincrementalbackupsize

Forwardincremental,activefull 1xwriteI/Ofortotalfullbackupsize

Forwardincremental,transform 2xI/O(1xread,1xwrite)forincrementalbackupsize

Forwardincremental,syntheticfull 2xI/O(1xread,1xwrite)forentirebackupchain

Reversedincremental 3xI/O(1xread,2xwrite)forincrementalbackupsize

Syntheticfullwithtransformtorollbacks 4xI/O(2xread,2xwrite)forentirebackupchain

WhilechangingbackupmodeisonewayofreducingamountofI/OonbackuprepositoryitisalsopossibletoleveragefeaturesofthefilesystemtoavoidextraI/O.CurrentlyVeeamBackupandReplicationsupportsadvancedfeaturesofonefilesystem,MicrosoftReFS3.1(availableinWindowsServer2016),tocompletelyeliminateunnecessaryread/writeoperationsincertainconfigurations.Formoredetailsrefertothecorrespondingsectionofthisguide.[ReFSchapterisworkinginprogress]

ForwardIncremental

BackupMethods

187


Theforwardincrementalbackupmethodisthesimplestandeasiesttounderstand;itgenerallyworkswellwithallstoragedevicesalthoughitrequiresmorestoragespacethanotherbackupmethodsduetothefactthatitrequiresthecreationofperiodicfullbackups(eitherusingactiveorsyntheticbackups),typicallyscheduledweekly.Thisisnecessarybecausetheincrementalbackupsaredependentontheinitialfullbackup;thus,olderfullbackupscannotberemovedfromtheretentionchainuntilanewerbackupchainiscreated.Whenanewfullbackupiscreated,anewchainisstarted,andtheoldbackupscanberemovedoncethenewchainmeetstheretentionrequirements.

ActiveFullBackups

Thefirsttimeajobisrunitalwaysperformsanactivefullbackup.DuringthisprocesstheVMisreadinfull(withtheexceptionofblankblocksandswapareas),andVMdataisstored(typicallycompressedanddeduplicated)intoafullbackupfile(.VBK).

Eachtimeanactivefullisperformed(eitheronscheduleorbymanuallytriggeringtheActiveFullcommand),anew.VBKfileiscreatedbyreadingalldatafromtheproductionstorage.Followingincrementalbackupsarestoredinincrementalbackupfiles(.VIB).

Whenperformingactivefullbackups,allblocksarere-readfromthesourcestorage.

I/OImpactofActiveFull

Whencreatinganactivefull,theI/Opatternonthebackupstorageismainlysequentialwrites,whichgenerallyprovidesgoodperformanceformoststoragesolutions.However,allthedata(notjustthechanges)hastobecopiedfromtheproductionstorage,andthiswillincreasethedurationofthebackupactivityandthetimeaVMsnapshotremainsopen(seealsothe"ImpactofSnapshotOperations"sectionofthisguide).ThesnapshotlifetimecanbereducedbyleveragingBackupfromStorageSnapshots.

BackupMethods

188

Whentouse

Forwardincrementalbackupprovidesgoodperformancewithalmostanystorageandthehighestlevelofbackupchainconsistencysinceeachnewchainispopulatedbyre-readingVMsourcedata.IncrementalbackupsarestillprocessedusingChangedBlockTracking(CBT)thusdatareductionisstillpossible.ActiveFullcanbeusedinanycasewhereplentyofrepositoryspaceisavailable,thebackupwindowallowsenoughtimeandnetworkbandwidthissufficienttosupportreadingthesourcedatainfull.

Use Don'tUse

RecommendedfordeduplicationappliancesthatuseSMBorNFSprotocols.

Whenbackupwindowdoesnotallowenoughtimeforre-readingallofthesourceVMdata.

Onstoragesystemsthatusesoftwareornon-cachingRAIDhardwaresuchasmanylow-endNASdevices.

ForlargeorperformancesensitiveVMswherere-readingthedatacanhaveanegativeimpactontheVMsperformance.

SyntheticFull

Syntheticfullreadsthedataalreadystoredinthemostrecentbackupchain(fullanditsdependentincrementals)tocreateanewfullbackupdirectlyintothedestinationstorage.

Ifasyntheticfullisscheduled,whenthejobruns,itfirstcreatesanormalincrementalbackuptocollectthemostrecentchanges.

Afterthejobcompletestheincrementalbackup,thesyntheticfullgenerationisstarted.ItreadsthemostrecentversionofeachblockforeveryVMinthejobfromthebackupchain,andwritesthoseblocksintoanewVBKfile.Thisishowanewfullbackupis"synthetically"created.

I/OImpactofSyntheticFull

BackupMethods

189

SyntheticfullI/Opatternsneedtobesplitintotwodifferentoperation:thecreationoftheadditionalincrementalisexactlylikeanyotherincrementaljob.However,thesyntheticcreationofthefullbackupisanI/Ointensiveprocess,allinchargeoftheVeeamrepository.Sincetheprocessreadsindividualblocksfromthevariousfilesinthechainandwritesthoseblockstothefullbackupfile,theI/Opatternisroughly50%-50%read/writemix.TheprocessingspeedislimitedbytheIOPSandlatencycapabilitiesoftherepositorystorage,soitmaytakeasignificantamountoftime.However,thereisnoimpactonthesourcestorageorproductionnetworksduringthistimeasI/Ooccursonlyinsidetherepository.

NOTE:ifanSMBsharetypeofrepositoryisused,theVeeamrepositoryroleisexecutedintheGatewayServerthereisgoingtobenetworktrafficbetweenthegatewayserveritselfandtheSMBshare.

RecommendationsonUsage

Duetothewaysyntheticfullworks,havingmanysmallerbackupsjobswithfewerVMswillallowforfastersyntheticfulloperations.KeepthisinmindwhensettingupjobsthatwillusethismethodorchoosetousePerVMBackupFiles.

Use Don’tUse

WhenrepositorystorageusesfastdiskswithcachingRAIDcontrollersandlargestripes.

SmallNASboxeswithlimitedspindlesthatdependonsoftwareRAID.

Deduplicationappliancesthatsupportoffloadingsyntheticoperations(DataDomain,StoreOnceandExaGrid)

DeduplicationappliancesthatuseSMBorNFSprotocols.

ForeverForwardIncrementalForeverforwardincrementalmethodcreatesonefullbackupfile(VBK)onthefirstexecution,andthenonlyincrementalbackups(VIBs)arecreated.Thismethodallowsbackupspacetobeutilizedefficiently,asthereisonlyasinglefullbackupondisk,andwhenthedesiredretentionisreachedamergeprocessisinitiated.Itreadstheoldestincrementalbackupandwritesitscontentinsidethefullfile,virtuallymovingitforwardinthetimelinewherethemergedincrementalwasbefore.

BackupMethods

190

I/OImpactofMergeProcess

Themergingprocessisperformedattheendofthebackupjoboncetheretentionforthejobhasbeenreached.Thisprocesswillreadtheblocksfromtheoldestincrementalbackup(VIBfile)andwritethoseblocksintotheVBKfile;theI/Opatternisa50%-50%read-writemixonthetargetstorage.ThetimerequiredtoperformthemergedependsonthesizeoftheincrementaldataandtherandomI/Operformanceoftheunderlyingstorage.


Theprimaryadvantageofusingforeverforwardincrementalbackupmethodisspacesavings.However,thetradeoffistherequiredresourcesforthemergeprocess.Themergeprocessmaytakeaconsiderableamountoftime,dependingontheamountofincrementalchangesthatthejobhastoprocess.Theadvantageisthatthemergeprocessimpactsonlythetargetstorage.

Likewithsyntheticfull,itisrecommendedtohavemanysmallerjobswithalimitednumberofVMs,asthiscansignificantlyincreasetheperformanceofsyntheticmergeprocess.Verylargejobscanexperiencesignificantincreaseintimeduetoextrametadataprocessing.ThismayberemediatedbycombiningforeverforwardincrementalmodewithperVMbackupfiles.

Use Don’tUse

Repositorieswithgoodperformance

SmallerbackuprepositoriesorNASdeviceswithlimitedspindlesandcache

IdealforVMswithlowchangerate

Jobswithsignificantchangeratemaytakealongtimetomerge

ReverseIncremental

BackupMethods

191

Aseveryotherbackupmethod,duringitsfirstrunreverseincrementalbackupcreatesafullbackupfile(VBK).Allsubsequentbackupsareincremental,thatis,onlychangeddatablocksarecopied.Duringtheincrementalbackup,updatedblocksarewrittendirectlyintothefullbackupfile,whilereplacedblocksaretakenoutandwrittenintoarollbackfile(.VRB).

Thismethodprovidesspace-efficientbackup,asthereisonlyonefullbackuptostore.Italsofacilitatesretention,sinceremovingoldrestorepointsissimplyamatterofdeletingoldVRBfiles.

Thedisadvantageisthatcreationofrollbackfilesoccursduringthebackupprocessitself,whichresultsinhigherI/Oloadonthetargetstorageandcanslowdownthebackupprocess.

Also,overtimethein-placeinjectionofnewblocksintothefullfilecausesfragmentationoftheVBKfile.Thiscanbepartiallyfixedbyusingcompactoperations.

I/OImpactofReverseIncremental

DuringthebackupprocessnewblocksarereadfromthesourceVMandarewrittendirectlytotheVBKfile.Ifthisblockreplacesanexistingolderblock,thisoldblockisreadfromtheVBKandthenwrittentotheVRBfile,andreplacedbythenewoneintotheVBKfileitself.Thismeansthatreverseincrementalbackupscreatesa33%-66%read-writeIOpatternonthetargetstorageduringthebackupprocessitself.ThisI/Otypicallybecomesthelimitingfactorforbackupperformanceofthejob.Astherollbackiscreatedduringthebackupprocessitself,backupthroughputcanbelimitedbytargetstorage.ThisslowerperformancecanleadtoVMsnapshotsstayingopenforalongertime.

ThiscanbeespeciallynoticeableforVMswithahighchangerate,orwhenrunningmultipleconcurrentjobs.


BackupMethods

192

Use Don’tUse

WhenrepositorystorageusesfastdiskwithcachingRAIDcontrollersandlargestripesizes

SmallNASboxeswithlimitedI/Operformance

VMswithlowchangerate DeduplicationappliancesduetorandomI/Opattern

HighchangerateVMs,asVMsnapshotmaybeopenforalongtime

BackupMethods

193

Encryption

OverviewTheencryptiontechnologyinVeeamBackup&Replicationallowsyoutoprotectdatabothwhileitisintransferbetweenbackupcomponentsandatrest,whenitisstoredatitsfinaldestination.Thiscanbedisk,tapeoracloudrepository.Customerscanuseoneoftheencryptionmethodsoracombinationofbothtoprotectagainstunauthorizedaccesstoimportantdatathroughallthestepsinthedataprotectionprocess.

VeeamBackupEnterpriseManageradditionallyprovidesPasswordLossProtectionoptionthatallowsauthorizedVeeamuserstorecoverdatafromthebackupeveniftheencryptionpasswordislost.Ifthepasswordgetslost,thebackupserverwillprovideachallengekeyforEnterpriseManager.Usingasymmetricencryptionwithapublic/privatekeypair,EnterpriseManagergeneratesaresponsewhichthebackupservercanuseforunlockingthebackupfilewithouthavingthepasswordavailable.FormoredetailsonthisfeaturerefertothecorrespondingsectionoftheUserGuide.

Theencryptionalgorithmsusedareindustrystandardinallcases,leveragingAES-256andpublickeyencryptionmethods.DataEncryptionsectionoftheUserGuideprovidesdetailedinformationontheencryptionalgorithmsandstandardsusedbytheproduct.

Thefollowingsectionsdescribeencryptionoptionsavailableintheproduct,whattheyprotect,whentheyshouldbeusedandbestpracticesfortheiruse.

BackupandBackupCopyJobEncryption

Whatdoesitdo?

Backupandbackupcopyjobencryptionisdesignedtoprotectdataatrest.Thesesettingsprotectdataifunauthorizedusergetsaccesstobackupfilesoutsideofthebackupinfrastructure.AuthorizedusersoftheVeeamconsoledonotneedtoknowthepasswordtorestoredatafromencryptedbackups.EncryptiondoesnotpreventauthorizedVeeamusersfrombeingabletoaccessdatastoredinbackups.

Anexampleistheuseofrotateddrivesforanoffsiterepository.Becausethesedrivesarerotatedoffsite,theyareatahigherriskoffallingintothehandsofunauthorizedusers.Withoutencryptionenabled,theseunauthorizeduserscouldinstalltheirowncopyofVeeamBackup&Replicationandgainaccesstothestoredbackupseasily.

Encryption

194

https://helpcenter.veeam.com/docs/backup/vsphere/decrypt_without_pass.html?ver=95

https://helpcenter.veeam.com/docs/backup/vsphere/data_encryption.html?ver=95

Ontheotherhand,ifthebackupfilesareencrypted,unauthorizeduserscannotaccessanydatainthebackupsorevenlearnanycriticalinformationaboutthebackupinfrastructureasevenbackupmetadataisencrypted.WithoutthekeyusedforencryptionoraccesstotheoriginalVeeamBackup&Replicationconsoleitself,thebackupfilesremainsecure.

Howdoesitwork?

Forencryptionfunctionalitytoworkbackupencryptionkeyshavetobegenerated.Thosekeysusemathematicalsymmetriccryptographyandarenotusedtoencryptthedataitselftoavoidimpactingbackupperformance.Insteadforeachbackupsessionuniquesessionsymmetricencryptionkeyisgeneratedautomaticallyandthenstoredinthebackupfileencryptedwiththebackupencryptionkey.Theneachdatablock(compressedornotdependingonthejobconfiguration)isencryptedwiththesessionkeygeneratedforcurrentjobsessionandstoredinthebackupfile.IncasePasswordLossProtectionfunctionalityisenabledanadditionalcopyofsessionkeysisstoredinthebackupfileencryptedwiththeEnterpriseManagerencryptionkeys.

Thisapproachprovidesamethodforencryptingbackupswithoutcompromisingbackupperformance.

Whentouseit?

Backupandbackupcopyjobencryptionshouldbeusedifbackupsaretransportedoffsite,orifunauthorizedusersmayeasilygainaccesstobackupfilesinanotherwaythanbyusingtheVeeamconsole.Commonscenariosare:

OffsitebackupstoarepositoryusingrotateddrivesOffsitebackupsusingunencryptedtapesOffsitebackupstoaVeeamCloudConnectproviderRegulatoryorpolicybasedrequirementstostorebackupsinencryptedform

Activefullbackupisrequiredforenablingencryptiontotakeeffectifitwasdisabledforthejobpreviously.

BestPractices

Enableencryptionifyouplantostorebackupsinlocationsoutsideofyoursecuritydomain.WhileCPUusageforencryptionisminimalformostmodernprocessors,someamountofresourceswillstillbeconsumed.IfVeeambackupproxiesarealreadyhighlyloaded,takeitintoaccountpriortoenablingjob-levelencryption.Usestrongpasswordsforjobencryptionanddevelopapolicyforchangingthem

Encryption

195

regularly.VeeamBackup&Replicationhelpswiththis,asittrackspasswords’age.Storepasswordsinasecurelocation.ObtainEnterpriseorahigherlevellicenseforVeeamBackup&Replication,configureVeeamBackupEnterpriseManagerandconnectbackupserverstoittoenablePasswordLossProtection.ExportacopyoftheactivekeysetfromEnterpriseManager(seeUserGuideformoreinformation).BackuptheVeeamBackupEnterpriseManagerconfigurationdatabaseandcreateanimage-levelbackupoftheVeeamBackupEnterpriseManagerserver.Ifthesebackupsarealsoencrypted,makesurethatpasswordsarenotlostastherewillbenoPasswordLossProtectionforthesebackups.

TapeJobEncryption

Whatdoesitdo?

Similartobackupjobencryption,tapejobencryptionisdesignedtoprotectdataatrest.Thesesettingsprotectdataifanunauthorizedusergainsaccesstotapemediaoutsideofthebackupinfrastructure.Authorizedusersdonotneedtoknowthepasswordtorestoredatafromencryptedtapebackups.EncryptiondoesnotpreventauthorizedVeeamusersfrombeingabletoaccessdatastoredintapebackups.

Typicalusecaseistoprotectdataontapeswhenmediaisshippedtoanoffsitelocationortoa3 party.Withoutencryptionenabled,alosttapecouldeasilybeaccessed,anddatastoredontapescouldbecompromised.

Howdoesitwork?

Similartoencryptionforbackupsondisk,asessionencryptionkeyisusedtoencryptdatablocksastheyarewrittentotape.Tapeencryptioncanleverageeitherhardwaretapeencryption(ifpresentandenabled)orsoftware-basedencryption.Ifthetapedrivesupportshardwareencryption,thesessionkeyissenttothetapedeviceviaSCSIcommandsandthedriveitselfperformstheencryptionpriortowritingdatatotape.ThisallowsencryptiontooccurwithnoimpactontheCPUofthetapeserver.Ifthetapehardwaredoesnotsupportencryption,Veeamfallsbackautomaticallytousingsoftware-basedAES-256dataencryptionpriortosendingdatatothetapedevice.

Whentouseit?

rd

Encryption

196

https://helpcenter.veeam.com/docs/backup/em/em_export_import_keys.html?ver=95

Tapejobencryptionshouldbeusedanytimeyouwanttoprotectthedatastoredontapefromunauthorizedaccessbya3 party.Tapesarecommonlytransportedoffsiteandthushaveahigherchanceofbeinglostandturningupinunexpectedplaces.Encryptingtapescanprovideanaddedlayerofprotectioniftapesarelost.

Iftapejobsarewritingalreadyencrypteddatatotape(forexample,Veeamdatafrombackupjobsthatalreadyhaveencryptionenabled),youmayfinditacceptabletonotusetape-levelencryption.However,beawarethatauserwhogetsaccesstothetapewillbeabletorestorethebackupfiles.Althoughthisuserwillnotbeabletoaccessthebackupdatainthosefiles,somevaluableinformation,forexample,jobnamesusedforbackupfiles,mayleak.

BestPractices

Enableencryptionifyouplantostoretapesinlocationsoutsideofyoursecuritydomain.Considertherisks/benefitsofenablingtapejobencryptionevenifthesourcedataisalreadyencryptedandevaluateappropriatelytheacceptablelevelofrisk.Usestrongpasswordsfortapejobencryptionanddevelopapolicyforchangingthemregularly(youcanuseVeeamBackup&Replicationpasswordagetrackingcapability).Storepasswordsinasecurelocation.ObtainEnterpriseorahigherlevellicenseforVeeamBackup&Replication,configureVeeamBackupEnterpriseManagerandconnectbackupserverstoittoenablePasswordLossProtection.BackuptheVeeamBackupEnterpriseManagerconfigurationdatabaseandcreateanimage-levelbackupoftheVeeamBackupEnterpriseManagerserver.Ifthesebackupsarealsoencrypted,makesurethatpasswordsarenotlostastherewillbenoPasswordLossProtectionforthesebackups.

NetworkTransportEncryption

Whatdoesitdo?

Unlikethebackupandtapejobencryptionfeatures,thenetworktransportencryptionfeatureisdesignedtoprotectdata“in-flight”.Forexample,whentheproxyissendingdataacrossthenetworktothebackuprepository,datacanbeencryptedbetweenthesetwopointsevenifjob-levelencryptionisnotenabled.Thisisprimarilyusefulwhenthenetworkbetweenthesourceandtargetisnottrusted,forexample,whensendingdataacrosstheInternet.

Howdoesitwork?

rd

Encryption

197

NetworkencryptioninVeeamBackup&ReplicationiscontrolledviatheglobalNetworkTrafficoptions.

WhenevertwobackupinfrastructurecomponentsneedtocommunicatewitheachotherovertheIPnetwork,adynamickeyisgeneratedbythebackupserverandcommunicatedtoeachnodeoverasecurechannel.Thetwocomponentsthenestablishanencryptedconnectionbetweeneachotherusingthiskey,andallcommunicationsbetweenthesetwocomponentsforthatsessionarethenencryptedwiththiskey.Thekeyhasaone-timeuseandit'sdiscardedoncethesessioniscompleted.

Whentouseit?

NetworktransportencryptionshouldbeusedifthenetworkbetweentwobackupinfrastructurecomponentsisuntrustedoriftheuserdesirestoprotectVeeamtrafficacrossthenetworkfrompotentialnetworksniffingor"maninthemiddle"attacks.

Bydefault,VeeamBackup&Replicationautomaticallyencryptscommunicationbetweentwonodesifeitheroneorbothhasaninterfaceconfigured(ifusedornot)thatisnotwithintheRFC1918privateaddressspace(10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16).Veeamalsoautomaticallyusesnetwork-levelencryptionforanyconnectionwithVeeamCloudConnectserviceproviders,howeverCloudConnectestablishesaTLS1.2encryptedtunneltotheserviceproviderinadifferentway.TolearnmoreaboutspecificCloudConnectencryptionmechanism,watchthisYouTubevideo:HowVeeamCloudConnectEncryptionworks.

BestPractices

Enableencryptionifnetwork-levelattacksareasecurityconcern.Network-levelencryptioncanusesignificantCPUresources,especiallyontheencryptingside(source)oftheconnection.Makesurethatcomponentnodeshaveenoughresources.ModernCPU'scanoffloadencryptionandreducetheamountof

Encryption

198

https://www.youtube.com/watch?v=yGuw37PxRHU

CPUresourcesrequired.ForIntelCPU'sspecifically,youmaycheckyourCPUmodelonIntelARKandlookfortheAES-NIcapability.

Usenetwork-levelencryptiononlywhererequired.Ifbackupinfrastructurecomponentsarerunningonanetworkthatisusingnon-RFC1918IPaddressesbutisstillprivateandsecurefromattacks,considerusingthefollowingregistrykeytodisableautomaticnetwork-layerencryption.

Path:HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\VeeamBackupandReplicationKey:DisablePublicIPTrafficEncryptionType:REG_DWORDValue:1(default:0)

Encryption

199

http://ark.intel.com/search/advanced/?s=t&AESTech=true

https://en.wikipedia.org/wiki/AES_instruction_set


StorageOptimizationOverviewVeeamBackup&Replicationtakesadvantageofmultipletechniquesforoptimizingthesizeofstoredbackups,primarilycompressionanddeduplication.Themaingoalofthesetechniquesistostrikethecorrectbalancebetweentheamountofdatareadandtransferredduringbackupaswellaswhatisstoredonthebackuptargetwhileprovidingacceptablebackupandrestoreperformance.VeeamBackup&Replicationattemptstousereasonabledefaultsbasedonvariousfactorsbuttherecanbecaseswhenleveragingsettingsotherthandefaultmightbevaluable.

Deduplication

Whatdoesitdo?

