Blogs and podcasts
Bring your knowledge and expertise while creating blogs and podcasts
- 643 Topics
- 5,027 Comments
Veeam Backup for Microsoft Office 365: An object storage decision guide
Its getting hot … and cheap !Welcome back after a longer break since the last blogpost.Meanwhile I`m one of the main responsible german counterparts for Veeam Backup for Microsoft Office 365. Over the last month I saw a lot of different environments with various challenges, while there is a big transformation from on-premise repositories to object storage as well.Today I want to share my experience with the community.Whenever I`m involved in bigger projects, at some point in time we have a price discussion about repository costs with the customer. With the flexibility in Veeam you can choose whatever you want as a repository. There is no „vendor lock-in“ or any risk in loosing data if you want to change f.e the backup software in future.For sure there are some pros & cons when you are choosing your object storage repository. So let me start what you need to consider and why:ConsiderationsSize (always matters...): Your very first step to start your decision journey: Please use our c
Comparison of vSphere Transport Modes
Each time I talk to customers at installation dates or health-checks, I spend some time talking about vSphere transport modes. These are: Direct Storage Access, Storage Integration (I take this as a separate mode), Virtual Appliance and Network mode. This is a topic with a lot of facets still not widely known. Here I will try to compare these transport modes on the basis of some characteristics. Direct Storage AccessSecurity Honestly rather bad. Since production volumes are presented to a Veeam proxy host, a local admin/root can easily delete all volumes within seconds. Much better if the storage system is able to present volumes in read-only mode. Network As the name suggests, backup traffic is kept in storage network. Configuration Effort It is more complex to configure than other modes. This is also because you need to configure different layers like storage switches and arrays. You may have to configure the array with each new volumes for backup too. It could be more tricky to
Be aware: SteelSeries bug grants Windows 10 administrative rights plugging in a device
It is being found that the official app used in installing SteelSeries devices on Windows 10 can be exploited to grant Admin rights as discovered by some security research “Lawrence Amer“. As stated by BleepingComputers, the bug can be leveraged during the device startup process using a link in the License Agreement screen that is opened with SYSTEM privileges. A real SteelSeries device is not necessary to exploit the bug. Also, a bug was discovered in the Razer Synapse software that granted unauthorised admin access. Now, a similar bug was found in SteelSeries software that gives anyone who plugs in a device complete control over a Windows 10 PC with admin rights. Emulating a device also works: This discovery became known after news broke out about the Razer Synapse software as it was able to grant administrative privileges when connecting a Razer mouse or keyboard. This motivated the research from Jorhat, offensive security researcher Lawrence Amer (research team leader at 0xsp) foun
VEEAMON 2021 Delivery of gift
Hi all, Today I received two packages from TNT , being curious I opened them of course.The two packages are from VEEAM regarding the VEEAMON 2021 event. The first one is the Remote Racer, yeah we can play now .The second one is a sweatshirt from the VEEAMON 2021 event as a gift from Alfred, @Kseniya and @Rick Vanover for participating in the community during the event.BTW, a very nice and beautiful sweatshirt including the link to the awesome community and of course Alfred is present What an honour to receive this, I big thank you to Veeam, Alfred, @Kseniya and @Rick Vanover .Very nice receiving packages from Veeam...So for the people still waiting for a VEEAMON 2021 gift, no worries it will be delivered, just be patient . The longer it takes, the bigger the surprise is! regardsNico
[Post digest] Performance Best Practices for VMware Snapshots
Because backup of a vSphere VM almost always involves taking a vSphere snapshot, this VMware blog post will be interesting for every backup administrator. https://blogs.vmware.com/performance/2021/06/performance-best-practices-for-vmware-snapshots.htmlVMware has tested the performance impact of snapshots. Baseline performance is a VM without a snapshot. After that, performance testing is done with 1, 2 and more snapshots. Tested was default IO-tests and java application performance (SPECjbb). Tests included: vVOL, VMFS and vSAN.Test Results:Impact on vVOL depends on the storage system, because snapshots are taken there. VMs on VMFS have a huge performance penalty even with one snapshot. To be more exact: the first snapshot has the greatest impact! vSAN does not suffer much from snapshot with sequential workload. To be honest I think this is interesting to know but has no meaning in reality. SPECjbb does not show worse performance at all.Recommendations:Let snapshots exist as short as p
Windows Server 2022 Released – What to remember before you start upgrading!