Theprimarypurposeofdeduplicationistoreducetheamountofdatathathastobestoredondiskbydetectingredundantdatawithinthebackupandstoringitonlyonce.VeeamdeduplicationisbasedonidentifyingduplicateblocksinsideasingleVMdiskoracrossmultipleVMsinsidethesamejob.ThisisprimarilybeneficialwhenVMsaredeployedfromthesametemplatesincethebaseimageisidentical,butit'slessusefulforincrementaldata.

Howdoesitwork?

Deduplicationisperformedbothbythesourceproxy(onlyforvirtualdiskcurrentlybeingprocessed)andthetargetrepository.Targetrepositorydeduplicationisappliedonlytoblocksbelongingtothesamebackupchainsoitsefficiencydependsonwhetherper-VMchainsareenabledornot.Inthecaseofper-VMchains,onlyvirtualdisksbelongingtothesameVMwillbededuplicated,whileforregularchainsvirtualdisksofallVMsinthesamejobwillbededuplicated.

Veeamoffers4differentstorageoptimizationsettingsthatimpactthesizeofreadblocksandhashcalculationsfordeduplication:

Local–thisisthedefaultsettingandisrecommendedwhenusingadisk-basedrepository.Whenthissettingisselected,Veeamreadsdataandcalculateshashesin1MBchunks.LAN–thisvalueisrecommendedwhenusingafile-basedrepositorysuchasSMB


200

shares.Whenthissettingisselected,Veeamreadsdataandcalculateshashesin512KBchunks.WAN–thisvalueisrecommendedwhenbackingupdirectlyoveraslowlinkorforreplicationasitcreatesthesmallestbackupsfilesatthecostofmemoryandbackupperformance.Whenthissettingisselected,Veeamreadsdataandcalculateshashesin256KBchunks.Local(>16TB)–thissettingisrecommendedforlargebackupjobswithmorethan16TBofsourcedatainthejob.Whenthissettingisselected,Veeamreadsdatahashesandcalculatesdataon4MBblocks.

Thesmallertheblocksize,themoreCPUwillbeconsumedforhashcalculationsandthemoreRAMwillbeusedtostorethosehashes.

Note:Local(>16TB)underlyingblocksizehaschangedinv9.0from8MBto4MB.IfyouupgradetoVeeamBackup&Replicationv9.0fromapreviousversion,thisoptionwillbedisplayedas"LocalTarget(legacy8MBblocksize)"inthelistandwillstillusethe8MBblockssize.Itisrecommendedthatyouswitchtoanoptionthatusesasmallerblocksizeandcreateanactivefullbackuptoapplythenewsetting.

Whentouseit?

Veeamdeduplicationshouldbeenabledinalmostallcases,exceptwhenbackinguptodeduplicationdevices.Disablingin-linededuplicationinsuchcasessignificantlyincreasesrestoreperformance.

However,thereareafewspecialcaseswhereausermightconsiderdisablingthisoption:

LargecompressedordeduplicatedsourceVMs–whenbackingupVMs,especiallylargeVMs(>1TB)thatcontainalreadycompresseddata(images,video,Windowsdeduplicatedfileservers,etc),itmaybebeneficialtosimplydisableVeeamdeduplicationsinceitisunlikelytogainadditionalspacesavingsforthistypeofsourcedata.NotethatVeeamdeduplicationisajob-levelsettingsoVMsofthesametypeshouldbegroupedandprocessedwithinthesamejob.

WhendoIchangethedefaults?

Asarule,thedefaultsettingsprovidedbyVeeamaredesignedtoprovideagoodbalancebetweenbackupsizeandbackupandrestoreperformanceandresourceusageduringthebackupprocess.However,givenanabundanceofprocessingresourcesorotherspecificsoftheenvironment,itmightbeusefultochangethedefaultsforaparticularjob.


201

Forexample,transactionalserverslikeMicrosoftExchangeandMicrosoftSQLcommonlymakesmallchangesacrossthedisk.Ifyouusethe1MBblockssetting,thiscanleadtoagreatamountofincrementalchangeseachday.TheWANoptimizationwithitssmallerblocksizeof256KBmaysignificantlydecreasethesizeofincrementalbackups.However,thiscanhaveaverysignificantimpactonthebackupspeedandtheamountofmemoryneededduringthebackupprocessontherepository,especiallyforlargebackupjobs.

A2TBMicrosoftExchangeservermayneedonly2GBofRAMontherepositoryduringbackupwhenusingdefaultsettingsofLocal(1MB)blocks,butwouldpotentiallyneed8GBofRAMontherepositorywithWAN(256KB)blocks.Also,transformoperationssuchassyntheticfullbackups,foreverforwardmergeandreverseincrementalrollbackwillrequirefourtimetheI/Ooperationscomparedtothe1MBblock,andthiscansignificantlyincreasetotalbackuptime.Allofthismustbetakenintoconsiderationpriortochangingthedefaults.

Bestpractices

Unlessyouhaveareallygoodunderstandingoftheimpactthatcancauseblocksizechanging,sticktothedefaults.Ifyouwanttochangethedefaultblocksize,besuretotestitwellandmakesureyouhaveplannedappropriatelyfortheextraI/Oandmemoryrequirementsontherepository.Whenusingablocksizesmallerthanthedefaultoneforalargeserver,itisrecommendedtouseabackupmodethatdoesnotperformsyntheticprocessing(likeforwardincrementalwithscheduledactivefull).

Setting BlockSize Maximumrecommendedjobsize

WAN 256KB 4TBofsourcedata

LAN 512KB 8TBofsourcedata

Local 1,024KB 16TBofsourcedata

Local(>16TB) 4,096KB 64TBofsourcedata

Note:Blocksizechangeswillonlybecomeeffectiveafteranactivefulliscreated.

Compression

Whatdoesitdo?

Thepurposeofcompressionistoreducetheamountofdatathathastobetransferredacrossthewireandstoredondisk.VeeamBackup&Replicationleveragesseveraldifferentcompressionalgorithmsthatprovidevariousbalancesbetweencompressionratios,


202

throughputandtheamountofCPUuseonthebackupproxy.Compressionprovidesmaximumeffectonspacesavingsinabackupjob,sounderstandingthetradeoffsinthesesettingscanbeveryimportant.

Howdoesitwork?

VeeamBackup&Replicationperformscompressiononaper-blockbasis,usingtheblocksizeselectedbythestorageoptimizationsettings.Theproxyreadseachblockfromthesourcediskandappliesthecompressionalgorithmtotheblockbeforetransferringittotherepository.Thissavesnetworkbandwidthbetweentheproxyandrepositoryandallowstherepositorytostorethealreadycompressedblockassoonasitreceivesit.

Therearemultiplecompressionoptionsavailable:

None–thisoptiondisablescompressionforthejob.Theproxyreadsblocksandsendsthemuncompressedtotherepositorywheretheyarewrittentodiskasis.Dedupe-friendly–thisoptionusestheverysimpleRLEcompressionalgorithmthatneedsverylittleCPU.Itcreatessomewhatpredictabledatapatterns,whichisusefulifuserswanttoleverage3rdpartyWANacceleratorswithVeeamand/oradeduplicationappliance(withoutthe"decompressbeforestoring"setting).Thisallowsthenetworkstreamtobemoderatelycompressedwhilestillbeingeffectivelycached.Optimal–thisisthedefaultcompressionusedonVeeamjobsthatleveragesLZ4compression.Itprovidestypicalcompressionratiosaround2:1withfairlylightCPUoverhead.ThislightCPUoverheadallowsforexcellentthroughputwithratesupto150MB/spercoreandevenfasterdecompressionrates.Thisisamostcommonlyusedpracticethatallowsachievingexcellentbalancebetweenperformanceandcompressionsavings.High–thisoptionuseszlibcompressiontunedforlowtomoderateCPUoverhead.Thissettingprovidesforaround10%highercompressionratioscomparedtooptimal,butusesover50%moreCPUhorsepowerwithratesupto100MB/core.IfproxiesarenotCPUbound,thisextrasavingsmaystillbeverymuchworthit,especiallyforlargerrepositoriesorifthebandwidthavailableislessthanthe100MB/slimit(i.e.,1Gblinksorless).Extreme–thisoptionuseszlibcompressiontunedforhighCPUoverhead.ThissettingusesevenmoreCPUandlowersthroughputevenfurthertoaround50MB/core,whileonlytypicallygivingaround3-5%additionalsavings.Itisquiterarelyused,however,incaseswherebandwidthbetweentheproxyandrepositoryislimited,forexample,whenyourunprimarybackupsdirectlythroughWANlinks.

Whentouseit?


203

Veeamcompressionshouldalmostalwaysbeenabled.However,whenusingadeduplicatingstoragesystemasarepositoryforstoringVeeambackups,itmightbedesirabletodisableVeeamcompressionattherepositorylevelbyusingtheDecompressbackupdatablocksbeforestoringadvancedoptioninrepositoryconfiguration.

Enablingcompressionatthejoblevel,anddecompressingoncesenttotherepositorywillreducethetrafficbetweenproxyserverandbackuprepositorybyapproximately50%onaverage.Ifproxyandrepositoryrunsonthesameserver,thecompressionengineisautomaticallybypassedtopreventspendingCPUforapplyingcompression.Theuncompressedtrafficissentbetweenlocaldatamoversusingsharedmemoryinstead.

WhendoIchangethedefaults?

Asarule,thedefaultsettingsprovidedbyVeeamaredesignedtoprovideagoodbalancebetweenbackupsizeandbackupandrestoreperformanceandresourceusageduringthebackupprocess.However,givenanabundanceofresourcesorotherspecificsoftheenvironment,itmightbeusefultochangethedefaultsinparticularcircumstances.Forexample,ifyouknowthatCPUresourcesareplentiful,andbackupsareunabletomakefulluseoftheCPUduetootherbottlenecks(disk/network),itmightbeworthincreasingthecompressionlevel.

Compressionsettingscanbechangedonthejobatanytimeandanynewbackupsessionswillwritenewblockswiththenewcompressionmode.Oldblocksalreadystoredinbackupswillremainintheirexistingcompressionlevel.

BestPractices

Defaultsaregood,don’tchangevalueswithoutunderstandingtheimpact.UsecompressionlevelsaboveoptimalonlyifyouhaveplentyofCPUandunderstandthatmaximumthroughput,especiallyduringfullbackups,willlikelybesignificantlylower,especiallyifthebackupproxyCPUscan’ttakemoreload.Testvariouscompressionlevelsandseehowtheyimpacttheenvironment,butalwaysrememberthebalance.AsinglebackupjobwithafewconcurrentstreamsmayseemfinewithExtremecompression,butmayoverloadallavailableproxyCPUsduringproductionrunofalljobs.Rememberthathighercompressionratiosmayalsonegativelyimpactrestorespeeds.

BitLookerTheoption"Excludedeletedfileblocks"isthethirdconfigurableoptioninjobsettings.Inseveralplacesyouwillseereferencestothisfeatureunderthename"BitLooker".


204

Whenenabled,theproxyserverwillperforminlineanalysisoftheMasterFileTable(MFT)ofNTFSfilesystemsandautomaticallyskipblocksthathavebeenmarkedasdeleted.

Whenupgradingfromversionspriortov9.0,thissettingisdisabledforexistingbackupjobs.Toenableitforexistingjobs,usethefollowingPowerShellcommands.

Add-PSSnapInVeeamPSSnapin;

Foreach($jobinGet-VBRJob){

$job.Options.ViSourceOptions.DirtyBlocksNullingEnabled=$true;

$job.SetOptions($job.Options)

}

ItisalwaysrecommendedtoleaveBitLookerenabled,asitwillreducetheamountofbackupstoragespacerequired.


205

BackupJob

JobLayoutandObjectSelectionVeeamBackupandReplicationallowsyoutoflexiblyselectobjectstoaddtothejob.AttheVirtualMachinesstepofthejobwizard,theAddObjectsscreenoffersvarious“views”intothevCenterarchitecturethatmatchtheviewsprovidedbythevSphereclient.YoucanswitchbetweentheHostsandClusters,VMsandTemplates,DatastoresandVMsorTagsviewsbypressingtheappropriatebuttononthebackupobjectselectionscreen.

Thisscreenalsoprovidesanadvancedobjectexclusiontoolthatallowsyoutoselectaparentobjectandthenexcludechildobjects,orevenindividualdiskswithinaVM.

NoteWhenselectingveryhighlevelcontainerswithmanyvirtualmachines,suchasdatacenters,clustersorlargefolders,itisimportanttokeepinmindthattapearchivejobs,orSureBackupjobswithlinkedjobscannotexcludecertainobjectsfrombeingprocessed

Moreguidelinesonobjectselectionarelistedbelow.

Important:VeeamBackupandReplicationsupportsencryptedVMs(invSphere6.5)buttheresultingbackupswillcontainunencrypteddata.Thusitisstronglyrecommendedtoenableintransitandatrestjoblevelencryptiontoensuresafetyofthedata.FormoredetailsonrequirementsandlimitationsofthebackupofencryptedVMsrefertothecorrespondingsectionoftheUserGuide.

IncreasingDeduplicationRate

IfthetargetrepositoryisnotconfiguredtouseperVMbackupfiles,deduplicationacrossallVMswithinasinglejobisavailable.WhenusingperVMbackupfiles,deduplicationisonlyavailablewithinasingleVMbackupchain,whichreducesitsefficiencybutstillmakesitrelevant.Thefollowingrecommendationappliestojobleveldeduplicationonly.

GroupingVMsrunningthesameoperatingsystemordeployedfromsimilartemplatesintoasinglejobwillincreasededuplicationrate.Jobsizingguidelinesstillapply,anditisrecommendedtomonitorthebackupwindowandthesizeofthejobformanageability.

Containerbasedjobs

BackupJob

206

https://helpcenter.veeam.com/docs/backup/vsphere/encrypted_vms_backup.html?ver=95

Addingresourcepools,folders,datastores,orvSphereTags(vSphere5.5andhigher)tobackupjobsmakesbackupmanagementeasier.Newmachinesthatarememberofsuchconstructsorcontainersareautomaticallyincludedinthebackupjob,andmachinesremovedfromthecontainerareimmediatelyremovedfromjobprocessing.

Whencreatingjobsbasedongroupsorconstructs,ensurethattheconfiguredconstructsdonotoverlap.Overlappingconstructsmaycauseundesiredresults.Forinstance,whencreatingjobsbasedondatastores,VMswithdisksresidingonmultipledatastoresincludedinmorethanonebackupjobwillcausetheVMtobebackedupineachjob.

Tags

Tagsareveryconvenientforapolicydrivenapproachtodataprotection.However,itisrecommendedtofollowtheseguidelines:

MonitorthenumberofVMsautomaticallyaddedtothejobtoavoidtoomanyVMsbeingbackedupwithinasinglejobOnlyonetagcanbeusedtoincludeaVMinajobUsingtags,youcanclassifyVMsbyservicelevels,usingdifferentbackupjobsfordifferentservicelevelsVeeamONEBusinessView(OBV)isaveryconvenienttoolformanagingvSphereTags.OBVallowsforcreatingclassificationrulesandupdatecorrespondingtagsinvCenter.ClassificationscanbedefinedfromCPU,RAM,VMnamingconvention,folder,resourcepool,datastoreetc.OBVcanalsoimportVM/host/datastoredescriptionsfromaCSVfile.ThisfeaturecanbeusefulwhenrefreshingVMwaretags,forexample,toupdateaCMDB.

Exclusions

Itisrecommendedtolimitthenumberofexclusionsinbackupjobs.Whileexclusionscanbeveryuseful,thevirtualinfrastructureisdynamicandchangesrapidly.ItisquitepossiblethataVMgetsmovedtoafolderorresourcepoolthatisexcludedwhichmakesitunprotected.MonitoringProtectedVMswithVeeamONEishighlyrecommended.

AlsorememberthatexclusionshavehigherpriorityoverinclusionsinVeeamBackup&Replication.

CompressionandStorageOptimization

DetaileddescriptionsofcompressionandstorageoptimizationsettingsandtheirinfluenceonthebackupinfrastructureisprovidedintheDeduplicationandCompressionsectionofthisguide.Inalmostallcasesdeduplicationshouldbeleftenabled.VeeamBackup&

BackupJob

207

https://helpcenter.veeam.com/docs/one/reporter/protected_vms.html?ver=95

Replicationusessourcesidededuplicationwhichdecreasestheamountofdatathatmustbetransferredtothetargetrepository.

Whenusingadeduplicationapplianceforstoringbackups,pleaseseetheDeduplicationAppliancessectionofthisguideforadetaileddescriptionofcompressionandstorageoptimizationsettings.

Encryption

AdetaileddescriptionofencryptionsettingsanditsinfluenceonthebackupinfrastructureisprovidedintheEncryptionsectionaboveinthisdocument.

Forgeneralguidelinesaboutencryption,refertotheVeeamUserGuide:Encryptionkeys.

StoragemaintenanceWhiledataamountisgrowingandbackupwindowisdecreasing,forwardincrementalforeverbackupshavebecomeincreasinglyimportantinanybackupsolution.Backupjobswithnoscheduledsyntheticoractivefullbackupsarebecomingmorewidelyadopted.Forwardincrementalwithweeklysyntheticfullbackupsishoweverstillthedefaultsetting.

Thetwomainobjectionstowardsusingaforeverforwardincrementalbackupmodearethefollowing:

Thefirstoneisfullbackupfilefragmentation,leadingtoundesiredVBKfilegrowthovertime,anddegradationofperformanceduetofragmentation.PreviouslyitwasrecommendedtoperformperiodicalactivefullbackupsinordertocreateanewVBKfileandbackupchain.Thiswouldmitigateissuesoffragmentationandremovewhitespaceleftbydeleteddatablocks.

Thesecondobjectionissilentstoragecorruption.Ifeverafileorblockinthechaingotcorruptedbyastoragerelatedissue,allsubsequentconsolidationsorrestoresfromthiscouldbeaffected.

Toaddressbothobjections,followingfeaturesareavailableunderthe"Maintenance"tab,intheAdvancedsettingsofabackupjob.

Fullbackupfilemaintenance-"Defragmentandcompacting"

BackupJob

208

https://helpcenter.veeam.com/backup/vsphere/encryption_keys.html

Fullbackupfilemaintenancewilladdresstwoissues:VBKfilefragmentationcausedbytransforms(forwardincrementalforever,orreverseincremental),andleftoverwhitespacefromdeleteddatablocks.Theseissuesaremitigatedbysynthesizinganewfullbackupfileonthebackuprepositoryi.e.copyblocksfromtheexistingVBKfileintoanewVBKfile,andsubsequentlydeletingtheoriginalfile.Thisprocessmayalsobereferredtoas"compacting".

Howdoesitwork?DuringVBKcompacting,anewVBKfileiscreated.ExistingblocksarecopiedfromthepreviousVBK,requiringfreespaceequivalenttothesizeofanadditionalfullbackupintherepository.IntheRestorePointSimulator,thisspaceispartofthe"Workspace"parameter.WhenusingScale-outBackupRepositoryinPerformanceMode,thecompactingprocessmayutilizemultipleextentsandsignificantlyspeedupthecompactingprocess.

Whentouse?Foreverybackupjobwithfulltransforms.Defragmentationwillbenefitthemostjobsthatareconfiguredtogenerateasinglechainperjob,keepingfilessmallerandrestorespeedoptimalovertime.

Whentoavoid?Whenusingdeduplicationstorage,itisrecommendedtodisablethe"Defragmentandcompact".Asdeduplicationappliancesarefragmentedbytheirverynature,andhaveverypoorsupportforrandomI/Oworkloads,thecompactingfeaturewillnotenhancebackuporrestoreperformance.

Storage-levelcorruptionguard

InadditiontousingSureBackupforrestorevalidation,storage-levelcorruptionguardwasintroducedtoprovideagreaterlevelofconfidenceinintegrityofthebackups.

Howdoesitwork?Whenajobhasfinished,storage-levelcorruptionguardwillperformaCRCverificationforthemostrecentrestorepoint.Itwillvalidatewhetherthecontentofthebackupchainblocksmatchthecontentdescribedwithinthebackupfilemetadata.Ifamismatchisdiscovered,itwillattempttorepairthedatablockfromproductionstorage,assumingtheblockstillexistsandhasnotbeenoverwritten.Ifitexists,thebackupfilewillberepaired.Ifnot,storage-levelcorruptionguardwillfailandmaketheuserawarethatanewfullbackupisrequired,andthatthebackupchainmustberecoveredfromasecondarycopyofthebackup.

Whentouse?Itisrecommendedtousestorage-levelcorruptionguardforanybackupjobwithnoactivefullbackupsscheduled.Syntheticfullbackupsarestill"incrementalforever"andmaysufferfromcorruptionovertime.

Whentoavoid?Itishighlydiscouragedtousestorage-levelcorruptionguardonanystoragethatperformsnative"scrubbing"todetectsilentdatacorruptions.Suchstoragewillautomaticallyhealsilentdatacorruptionsfromparitydisksorusingerasurecoding.Thisis

BackupJob

209

http://vee.am/rps

thecaseformostdeduplicationappliances.

Formoreinformation,pleaseseeVeeamHelpcenter:HealthCheckforBackupFiles.

JobChainingChainingbackupjobsisconvenientincertaincircumstances,butshouldbeusedwithcaution.Forexample,ifajobinsuchchainfailsorstopsresponding,theentirejobchaindeliverspoorbackupsuccessrate.

Acommonwaytohandlemultiplejobsistoletthebuilt-inIntelligentLoadBalancing(ILB)handletheproxy/repositoryresourcesbystartingmultiplejobsinparallelbyusingallavailableproxy/repositoryresources.Thisallowsoptimaltaskschedulingandprovidestheshortestbackupwindow.

LoadBalancingWhenplanningjobsschedule,youshouldconsiderbalancingtheloadonsourceandtargetdisks.Toomanyjobsaccessingthesamediskwillloadthestoragesignificantly;thismakesthejobrunslowerormayhaveanegativeimpactontheVMsperformance.Tomitigatethisproblem,youcanutilizeStorageLatencyControl(orBackupI/OControl)settings.

VeeamhasaloadbalancingmethodthatautomaticallyallocatesproxyresourcesmakingachoicebetweenallproxiesmanagedbyVeeamBackup&Replicationthatareavailableatthemoment.

Formoredetailsonloadbalancing,refertotheVeeamBackup&ReplicationUserGuideatResourcescheduling.

BindingJobstoSpecificProxiesRefertotheUserGuideinordertoexaminetheadvanceddeploymentscenariowithmultipleproxies:Advanceddeployments.

Whileconfiguringabackupjob,youcandisabletheautomaticproxyselection.Instead,youcanselectparticularproxiesfromthelistofproxiesmanagedbyVeeambackupserver,andappointthemtothejob.Thisisaverygoodwaytomanagedistributedinfrastructures;alsoithelpsyoutokeepperformanceundercontrol.

Forexample,youcanbackupaclusterresidingonmultiplebladechassis.Inthiscase,ifyouusevirtualproxies,keeptheproxiesloadwell-balancedandoptimizethenetworktraffic.