Microsoft dropped a surprise on us today by releasing Windows Server 2022 to no fanfare at all. It’s been released today 18th August 2021, it will have mainstream support until the 13th October 2026 and will be considered end of life on the 14th October 2031 (how are we talking about the 2030’s already?!). This is evidenced in Microsoft’s updated Windows Server Release Information document.If you’re looking to grab an evaluation copy of Windows Server 2022 you can do so here. Alternatively if you have a suitable agreement with Microsoft you can also download a copy from VLSC or MSDN.Interested to learn what’s new in Windows Server 2022? You can check out Microsoft’s post on the subject here. IMPORTANT: Microsoft are making TPM 2.0 support mandatory, if you’re looking to install onto existing hardware, be sure you meet the hardware requirements. Supported Platforms Realistically it’s going to be premature to start migrating your entire environment to Windows Server 2022, but in the inte
3 cloud monte
Another video from the quick and nerdy series. This video is half how-to half showcase of the true flexibility of Veeam and cloud data protection. It starts with taking a backup of an EC2 instance with VBAWS, using a VBR server to backup copy job to a SOBR with Wasabi and finally using that Wasabi bucket to Natively restore to Azure. This one had a lot of moving parts so it went a little over the 10-15 minute structure but it’s worth a watch!
Monitoring of Capacity Tier Jobs and Tasks
Greetings Community,I have been working for a few weeks on parsing all things Veeam Logs, deep stuff that is for sure. On this specific Post I want to cover the Monitoring of the Capacity Tier Jobs and Tasks.This is work in progress, so I am writing this post seeking help from you, to try it on your lab, or on your environments (always remembering it is Community Stuff and not supported)System RequirementsYou should have Telegraf+InfluxDB+Grafana installed Grafana should be the version 8.0.2 - In case you have an inferior version, or superior, please just run this sudo apt-get install grafana=8.0.2 You should have telegraf installed on the VBR, I hope properly configured sending metrics to your InfluxDB. Ping me if need anything. But it is really simple. The telegraf.conf at the end should contain this at the end of the file (this is the fairy dust that makes us fly :))# Offload Job - ID and final status[[inputs.tail]] files = ["C:\\ProgramData\\Veeam\\Backup\\*\\Offload*.log"] from_
VMCA 2022 Released!
Afternoon everyone! I just found out that Veeam have released the VMCA 2022 course and exam. We’ve had a few discussions around this exam within the community as originally Veeam were intending for everyone to take the VMCA 2022 course prior to sitting the exam, however between then and now they’ve changed it. I checked my portal this morning and it showed the “Step 1. Attend a training course” as ticked. I checked with my account manager that this was intentional and they confirmed it’s no longer mandatory to redo the course if you’ve already got a VMCA v1.To find out more simply go to: Get Veeam Certified Now! and then click on the “Veeam Certified Architect” tab. FAQs:I took the VMCA v1 training course but never took the exam, what should I do? The VMCA v1 is expected to retire on 31st December 2021, either sit the exam or take the VMCA 2022 training course and work on that instead. Should I take the training course? Of course, it’s not always cost-effective for some people to take
What You Didn’t Know (or forgot) About Veeam Replication
Do you actively use Veeam Replication?If so, how long has it been since you’ve implemented it? For me, I don’t currently use it, but am in the process of getting it going again after about an 8yr hiatus. Not too much has changed since then, but there has been some enhancements you might not’ve known about, or some behavior you either didn’t know about or forgot. Below, I will be sharing some tidbits & behaviors I feel you should be aware of when making design decisions when implementing Veeam Replication.Before getting into the “Don’t Know/Forgot” items, let me briefly review how Replication works from a high-level. First, they are a job-driven task. You’ll need to set up a job and configure various settings. Next, depending on the source data you’re wanting to replicate, you can either replicate data directly from your production environment, or from other locations. I’ll touch more on this later. Lastly, the first run of Replication creates a fully functional VM on the target, an
Yet another Windows print spooler zero-day Vulnerability: Mitigate Windows Print Spooler Remote Code Execution – CVE-2021-36958
Microsoft has issued an advisory for another zero-day Windows print spooler vulnerability tracked as CVE-2021-36958 that allows local attackers to gain SYSTEM privileges on a computer. As stated by Microsoft, an attacker who successfully exploits this vulnerability could run arbitrary code with SYSTEM privileges.I you wish to have more detailed information on the development of this vulnerability, when it was first discovered, its workaround and patches released so far, please visit the following links.Unlike the previous exploits, this vulnerability affects for the Windows print spooler, Windows print drivers, and Windows Point and Print. For a detailed guide, please refer to this link. Here is a link to the video (Twitter trend) as discovered by Benjamin Delpy. How do you mitigate this issue? There isn’t a patch (update) as at the time of this writing. The good thing is, there is always a workaround.– You can disable the Print Spooler service or allow your device to install printers
Veeam Legend SWAG Revealed & Unboxed!