BackupJob

210

https://helpcenter.veeam.com/docs/backup/vsphere/backup_health_check.html?ver=95

https://helpcenter.veeam.com/docs/backup/vsphere/resource_scheduling.html?ver=95

https://helpcenter.veeam.com/docs/backup/vsphere/advanced.html?ver=95

Dedicatedproxiescanbealsoveryhelpfulifyouuseastretchedclusteranddonotwantproxytraffictogoacrossinter-switchlink.

Seetheillustrationbelowasagoodstartingpointtoreachandkeepcontrolonhighbackupthroughput.Inthisexample,administratorwantstokeepnetworktrafficasmuchaspossibleinsidethechassis;onlytheproxy-to-repositorytrafficgoesviaanexternallink.

YoucanuseProxyAffinitytoallowonlyspecificproxiestointeractwithagivenrepository.

Tip:Tooptimizeloadbalancinginadistributedenvironmentwherebackupproxiesarerolledouttomultiplesites,itisrecommendedtoselectallproxiesfromthesamesiteinthejob.

BackupJob

211

https://helpcenter.veeam.com/docs/backup/vsphere/proxy_affinity.html?ver=95

BackupCopyJobInsteadofjustcopyingbackupfilestoaseconddestination,Veeamusesamoreintelligentandsecurewayofbringingrestorepointstoasecondbackuptarget.BackupcopyjobsreadspecificVMrestorepointsfrombackupfilesandstorethemasanewbackupfilechainonthedestination.Thesecondchainisindependentfromthefirstchainandaddsthereforeanadditionallevelofprotection.YoucanstoreVMsfrommultiplebackupjobsinthesamebackupcopyjob,oryoucanselectasubsetofVMsfromabiggerbackupjobassourceifyoudonotwanttobackupallVMstothebackupcopyjobdestination.

Everybackupcopyjobcreatesitsownfolderonthetargetbackuprepositoryandstoresitsdatainthislocation.Thefolderhasthesamenameasthebackupcopyjob.

Oncecreated,abackupcopyjobwillimmediatelystartprocessingthelatestexistingrestorepointforallVMsincludedinthejob,aslongasithasbeencreatedlessthanonesynchronizationintervalbeforethestartofthebackupcopyjob.

Bydefault,VeeamBackup&Replicationkeeps7restorepointsonthetargetbackuprepositoryincaseofsimpleretentionpolicy(seethe“SimpleRetentionPolicy”sectionoftheUserGuidefordetails).IfyouplantouseGrandfather-Father-Son(GFS)retention,refertothe“GFSRetentionPolicy”sectionfordetails.

Backupcopyjobsfilechainslayoutwilldependontherepositoryoption:"PerVMbackupfiles"willgenerateonefilechainpereachVM,otherwiseachainwillbegeneratedpereachjob.

IfabackupcopyjobcannotprocessallrequestedVMsbeforetheendofanincrementalexecutioninterval(bydefault24hours),thejobwillstillcreateabackupfileonthetargetbackuprepository(ormultiplefilesifper-vmchainshavebeenenabled),butsomeVMswillbeleftinconsistentorunprotected.Thismightbecausedbyprecedenceofthebackuptaskoverthebackupcopytask.Thebackupcopyprocesswillresumefromthelastfulldatatransactionduringthenextsynchronizationinterval.

LimitationsofbackupcopyjobsaredescribedinVeeamBackup&ReplicationUserGuideathttps://helpcenter.veeam.com/backup/vsphere/backup_copy_select_point.html.

ImportantNote:JobswithWANaccelerationenabledwillprocessVMssequentially,whilejobsusingdirectmodewillprocessincludedVMsinparallelaccordingtofreetaskslotsavailabilityonbackuprepositories.

BackupCopyJobScheduling

BackupCopyJob

212

https://helpcenter.veeam.com/backup/vsphere/backup_copy_simple_retention.html

https://helpcenter.veeam.com/backup/vsphere/backup_copy_gfs.html

https://helpcenter.veeam.com/backup/vsphere/backup_copy_select_point.html

Bydesign,abackupcopyjobisaprocessthatrunscontinuously.Thisprocessincludesseveralstages.

AcopyjobrestartseverytimeatthedefinedCopyeveryintervalsetting(defaultis12:00AMdaily)andmonitorsfornewrestorepointsoftheselectedVMstoappearinthespecifiedsources.OntheScheduletabitispossibletodefinetimeperiodwhendatatransfersareallowed.Thisisespeciallyhelpful,whentransferringmultipletimesperday(e.g.hourlysynchronizationinterval),oragainwhenthebandwidthusedtotransferthebackupcopyjobscanonlybeusedduringthenight.

Theconceptofthe"interval"isusedtodefinetwoparameters:howoftenthejobshouldbelookingfornewpoints,andfordailyintervalsatwhattimeitshouldstartlookingforpoints.Ifyousetanintervalof1day,thatequalstoinstructthebackupcopyjobthatonceaday,startingattheselectedtime,itshouldbeginlookingfornewrestorepoints.Whentherestorepointisfound,thecopyjobwillcopyit.However,onceasinglepointiscopied,anotherpointforthatVMwillnotbecopieduntilthenextintervalstarts.

Thesynchronizationintervalisimplementedtoprovideapolicydrivenapproachtooffsitecopies.Sincethecopyjobcancontainmultiplesourcebackupjobs,andmostsourcebackupjobsneitherstartnorcompleteatthesametime,thesynchronizationintervalishelpfulindefiningapolicyforwhenitshouldlookforrestorepointsacrosstheincludedsourcejobs.

Anotherreasonforthisdesignisthatyoumayrunlocalbackupsmoreoften(forexample,hourly),butyoumayonlywanttocopydataoffsiteonlydailyorweekly,thusyoucansetthebackupcopy"interval"independentlyofthescheduleofthebackupjobsitisusingassource.

Thebackupcopyjobhasthefollowingphases:

1. Pre-jobactivity—ifenabled,thepre-jobscriptsareexecutedattheverybeginningofacopyinterval.

2. Healthcheck—ifscheduled,backupfileintegrityisverifiedbeforethenextcopyisinitiated.

3. Datatransfer(synchronization)phase—duringthisphase,thebackupcopyjobchecksforanewrestorepointinthesource,createsafileforanewrestorepointatthetargetandstartscopyingthestateofthelatestrestorepointofeachprocessedVMtothetargetrepository.Thedatatransfer(synchronization)phasestartsatspecifictimeconfiguredinthejobproperties(seeSynchronizationIntervals).Youcandefineanyintervalneededinminutes,hoursordays.Moreover,youcanspecifythetimeslotduringwhichdatacanandcannotbetransferredoverthenetwork,thusregulatingnetworkusage(seeBackupCopyWindow).

BackupCopyJob

213

https://helpcenter.veeam.com/backup/vsphere/backup_copy_sync_interval.html

https://helpcenter.veeam.com/backup/vsphere/backup_copy_window.html

4. Transformphase—copyjobsarebynaturerunningin"foreverforwardincremental"mode,andperformtransformoperationsonthetargetbackuprepositoryaccordingly.Additionally,itispossibletoschedulehealthchecksorbackupfilecompactingasdescribedintheBackupJobsection.ThetransformphasebeginswhenallVMsaresuccessfullycopiedtothetarget,orifthesynchronizationintervalexpires.

Note:thetransformprocessitselfputsadditionalpressureonthetargetrepository.InlargeenvironmentswithdeduplicationstorageappliancesusedasbackuprepositoriesorwithbackupcopyjobsprocessingalargenumberofVMsorbigVMs,thetransformprocesscantakeasignificantamountoftime.Fornon-integrateddeduplicationappliances,itisrecommendedtousethe"Readentirerestorepoint..."option.ThisforcestheBackupCopyJobtorunningforwardincrementalwithperiodicalfullbackupscopiedentirelyfromthesourcebackuprepositoryratherthanbeingsynthesizedfromexistingdata.

5. Compactfullbackups—ifenabled,therecentfullbackupfileisre-createdonthesamerepository,writingalltheblocksclosetoeachotherasmuchaspossibletoreducefragmentation.

6. Post-jobactivity—ifenabled,severalpost-jobactivitiesareexecutedbeforethejobenterstheidlephase,suchaspost-jobscriptsandsendinge-mailreports.

7. Idlephase—forthemosttime,thebackupcopyjobremainsintheIdlestate,waitingforanewrestorepointtoappearonthesourcebackuprepository.Whenthesynchronizationintervalexpires,anewintervalstartsatstep1.

Formoreinformation,refertothecorrespondingsectionoftheUserGuide>BackupCopyJob.

JobLayoutandObjectSelection

SourceObjectContainer

Selectfrominfrastructure:thisselectsspecificVMsorcontainersfromthevirtualinfrastructure.TheschedulerwilllookforthemostrecentrestorepointcontainingtheVMswithinthesynchronizationinterval.Theschedulerwilllookforrestorepointsinallbackups,regardlesswhichjobgeneratedtherestorepoint.Iftherestorepointislocked(e.g.thebackupjobcreatingitisrunning),thebackupcopyjobwaitsfortherestorepointtobeunlockedandthenstartcopyingthestateoftheVMrestorepointaccordingtoitsdefinedschedule.Selectfromjob:thismethodofselectionisveryusefulifyouhavemultiplebackupjobsprotectingthesameVMs.Inthiscase,youcanbindthebackupcopyjobtoaspecific

BackupCopyJob

214

https://helpcenter.veeam.com/backup/vsphere/backup_copy_job_task.html

jobyouwanttocopy.ThejobcontainerwillprotectalltheVMsintheselectedsourcejob(s).Selectfrombackup:thismethodisequivalenttotheSelectfrominfrastructuremethod,butallowsforselectingspecificVMsinsidespecificbackups.Thisishelpful,whenonlycertaincriticalVMsshouldbecopiedoffsite.

BackupCopyandTags

AsyoucanselectanyVMtobecopiedfrommultiplebackups,youcanplanforpolicy-basedconfigurations.Forinstance,youmaynotwanttoapplyGFSretentionoversomeVMslikewebservers,DHCP,etc.Inthissituation,youcanuseVMwaretagstosimplifythemanagementofbackupcopyprocess.Tagscanbeeasilydefinedaccordingtothedesiredbackupcopyconfiguration,usingVMwarevSphereorVeeamONEBusinessViewtoapplytags.

InitialsynchronizationWhencreatingtheinitialcopytothesecondaryrepository,itisrecommendedtousebackupseeding(seeCreatingSeedforBackupCopyJob)wheneverpossible.EspeciallywhentransferringlargeamountsofdataoverlessperformantWANlinks,theseedingapproachcanhelpmitigatinginitialsynchronizationissues.

WhileBackupCopyJobsweredesignedforWANresiliency,theinitialcopyismoreerrorprone,asitistypicallytransferringdataoutsidethedatacenteroverlessreliablelinks(highlatency,orpacketloss).Anotherissuethatcanbesolvedbyseedingiswhenthefullbackupislargerthantheamountofdatathatcanbetransferredinaninterval.Eveniftheintervalcanbeextendedtoaccomodatetheinitialtransfer,thismayleadtouploadtimesofevenmultipledays.Seedingcanspeeduptheinitialsyncbyremovingtheneedforthesync.

ThemostfrequentsynchronizationissuesaredescribedintheUserGuide>HandlingBackupCopyJobIssues.

AdditionalOptions

RestorePointLookup

Bydefault,afterarestartofthejobinterval(theCopyeverysetting),abackupcopyjobanalyzestheVMlistithastoprotect,andsearchesbackwardsintimefornewerrestorepointstates.Ifthestateoftherestorepointinthetargetrepositoryisolderthanthestateinthesourcerepository,thenewstateistransferred.

BackupCopyJob

215

https://helpcenter.veeam.com/backup/vsphere/backup_copy_mapping_auxiliary.html

https://helpcenter.veeam.com/backup/vsphere/backup_copy_issues.html

Forexample,ifthebackupjobisscheduledtorunat10:20PM,andthebackupcopyjobusesthedefaultscheduleofcopyingthelatestrestorepointstateeverydayat10:00PM,thestatecopiedbythebackupcopyjobistypicallyonedaybehind.Intheimagebelow,youcanseesomeVMsaffectedbythisbehavior.

Tochangethisbehavior,itispossibletousetheBackupCopyLookForwardregistrykeyasdescribedbelow.Reevaluatingtheexampleabove,usingthisregistrykey,thebackupcopyjobwillstillstartsearchingat10:00PM,butwillnowwaitforanewrestorepointstatecreatedafterthispointintime.

Path:HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\VeeamBackupandReplicationKey:BackupCopyLookForwardType:REG_DWORDValue:1

ThefollowingforumthreadprovidesaverygoodexplanationofthebackupcopyschedulerandtheLookForwardregistrykey>VeeamCommunityForums-BackupCopyIntervals

BackupCopyfromBackupCopy

Sincev8,itispossibletouseabackupcopyjobasasourcefordatatransferandtogenerateanotherbackupcopy.Forthis,selecttheVMsfrominfrastructureandspecifythebackuprepositoryholdingtheprimarybackupcopyrestorepointsasthesource.

JobSeeding

Usually,abackupcopyisusedtosenddataremotely.Ifitisnecessarytosenddataoveraslowlink,youcanseedthebackupcopyjobbytakingthefollowingsteps:

1. Createa"local"backupcopyjobandtargetitataremovabledeviceusedasabackup

BackupCopyJob

216

http://forums.veeam.com/veeam-backup-replication-f2/backup-copy-intervals-t24238.html

repository,orcopythebackupfilesafterwards.Runthecreatedbackupcopyjobtocreateafullbackupsetonthisdevice.Notethatalsothe.vbmfilehastobemoved.

2. Oncethebackupcopyjobisover,deletethelocalbackupcopyjobfromtheVeeamconsole.

3. Transporttheremovabledevicewiththecreatedbackupfilestothedestinationsite.4. Copybackupfiletothetargetbackuprepository.5. Importthebackuponthetarget.Ifalreadyimported,performarescan.6. CreatethefinalbackupcopyjobontheVeeamconsole.OntheTargetstepofthe

Backupcopyjobwizard,usetheMapbackuplinkandselectthetransportedbackup—thisbackupwillbeusedasa“seed”.

IfyouareusingaWANacceleratedtransfer,refertotheWANAcceleratorsectionforpropercachepopulationprocedure:https://helpcenter.veeam.com/backup/vsphere/wan_populate_cache.html.

Note:Onlytheinitialfirstrunofareverseincrementalchaincanbeusedwithseeding(butanyforwardincrementalchaincanbeused).Seekb1856formoreinformation.

BackupCopyJob

217

https://helpcenter.veeam.com/backup/vsphere/wan_populate_cache.html


ReplicationJobNote:ThissectionfocusesonreplicatingVMstoyourownvirtualinfrastructure.WhenimplementingCloudConnectreplicationforDRaaSonlysourceconfigurationdetailsofthissectionarerelevanttoendusersideofthedeployment.FormoreinformationonimplementingDRaaSonCloudConnectprovidersiderefertoCloudConnectReferenceArchitecturedocument.

ReplicationjobsareusedtoreplicateVMstoanotherorthesamevirtualenvironment(insteadofcreatingdeduplicatedandcompressedbackupfilesatbackuprun).Veeamcanstoreupto28restorepoints(onVMwareplatforms).

Likebackup,replicationisajob-drivenprocess.Inmanyways,itworkssimilarlytoforwardincrementalbackup:

Duringthefirstrunofareplicationjob,VeeamBackup&ReplicationcopiesawholeVMimageandregistersthereplicatedVMonthetargetESXihost.IncaseofreplicatingtoaclusterahostwithleastVMsregisteredatthemomentwillbeused.Duringsubsequentruns,thereplicationjobcopiesonlyincrementalchanges,andcreatesrestorepointsfortheVMreplica—sotheVMcanberecoveredtotheselectedstate.EveryrestorepointisinfactaregularVMwaresnapshot.Whenyouperformincrementalreplication,datablocksthathavechangedsincethelastreplicationcyclearewrittentothesnapshotdeltafilenexttothefullVMreplica.Thenumberofrestorepointsinthechaindependsontheretentionpolicysettings.

Replicationinfrastructureandprocessareverysimilartothoseusedforbackup.Theyincludeasourcehost,atargethostwithassociateddatastores,oneortwoproxyserversandarepository.Thesourcehostandthetargethostarethetwoterminalpointsbetweenwhichthereplicateddataismoved.

Replicateddataiscollected,elaboratedandtransferredwiththehelpofVeeamdatamovers.Thedatamoversinvolvedinreplicationarethesourceproxy,thetargetproxyandtherepository.Thedatamoverhostedontherepositoryprocessesreplicametadatafiles.

Important!Althoughthereplicadataiswrittentothetargetdatastore,certainreplicametadatamustbelocatedonabackuprepository.Thismetadataisusedbythesourceproxyandthusshouldbedeployedclosertothesourcehostandthereforenocompression/uncompressionprocessingisused.

Thereplicationprocessinvolvesthefollowingsteps:

1. Whenanewreplicationsessionisstarted,thesource-sidedatamover(proxytask)

ReplicationJob

218

performsthesameoperationsasinbackupprocess.Inaddition,incaseswhenVMwareCBTmechanismcannotbeused,thesource-sidedatamoverinteractswiththerepositorydatamovertoobtainreplicametadata—inordertodetectwhichblockshavechangedsincethepreviousjobrun.

2. Thesource-sidedatamovercompressesthecopiedblocksofdataandtransfersthemtothetargetdatamover.Note:Inon-sitereplicationscenarios,thesource-sidetransportserviceandthetarget-sidetransportservicemayrunonthesamebackupproxy.

3. Thetarget-sidedatamoveruncompressesreplicadataandwritesittothedestinationdatastore.

VeeamBackup&Replicationsupportsanumberofreplicationscenariosthatdependonthelocationofthetargethostandwillbediscussedlaterinthissection.

Duringreplicationcycles,VeeamBackup&ReplicationcreatesthefollowingfilesforaVMreplica:

AfullVMreplica(asetofVMconfigurationfilesandvirtualdisks).

Duringthefirstreplicationcycle,VeeamBackup&Replicationcopiesthesefilestotheselecteddatastoretothe<ReplicaName>folder,andregistersaVMreplicaonthetargethost.

Replicarestorepoints(snapshotdeltafiles).Duringincrementalruns,thereplicationjobcreatesasnapshotdeltafileinthesamefolder,nexttoafullVMreplica.Replicametadatawherereplicachecksumsarestored.VeeamBackup&Replicationusesthisfiletoquicklydetectchangedblocksofdatabetweentworeplicastates.Metadatafilesarestoredonthebackuprepository.

Duringthefirstrunofareplicationjob,VeeamBackup&Replicationcreatesareplicawithemptyvirtualdisksonthetargetdatastore.Disksarethenpopulatedwithdatacopiedfromthesourceside.

Tostreamlinethereplicationprocess,youcandeploythebackupproxyonavirtualmachine.ThevirtualbackupproxymustberegisteredonanESXihostwithdirectconnectiontothetargetdatastore.Inthiscase,thebackupproxywillbeabletousetheVirtualAppliance(hotadd)transportmodeforwritingreplicadatatotarget.IncaseofNFSdatastoreattarget,youcanaswelluseDirectStorageaccessmode(DirectNFS)towritethedata.

IftheVirtualAppliancemodeisapplicable,replicavirtualdisksaremountedtothebackupproxyandpopulatedthroughtheESXI/Ostack.Thisresultsinincreasedwritingspeedandfail-safereplicationtoESXitargets.ForinformationonVirtualAppliancemode,seehttps://helpcenter.veeam.com/docs/backup/vsphere/virtual_appliance.html?ver=95.

ReplicationJob

219

https://helpcenter.veeam.com/docs/backup/vsphere/virtual_appliance.html?ver=95

https://helpcenter.veeam.com/docs/backup/vsphere/virtual_appliance.html?ver=95

Ifthebackupproxyisdeployedonaphysicalserver,ortheVirtualApplianceorDirectNFSmodecannotbeusedforotherreasons,VeeamBackup&ReplicationwillusetheNetworktransportmodetopopulatereplicadiskfiles.ForinformationontheNetworkmode,seehttps://helpcenter.veeam.com/docs/backup/vsphere/network_mode.html?ver=95.

TheDirectSANmode(aspartofDirectStorageAccess)canonlybeusedtogetherwithreplicationtargetsincaseoftransferringthick-provisionedVMdisksatthefirstreplicationrun.AsreplicationrestorepointsarebasedonVMwaresnapshots,thatarethinprovisionedbydefinition,VeeamwillfailbacktoVirtualAppliance(HotAdd)modeorNetworkmode,ifconfiguredatproxytransportsettings.DirectSANmodeorbackupfromstoragesnapshotscanbeusedonthesourcesideinanyscenario.

Note:VeeamBackupandReplicationsupportsreplicatingVMsresidingonVVOLsbutVVOLsarenotsupportedasreplicationtargetdatastore.ReplicationofencryptedVMsissupportedbutcomeswithrequirementsandlimitationsoutlinedinthecorrespondingsectionoftheUserGuide.ReplicationofencryptedVMsisNOTsupportedwhenthetargetisVeeamCloudConnect.

OnsiteReplication

Ifthesourceandtargethostsarelocatedinthesamesite,youcanuseonebackupproxyfordataprocessingandabackuprepositoryforstoringreplicametadata.Thebackupproxymusthaveaccesstobothsourcehostandtargethost.Inthisscenario,thesource-sidedatamoverandthetarget-sidedatamoverwillbestartedonthesamebackupproxy.Replicationdatawillbetransferredbetweenthesetwodatamoversandwillnotbecompressed.

ReplicationJob

220

https://helpcenter.veeam.com/docs/backup/vsphere/network_mode.html?ver=95

https://helpcenter.veeam.com/docs/backup/vsphere/network_mode.html?ver=95

https://helpcenter.veeam.com/docs/backup/vsphere/encrypted_vms_replication.html?ver=95

OffsiteReplication

ThecommonrequirementforoffsitereplicationisthatoneVeeamdatamoverrunsintheproductionsite(closertothesourcehost),andanotherdatamoverrunsinaremotesite(closertothetargethost).Duringbackup,thedatamoversmaintainastableconnection,whichallowsforuninterruptedoperationoverWANorslowlinks.

Thus,toreplicateacrossremotesites,deployatleastonelocalbackupproxyineachsite:

1. Asourcebackupproxyintheproductionsite.2. Atargetbackupproxyintheremotesite.

Thebackuprepositorymustbedeployedintheproductionsite,closertothesourcebackupproxy.

Tip:ItisrecommendedtoplaceaVeeambackupserveronthereplicatargetsidesothatitcanperformafailoverwhenthesourcesideisdown.Whenplanningoff-sitereplication,consideradvancedpossibilities—replicaseeding,replicamappingandWANacceleration.Thesemechanismsreducetheamountofreplicationtrafficwhilenetworkmappingandre-IPstreamlinereplicaconfiguration.

Foroffsitereplication,opentheconnectionsbetweentheVeeambackupcomponents:

TheVeeambackupservermusthaveaccesstothevCenterServer,theESXihosts,thesourcebackupproxyandthetargetbackupproxy.ThesourcebackupproxymusthaveaccesstotheVeeambackupserver,thesourceESXihost,backuprepositoryholdingthereplicametadata,thetargetproxy,andthesourcevCenterServer.ThetargetbackupproxymusthaveaccesstotheVeeambackupserver,thesourceproxy,thetargetESXihost,andthetargetvCenterServer.

ReplicationJob

221

ThesourceproxycompressesdataandsendsitviatheWANtothetargetproxy,wherethedataisuncompressed.Notethatyoualsocanseedthereplicabysendingthebackupfilesoffsite(usingsomeexternalmedia,forexample)andthenonlysynchronizeitwithincrementaljobruns.

Inthisscenario:

TheVeeambackupserverintheproductionsitewillberesponsibleforbackupjobs(and/orlocalreplication).TheVeeambackupserverintheDRsitewillcontrolreplicationfromtheproductionsitetotheDRsite.

Thus,indisastersituation,allrecoveryoperations(failover,failbackandother)willbeperformedbytheVeeambackupserverintheDRsite.Additionally,itmaybeworthinstallingtheVeeamBackupEnterpriseManagertohavevisibilityacrossthetwoVeeambackupserverssothatyouonlyhavetolicensethesourcevirtualenvironmentonce(usedfrombothbackupservers)

Tip:Planforpossiblefailovercarefully.DNSandpossiblyauthenticationservices(ActiveDirectory,forexample,orDHCPserverifsomereplicatedVMsdonotusestaticaddresses)shouldbeimplementedredundantacrossbothsides.vCenterServer(andvCD)infrastructureshouldbeaswellconsideredforthefailoverscenario.Inmostcases,VeeamdonotneedavCenterServerforreplicatargetprocessing.ItcanbebestpracticetoaddtheESXihostsfromthereplicatargetside(only)directlytoVeeamBackup&ReplicationasmanagedserversandtoperformreplicationwithoutvCenterServeronthetargetside.InthisscenarioafailovercanbeperformedfromtheVeeamconsolewithoutanworkingvCenterServeritself(forexampletofailoverthevCenterServervirtualmachine).

ReplicationJob

222

Replicationbandwidthestimationhasalwaysbeenachallenge,becauseitdependsonmultiplefactorssuchasthenumberandsizeofVMs,changerate(atleastdaily,perRPOcycleisideal),RPOtarget,replicationwindow.Fullinformationaboutthesefactors,however,israrelyathand.Youmaytrytosetupabackupjobhavingthesamesettingsasthereplicationjob,andtestthebandwidth(asthebackupjobwilltransferthesameamountofdataasthereplicationjob).VeeamONE(specificallyInfrastructureAssessmentreportpacks)mayhelpwithestimatingchangeratesandcollectingotherinformationabouttheinfrastructure.

Also,whenreplicatingVMstoaremoteDRsite,youcanmanagenetworktrafficbyapplyingtrafficthrottlingrulesorlimitingthenumberofdatatransferconnections.SeeVeeamBackup&ReplicationUserGuideformoreinformation:https://helpcenter.veeam.com/docs/backup/vsphere/setting_network_traffic_throttling.html?ver=95.

Tip:ReplicationcanleverageWANaccelerationallowingamoreeffectiveuseofthelinkbetweenthesourceandremotesites.Formoreinformation,seetheUserGuidehttps://helpcenter.veeam.com/docs/backup/vsphere/wan_acceleration.html?ver=95orthepresentdocument(the“WANAcceleration“sectionabove).

ReplicationfromBackups

Whenusingreplicationfrombackup,thetargetVMisupdatesusingdatacomingfromthebackupfilescreatedbyabackuporbackupcopyjob.

Insomecircumstances,youcangetabetterRTOwithanRPOgreaterorequalto24hours,usingreplicasfrombackup.AcommonexamplebesidetheusageofproactiveVMrestores,isaremoteofficeinfrastructure,wherethelinkbetweentheremotesiteandtheheadquartersprovideslimitedcapacity.

Inthiscase,thedatacommunicationlinkshouldbemostlyusedforthecriticalVMreplicassynchronizationwithachallengingRPO.Now,assumingthatabackupcopyjobrunsforallVMseverynight,somenon-criticalVMscanbereplicatedfromthedailybackupfile.ThisrequiresonlyoneVMsnapshotandonlyonedatatransfer.

ReplicationJob

223

https://helpcenter.veeam.com/docs/backup/vsphere/setting_network_traffic_throttling.html?ver=95

https://helpcenter.veeam.com/docs/backup/vsphere/wan_acceleration.html?ver=95

YoucanfindadditionalinformationaboutreplicafrombackupintheappropriatesectionoftheVeeamBackup&ReplicationUserGuide:https://helpcenter.veeam.com/backup/vsphere/replica_from_backup.html?ver=95

Tip:Thisfeatureissometimesnamedandusedasproactiverestore.TogetherwithSureReplica,itisapowerfulfeatureforavailability.

BackupfromReplica

ItmayappearaneffectivesolutiontocreateaVMbackupfromitsoffsitereplica(forexample,asawaytooffloadaproductioninfrastructure);howeverthisdesignisnotatallvalidbecauseofVMwarelimitationsconcerningCBT(youcannotuseCBTiftheVMwasneverstarted).Thereisaverywelldocumentedforumthreadaboutthissubject:http://forums.veeam.com/vmware-vsphere-f24/backup-the-replicated-vms-t3703-90.html.

ReplicationJob

224

https://helpcenter.veeam.com/backup/vsphere/replica_from_backup.html?ver=95

http://forums.veeam.com/vmware-vsphere-f24/backup-the-replicated-vms-t3703-90.html

Application-AwareImageProcessingWhenconfiguringVeeambackupandreplicationjobs,youcanspecifyhowthetransactionally-consistentbackupimagesofVMwareVMsshouldbecreated.TwomethodsareavailableforbringingVMfilesystemandapplicationsintoconsistentstate:VMwareToolsquiescenceandVeeam'sproprietaryapplication-awareimageprocessing(usingMicrosoftVSSorLinuxscripts).Keyfeaturesofbothmethodsareillustratedbythefollowingtable:

Feature VMwareToolsQuiescence


SupportforconsistentbackuponWindowsguest Yes Yes

SyncdriverforLinuxguest Yes No

Supportforapplication-awarebackup Limited Yes

Pre-VSSpreparationforspecificapplications(e.g.Oracle) No Yes

Supportforapplicationlogtruncation(MicrosoftSQLServerandExchangeServer)

No Yes

SupportforscriptsYes(needtobeplacedonVMguest)

Yes(canbecentrallydistributed)

InteractionwithuserviaUI Notneeded Notneeded

Errorreporting WithinVMguestOS

Centralized,onVeeambackupserver

HowVeeamGuestOSProcessingWorks1. First,VeeamBackup&ReplicationperformsguestOSinventorytofindoutifthereisa

VSS-awareapplicationrunninginsideaVM.2. VeeamBackup&Replicationrunspre-freezescript(ifany)fortheMicrosoft

Windows/LinuxguestOSwithapplicationsthatutilizeothermeansofVMquiescence.3. ThenVSSquiescenceoftheVMisperformed,includingrestoreawarenesssettings.4. VMsnapshotiscreated.5. VSSunfreeze(“thaw”)isperformed.


225

6. VeeamBackup&Replicationrunspost-thawscript(ifany)fortheMicrosoftWindows/LinuxguestOS.

7. Backupdatatransferandsnapshotcommitisperformed.8. Finally,logfiletruncationisperformedwithVSS(forMicrosoftSQLServerand

ExchangeServer)orusingnativeOraclecommands(forOracledatabasesonLinux).

SelectingGuestProcessingOptionsWhenontheGuestProcessingstepofthejobwizard,youarepresentedwiththevarietyofoptions(asdescribedindetailintheUserGuide(https://helpcenter.veeam.com/docs/backup/vsphere/backup_job_vss_vm.html?ver=95).

Notethatyoucanusepre-andpost-jobscriptingtoautomatejobglobalsettingsfromtheVeeamBackup&Replicationserveritself.ItisrecommendedtousetheVMguestprocessingoptionsforinteractionwithVMs.

Toselectthenecessaryoptions,refertothetablebelow.


226

https://helpcenter.veeam.com/docs/backup/vsphere/backup_job_vss_vm.html?ver=95

VMguestOStype

Linux(withapplicationsandknownuserforGuestOSprocessing)

WindowsandVMware

VSS-supportedapplications(without

knownuserforGuest

OSprocessing)

WindowswithVSS-aware

applications

Windows(noVSS-aware

applications)

Linuxwithapplications

GuestOSprocessingisapplicable

Y Y Y Y Y

UseVMwareToolsquiescence

N Y N N N

VMwareToolsquiescencewithVMwareScriptprocessing

Y N N N N

EnableVeeamApplication-AwareImageProcessing

N N Y N N

EnableVeeamApplication-AwareImageProcessingandInGuestScripts

N N N Y N

DisableVeeamApplication-AwareImageProcessing

N N N N Y


227

TocoordinateproperVSSandindexingactivities,VeeamBackup&ReplicationdeploysasmallexecutablecomponentinsideaVM.ItisinstalledonlyduringVSSquiescenceprocedureandremovedimmediatelyaftertheprocessingisfinished,producingverylowimpactonVMperformanceandstability.AsforconnectionmethodforaccessingVMguestOS,VeeamfirsttriestoconnecttotheVMovernetworkusingRPCandthenbyVMwareVIXchannelthroughVMwareTools(forWindowsguestonly).

GuestInteractionProxyDependingontheguestVMoperatingsystemand/orVeeamBackupandReplicationEditiondifferentserversmaybeselectedtoperformguestprocessingstepandinitiateconnectiontoaVMasperthetablebelow.

Edition Windows Linux

Standard Backupserver Backupserver

Enterprise Guestinteractionproxy Backupserver

EnterprisePlus Guestinteractionproxy Backupserver

AnyWindowsservermanagedbyVeeamBackupandReplicationcanbeselectedtoactasguestinteractionproxybutthepreferencewouldbegiventotheserverthathasIPaddressinthesamesubnetassubjectVM.ThisfunctionalityallowsforhavingonlysmalllimitedrangeofportstoallowthroughthefirewallsinrestrictedenvironmentsandforthatreasonitisrecommendedtohaveguestinteractionproxiesinallVMsubnetsthatarenotsupposedtobedirectlyaccessiblefromthenetworkwhereVeeambackupserverresides.

Fordetailsonnetworkconfigurationrefertothesection"Requiredports"below.

Tip:IfthebackupserverhasnonetworkconnectiontotheVMsanddeployingadditionalguestinteractionproxiesisnotpractical/possible(forexample,serviceproviderenvironments),orderinwhichbackupserverorguestinteractionproxytriestocommunicatetoaVMcanbechangedusingthefollowingregistrykey:

Path:HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\VeeamBackupandReplicationKey:InverseVssProtocolOrderType:REG_DWORDValue:0-tryconnectionthroughRPC,failovertoVIX(default)Value:1-tryconnectionthroughVIX,failovertoRPC

RPCconnectionsmeansinjectingthefileviathe"ADMIN$"shareonthetargetVM.SeeVeeamKnowledgeBasearticleathttp://www.veeam.com/kb1230formoreinformation.ConsiderthatthisisaglobalsettingthatwillbeappliedontheVeeambackupserverlevel


228


andaffectsalljobswithapplication-awareimageprocessing.

GuestAccessCredentialsDependingontheVMguestOSprocessingoptionsselected(enabledordisabledapplication-awareimageprocessing)andontheguestaccessmethod,youmayneedtosupplyaccesscredentialsfortheguestOS,asdescribedinthetablesbelow.

Tip:ToverifythecredentialsyousuppliedontheGuestProcessingstepofthejobwizard,clickTestNowbutton.

WindowsOS

Application-AwareImageProcessing(AAIP)

VMwareTools

Quiescence

VeeamviaVIX

VeeamviaRPC

Disabled(crash-

consistent)

MembershipinthelocalAdministratorsgroup

Useraccountnotneeded

No Yes Notneeded

Enterusernameas<servername>\Administratoror<domain>\Administrator

No Yes No No

UACcanbeenabled Yes Yes Yes Yes

VMwareToolsmustbeinstalledanduptodate Yes Yes Yes No

LinuxOS

LinuxguestOSprocessing VMwareToolsQuiescence

VeeamviaSSH

Disabled(crash-consistent)

Rootuseraccount No Yes No

Userrequiressudorights No Yes No

Certificate-basedauthenticationavailable No Yes No

VMwareToolsmustbeinstalledanduptodate Yes Yes No

RequiredPorts

1

2


229

ThefollowingportsshouldbeopenbetweentheVeeambackupserverandVMforguestOSprocessing:

ForWindowsVMs-remoteRPCports,includingDynamicPortRange(TCPports1025to5000-forMicrosoftWindows2003,49152-65535-forMicrosoftWindows2008andnewer);TCP\UDPports135,137-139,445.ForLinuxVMs–SSHport(defaultisTCPport22)

Fordetails,refertotheVeeamBackup&ReplicationUserGuide(https://helpcenter.veeam.com/docs/backup/vsphere/used_ports.html?ver=95).

SizingSinceguestprocessingproducesverylowimpactonVMperformance,nospecialconsiderationsonsizingarerequired.IfyouuseVSSprocessingwithVMwareToolsquiescenceorVeeamin-guestprocessing,youneedfreespaceoneachdriveoftheVMforthesoftwareVSSsnapshot.PleasecheckMicrosoftrequirementsformoreinformation.

FileexclusionsAnotheroperationVeeamBackupcandoonguestOSlevel(NTFSonly)isexcludingcertainfilesorfoldersfromthebackup.Alternativelythejobcanbeconfiguredtoincludeonlyspecifiedfilesorfoldersinthebackup.

ThisfunctionalityoperatesverysimilarlyandsharesalotofcharacteristicswithexcludingWindowspagefileanddeletedfileblocks.Itmayhelpreducesizeofthebackupfilesorimplementadditionaldataprotectionstrategiesforspecificdata.Backupsforwhichthisoptionwasenabledremainimage-levelandhypervisorAPIsareusedtoretrieveVMdata.FileexclusionfeatureusesacombinationofNTFSMFTdataandguestfilesystemindexescollectedbyin-guestcoordinationprocesstodeterminewhichvirtualdiskblocksbelongtotheexcludedfilesandthusshouldnotbeincludedinthebackup.

Fullfile/folderpaths,environmentvariablesorfilemaskscanbeusedtodefineexclusions.FormoredetailsonconfiguringexclusionsanditslimitationsrefertothecorrespondingUserGuidesection.

Note:Genericfileexclusions(definedforhighlevelfolders)aremosteffective.FilemasksexclusionsrequireguestfilesystemindexesandgeneratingindexesmayputadditionalstressonguestVMandwillincreasebackuptime.Forthisreasonitisrecommendedto


230

https://helpcenter.veeam.com/docs/backup/vsphere/used_ports.html?ver=95

https://helpcenter.veeam.com/docs/backup/vsphere/guest_file_exclusion.html?ver=95

avoidusingfilesystemmasksespeciallyonfileserverswithlargenumber(thousands)ofsmallfilesandusehighlevelfolderexclusionsinstead.Whenusingincludefilters,fileexclusionsarecreatedforeverythingelseandcantakesignificanttime.

Howfileexclusionworks

ForeachVMinajobthathasexclusionsenabledVeeamBackupandReplicationperformsthefollowingoperations:

1. VirtualmachineNTFSMFTisreadintothememorycacheonthebackupproxy,datablocksthatstoreexcludedfilesaremarkedasdeleted.

2. WhensendingdatablockstotargetrepositorydataisreadbothfromtheVMsnapshotandmemorycacheonthebackupproxy.TargetrepositoryreconstructsVMdiskswithoutexcludedVMblocks.

3. VirtualmachineNTFSismodifiedusingthedatainthecacheontheproxyandinformationaboutexcludeddatablocksissavedinthebackupfileorreplicametadata.ThisinformationisnecessaryasCBTisnotawareofwhichblockswereexcludedandisusedtodeterminewhichblocksshouldbeprocessedduringthenextbackupsession.

OnlythisaccountisabletobypasstheUACpromptforlaunchingprocesseswithadministrativeprivileges.Ifnotapplicable,see .

Whenperformingapplication-awareimageprocessingonWindowsviaVIX,UACmustbeentirelydisabled,unlesstheuseraccountisthelocaladministratoraccount(SIDS-...-500).

12

2


231


VirtualLabApplianceOverviewTheVirtualLabapplianceoperatesasagatewaytooffernetworkconnectivitybetweentheVeeambackupserverandtheisolatedvirtualmachinesintheVirtualLab.Itcanalsobeusedtoprovideaccesstootherclientscomingfromtheproductionnetworkusingstaticmapping.IfVMsrunningintheisolatednetworkneedInternetaccess,theVirtualLabappliancecanactasaproxyserver.


232

WhenaSureBackupjobisexecutedthestaticroutestoreachthemasqueradednetworksaretemporarilyaddedtotheroutingtableontheVeeambackupserver.Toreviewtheroutingtable,youcanopenacommandpromptontheVeeambackupserverandexecute:

routeprint-4

YoumayrunthiscommandbeforeandafterstartingtheSureBackupjobtocomparethedifferences.

TheroutesareaddedjustaftertheVirtualLabappliancehasbootedandhasbeencorrectlyinitializedbytheVeeambackupserver.Asstaticroutesareadded,thiswillensuretheVirtualLabapplianceisthegatewayforallpacketsdestinedtothemasqueradenetworks.

Toavoidnetworkreconfigurationofphysicalcomponents,placethebackupserverandtheVirtualLabapplianceinthesamenetworksubnet.

CheckVeeamBackup&Replicationdocumentationforconfigurationdetails:

vPowerUsersGuide

RecoveryVerificationhelp

HowSureBackupJobWorksSureBackupleveragesthecapabilitiesoftheVirtualLabappliancetocreateanisolatedenvironmentwheredifferenttestscanbeexecutedagainstVMs.TheseVMsarepoweredondirectlyfromthebackupfilesusingthevPowertechnology.

BootingtheVirtualLabAppliance

1. VirtualLabapplianceconfigurationfileisbuiltandmappedtotheVirtualLabapplianceasanISO.

2. VirtualLabappliancenetworkinterfacesarereconfiguredforappropriateisolatednetworks.

3. TheVirtualLabapplianceispoweredon.

4. TheSureBackupjobwaitsforIPconfigurationtobepublishedandstabilizedthroughVMwareTools.

5. AstaticroutefortheconfiguredmasqueradednetworksisaddeddynamicallytotheroutingtableoftheVeeambackupserver.ThosestaticroutesdefinetheIPaddressoftheVirtualLabapplianceasthegatewaytowardsthemasqueratednetworks.


233

https://www.veeam.com/veeam_backup_9_0_evaluators_guide_vpower_vsphere_en_pg.pdf

https://helpcenter.veeam.com/docs/backup/vsphere/recovery_verification_overview.html?ver=95

BootingVirtualMachines

1. IftheApplicationGroupisbasedonbackups,VeeampublishesandregistersVMsusingVeeamvPowerNFSfromtherepositorycontainingthebackupfile.ThisstepisskippediftheVMsarereplicas.

2. VeeamreconfigurestheVMsandconnectsthemtotheisolatedportgroupsoftheVirtualLab.IfanetworkconnectionisconfiguredtobeconnectedtoaportgroupthatisnotavailableintheVirtualLab,thosenetworkaredisconnectedautomatically.

3. VeeamcreatesasnapshotfortheVMsinordertoredirectwriteoperationstoaproductiondatastoreselectedduringtheVirtualLabconfiguration.

4. Ifthedomaincontrollerroleisselected,registrysettingsareinjectedintheVMtoensuretheNETLOGONservicewillnotshutdownduetomissingpeercommunication.

5. VMsarepoweredon.

6. DuringbootVMwareToolsannounceIPconfigurationofVMs.TheSureBackupjobwaitsforthisinformationtostabilize.

Note:IfVMwareToolsarenotinstalledonthevirtualmachinethejobwillwaitforthedurationofMaximumallowedboottimeconfiguredfortheVMs.ThiswillslowdownSureBackupjobssignificantly.Therefore,itisalwaysrecommendedtoinstallVMwareToolsonaverifiedVM.

TestingVirtualMachines

1. VMwareToolsheartbeatisusedforverifyingthattheVMOSissuccessfullystarted.SureBackupwillwaitapredefinedamountoftimefortheheartbeattoregisterhoweverifaheartbeatisseenbeforethetimeoutperiodexpiresthetestscontinueautomatically.

2. PINGtestsareinitiatedaccordingtothemasqueradednetworkconfiguration.ThepingissentfromtheVeeambackupserverusingthestaticroutesaddedduringthejobexecution.SincethemasqueradenetworkisnotpartoftheVeeambackupserver'sownsubnet,thepacketissenttothegatewaymatchingtheVirtualLabnetwork(usuallythevirtuallabappliance).

3. Application-specifictestingusesscriptsandisenabledbasedontherolesassignedtoaVMintheapplicationgroupconfiguration.Thebuilt-inroleswillcheckcorrespondingTCPportsforagivenservice.Thebuilt-inroleforSQLServerprovidesadditionaltesting(seenextsection),andcustomscriptsmaybeusedforthirdpartyapplications.RequestsaresentfromtheVeeambackupserver,andtheroutingtothevirtualmachineishandledbytheVirtualLabproxyappliance.

1


234

4. CRCverificationisoptionallyavailableandisdisabledbydefault.Ifenabled,itwillensureallcontentofthebackupfileisconsistentwiththehashvaluesatthetimetheywerewritten.ThisconsistencycheckisusingtheCRCalgorithmforhashing.

Note:Thisfeaturereadstheentirebackupfile,andrequiressignificanttimetocomplete.

IfLinkedJobsareconfiguredfortheSureBackupjob,linkedVMswillstartbootingonceallvirtualmachinesexplicitlydefinedwithintheApplicationGrouphavebeensuccessfullybootedandverified.Rememberthatbydefault3VMsaretestedatthesametimeinaLinkedJob.Theremaybemorethan3VMslinked,butthefollowingoneswillstayinthetestingqueue.ThelimitcanbeadjustedintheSureBackupjobconfigurationwizard,andmaybeincreasedifthebackuprepositorycanhandletheloadaccordingly.

Guestpredefinedroles

Whenaddingaguestimagetotheorthelinkedjob,itispossibletoassignapredefinedrole,forwhichVeeamBackupwillautomaticallyconfigurebootoptionsandrunadefaultsetofapplicationtestaccordingly,followingrulesdescribedinbelowtable.


235

https://helpcenter.veeam.com/docs/backup/vsphere/surebackup_job_joblink_vm.html?ver=95

Role Defaultstartupoptions Defaulttestscript

DNSServer

600smaximumboottime120sapplicationtimeout

Connectiontestonport53

DomainController(authoritativeornonauthoritative)



GlobalCatalog



MailServer

1800smaximumboottime120sapplicationtimeoutConnection

testonport25

SQLserver


Run“USE”SQLcommandagainstalldefineddatabasesontheserver

VeeamBackupforOffice365



WebServer

600smaximumboottime120sapplicationtimeoutConnection

testonport80

Note:YouwillnoticethattheDomainControllerstartupmode(authoritativeornot)cannowbechoosen.Veeamwillmarktheserveraccordinglysoitbootsintheselectedmode.ThisisespeciallyusefulifmanyDCneedstobetestedinasingleSureBackupjob.Pleaseremindthatifasingle(orthefirst)DomainControllerisbooted,itmightusetheauthoritativemode.SubsequentDomaincontrollersmustthenusenon-authoritativemodeandwillthensynchronizefromtheauthoritativeone.

CheckingSQLServerDatabaseAvailability


236

AdedicatedVisualBasicscriptisincludedtoallowfortestingwhetheralldatabasesonagiveninstanceareavailable.ThisscriptisavailableintheVeeaminstallationfolderastheVeeam.Backup.SqlChecker.vbsfile.

Bydefault,thescripttriestoretrieveandcheckallinstances;youcanoptionallyconfigureoneormorespecificinstancestobetested.Thescriptenumeratesalldatabasesandchecksifthesedatabasesareavailable,usingtheUSE<db>statement.

Whenrunningscriptsthatrequireauthentication,whenexecutedthescriptwillimpersonatetheserviceaccountunderwhichtheVeeamBackupServiceisrunning(defaultisSYSTEM).Tospecifydifferentcredentialsconfiguretheminthe'Credentials'tabintheApplicationGroupsettings.

Important!Toensuresuccessfulauthenticationitisrequiredforthespecifiedusertohavepublicaccesstoalldatabases.

TheSqlChecker.vbsscriptalsoacceptstwoadditionalparameterstouseSQLauthenticationinsteadofWindowsbasedauthentication.InordertouseSQLauthenticationyouneedtoaddacustomtestscriptinsteadofthebuilt-inSQLServerrole,andspecifythefollowingpathandarguments:

Name:SQLcheckerPath:BrowsefortheVeeam.Backup.SqlChecker.vbsfileArguments:%log_path%%vm_ip%sasa_account_password


237

CreatingCustomRoles

Thoughthereareanumberofbuilt-intestsintendedforapplication-leveltesting,youmayneedtodevelopadditionalscriptsfortestingproprietaryapplications.Thisistheproceduretodoso:

1. OpentheVeeaminstallationfolderandlookintheSbRolesfolder.AllrolesaredefinedintheXMLfilesavailableinthisfolder.

2. Tocreatecustomroles,duplicateoneoftheabovementionedfilesandmodifythe<Id>tagusingaUUIDgenerator(suchashttps://www.uuidgenerator.net).UsethisconfigurationfiletospecifytheGUIsettings.

WhencreatingcustomrolesforLinux-basedapplicationsyoumayneedtoexecutethegeneratedcodelocallywithintheVM.Todoso,use\Putty\plink.exeshippedwiththeproductandlocatedintheVeeamBackup&Replicationinstallationdirectory.

WhenexecutingbashscriptslocallyonaLinuxvirtualmachineusingplink.exe,theexitcodesarepassedtotheSureBackupjob,enablingcorrecterrorreporting.Ifusingplink.exeincombinationwithaSSHprivatekey,youshouldconnectmanually(onetime)totheVMviaSSHusingputty.exefromtheVeeambackupserverinordertoacceptthetargetVMSSHfingerprint;otherwise,theSureBackupjobwillwaitforthisinputandultimatelytimeout.

Note:Youcanuseputtygen.exetocreateaprivatekey.


238

https://www.uuidgenerator.net

AnotheroptionfortestingserviceavailabilitywithVeeam.Backup.ConnectionTester.exeisdescribedinhttp://www.veeam.com/kb1312.

CommonIssues

WhenperformingSureBackup,therearefewcommonissuesyoumaycomeacross.MostoftheseissuesaredescribedinVeeamknowledgebasearticles:

WhenrestoringWindows2008R2virtualmachineswiththeVMXNET3networkadapter,theresultingvirtualmachineobtainsanewNIC,andallnetworksettingshavetobeadjustedmanually.ThesolutionisexplainedinVeeamKB1570

WhenusingDHCPwithleasesboundtoMACaddresses,ensurethatthevNICMACaddressisconfiguredasstatic.OtherwisetheVMwillbootwithaMACintheVirtualLab,andtheVMmaygetadifferentIPaddress>SettingastaticMACaddressforavirtualNIC

SomeLinuxdistributionsuseudevforassigningnamestoNICs.IftheMACaddresschangesduringreplicationorInstantVMRecovery,theNIC'sconfigurationfilemaynotbeapplied.Formoreinformation,pleaseseeRHEL6SureBackup

TroubleshootingMode

IfyouneedtotroubleshootVirtualLab,itisrecommendedtostartsessionsintheTroubleshootingMode.Todoso:

1. OpenupStatisticsforaSureBackupjob.

2. Right-clicktheVMyouwanttotroubleshoot.

3. SelectStart.

TheSureBackuplabwillnowstartintroubleshootingmode,whichmeansthaterrorswillnotcausetheVirtualLabtoshutdownimmediately.

IftheselectedVMisinanapplicationgroup,thisVMandpreviousonesarestarted.IftheVMispartofalinkedjob,theentireApplicationGroupandtheselectedVMisstarted.

ThismodeisespeciallyhelpfulduringanimplementationphasewhilemeasuringapplicationboottimesviavPowerNFS,orimplementingcustomverificationscripts.Whenyouhavefinishedtroubleshooting,youcanstoptheSureBackupsessionmanually.

Tip:OntheVirtualLabappliance,ICMPtrafficisblockedonallnetworkinterfacesconnectedtoisolatednetworks,unlessyoucheckthe"Allowproxyappliancetoactasinternetproxyforvirtualmachinesinthislab".Thismayleadtoundesiredbehaviorofsome


239




https://forums.veeam.com/vmware-vsphere-f24/rhel6-surebackup-t11681.html#p63750

systems,astheywillbeunabletopingtheirgateway.

VirtualLabinComplexEnvironmentsWhenusingstandardvSwitchesinaVMwarevSphereinfrastructure,theVirtualLabproxyapplianceandtheisolatednetworksmustrunonthesameESXihost("BasicSingle-Host"and"AdvancedSingle-Host"configurations).ThereasonisthatstandardvSwitchesandtheirportgroupsareboundtoonesinglehost.SincetheVirtualLabportgroupsareisolatedbynature,thesenetworksarenotknownatthecorenetworkintermsofVLANtaggingorrouting.

WhenDistributedvSwitch(dvSwitch)isavailable,portgroupscanspanmultipleESXihosts("AdvancedMulti-Host"configuration).DistributedvSwitchesaretypicallyrequiredwhenusingVirtualLabforreplicas(SureReplica)asreplicaswilloftenspanmultiplehosts.vSphereDistributedResourceScheduler(DRS)mayalsodistributeVMsacrossmultiplehostswithinaclusteroncetheyarestarted.

Important!PleasecheckthefollowinghelparticleandthelinksatthebottomofthewebpagebeforeyouconfigureVirtualLabsforDistributedvSwitch:AdvancedMulti-HostVirtualLabs.

EveninenvironmentswhereDistributedvSwitchisavailable,makesurethattheVeeambackupserverandtheVirtualLabproxyapplianceareplacedinthesameVLANtopreventnetworkpackets(senttothemasqueradingIPsubnets)frombeingrouted.


240

https://helpcenter.veeam.com/docs/backup/vsphere/surereplica_advanced_mutihost.html?ver=95

MostDRdatacentersareconfiguredwithdifferentIPnetworksfromproductiontoallowfor“active-active”configurations.Insuchcases,layer3(L3)isusedfornetworkingconfigurationandroutingisinplacetoestablishcommunicationsbetweentheproductionsiteandtheDRsite.

Formoreinformation,pleaseseetheBackupServerPlacementsectionofthisguide.


241

.FormoreinformationaboutDomainControllerrestore,pleaseseethecorrespondingthreadinVeeam↩

CommunityForums>VeeamB&Rv5recoveryofadomaincontroller

1


242

https://forums.veeam.com/veeam-backup-replication-f2/veeam-b-r-v5-recovery-of-a-domain-controller-t7000-105.html#p83808

OverviewofApplicationsSupportVeeamBackupandReplicationfeaturesnativesupportforseveralapplications,providingfullsupportforbackupandrestore.Applicationswithnonativesupportcanbeeasilyprotectedandsubsequentlyrestoredaswell,sometimesrequringadditionalconfigurationormanualoperationsdependingontheapplication.Thissectionisdedicatedtocoveringspecificsofimplementingprotectionforsomeofthem.

Itispossibletoensuredatasafetyandtransactionalconsistencyforapplicationsnotcoveredinthisguideusingpre-freezeandpost-thawscriptsthatwillexecuteinsideofthevirtualmachine.Subjectapplicationhastoprovidethewaytoprepareitselfappropriately.

Generallyspeakingpre-freezeandpost-thawscriptshaveto(dependingonthecapabilitiesoftheapplication):

Pre-freeze-freezetransactionsorcreateapplication-levelconsistentsnapshotofitsdata.Alternativelyapplicationservicescanbeshutdownbutthisinvolvedshortuserservicedowntimeandthusisnotdesirable.Post-thaw-unfreezetransactionsordeletesnapshotcreatedbypre-freeze(whereapplies).Incaseserviceswereshutdowntheyshouldbestartedagain.

Certainapplicationsdonotrequirethesestepsastheyincludeself-healingmechanicsormaintaintransactionalconsistencybyothermeans,applicationdocumentationhastobecheckedand/orapplicationvendorhastobecontactedforspecificsonachievingthis.

Notethatinadditiontoconfiguringapplicationconsistencyforsuchapplications,restoreprocesshastobeproperlyplannedasadditionalstepswouldhavetobefollowedtorestorethemaswell.UsingU-AIR(UniversalApplicationItemRecovery)functionalityallowsforperformingrestoresofanyapplicationsincludingcustomin-housebuiltprovidedthenativeapplicationmanagementtoolsareused.

OverviewofApplicationsSupport

243

https://www.veeam.com/pdf/guide/veeam_backup_9_5_uair_wizard_user_guide_en.pdf

ActiveDirectoryVeeamBackupandReplicationnativelysupportsbackupofMicrosoftActiveDirectorycontrollersandallowsforimagelevelandgranularADitemsrestore.

PreparationForMicrosoftActiveDirectory,checkthetombstonelifetimesettings,asdescribedinVeeamExplorersUserGuideatVeeamHelpCenter(https://helpcenter.veeam.com/docs/backup/explorers/vead_recommendations.html?ver=95).

JobconfigurationForbackupandrestoreofdomaincontrollerstoworkproperlyapplicationawareimageprocessingopptionhastobeenabledinthejobproperties.FormoredetailsrefertothecorrespondingsectionoftheUserGuide.

RestoreandfailoverItisagoodpracticetoimplementreduntantActiveDirectoryconfigurationwithseveraldomaincontrollerswhichhelpseliminatesinglepointoffailure.DependingontheActiveDirectoryarchitectureitmightmakesensetorebuilddomaincontrollerthatwaslostinsteadofrestoringitfromthebackup.OneofsuchcasesisifFSMOrolesfromthelostdomaincontrollerwereseizedonanotherone,thenitisbettertodeployanewVMinsteadofrestoringaserverwhichstillthinksitisholdingtherole.Finallyifyouareredeploying,makesureallFSMOrolesarebeingheldbyacontrollerandthatyoucleanupthemetadataofthecontrollerthatisnotcomingback.

RecoveryverificationTherearetwoDomainControllerrolesavailableinapplicationgroupconfiguration-forauthoritativeandnon-authoritativerestore.Whentestingrecoveryofonedomaincontrolleronlychoosingrolewithauthoritativerestorewillspeedupverificationprocess.

ActiveDirectory

244

https://helpcenter.veeam.com/docs/backup/explorers/vead_recommendations.html?ver=95


ActiveDirectory

245

MicrosoftExchangeVeeamBackupandReplicationsupportsvarietyofExchangeconfigurationincludingDAGdeployments.FormoredetailsrefertothecorrespondingsectionoftheUserGuide.

PreparationDAGclusteredconfigurationsmayrequireadjustingclustertimeoutstoavoidfailoversduringbackupasperKB1744.

JobconfigurationForbackupandrestoreofExchangeserverstoworkproperlyapplicationawareimageprocessingopptionhastobeenabledinthejobproperties.FormoredetailsrefertothecorrespondingsectionoftheUserGuide.

GranularitemrestoreWhenmountingExchangedatabaseVeeamExplorerforExchangereplaysrelevantlogfileswhichmaysignificantlyincreasetimeneededformountoperationincasethereisalotoflogstoreplay.AslaggedDAGtechnologyreliesonkeepinglotsofExchangelogsexpectVeeamExplorertakingsignificantamountoftimetomountEDBswhenperformingitemrestorefromlaggedDAGmailboxservers.

MicrosoftExchange

246



MicrosoftSQLServerInadditiontotheimagelevelbackupofaVMthatwillincludefullbackupoftheSQLdatabasesVeeamBackupandReplicationcanperformadditionalbackupoftransactionlogs.ThisprocessisdescribedinthecorrespondingsectionoftheUserGuideindetails.

PreparationTransactionlogsareprocessedperiodicallyandstoredintemporaryfolderinsideoftheVMbeforeshippingtorepository/shippingserver.Defaultlocationofthetemporaryfolderis%allusersprofile%\Veeam\Backup.TochangetemporaryfolderuseSqlTempLogPath(STRING)registryvalueasdescribedatHowItWorks:SQLServerandTransactionLogBackup:

Path:HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\VeeamBackupandReplicationKey:SqlTempLogPathType:REG_SZDefaultvalue:undefined

Forthelistofallregistrykeysresponsibletofine-tuningMSSQLserverbackup(forexampleexcludingcertaindatabasesfromprocessing)refertoKB2182.

AsrestoreisintegralpartofSQLServerprotection,specialattentionshouldbepaidtoplanningVeeamExplorerforSQLconfiguration,specificallynetworkconnectivitybetweenmountserverandstagingserversinrestrictedenvironments.PortsusedforcommunicationbetweenthemarelistedintheUsedPortssectionoftheUserGuide.

JobconfigurationWhenbackingupAlwaysOnavailabilitygroupmakesureallclusternodesareprocessedbythesamebackupjobfortransactionlogsprocessingandrestorestoworkproperly.Considerincreasingclustertimeoutsincasefailoveroccursduringthebackup,similartoExchangeDAGasperKB1744.

Granularitemrestore

MicrosoftSQLServer

247

https://helpcenter.veeam.com/docs/backup/vsphere/sql_backup_hiw.html?ver=95

https://helpcenter.veeam.com/docs/backup/vsphere/sql_backup_hiw.html?ver=95


https://helpcenter.veeam.com/docs/backup/vsphere/used_ports.html?ver=95#explorers


Incertainscenariosuseofstagingserverisnecessary(seehttps://helpcenter.veeam.com/docs/backup/explorers/vesql_staging_server.html?ver=95).Whenstagingserverisusedtransactionlogsfromthebackuparetransportedtostagingserverandreplayedthere.ForthattoworkensurethatstagingserverhasenoughdiskspaceinADMIN$sharetostorealllogfiles.

Ifyouhavespecialfeatures/enhancements/configurationsettingsontheproductionMicrosoftSQLand/orMicrosoftSharePointservertobeprotectedwithVeeam,thesecustomsettingsshouldbeimplementedonthestagingSQLServer,too.

Onespecialcaseofcustomsettingsthatmustbeconfiguredonstagingserverisencryption.Whenperformingrestore/exportofencrypteddatabasepleaserefertoKB2006fordetailsonconfiguringthestagingserver.

MicrosoftSQLServer

248

https://helpcenter.veeam.com/docs/backup/explorers/vesql_staging_server.html?ver=95



JobconfigurationForbackupandrestoreofSharePointserverstoworkproperlyapplicationawareimageprocessingopptionhastobeenabledinthejobproperties.FormoredetailsrefertothecorrespondingsectionoftheUserGuide.AsSharePointdeploymentsmayspreadacrossseveralserversmakesuretofamiliarizeyourselfwiththeRequiredMicrosoftSharePointBackupJobSettingssectionoftheUserGuide.

GranularitemrestoreExplorerforSharePointreliesontheabilitytorestoredatafromSharePointSQLdatabase,refertothecorrespondingsectionofthisguideonbestpracticestoSQLServerrestorefordetailsrelevanttothatprocess.

ForinformationonrestrictionsandlimitationsofSharePointrestorerefertothecorrespondingsectionoftheUserGuide.


249


https://helpcenter.veeam.com/docs/backup/explorers/vesp_bu_job_settings.html?ver=95

https://helpcenter.veeam.com/docs/backup/explorers/vesp_recovery_specials.html?ver=95

OracleVeeamBackupandReplicationnativelysupportsbackupofOracledatabaseserversandallowsforimagelevelandgranularOracledatabasesrestore.

Note:32-bitOracleinstanceson64-bitLinux,andOracleRACarenotsupported.

PreparationOnlydatabasesinARCHIVELOGmodewillbebackeduponline,databasesinNOARCHIVELOGmodewillbeshutdownwhichwillcausedatabaseavailabilitydisruption.

Logsarestoredtemporarilyontheguestfilesystembeforetheyareshippedforprocessing.ThismaycauseundesiredbehaviorifthereisnoenoughspaceavailableindefaultlocationandchangingtemporarylocationfromdefaultisrecommendedasperKB2093.

WhenbackingupOracleonLinux,thebackupserverisusedforinitiatingconnections,whereasaGuestInteractionProxywillbeselectedforOracleonWindows.

AsrestoreisintegralpartofOracleprotection,specialattentionshouldbepaidtoplanningVeeamExplorerforOracleconfiguration,specificallynetworkconnectivitybetweenmountserverandstagingserversinrestrictedenvironments.PortsusedforcommunicationbetweenthemarelistedinthecorrespondingsectionoftheUserGuide(https://helpcenter.veeam.com/docs/backup/vsphere/used_ports.html?ver=95#explorers).

Permissions

CertainlevelofaccessisexpectedfromtheuseraccountconfiguredforperformingOraclebackup.RefertothecorrespondingsectionoftheUserGuidefordetails(https://helpcenter.veeam.com/docs/backup/explorers/veo_connection_to_source_server.html?ver=95).

WhenprocessingLinuxinstances,thesameuseraccountspecifiedforapplicationawarenessisusedtoprocesstheOraclebackup.ForWindowsinstances,youmayspecifytwoseparateaccounts.

Note:ItisnotpossibletousedifferentaccountstoaccessdifferentOracleinstancesrunningonthesameVM,makesurespecifiedcredentialscanbeusedtoaccessallinstancesonaVMinthosecases.

OracleDatabase

250


https://helpcenter.veeam.com/docs/backup/vsphere/used_ports.html?ver=95#explorers

https://helpcenter.veeam.com/docs/backup/explorers/veo_connection_to_source_server.html?ver=95

WindowsOS

UseraccountusedtoconnecttoaVMshouldhavelocaladministratorprivilegesonguestVMandread/writeaccesstodatabasefilesonfilesystemlevel.

InadditionthisaccountorseparateOracleaccountincaseitisdifferentshouldhaveSYSDBArights,thiscanbeachievedbyaddingittoora_dbalocalgroup.

LinuxOS

RootaccountoraccountelevatedtorootshouldbeusedtoconnecttoaVM.Automaticaddingtosudoerscanbeenabledfortheaccountbutnotethatsudoersfileentrywillnotberemovedautomatically.PersistentsudoersfileentrywithNOPASSWD:ALLoptioncanbeaddedmanually,forexample:

oraclebackupALL=(ALL)NOPASSWD:ALL

Thisaccountshouldbeincludedintheoinstall grouptoaccessOracledatabasefileshierarchy,andtoasmadmingroup(whereapplies).

InadditionthisaccountorseparateOracleaccountincaseitisdifferentshouldhaveSYSDBArights,thiscanbeachievedbyaddingittodbalocalgroup.

JobconfigurationRefertothecorrespondingsectionoftheUserGuide(https://helpcenter.veeam.com/docs/backup/vsphere/replica_vss_transaction_oracle_vm.html?ver=95)fordetailsonconfiguringOracledatabasebackupandtransactionlogsprocessing.

AvoidusingaggressivelogstruncationsettingsfordatabasesprotectedwithDataGuardasitmayaffectlogssynchronizationtosecondaryserver.DataGuardshouldhaveenoughtimetotransportlogsremotelybeforetheyaretruncatedthusgenerallyhaving"Deletelogsolderthan"optionlessthan24hoursisnotrecommended.

Jobworkflow

OracleonLinuxbackupworkflow

1. Coordinationcomponentwhichwillperformallthenecessarystepsisinjectedintothe

1

OracleDatabase

251

https://helpcenter.veeam.com/docs/backup/vsphere/replica_vss_transaction_oracle_vm.html?ver=95

guestVM.ThiscomponentisthesameastheoneusedforLinuxapplication-awareimageprocessingingeneral.

2. Performapplicationdiscovery.ThisisdoneusingnativeOSmethods,coordinationcomponentqueries/etc/oraInst.locandreadsinventory.xmlwhichisthencomparedto/etc/oratabinformation.

3. Statusandversionofinstance(s)isfetched.4. DiskgroupinformationisretrievedforASMinstances.5. Logmodeisidentified,thisinformationwilllaterbeusedfordecisionsonhowexactly

thedatabasehastobeprocessed.Databasefiles,CDB(Oracle12only)andcurrentDBIDinformationisretrieved.

6. AtthissteparchivelognecessaryinformationwascollectedandVeeamwillstartdoingactualbackup,modifyingdatabasestate-currentarchivelogisarchivedandallarchiveloginformationisretrieved.

7. PFILEbackupiscreatedandarchivedintothebackupmetadata.8. Additionalinformationiscollectedandrecorded(currentDBID,SCN,SequenceIDs,

databaseuniquename,domain,recoveryfiledestination,basiclistenerinformationandcurrentarchivelog).

9. Coordinationcomponentisshutdownandthenrestartedagaintofinalizethebackup:databaseisputintobackupmodeanddatabasesnapshotiscreated.

OracleonWindowsbackupworkflow

BehavioronWindowsdependsonthestateofVSSwriter,Oracleversionanddatabasetype.

VSSenabled VSSdisabled

Pluggabledatabase

Oracle11

OracleVSSwriterisengaged,NOARCHIVELOGdatabasesareshutdownandexcludedfromVSSprocessing

SameworflowasforLinux

N/A

Oracle12

OracleVSSwriterisengaged,NOARCHIVELOGdatabasesareshutdownandexcludedfromVSSprocessing

SameworflowasforLinux

SameworkflowasforLinux,VSSwriterisskipped

RestoreandfailoverBeforethebackupthedatabase(inARCHIVELOGmodeonly)isputintobackupmode,thishastobetakenintoconsiderationwhenperformingrestore-restoringdatabaseserverVMisnotenoughforrestoringtheservice,databasehastobeputoutofbackupmode:

OracleDatabase

252

ALTERDATABASEENDBACKUP

GranularitemrestoreOraclerestoreusingVeeamExplorerforOracleusesacombinationofexecutingcommandsviaSSHorRPCdependingontheplatform,andusingtheRMANclient.VMdisksaremountedtotargetserverusingiSCSI(Windows)orFUSEandloopdevice(Linux).Onlydatabasefileswillberestored,notinstancefiles.Instancefilesmayberecoveredthroughfile-levelrecoveryifneeded.

Ensuretheaccountusedtoconnecttotarget/stagingserverhasenoughpermissionsonoperatingsystemanddatabaseasdescribedinthecorrespondingsectionofUserGuideorearlierinthisguide.

Note:WhenrestoringtoLinuxensurethataccountusedtoconnecttorestoretargetserverhasvalidshell.

Restoreworkflow

WhenperformingrestoreVeeamExplorerfollowsthefollowingsteps:

1. Oracleinstance/databasediscoveryisperformedandinformationiscollected,thatincludespathvalidationanddiskspaceavailabilitychecks.

2. VMdisksaremounted.3. Targetdatabaseisshutdownanddropped,configurationiscleaned(configurationand

temporaryinstancefiles).4. Databaseisstartedfromthetemporarylocation,ifthatfailsanotherrestoreattemptis

performedwithsafesetofparameters.5. Aftersuccessfulteststartfromtemporarylocationdatabaseisrestoredtoproper

locationusingautomaticallygeneratedRMANscript.6. Restorecontrolfilesarerestoredafterthat.Databaseisupdatedtospecifictransaction

priortothatincasepointintimewasselectedforrestore.7. FastRecoveryAreaparametersarerestoredanddatabaseisupgradedaccordinglyif

restoring32-bitinstanceto64-bit.8. TofinalizerestoremountedbackupisremovedfromRMANrepository,restored

databaseisrestartedandnewDBIDisgenerated.Remainingbitsoftheconfigurationarerestoredaswell-parameterfileisrestoredtoproperpathalongwithpasswordfile,DBNAMEischangedifneeded,logsareresetandonlinelogsarerecreated.

OracleDatabase

253

https://helpcenter.veeam.com/docs/backup/explorers/veo_connection_to_target_server.html?ver=95

OracleDatabase

254

MySQL/MariaDBBackupandrestoreofMySQLandMariaDBiscoveredinthiswhitepaper:https://www.veeam.com/wp-consistent-protection-mysql-mariadb.html.

MySQL

255

https://www.veeam.com/wp-consistent-protection-mysql-mariadb.html

DominoBackupandrestoreofIBMLotusDominoiscoveredinthisVeeamwebinar:https://www.veeam.com/videos/backing-up-non-vss-aware-applications-ibm-lotus-domino-4867.html

IBMNotes/Domino

256

https://www.veeam.com/videos/backing-up-non-vss-aware-applications-ibm-lotus-domino-4867.html

SAPHANAPre-freezescriptscanbeusedtocreateHANAsnapshotbeforethebackupstarts.ThissnapshotcanbeusedastransactionallyconsistentstateofdatabaseafterrestoringHANAVM.

AnexampleofensuringdatabaseconsistencyforSAPHANAisdescribedonVeeamcommunityforums:https://forums.veeam.com/veeam-backup-replication-f2/sap-b1-hana-support-t32514.html.

SAPHANA

257

https://forums.veeam.com/veeam-backup-replication-f2/sap-b1-hana-support-t32514.html

POCGuideOrganizationsaremodernizingtheirdatacentersinordertoprovisionITservicesfaster,strengthensecurityandcontrol,andloweroperationalcosts.Whilebuildingmoderndatacenters,organizationsinvestinservervirtualization,modernstorageapplicationsandcloud-basedservices.However,businessesarefacingnewdemandsfromendusersincludingaccesstodataandapplications24/7,nopatiencefordowntimeordataloss,andexponentialdatagrowthat30-50%peryear.

Thisopensagap—anavailabilitygap—betweentherequirementsoftheAlways-OnBusiness andIT’sabilitytoeffectivelydeliveravailability.Infact,82%ofCIOssaythereisagapbetweenthelevelofavailabilitytheyprovideandwhatendusersdemand.

Veeambridgesthisgapbyprovidingcustomersanewkindofsolution--AvailabilityfortheModernDataCenter,whichdeliversRTPOof<15minutesforallapplicationsanddata.

Organizationsnowcanleveragetheirinvestmentsinthemoderndatacentertomeetnewdemandsofthealways-onbusiness.

ThissectionofthedocumentwilldemonstratehowVeeamsolutioncanbeusedthroughoutanentiredatacenteravailabilityproject,beginningwiththefirstassessmentphasetotheprojectimplementationfromthetechnicalperspective.

TM

POCGuide

258

Note:Whiletheseguidelinesfocusonenterprisecustomerswithmorethan100hostsor1,000virtualmachines,VeeamAvailabilitySuiteisapplicabletoanyinfrastructuresize.

POCGuide

259

AssessmentBeforestartingaproject,itisveryimportanttounderstandcustomers’needs,visionandtheITenvironment.Whilethefirsttwocanbetheoutcomeofaninitialprojectmeeting,theITenvironmentcanbeanalyzedwithVeeamONE,whichisapartoftheVeeamAvailabilitySuite.

Thefollowinginformationisveryimportantandcanhelptostreamlinetheprojectandproactivelypreventsituationsthatimpacttheenvironment:

VeeamONEMonitor

Alertstab

CheckintheAlertstabofVeeamONEMonitoriftherearespecificerrorsthatneedtobeaddressedbeforeyoubringextraloadtotheenvironmentwithbackupprocessingthatcancausebusinesscriticalsituations.Use"AllDeploymentProjects"areaintheReportertoolwhenplanningtoaddextraresourceintotheenvironment,thiswillgiveagoodindicatoroftheeffectthenewsystemswillmaketothecurrentsetup

VeeamONEReporter

StorageLatency

Assessment

260

Thisreportwillhelpyouidentifystoragesystemsthatareunderheavypressureoratitsmaximumload.LetVeeamONErunatleast24hoursandcheckiftherearehighlatencysituations.

ChangeRateEstimation

Assessment

261

ThisreportwillhelpyouidentifyVMswithahighchangerateattheblocklevel(relevantforincrementalbackups).Youcanlaterconfigurethebackuporreplicationjobtoprocessthematthebeginningofthebackupwindow,toaddressthelongerjobruntimes.Ingeneral,thisreportwillgiveyounumbersforbackuptargetstorageplanning.

VMConfigurationAssessment

Assessment

262

ThisreportwillhelpyouassessVMsreadinessforperformingbackupwithVeeamBackup&Replication.ItanalyzesconfigurationofVMsinthevirtualenvironmentandshowspotentialissuesandpossiblelimitationsthatcancausethebackupprocesstofailorpreventVMsfrombeingproperlybackedup.

InfrastructureOverview

ActiveSnapshots

Assessment

263

VMwaresnapshotsareoftendonetosaveaspecificstateoftheVMforsometime.Whiletheyarecreatedveryeasily,administratorsforgettodeletethemovertime.Togetherwithadministrators,youcanreleaseallsnapshotsthatarenotneededanymore.Thiswillhelppreventdatastoredowntimesbecauseofsnapshotsfillingupthewholephysicalstorage.

OrphanedSnapshots

Assessment

264

ThisreportdetectsVMsnapshotsthatarestillactiveondatastoresbutdonotshowupintheVMwareSnapshotManager.VeeamBackup&ReplicationanditsSnapshotHunterwillcorrectthissituationbyconsolidatingthesesnapshots,whichcanbringextraloadatthefirstbackupPOC.WestronglyrecommendthatyoutunetheVMwareenvironmentandconsolidateallorphanedsnapshotsbeforeyoustartaBackup&Replicationproject.

InfrastructureChangesbyUser

InthelaterPOCphase,createaseparateaccountforaVMwareuserandusethisaccountforallauthenticationoperationsinVeeamBackup&Replication.WiththeInfrastructureChangesbyUserreport,youcantrackanddocumentallchangesdonebythisuser.

Inventory

Assessment

265

Thisreportprovidesthemostcompleteandup-to-dateconfigurationinformationonallobjectsinthevirtualenvironment.Itcanbeusedofflineattheplanningphasetoaddressanyvirtualinfrastructure-relatedquestions.

TherearemanyadditionalinterestingreportsintheVeeamAvailabilitySuite.

CheckouttheVMwareOptimizationorHyper-VOptimizationsectionsofVeeamONEReporter.AgoodexampleistheGarbageFilesReportthatcanidentifypossiblewastedspaceondatastores.Insomecases,ithelpedtofreeup10TB+ofspaceonthetier1storage.

Assessment

266

https://helpcenter.veeam.com/docs/one/reporter/vmware_optimization.html?ver=95

https://helpcenter.veeam.com/docs/one/reporter/hyperv_optimization.html?ver=95

AcceleratedEvaluationManycustomersdecidetodoasmallscaleProofofConcept(POC)afterseeingtheirfirstlivedemonstrationandpresentationmeetingswithpartnersorVeeamSystemEngineers.TheideaistogetstartedwiththeinterfaceofVeeamBackup&Replicationandtotestifeverythingworksasexpected/presentedwithinthecustomer’senvironment.

Asenterpriseenvironmentsaresometimesverycomplicatedfromthefirewallandstorageperspective,inmostcasescustomersdecidetodoaPOCinsmalltestenvironments.Typically,atestenvironmentincludes:

ESXihosts,vCenterServer,VeeamBackup&Replicationserver10-20VMsrunningvariousbusinessapplications

ItispossibletocarryoutaVeeamBackup&ReplicationPOCinsuchenvironmentwithonlyasingleVeeambackupserveronaVMwith8coresand8-16GBofRAM.(Sincethistestisfocusedontheuserinterfaceexperience,nospecialpreparationisneededfromtheperformanceperspective.)

CustomersoftendrivethisPOCthemselves.Toassistcustomerswiththistask,VeeamhaspublishedagoodEvaluator'sGuidethatincludesconfigurationscreenshotswithminimalrequiredbackgroundinformation.

OnethingtorememberwhenrunningaPOCwithVeeamisthatyouwanttotestsomethingwithmeaning,testingabackupbecauseitbacksupisimportanthoweverhavingagoalisalsoimportant.

EvenforasmallPOCaplanisessential,writeupcanbeassimpleas:

Howmanymachines,setaspecificnumberandrecordtheirnames.Whatapplicationsareyoutestingandwhy,whatisthecriteriaforsuccessoneachmachine.Whattypesofrecoveryareyougoingtotestandwhy(Veeamcurrentlyhas57waystorecover).Whatareyourexpectationsfromthetestingprocess.Whatfunctionalitydoyouwanttoseeinaction.

WeallknowVeeamwillprotectvirtualmachines,theaimofyourPOCshouldbetoseehowwellitlivesuptoyourexpectationatdoingspecifictypesofprotectionandrecovery.

SeeVeeamHelpcenterforEvaluator'sGuide:

VMwarevSphereenvironments


267

http://helpcenter.veeam.com/evaluation/backup/vsphere/en/

MicrosoftHyper-Venvironments


268

http://helpcenter.veeam.com/evaluation/backup/hyperv/en/

EnhancedEvaluationBasedontheinformationgatheredduringtheassessmentphaseandcustomerrequirements,youmaydesignasolutiononpaperandpossiblyimplementit.Mostlikelysuchdesignsaregoingtochangeovermultiplerevisionsduringtheimplementationphaseaftercommunicatingwithotherdepartmentse.g.security,networkingandstorageteams.Itmayalsohappenthatthecustomercomesupwiththenewdemandsbasedonnewfindings.Thismaydelayintheimplementationandultimatelyleadtoincreasedcost.

ThischapteraboutTheEnhancedEvaluationshouldhelpyouavoidingsuchsituations.WewillexplainhowtheapproachusedbyVeeamarchitectscanhelpyousimplifyandstreamlinethedesignphaseandsteerallprojectparticipantstowardsthesamegoals.Thiswilloptimizetheimplementationphaseandultimatelycutcostduetolesstimespentrevisingthedesignandrealigningstakeholders.

EnhancedEvaluation

269

EnhancedEvaluation-WorkshopExampleThissectiondescribeshowtoconductaninfrastructurediscoveryandassessmentsessionwithacustomer.BelowisanexampleofhowVeeamArchitectsholdsuchmeetingsthiswithcustomers.Theexamplebelowisjustoneexampleofmanypossiblewaysofthemeetingcontent;pleasehavealookatotherchaptersofthisguidetoprepareforsuchmeeting.

InfrastructureDiscovery1. Startwiththefirstmaincustomerdatacenter.Figureoutthefollowing:

i. Virtualizationplatformandversionii. Mainstoragesystem,type,connectioniii. Isstoragevirtualizationused(betweenthestoragearraysandhypervisor)?

2. Nextwouldbethesecondcustomerdatacenter(ifavailable)

i. Isthisthesameplatformasthemaindatacenter,ifnotwhatisit?ii. Arethereanystoragereplication/mirroringinvolved?iii. IsActive/Activeclusterused?Forproperbackupproxyimplementationandbackupmodeselection,itisimportanttoknowwherethedatathatyouwanttobackupislocated,andwhetheryoucanaccessalldatafromasinglesite.

3. Obtaininformationaboutnetworkconnections:

i. Isthere10GbELAN?ii. IsthereaWANconnectionbetweenthe2datacenters?iii. WhatistheVMKernelInterfacephysicallinkspeed?iv. IsvCenterServerphysicalorvirtual?Whereisitlocated?ThisisnecessarytoknowifyouplantousetheVirtualApplianceorNetworkbackupmode.10GbEgivesyoufasterprocessingfortheNetworkmode.Tolearnmore,seethe“BackupProxy”chapter.

4. Definetheamountofproductiondata:

i. NumberofVMs(thiscanhelptodesignjobs)ii. Useddata(thiscanhelptodefinethebackuptargetandconfigurejobssettings)iii. NumberofESXihostsandnumberofusedsockets(thisregardsVeeamlicensing).iv. Numberofclustersv. Otherinformation

WorkshopExample

270

5. CreatethefirstVeeamimplementationdraft/samplescenario:

i. Startwiththerepository,discussingcustomerdemands.Intheexample,customerwantedtohavethebackupdatainbothdatacenters.Ifso,youcoulddecidetoimplementrepositoriesonbothsides(halfofthedataoneachside)andusethebackupcopyjobtomovedatatothesecondsite.

ii. Discussproxyimplementation.ThecustomeragreedtoimplementphysicalproxyserversconnectedtotheirFibreChannelnetwork.Asthecustomerusedthick-provisionedVMwareVMdisks,thisensuredafastandreliablebackupandrestore.Checkoutthe“BackupProxy”sectionofthisguidetodeterminethebestproxyimplementationandselectatransportmodefortheenvironment.

iii. Planforthebackupserver.Inthisexample,itwasplacedonaVMandreplicatedtotheseconddatacenter.(TheunderlyingdatastoreoftheVMwasnotreplicatedtothesecondsite,onlytheVM.)

iv. Addotherrequiredcomponents.ThecustomerwasalreadyusingtwoIBMTS3500librariesforlong-termretentionwiththeexistingbackupsoftware(agents).Theypreparedapartitiononeachlibrarywith4xLTO6drivesforusewithVeeam.Youwouldproceedandconnectthemtothe2physicalservers(havingtheproxyandrepositoryrolesassigned),andadditionallyassignthetapeserverroletotheseservers.

6. DefineOS/applications:

i. Createalistofusedoperatingsystems.ii. Createalistofallapplicationsstartingwiththemostcritical.Findoutwhether

MicrosoftSQLandMicrosoftSharePointareused,asitcaninfluencetheversionandtypeoftheMicrosoftSQLServeronwhichtheVeeamconfigurationdatabasemustbedeployed(ExpressEditionmaybenotsufficient).

7. Definebusiness-criticalapplications/VMstoplanforavailability.Planningforbackupisveryimportantforthem,asthismainlyinfluencetheRPOandstabilityofexistingapplications.Itisevenmoreimportanttoplanfordisasterrecoveryscenarios.

i. DefinethenumberofVMsthatarebusinesscritical.ii. FindoutwhetherslowerperformanceisOKatdisasterrecovery(considerusing

InstantVMRecovery).

Inthisexample,thecustomerusedathirdsmalldatacenterwithasinglestoragesystem(Quorum)forthestoragevirtualization.Duringthediscussionthecustomeridentified50VMsthatwerebusiness-criticalandneededfullperformanceevenatdisasterrecovery.Thus,inthenextstep,youwouldadd2ESXihoststothatQuorumdatacenterandreplicatethese50VMseveryhourtothatdatacenter.Theconnectionspeedistobe10GbE.So,incaseofdisasterrecoverythecustomercouldjustbootupallVMswithfullspeed.

WorkshopExample

271

Important!ItisveryimportanttouseallavailableVeeampossibilitiestoimplementthebestRTOandRPOtimesincustomer’senvironment.

FortheVMrecoveryscenario,youcanmixclassicVMrestore(bestforsmallVMs),InstantVMRecovery(bestforhugedataservers)andVMreplicafailover(bestfordatabasesystemswithextremeI/Orequirements).Togetherwiththecustomer,checkthe“possiblefailureareas”(singlestoragesystem/wholedatacenter/1datastore)anddecideifthedesignedVeeamimplementationfitsintotheseneedsandisinlinewiththebudget.

NetworkandFirewallVeeamAvailabilitySuiteisveryflexibleandletsyouimplementdifferentbackupinfrastructureschemes.Firewallscanbeusedbetweenallbackupinfrastructurecomponents.TheonlyexceptionisRPCinspectionfunctionality:itcancausedelaysinconnections,andVeeamBackup&Replicationcanrunintotimeouts.However,thebestpracticeistoplacebackupinfrastructurecomponentsinthesamenetworksegmentasthecorrespondingVMwarecomponentstoallowforefficientandfastusageofthenetworkbandwidth.

Proxy/RepositorySystemsProxyandrepositoryserversshouldbeplacedintheVMKernelnetworks.VeeamBackup&ReplicationusestheVMKernelinterfacestoreadoutconfigurationdataanddiskdata(incaseofNBD),andtomapVeeamvPowerNFSdatastoresforfastrecovery(InstantVMRecovery).

Backup&ReplicationServerAsthebackupservercommunicatesmainlywiththevCenterServerandotherbackupinfrastructurecomponents,itshouldbeplacednexttothevCenterServerinmostcases.Thebackupinfrastructureforthissamplescenariowouldlookasfollows:

WorkshopExample

272

VeeamONEVeeamONEcomponentsshouldbeplacednexttothevCenterServerandshouldbeabletoreadfromthebackupserverandESXihosts(overtheCIMprotocol)aswell.SeeVeeamONEdocumentationformoreinformation:VeeamONEDeploymentGuide.

EnterpriseManagerWhenVeeamBackupEnterpriseManagerisusedwithSelf-RestoreServices,itshouldbeplacedintheinternalDMZinmostcases.

RestorePoints

WorkshopExample

273

https://helpcenter.veeam.com/docs/one/deployment/about.html?ver=95

Inthesamplecase,thecustomerneededdailybackupwith14restorepoints;thepointsweretobeheldon2sites(copiedwithbackupcopyjob).Thecustomeralsowantedtooffloadtheweeklyfullbackupsontapeandholdthemforaperiodslightlylongerthanoneyearinbothtapelibraries.

ThecustomeralsoneededtoreplicatethemostcriticalVMstotheQuorumdatacenterhourly,between7:00and19:00.Thenumberofreplicationrestorepointstobemaintainedwasthemaximumpossible(here28restorepoints).

Inmanyarchitecturemeetings,planningfortheretentionpoliciesisthemosttime-consumingpartasyouarelikelytoengagedifferentadministratorsandmanagementteammembersfromdifferentdepartmentsinthisprocess.Theseteammembershavetotranslatetheirfile-basedexistingrestorepointpoliciesintoanewway(image-levelbackup).Itisamatterofconcernbecausealongerretentionchainwillresultinexpensivestoragespacecosts.

Important!RemembertoagreeonbackingupMicrosoftSQLServertransactionlogswithVeeamBackup&Replication.

Ifspeakingaboutthestoragesizing,thetoolatVeeamRestorePointsCalculatorcanhelptoillustratetheretentionchainsondiskandestimatetherequiredcapacity.

WorkshopExample

274

http://rps.dewin.me/

EnhancedEvaluation-PreparationAfterhavingagreedanddiscussedthepointsintheWorkshopExamplesection,proceedwiththeenhancedPOCtodemonstratethatVeeamAvailabilitySuitecanworkincustomer'senvironmentwithexcellentspeed.

Typically,theenhancedPOCiscarriedoutunderthefollowingconditions:

Theenvironmentisclosetotheproductionenvironment,withallfirewallsinplace.Involvedstoragesystemsaresimilartotheproductionstoragesystems.Veeamstorageintegrationisusedwheneverpossible.Todemonstratethegoodworkingloadbalancingandscalability,100-200VMsarebackedup/replicated.Allmajorapplicationsarebackeduptotestallrestorescenarios.

Preparationsteps1. PrepareforthePOCplanningwiththeVeeamUserGuideandthisdocument.2. CompleteaPOCdocumentincludingallyourdesignsandplans,includingchosen

serversforthetestsandwhytheyareimportant.Setacriteriaforsuccessoneachmachineandwhatistested.

3. Checkoutthenecessaryfirewallportsandhelpthecustomerwiththeinternalfirewallchangerequests.RefertothecorrespondingsectionsintheUserGuideandthisdocument.

Tip:Performfirewallplanningverycarefully:ifsomethingismisconfigured,thismayblocktheentirePOC.Inmostcases,itisnoteasytodetectproblemsandintroducefirewallchanges,whenthePOCisalreadyrunning.However,itisagoodideatoaskthecustomertohavethefirewalladministratorathandincaseyouneedanurgentchange.

4. CreateaseparatevCenterServeraccountforVeeamONE(read-only+datastorebrowsing+CIM)sothatyouareabletotrackwhatusersdo.

5. Ifyouwanttousethestorageintegrationfeature,checkoutthecorrespondingchapterinthisguide,setupthestorageandtheSANnetworktogetherwiththestorageadministrators.LimitthescopeofstoragesystemrescantothevolumesusedinthePOC.

6. IfyouwanttouseSureBackup,makesurethatavirtualizedDomainControllerispresentifneeded(e.g.forMicrosoftExchange).

Preparation

275

7. Letthecustomerprepareallusedantivirussystemsupfrontsothatyoudonotrunintotrouble.Checkthe"Antivirus"sectionofthisguideandVeeamKB1999.

8. AskthecustomertoprepareadecentperformingstoragesystemforthePOC.Avoidlow-endNASappliancesforenhancedevaluations.

9. Letthecustomerpreparealloperatingsystemsanddatabaseinstallations.SetupVeeamBackup&Replicationandbackupinfrastructurecomponentstogetherwiththecustomerandplacethefolderscorrectly.

10. Ensurethatthedocumentrelatingtoallthetestingisaccurateanduptodateincludingallsuccesscriteriaforeachmachinebeingtested.ThiswillkeepcontrolforPOC,eachtestandaschedulecanbebuiltaroundthetestingavoidingrandomtestingoffeatures.

Preparation

276

https://veeam.com/kb1999

AutomationThebiggertheenvironment,themoreautomationisneededtoreducetheadministrationeffort.Forexample,ifyouareoperating40branchofficeswithindependentVeeaminstallations,youmaywanttorolloutandconfigurebackupserverswithscripts,andautomaticallycreatejobsinthesamelocation.Anotherexampleisautomaticjobcreationfor2,000-3,000VMswithexactlythesameconfigurations,whichcanlimituser-causedmisconfiguration.

CommandlineFollowingoperationsaremanagedthroughtheWindowscommandline:

Installation-LinktoHelpCenterUpdates-LinktoHelpCenter

PowerShellOperationsinVeeamBackup&ReplicationcanbeautomatedwithVeeamPowerShellsnap-ininthefollowingareas:

ConfigurationJobcreation/jobeditingWorkingwithexternalschedulers(UC4/TWSandother)tostartVeeamjobsRestoresReportingDatacentermigration(quickmigrationorreplication)

ThePowerShellpluginisavailablewithallcommercialversionsoftheproduct.

Note:PowerShellpluginisalsoavailablewithVeeamBackupFREE,althoughlimited:http://www.veeam.com/blog/veeam-backup-free-edition-now-with-powershell.html

Ourcustomersandpartnersusethisfunctionalitytoscaleoutbackupinfrastructureenvironmentstonearly100,000VMsunderasingleVeeamBackupEnterpriseManagerinstancewithmultiplebackupserverslocatedindifferentdatacenters.

ThebeststartingpointtogetintouchwiththeVeeamPowerShellpluginistoreadtheVeeamPowerShellUserGuide>VeeamHelpCenter-PowerShellReference.

Automation

277

https://helpcenter.veeam.com/docs/backup/vsphere/silent_mode.html?ver=95

https://helpcenter.veeam.com/docs/backup/vsphere/update_unattended.html?ver=95

http://www.veeam.com/blog/veeam-backup-free-edition-now-with-powershell.html

https://helpcenter.veeam.com/docs/backup/powershell/getting_started.html?ver=95

YoucanfindhelpforthescriptsintheVeeamCommunityForums-PowerShellsection.Ifyouneedsomeexamples,refertothefollowingthread:GettingStartedandCodeExamples

RESTfulAPIIntheVeeamEnterpriseManager,thereisaswellRESTfulAPIthatallowsyoutocreateworkflowsinorchestrationtoolsortointegrateVeeamBackupEnterpriseManager(self-services)inyourown“cloud”portal.Specifically,thisisanoptionthatcomeswithEnterprisePlusEditionsandisfocusedonthehostingbusiness.

Hereisalistofexternalresources:

VeeamHelpCenter-RESTfulAPIReferenceVeeamCommunityForumsVeeamHelpCenter-BeginnerExample

Automation

278

http://forums.veeam.com/powershell-f26/

https://forums.veeam.com/powershell-f26/getting-started-and-code-examples-t13372.html

https://helpcenter.veeam.com/docs/backup/rest/overview.html?ver=95

http://forums.veeam.com/restful-api-f30/

https://helpcenter.veeam.com/docs/backup/rest/beginner_example.html?ver=95

InfrastructureHardeningRunningyourVeeamBackup&Replicationinfrastructureinasecureconfigurationisadauntingtaskevenforsecurityprofessionals.ThischapterprovidespracticaladvicetohelpadministratorstohardentheirinfrastructurefollowingsecuritybestpracticessothattheycanconfidentlydeploytheirVeeamservicesandlowertheirchancesofbeingcompromised.

Hardeningisaboutsecuringtheinfrastructureagainstattacks,byreducingitsattacksurfaceandthuseliminatingasmanyrisksaspossible.Oneofthemainmeasuresinhardeningisremovingallnon-essentialsoftwareprogramsandutilitiesfromthedeployedVeeamcomponents.Whilethesecomponentsmayofferusefulfeaturestotheadministrator,iftheyprovide‘back-door’accesstothesystem,theymustberemovedduringthehardeningprocess.

Butalso,creatingvisibilityinwhatgoesonintheinfrastructureispartofhardeningyourinfrastructure.Makingsureyouwillnoticewhenanattackis/orhastakenplaceandthenmakingsurelogsandtracesaresavedforlaw-enforcementandsecurityspecialistswhenneeded.

ProtectProtectingyourinfrastructuresuccessfullyisallaboutunderstandingwhatandwhomyouareprotecting,yourVeeaminfrastructure,against.Ifyouknowwhatandwhomyouareprotectingagainst,makesiteasiertotakethecorrectcountermeasures.Oneofthosecountermeasuresishardening.

LookingatthedifferentVeeamBackup&Replicationcomponentsyouhavetoprotectthefollowingcomponents:

VeeamBackupserverUserAccountsBackuprepositoriesBackupdataflows

ConsidertheVeeamBackup&ReplicationservertobetheNumber1targetonyourinfrastructureanditshouldhaveveryrestrictedaccess.Asageneralrulethebackupserveristhesinglegreatesttargetahackercanclaimonyournetwork.Alsothebackuprepositorieswhichholdsthebackupfilesareaprimarytarget.


279

HardeningWithinthehardeningprocessofyourVeeaminfrastructurethereareafewstepseveryoneshouldalwaysconsiderandactupon,namely:

1. SecurebyDesign

2. RemoveUnusedComponents

3. ConsoleAccess

4. RolesandUsers

5. RequiredPermissions

6. Encryption

7. Backup&ReplicationDatabase

8. Segmentation

9. Visibility

10. RecoveryStrategy

SecurebyDesignOverlycomplexdesignsbecomeharderfortheITteamtomanageandoverlookanditmakesiteasierforanattackertoexploitandstayintheshadows.Simplerdesignsthatcanbeeasilyoverviewedareinbasismoresecure.Addingsecuritytoanalreadyexistinginfrastructureismuchharderandcostlythanthinkingaboutitwhiledesigninganeworrefreshinganexistinginfrastructure.Inavirtualinfrastructure,itisgoodusetobuildupaMasterimagewhichhasbeenhardenedfromthestart.RemovingallknownattackvectorsandonlyopenupaccesswhenVeeamcomponentsareaddedandneedsspecific(port)openingsorextrasoftwaretofunctionproperly.Thiswayallbuildsareconsistentandkeptup-to-datewhichmakesitsecureinthebasis.

ConsidertheVeeamBackup&ReplicationservertobetheNumber1targetonyourinfrastructureanditshouldhaveveryrestrictedaccess.Asageneralrulethebackupserveristhesinglegreatesttargetahackercanclaimonyournetwork.

RemoveUnusedComponents


280

Removeallnon-essentialsoftwareprogramsandutilitiesfromthedeployedVeeamcomponents.Whiletheseprogramsmayofferusefulfeaturestotheadministrator,iftheyprovide‘back-door’accesstothesystem,theymustberemovedduringthehardeningprocess.Thinkaboutadditionalsoftwarelikewebbrowsers,java,adobereaderandsuch.AllpartswhichdonotbelongtotheoperatingsystemortoactiveVeeamcomponents,removeit.Itwillmakemaintaininganup-to-datepatchlevelmucheasier.

VeeamBackup&ReplicationServer

RemovetheBackup&ReplicationConsolefromtheVeeamBackup&Replicationserver.Theconsoleisinstalledlocallyonthebackupserverbydefault.SwitchofftheVeeamvPowerNFSServiceifyoudonotplanonusingthefollowingVeeamfeatures:SureBackup,InstantRecovery,orOther-OSFileLevelRecovery(FLR)operations.

HowtoremovetheVeeamBackup&ReplicationConsole

TheConsolecannotberemovedthroughtheinstallerorbyusingAdd/RemoveinWindows.Openacmdpromptwithadministrativeaccess.Onthecommandprompttype:wmicproductlistbrief>installed.txtthiswillcreateatextdocumentwithallinstalledproductsandtheirrespectiveProductCodes.

ForuninstallingVeeamBackup&ReplicationConsole,firstde-installallVeeamExplorers:

VeeamExplorerforMicrosoftExchangeVeeamExplorerforMicrosoftSharepointVeeamExplorerforMicrosoftActiveDirectoryVeeamExplorerforMicrosoftSQLVeeamExplorerforOracle

Youcanuninstallthesecomponentsbyusing:msiexec/x{ProductCode}

ExampleforuninstallingtheVeeamBackup&Replicationconsoleis:msiexec/x{D0BCF408-A05D-45AA-A982-5ACC74ADFD8A}

EnterpriseManager

WhenEnterpriseManagerisnotinusede-installitandremoveitfromyourenvironment.

ConsoleAccessTheVeeamBackup&Replicationconsoleisaclient-sidecomponentthatprovidesaccesstothebackupserver.TheconsoleletsseveralbackupoperatorsandadminslogintoVeeamBackup&Replicationsimultaneousandperformallkindofdataprotectionanddisaster


281

recoveryoperationsasifyouworkonthebackupserver.

InstalltheVeeamBackup&Replicationconsoleonacentralmanagementserverthatis,positionedinaDMZandprotectedwith2-factorauthentication.DoNOTinstalltheconsoleonthelocaldesktopsofbackup&recoveryadmins.

RolesandUsersDeployanAccessControlpolicy,managingaccesstomanagementcomponentsiscrucialforagoodprotection.Usetheprincipleofleastprivilege.Providetheminimalprivilegeneededforsomeoperationtooccur.Anattackerwhogainedhigh-privilegeaccesstobackupinfrastructureserverscangetcredentialsofuseraccountsandcompromiseothersystemsinyourenvironment.Makesurethatallaccountshaveaspecificroleandthattheyareaddedtothatspecificgroup.

Containmenttokeeptheattackersfrommovingaroundtooeasily.Somestandardmeasuresandpoliciesare:

Donotuseuseraccountsforadminaccess,reducingincidentsandaccidentsGiveeveryVeeamadminhisownadminaccountoraddtheiradminaccounttotheappropriatesecuritygroupwithinVeeam,fortraceabilityandeasyaddingandremovalOnlygiveoutaccesstowhatisneededforthejobLimituserswhocanloginusingRemoteDesktopand/orVeeamBackupConsoleAdd2-factorauthenticationtohighlyvaluableassetsMonitoryouraccountsforsuspiciousactivity

Aroleassignedtotheuserdefinestheuseractivityscope:whatoperationsinVeeamBackup&Replicationtheusercanperform.Rolesecuritysettingsaffectthefollowingoperations

Passwordmanagementpolicy

UseacleverPasswordmanagementpolicy,whichworksforyourorganization.Enforcingtheuseofstrongpasswordsacrossyourinfrastructureisavaluablecontrol.It’smorechallengingforattackerstoguesspasswords/crackhashestogainunauthorizedaccesstocriticalsystems.

Selectingpasswordsof10characterswithamixtureofupperandlowercaseletters,numbersandspecialcharactersisagoodstartforuseraccounts.

ForAdminaccountsadding2-factorauthenticationisalsoamusttosecuretheinfrastructure.


282

https://helpcenter.veeam.com/docs/backup/vsphere/users_roles.html?ver=95

Andforserviceaccountsuse25+characterscombinedwithapasswordtoolforeasiermanagement.AnAdmincancopyandpastethepasswordwhenneeded,increasingsecurityoftheserviceaccounts.

Lockoutpolicy

UseaLockoutpolicythatcomplementsacleverpasswordmanagementpolicy.Accountswillbelockedafterasmallnumberofincorrectattempts.Thiscanstoppasswordguessingattacksdeadinthewater.Butbecarefulthatthiscanalsolockeveryoneoutofthebackup&replicationsystemforaperiod!Forserviceaccounts,sometimesitisbetterjusttoraisealarmsfast.Insteadoflockingtheaccounts.Thiswayyougainvisibilityintosuspiciousbehaviortowardsyourdata/infrastructure.

RequiredPermissionsUsetheprincipleofleastprivilege.Providetheminimalrequiredpermissionsneededfortheaccountstorun.TheaccountsusedforinstallingandusingVeeamBackup&Replicationmusthavethefollowingpermissions.

IfVMwarevCenterServerisaddedtothebackupinfrastructure,anaccountthathasadministratorpermissionsisrequired.Insteadofgrantingadministratorpermissionstotheaccount,youcanconfiguremoregranularpermissions.Veeamhasidentifiedtheminimumpermissionsrequiredforthevarioussoftwarefunctions.Reviewthe"RequiredPermissions"document(notchangedsinceV9.0)andconfiguretheaccountsusedbyVeeamBackup&Replicationtomeettheserequirements.

Particularly,backupproxiesmustbeconsideredthetargetforcompromise.Duringbackup,proxiesobtainfromthebackupservercredentialsrequiredtoaccessvirtualinfrastructureservers.Apersonhavingadministratorprivilegesonabackupproxycaninterceptthecredentialsandusethemtoaccessthevirtualinfrastructure.

PatchingandUpdates

Patchoperatingsystems,software,andfirmwareonVeeamcomponents.Mosthackssucceedbecausethereisalreadyvulnerablesoftwareinusewhichisnotup-to-datewithcurrentpatchlevels.SomakesureallsoftwareandhardwarewhereVeeamcomponentsarerunningareup-to-date.OneofthemostpossiblecausesofacredentialtheftaremissingguestOSupdatesanduseofoutdatedauthenticationprotocols.Tomitigaterisks,followtheseguidelines:


283

https://helpcenter.veeam.com/docs/backup/vsphere/required_permissions.html?ver=95


EnsuretimelyguestOSupdatesonbackupinfrastructureservers.InstallthelatestupdatesandpatchesonbackupinfrastructureserverstominimizetheriskofexploitingguestOSvulnerabilitiesbyattackers.

ChoosestrongencryptionalgorithmsforSSH.TocommunicatewithLinuxserversdeployedaspartofthebackupinfrastructure,VeeamBackup&ReplicationusesSSH.MakesurethatfortheSSHtunnelyouuseastrongandprovenencryptionalgorithm,withsufficientkeylength.Ensurethatprivatekeysarekeptinahighlysecureplace,andcannotbeuncoveredbya3rdparty.

EncryptionBackupandreplicadataisahighlypotentialsourceofvulnerability.Tosecuredatastoredinbackupsandreplicas,followtheseguidelines:

Ensurephysicalsecurityoftargetservers.Checkthatonlyauthorizedpersonnelhaveaccesstotheroomwhereyourtargetservers(backuprepositoriesandhosts)reside.

Restrictuseraccesstobackupsandreplicas.Checkthatonlyauthorizedusershavepermissionstoaccessbackupsandreplicasontargetservers.

Encryptdatainbackups.UseVeeamBackup&Replicationinbuiltencryptiontoprotectdatainbackups.Toguaranteesecurityofdatainbackups,followEncryptionBestPractices.

Backupandreplicadatacanbeinterceptedin-transit,whenitiscommunicatedfromsourcetotargetoveranetwork.Tosecurethecommunicationchannelforbackuptraffic,considertheseguidelines:

Isolatebackuptraffic.Useanisolatednetworktotransportdatabetweenbackupinfrastructurecomponents—backupserver,backupproxies,repositoriesandsoon.(alsoseesegmentation)

Encryptnetworktraffic.Bydefault,VeeamBackup&Replicationencryptsnetworktraffictravelingbetweenpublicnetworks.Toensuresecurecommunicationofsensitivedatawithintheboundariesofthesamenetwork,youcanalsoencryptbackuptrafficinprivatenetworks.Fordetails,seeEnablingNetworkDataEncryption.

Backup&ReplicationDatabase


284

https://helpcenter.veeam.com/docs/backup/vsphere/encryption_best_practices.html?ver=95

https://helpcenter.veeam.com/docs/backup/vsphere/enable_network_encryption.html?ver=95

TheBackup&Replicationconfigurationdatabasestorescredentialstoconnecttovirtualserversandothersystemsinthebackup&replicationinfrastructure.Allpasswordsstoredinthedatabaseareencrypted.However,auserwithadministratorprivilegesonthebackupservercandecryptthepasswords,whichpresentsapotentialthreat.

TosecuretheBackup&Replicationconfigurationdatabase,followtheseguidelines:

Restrictuseraccesstothedatabase.CheckthatonlyauthorizeduserscanaccessthebackupserverandtheserverthathoststheVeeamBackup&Replicationconfigurationdatabase(ifthedatabaserunsonaremoteserver).Encryptdatainconfigurationbackups.Enabledataencryptionforconfigurationbackuptosecuresensitivedatastoredintheconfigurationdatabase.Fordetails,seeCreatingEncryptedConfigurationBackups.

SegmentationAddlocalprotectionmechanics,inadditiontotheborderfirewalls,intrusiondetection,patchingandsuch.Youcanmakeuseoflocalmechanisms,likeup-to-dateanti-malware,firewallsandnetworksegmentation.Thiswayyoucreatedifferentrings-of-defenseslowinganattackerdown.

Agoodpracticeistoplacethebackuprepositoriesinaspecialsegmentnotaccessiblebyanyuser.Likeforinstancetheproductionstorageisonlyavailabletothevirtualinfrastructurecomponentsandapplicationservers.Notdirectlyaccessiblebyanyuser!

TosegmentyourinfrastructureandVeeamBackup&Replicationcomponents,makesurethefirewallsonthelocalserverinstallationshavethecorrectPortsopened.

YoucanalsodeployVMwareNSXasacountermeasurewithmicro-segmentationtomakesuretheattacksurfaceisasnarrowaspossiblewithoutblockingeveryonetousetheservices.Visibilityintothenetworkandalldataflowsiscrucialtohelpyouprotectalldifferentrings/cellswithinyourinfrastructure.YoucanaddtheVeeamcomponentstoNSXpoliciestomakesuretheycancommunicatewitheachotherwithoutopeningituptoanyuser.

Ports

TrynottouseobscureportsandothertrickstotryandhideVeeamportsandprotocolsinuse,whilethismaylooklikeagoodchoice.Inpracticethisoftenmakestheinfrastructurehardertomanagewhichopensotherpossibilitiesforattackers.Obscurityisnotsecurity!

YoucancheckwhichportsareinusebywhichserviceonaWindowssystembyusing:


285

https://helpcenter.veeam.com/docs/backup/vsphere/config_backup_encrypted.html?ver=95


https://blogs.vmware.com/networkvirtualization/2016/06/micro-segmentation-defined-nsx-securing-anywhere.html/

netstat-bona>portlist.txtyoucanopenthetextfilewithforinstancenotepadportlist.txt

VisibilityToknowwhenyouareunderattackorhavebeenbreacheditisvitaltohavevisibilityinthewholedataflowpath.Youshouldbeabletoknowwhatis‘normalbehavior’andwhatisNOT.MonitoryouraccountsandVeeaminfrastructureforsuspiciousactivity.Placevirtualtrip-wires,likee.g.creatinganon-usedadminaccountwithalarmstiedtoit.Whenanyactivityonthataccountisobserved,itwilltriggeraredalertinstantly.Thereareseveralsystemsouttherethatcanhelpyoubyalertingsuspiciousbehaviorsoyougetawarethatsomeoneissnoopingaroundandistryingtogainaccesstoyourinfrastructure.VisibilityisKey!

Itisimportanttogetalertsassoonaspossiblewhiledefendingagainstotherattackslikeviruses,malwareandransomware.Thebiggestfearoftheseattacksisthattheymaypropagatetoothersystemsfast.Havingvisibilityintofore.g.potentialransomwareactivityisabigdeal.

ExampleSystemsthatcouldhelpyoucreatevisibilityare:

AsystemthatdetectspossibleransomwareactivityisVeeamONE9.5.Thereisapre-definedalarmcalled“Possibleransomwareactivity.”ThisalarmwilltriggerifthereisahighCPUutilizationcombinedwithlotsofwritestodisk.

VMwarevRealizeNetworkInsightcantakeVMs,objects,groupingsandtheirphysicalelementsandeasilyfingerprinttheapplicationanddeterminetheinternalandexternalflows,theclientconnections,etc.thiswayyougetananalysisofwhatis‘normal’behaviorandwhatisnot.

VMwarevCenterwithalertsthataretriggeredonvirtualtrip-wires.

RecoveryStrategyHavearecoverystrategyinplace,beforeyoufindoutyourinfrastructureisbreachedyoushouldknowwhattodowhenbeingcompromisedthroughattacks.Backupyourdataandmakesurethebackupscannotbeaccessedbyanattackertowipethemout.Anoffsitecopy(air-gap)orread-onlyonanymediaishighlyrecommendedtosurviveanyattack.

The3-2-1-0backuprule


286

https://www.veeam.com/wp-veeam-availability-suite-protection-against-ransomware-threats.html

The3-2-1ruleisverygeneralanditworksforalldatatypes(individualandcorporate)andallenvironmenttypes(physicalandvirtual).WhenbackingupVMwareorHyper-VenvironmentswithVeeam,thisrulebecomesthe“3-2-1-0backuprule”where0means“0errors”duringtheautomaticrecoverabilityverificationofeverybackupwithVeeam’sSureBackup.

VeeamBackup&Replication™canhelpyoutofulfillall3-2-1-0backuprulerequirements.

Haveatleastthreecopiesofdata:SetupBackupJobstocreateseveralbackupsforeachofyourVMwareorHyper-VVMs.

Storethecopiesontwodifferentmedia:Veeamisstorage-agnostic,meaningitsupportstapes,disks,thecloudandmore.Youcanstoreyourbackupstoanyofthelistedmedia.

Keeponebackupcopyoffsite:SetupBackupCopyJobstotransferyourbackupoffsitefasterwithbuilt-inWANacceleration,oruseVeeamBackupCloudEditiontostoreyourbackupstooneof15publicclouds,includingWindowsAzure,AmazonGlacier,GoogleCloudStorageandmore.

EducateyourStaff

Bydeployinganemployeeawarenesstrainingyoumakesurethatyouremployeesareawareofstrangebehaviorandoftheircriticalrolesinprotectingtheorganization’sservicesanddata.ThisisnotonlyfortheITdepartment,butforeveryonewithintheorganization,becauseeveryorganizationisbecominganITcompanyrapidly.


287

https://www.veeam.com/blog/how-to-follow-the-3-2-1-backup-rule-with-veeam-backup-replication.html

Backup&ReplicationAnatomyYoumighthaveabasicunderstandingofhowVeeamBackup&Replicationcomponentsinteract,butdoyouknowwhathappensindetailwitheachcomponentwhenyoubackupaVM,doastandardVMrestore,anInstantVMRestore,aWindowsFile-Levelrestore,orreplicateaVM?Thenextsectionsarededicatedtoexplainingindetailwhatactuallyhappensduringtheseprocesses.

Backup&ReplicationAnatomy

288

BackupThissectionprovidesastep-by-stepdescriptionofaVMwarevirtualmachinebackupprocessimplementedinVeeamBackup&Replication.

1.InitializationPhase

AbackupjobcanbestartedautomaticallyormanuallyintheVeeamBackup&Replicationconsole,VeeamBackupEnterpriseManagerwebconsole,bymeansofPowerShell,RESTfulAPIandother.

Intheinitializationphase,VeeamBackup&Replicationpreparesresourcesnecessaryforabackupjob.Tohelpyoubetterunderstandfirewallsettingsandconnectioninitiationflow,theprocessisillustratedbythediagram(seebelow):

1. Whenabackupjobisinitialized,theVeeamBackupManagerprocessisstartedontheVeeambackupserver.

2. VeeamBackupManagerreadsjobsettingsfromtheVeeamBackupconfigurationdatabaseandcreatesalistofVMtaskstoprocess(onetaskstandsforoneVMdisk).

3. VeeamBackupManagerconnectstotheVeeamBackupService.TheVeeamBackupServiceincludesaresourceschedulingcomponentformanagingalltasksandresourcesinthebackupinfrastructure.Theresourceschedulercheckswhatresourcesareavailable,andassignsbackupproxiesandrepositoriestoprocessthatjobtasksusingVeeam'sloadbalancing.

4. Afterthenecessarybackupinfrastructureresourceshavebeenassigned,VeeamBackupManagerconnectstotheTransportServicesonthetargetrepositoryandonthebackupproxy.TheTransportServices,intheirturn,starttheVeeamDataMovers.Onthebackupproxy,anewVeeamDataMoverisstartedforeachtaskthattheproxyisprocessing.

5. VeeamBackupManagerestablishesaconnectionwithVeeamDataMoversonthebackuprepositoryandbackupproxy,andsetsanumberofrulesfordatatransfer(suchasnetworktrafficthrottlingrules,andsoon).

6. VeeamDataMoversonthebackupproxyandrepositoryestablishaconnectionwitheachotherfordatatransfer.

Backup

289

7. VeeamBackupManagerconnectstothevCenterServerorESXihostandgathersmetadataaboutVMsandhostsengagedinthebackupprocess.Atthisstep,noconnectionbetweentheVeeambackupserverandVMguestnetworksisestablished.

2a.GuestProcessingforWindows-BasedVMs

ForVMswithMicrosoftWindowsguestOS,VeeamBackup&Replicationobtainsinformationabouttheguest’sIPaddressesfromVMwareTools.VeeamusestheseIPaddressestoconnecttotheguestOSandperformin-guestprocessingtasks(ifapplication-awareimageprocessingisenabled).

IfitisnotpossibletoconnecttotheguestOSortheconnectionisblockedbyafirewall,VeeamBackup&ReplicationtriestoestablishaconnectionusingVIX,asdescribedinsection2b.

Backup

290

2b.GuestProcessingforWindows-BasedVMs(VIX)

IfthereisnonetworkconnectivitytotheVMguestOS,VeeamBackup&ReplicationusesthecommunicationchannelprovidedbyVMwareTools(VIX)tointeractwiththeguestOSandperformin-guestprocessingtasks.

2c.GuestProcessingforLinux/Unix-BasedVMs

Backup

291

Ifpre-freezeandpost-thawscriptsareenabledinthebackupjobproperties,VeeamBackup&Replicationobtainsinformationabouttheguest’sIPaddressfromVMwareTools.VeeamusesthisIPaddresstoconnecttotheguestnetworkoverSSHandperformin-guestprocessingtasks.ScriptsresideonthebackupserverandareinjectedintheguestOSatthetimeofbackup.

IfthereisnonetworkconnectivitywithaLinux-basedVM,VeeamBackup&ReplicationwillnotfailovertotheVIXcommunicationchannel.Insuchcases,asanalternativemethod,youcanuseVMwareToolsquiescenceandletVMwareToolsrunthenecessaryscriptsthatwillneedtobecreatedinsidetheguestOS(seelocationdetailsforWindows/Linuxguestat:https://pubs.vmware.com/vsphere-50/topic/com.vmware.datarecovery.admin.doc_20/GUID-6F339449-8A9F-48C0-BE70-91A2654A79D2.html.

However,itisrecommendedtouseVeeam’sfunctionalitytocallpre-freezeandpost-thawscripts,asthismethodismorecontrollablebytheVeeamcode:allerrorsthatoccurduringthebackupprocessarewrittentoVeeamlogs(notVMwareTools).

3.CreatingaVMSnapshot

Now,VeeamBackup&ReplicationrequeststhevCenterServerorESXihosttoinitiateaVMsnapshotcreation.AVMsnapshotisrequiredtouseVMwareVADPbackupmethodsandleveragefeatureslikeVMwareChangedBlockTracking(CBT).

4.ReleasingtheGuestOSActivities

Backup

292

https://pubs.vmware.com/vsphere-50/topic/com.vmware.datarecovery.admin.doc_20/GUID-6F339449-8A9F-48C0-BE70-91A2654A79D2.html

RightaftertheVMsnapshotistaken,allquiesceddiskI/OactivitiesintheguestOSareresumed.

5.VMDataTransport

ToreadandtransferdatafromtheVMsnapshot,VeeamBackup&Replicationcanuseoneofthefollowingtransportmodes:

DirectSANAccess

VirtualAppliance(HotAdd)

Network(NBD)

Formoreinformationabouteachtransportmode,seeVeeamBackup&ReplicationUserGuideoracorrespondingsectionbelow.

5a.DirectSANAccessDataTransportMode

IntheDirectSANAccessmode,VeeambackupproxyconnectstotheESXihostwheretheVMresides,andreadsthenecessaryVMconfigurationfiles(suchas*.vmx).BackupproxiesuseVMconfigurationdetailstoreadVMdatadirectlyfromtheSAN.

5b.VirtualApplianceDataTransportMode

Backup

293

https://helpcenter.veeam.com/docs/backup/vsphere/transport_modes.html?ver=95

IntheVirtualAppliancetransportmode,VeeambackupproxyconnectstotheESXihostwheretheVMresides,andreadsthenecessaryVMconfigurationfiles(suchas*.vmx).VMdisksasofthesnapshotstatearehot-addedtoavirtualizedVeeambackupproxy.TheproxyreadsVMdataandunmapstheVMdiskswhenfinished.

5c.NetworkDataTransportMode

IntheNetworktransportmode,VeeambackupproxyconnectstotheESXihostwheretheVMresides,andreadsthenecessaryVMconfigurationfiles(suchas*.vmx).Inthismode,thesamedatachannelisusedtoreadVMdiskdata,too.

Backup

294

6.CommittingVMSnapshot

AfterVeeambackupproxyfinishesreadingVMdata,VeeambackupserverrequeststhevCenterServerorESXihosttoinitiateaVMsnapshotcommit.

Backup

295

VMRestoreThissectionprovidesastep-by-stepdescriptionofafullvirtualmachinerestoreprocessimplementedinVeeamBackup&Replication.


Intheinitializationphase,VeeamBackup&ReplicationpreparestheresourcesnecessaryforfullVMrecovery.Itperformsthefollowingsteps:

1. StartsthenecessaryprocessesontheVeeambackupserver.

2. ChecksavailablebackupinfrastructureresourcesandassignsaproxyserverfortransferringrestoredVMdatatothetargethost/datastore.

3. CommunicateswithTransportServicesonthebackupproxyandbackuprepositorywherethebackupfilesreside.\TransportServices,intheirturn,startVeeamDataMovers.VeeamDataMoversonthebackupproxyandrepositoryestablishaconnectionwitheachotherfordatatransfer.

4. ConnectstothevCenterServerorESXihostwheretherestoredVMwillberegistered.

2.RestoringVMConfiguration

VMRestore

296

VeeamBackup&ReplicationretrievesVMconfigurationdatafromthebackupandrestoresitonthechosenESXihost/datastore.Next,itinstructsVMwarevSpheretoregistertherestoredVMonthehost.IfauserselectstochangeVMconfiguration(forexample,diskformatornetworksettings)duringrestore,Veeammakesthenecessaryamendments.

3.CreatingVMSnapshot

VeeamBackup&ReplicationrequeststhevCenterServerorESXihosttoinitiateaVMsnapshotcreationontherestoredVM.

Important!AsnapshotisnottakenifaVMisrestoredtoaVVOLdatastoreduetovSphereVDDKlimitations(seehttp://pubs.vmware.com/Release_Notes/en/developer/vddk/65/vsphere-vddk-650b-release-notes.html).

VMRestore

297

http://pubs.vmware.com/Release_Notes/en/developer/vddk/65/vsphere-vddk-650b-release-notes.html

4.VMDataTransport

VeeamBackupManagerinstructsVMwarevSpheretocreatevirtualdisksfortheVM.

TowriteVMdiskdatatothetargetdatastore,VeeamBackup&Replicationcanuseoneofthe3transportmodes:

DirectSANAccess

VirtualApplicance(HotAdd)

Network(NBD)

Formoreinformationabouteachtransportmode,seeVeeamBackup&ReplicationUserGuideandthecorrespondingsectionsofthisdocument.

4a.DirectSANAccessDataTransportMode

ThismodeisavailableonlyforVMsthathavealldisksinthickprovisioning.

IntheDirectSANAccessmode,VeeamBackup&ReplicationconnectstotheESXihostwheretherestoredVMisregistered.TheESXihostlocatestheVMdisks,retrievesmetadataaboutthedisklayoutonthestorage,andsendsthismetadatatothebackupproxy.ThebackupproxyusesthismetadatatocopyVMdatablockstothedatastoreviaSAN.

VMRestore

298

https://helpcenter.veeam.com/docs/backup/vsphere/transport_modes.html?ver=95

4b.VirtualApplianceDataTransportMode

IntheVirtualAppliancetransportmode,VMdisksfromthebackuparehot-addedtoavirtualizedVeeambackupproxy.TheproxyconnectstotheESXihostwheretherestoredVMresidesandtransfersdiskdatatothetargetdatastorethroughtheESX(i)I/Ostack.Whenthedatatransferprocessisfinished,disksareunmappedfromthebackupproxy.

VMRestore

299

4c.NetworkDataTransportMode

IntheNetworktransportmode,VeeambackupproxyconnectstotheESXihostwheretherestoredVMresides,andwritesVMdiskdatatothetargetdatastorethroughtheLANchannel.

5.CommittingVMSnapshot

AftertheproxyfinisheswritingVMdiskdata,VeeamBackup&ReplicationrequeststhevCenterServerorESXihosttoinitiateasnapshotcommitfortherestoredVM.

VMRestore

300

VMRestore

301

InstantVMRecoveryThissectionprovidesastep-by-stepdescriptionoftheInstantVMRecoveryprocessimplementedinVeeamBackup&Replication.


Intheinitializationphase,VeeamBackup&ReplicationpreparesresourcesnecessaryforInstantVMRecovery.Itperformsthefollowingsteps:

1. StartstheVeeamBackupManagerprocessontheVeeambackupserver.

2. CheckswiththeVeeamBackupServicewhetherthenecessarybackupinfrastructureresourcesareavailableforinstantVMRecovery.

3. CommunicateswiththeTransportServiceonthebackuprepositorytostartVeeamDataMover.

2.NFSMapping

Whenbackupinfrastructureresourcesareprepared,VeeamBackup&ReplicationmapsanemptyNFSdatastoretotheselectedESXihost.ItusestheVeeamvPowerNFSServiceforthispurpose.

InstantVMRecovery

302

Next,VeeamBackup&ReplicationcreatesintheVeeamNFSdatastoreVMconfigurationfilesandlinkstovirtualdiskfiles.Virtualdiskfilesremaininthebackupontherepository,whileallchangestothesefilesarewrittentothecachefile.

3.RegisteringandStartingVM

TheVMrunsfromtheVeeamNFSdatastore.VMwarevSpheretreatstheVeeamNFSdatastoreasanyregulardatastore.Forthisreason,withtherecoveredVMyoucanperformallactionsthatvCenterServer/ESXisupportsforregularVMs.

TomigrateVMdiskdatatoaproductiondatastore,useVMwareStoragevMotionorVeeamQuickMigration.Fordetails,seeVeeamBackup&ReplicationUserGuide.

InstantVMRecovery

303

https://helpcenter.veeam.com/docs/backup/vsphere/migration_job.html?ver=95

InstantVMRecovery

304

WindowsFile-LevelRestoreThissectionprovidesastep-by-stepdescriptionofMicrosoftWindowsfile-levelrestoreprocessforaVMwarevirtualmachineimplementedinVeeamBackup&Replication.


Intheinitializationphase,VeeamBackup&ReplicationpreparesresourcesnecessaryforMicrosoftWindowsfile-levelrestore.Itperformsthefollowingsteps:

1. CheckswiththeVeeamBackupServicewhetherthenecessarybackupinfrastructureresourcesareavailableforMicrosoftWindowsfile-levelrestore.

2. StartsVeeamDataMoversontheVeeambackupserverandbackuprepository.

3. MountsthecontentofbackupfilestothebackupserverwiththehelpofVeeam’sproprietarydriver.

Thebackupfilesremainonthebackuprepository.GuestfilesinsidethebackupcanbeaccessedinVeeamBackupbrowserorMicrosoftWindowsFileexploreronthebackupserver,mappedbydefaultintheC:\VeeamFLRfolder(canbechangedviaregistrykey).

2a.RestoringWindowsGuestOSFiles(Network-Based)

TorestoreguestfilesbacktotheoriginalVM,VeeamBackup&ReplicationestablishesaconnectionwiththeVMGuestOS.ItobtainsinformationabouttheguestIPaddressfromVMwareTools.VeeamusesthisIPaddresstoconnecttotheguestOSandperformin-guestfilerecovery.


305

2b.RestoringWindowsGuestOSFiles(Networkless)

IfthereisnonetworkconnectivitywiththeVMguestOS,VeeamBackup&ReplicationusesthecommunicationchannelprovidedbyVMwareTools(VIX)tointeractwiththeguestOSandperformin-guestfilerecovery.

3.DismountingBackupContent


306

AfterallrestoreactivitiesarecompletedandtheuserclosestheVeeamBackupbrowser(orthebrowserisclosedbytimeout),thecontentofthebackupfilesisdismountedfromthebackupserver.


307

ReplicationThissectionprovidesastep-by-stepdescriptionofaVMwarevirtualmachinereplicationprocessimplementedinVeeamBackup&Replication.

Inmanyaspects,thereplicationinitializationphaseissimilartotheinitializationphaseofthebackupprocess.VeeamBackup&Replicationstartsthenecessaryprocesses,buildsthelistofVMstoreplicate,assignsbackupinfrastructureresourcesforthejobandstartsVeeamDataMoversontwobackupproxies(sourceandtarget)andthebackuprepositorythatisusedforstoringreplicametadata.

Next,VeeamBackup&Replicationperformsin-guestprocessingtasks,triggersVMsnapshotcreation,registersareplicaVMonthetargethostandperformsdatatransferfromthesourcehostanddatastoretothetargethostanddatastore.Thesourceandtargetproxiescanuseoneof3availabledatatransportmodesforreadingdatafromsourceandwritingdatatotarget.

ThisdiagramillustratesthereplicationprocesswiththeNBDtransportmodeusedforreadingandwritingVMdata.ForexamplesoftheDirectSAN/NFSAccessandHotAddtransportmodes,seethe“BackupAnatomy”sectionaboveinthisAppendix.

NotethatVeeamusesbackuprepositorytostorereplicametadata.

ThefollowingdiagramillustratesapossibleplacementoftheVeeamBackup&Replicationcomponentsinadistributedenvironment,withaWANlinkbetweentheproductionandDRsites.

Replication

308

Replication

309

SizingandSystemRequirementsAppendixThisappendixisacumulativesectiononbasesizingmetrics,thereismuchmoretosizingaVeeamInfrastructureandperformingtothehighestlevel.Thesefigureshereareguidelinestofollowasastartingpoint.Eachsectionisinmuchmoredetailinitsrelativechapterintheguide,pleasereadeachsectionfirstandyouwillgainaninsightastowhythesenumbersarerecommended.

SizingwithVeeamiscumulativeinrespecttoconfigurations,ifyouwanttocreateanall-in-oneappliance(ApplianceModel)addalltheresourcerequirementstogether(CPU+Memory)tounderstandwhatintotalyouwillneed,thesamegoesifyouonlywishtohaveproxyandrepositoryinonehost.

PleasealsobearinmindthatthesefiguresreflectVeeam’sresourcerequirement,youmusttakethehostssystemrequirementsintoyourcalculation,thiswilldependonwhatyouareusingwhichiswhywehavenotdetailedithere.

VeeamBackupandReplicationmanagementserverresources.

RecommendedVeeambackupserverresourceconfigurationis:

MinimumResources

TheminimumComputeis2CPUcores.Minimummemory,10GBRAM.MinimumHDDspaceis60GB(inclusiveofLogs,vPowerNFS,VBRsoftware)Recommendationsforsizing.1CPUcore(physicalorvirtual)and5GBRAMper10concurrentlyrunningjobs.Forperjobbackupfiles:30VMsperjobForperVMbackupfiles:300VMsperjobBaseHDDis40GBforsoftwareinstalllocationPlanfor3GBlogfilespaceper100virtualmachines,witha24hourRPOvPowerNFSlocationwithreservecapacityof10GB(100GBperTBofspaceifyouplantodomanyrecoveriesorplanningSureBackuptestsrunningmanyvm’satthesametime)Extraspaceforguestindexingprocessingawindowshost:100MBper1Millionfiles(tempfilespace)ExtraspaceforguestindexingprocessingaLinuxhost:50MBper1Millionfiles(tempfilespace)

SizingSummary

310

StoragespaceforGuestindexingbeforeEnterprisemanagerflush:2MBper1millionfiles(compressed)

ProxyServerResources

Whensizingaproxyserverremember,theabilitytoexecuteataskontheproxywillbeaffectedbytherepositoriesabilitytoprocessallthetasksfromtheproxiesininfrastructure.Ifarepositoryhas20cores,thenthemaximumprocessedtaskswillbenomorethan20tasksfromanyproxyorgroupofproxiesinthebackendfabricofVeeam.

RecommendedVeeamProxyServersconfigurationsis:

1CPUcorepertask(ataskisavirtualharddrive)2GBRAMpertaskMinimumof500MBofHDDworkingspacepertask

Thisisbasedonaroundedfigureofferingapproximately30VMsinasinglebackupjobwhichwillfinisharoundan8hoursbackupwindowifinaperjobbackup,ifaperVMrepositoryisusedmorecanbeadded.PleasereadthesizingandrepositorysectionforafulldetaileddescriptionofparallelizationofworkloadsinaProxy.

RepositoryServerResources

Thisisnotaboutsizingforcapacityofyourrepositorybuttheresourcesrequiredtoaccommodatetheworkloadsformbackupsandrestores.

Whensizingarepositoryserverremember,theabilitytoexecuteataskontherepositorywillbeaffectedbytheproxy’sabilitytoprocessallthetasksfromtheproxy’s.Ifarepositoryhas20cores,thenthemaximumprocessedtaskswillbenomorethan20tasksfromanyproxyorgroupofproxiesinthebackendfabricofVeeamtothatrepository.

RecommendedVeeamRepositoryServerconfigurationsis:

1corepertask4GBpertaskHarddrivespaceiscalculatedbasedoffretentionpoints,typeofbackupused(full,Incremental,synthetic,foreverforwardincrementalorreverseincremental.)

Thereisamuchmoredetailedsectionintheguide.

SQLServerDatabaseSizingGuide

SizingSummary

311

VeeamBackup&ReplicationmayconsumehighamountsofCPUandRAMwhileprocessingbackuporreplicationjobs.ToachievebetterperformanceandloadbalancingitisnecessarytoprovidesufficientRAMandCPUresources.Ifpossible,followtheseguidelines:

ConcurrentJobs CPUs Memory

Upto25 2CPUs 4GBRAM

Upto50 4CPUs 8GBRAM

Upto100 8CPUs 16GBRAM

Note:ConcurrentlyrunningjobsincludeanyjobtypewithacontinuousschedulesuchasBackupCopyJobs.Whenrunningmorethan100jobsconcurrentlyincreasecomputeresourcesinlinewiththetableabovetomeettheresourceneedoftheworkload.VeeaminstallationpackageincludesSQLserver2012ExpressEdition,thebasiclimitationsofthissoftwareareasfollows:

Eachinstanceusesonlyupto1GBofRAMEachinstanceusesonlyupto4coresofthefirstCPUDatabasesizecannotexceed10GB

IfanyofthebelowapplyconsiderusingSQLstandardorEnterpriseeditions

Whenprotectingmorethan500VMsWhenusingFilestoTapejobsextensivelyWhenunabletoconfigureanexternalstagingserverWhendatabasesareusingadvancedfeaturesofMicrosoftSQLServer

SizingSummary

312

NetworkingDiagramsThereisadetailedlistofportsusedbyVeeamBackup&ReplicationavailableintheUserGuide,butsometimesamorevisualapproachishelpful–youcanusethediagramsbelowforthatpurpose.

NetworkingDiagrams

313


BackupServer

BackupServer

314

ProxyServerThefollowingportsarerequiredfortheproxyserver.

ProxyServer

315

RepositoryServerThefollowingportsarerequiredfortherepositoryserver.

ThefollowingportsarerequiredforvPowerNFS.

RepositoryServer

316

RepositoryServer

317

StorageIntegrationsThefollowingportsarerequiredforintegratedstorage.

StorageIntegration

318

DataValidationThefollowingportsarerequired,whenusingSureBackup,SureReplica,orOn-demandSandboxfromStorageSnapshots.

DataValidation

319

Application-awareImageProcessingThefollowingportsarerequiredforapplication-awareimageprocessingoverthenetwork.Ifnetworkportsarenotavailable,thebackupserverwillfailovertousingVIXviaVMwareTools.

Application-awareImageProcessing

320

EnterpriseManagerThefollowingportsarerequiredforEnterpriseManager

EnterpriseManager

321

table of contents - learnvmware.online · welcome to the best practices guide for veeam backup...

Documents