SPOILER Warning if you’re awaiting your swag, don’t watch the video!I was lucky enough to be selected as a Veeam Legend this year and luckier still to be one of the first to receive the swag by the amazing @Kseniya & @Rick Vanover (and of course Alfred).Check out my unboxing video below to see all the goodies If you’re still on the fence about the Veeam Legend programme, it’s been an amazing experience so far, I whole heartedly recommend it!
NKGG decides to dump AUTH0 and leverage a home grown Keycloak deployment for Kasten Authentication
Big News compliance Junkies have taken over NKGG’s and JuniorJoe’s company!!NKGG’s and JuniorJoe’s company was grabbed in a hostile takeover. A group of venture compliance junkies are now at the helm. The firm is now call Drdisasters.com. They specialize in taking DR testing to the limit so that it conforms completely with a compliance junkie’s dream, that is, Drdisasters.com will test your DR Plan by creating real life DR situations for your company. The next time an auditor asks, “how sure are you that the DR plan will work?” you can answer well we burned down our server room and implemented our DR plan and it worked wonderfully!!Now more than ever NKGG had to finalize his Kasten authorization setup. Come audit time the compliance gang would surely drill him on every aspect and he needed full control. Time to ditch the external authentication service and create his own.After some research he decided on using keycloak and the bitnami helm chart: https://bitnami.com/stack/keycloak/helm
Failed to connect to Veeam Backup and Replication server: How to fix Remote Channel Sink UriNotPublished, remote connection refused, and failed to start the service
Veeam Backup and Replication is comprehensive data protection and disaster recovery solution which is capable of creating image-level backups of virtual, physical servers, cloud machines, and restoration as well. You may encounter the following errors when installing the Veeam backup and replication tool “VEEAM service is unable to start, error 1064: An exception occurred in the service when handling the control request”. Therefore, I will be showing you the steps on how to resolve this issue very quickly. Here is a detailed link to this post.If you are here reading this troubleshooting guide "new Veeam Backup server but then Veeam won’t start", this means you must have recently installed Veeam Backup and Replication Server or must have recently upgraded it. As you can see from the images below, these are some errors I encountered while installing Veeam Backup and Replication in my test environment before deployment.The "Failed to start service / connect to Veeam" and "connection refus
Live-experience : restore guest files with Veeam vs competitor
This is a short story I recently experienced with a customer of mine…Some months ago we got a request from Veeam 😉 with an opportunity for a new customer. This customer was using a lot of standalone Hyper-V hosts in combination with Oracle databases and was using a competitor software as their backup solution.They were not happy about the stability of the product and neither about the delivered support of the backup-vendor. Therefore they were searching for other backup-vendors and of course they ended up at Veeam.They contacted Veeam because they wanted more information about the product and if Veeam could deliver a design that perfectly matches the requirements of the customer. Veeam transferred this opportunity to my company (being a gold MSP).The accountmanager of my company and myself had a meeting with this customer to know what their requirements were. Afterwards I created a design that perfectly matched all their requirements and even more 😉. The customer was very happy with
Automatically create vSphere roles to use with Veeam Backup & Replication V11
Good day everyone !In November 2020 I created a PowerCLI script which creates a vSphere role with cumulative permissions for Veeam Backup & Replication version 10.In the meantime VBR v11 was released and I needed to update that script and wanted to create “new awareness” of it. The fact that I see A LOT of Administrator@vsphere.local users being used with adding the vCenter to Veeam makes me nervous, that’s why I wanted to fight against this with a simple script so no one needs to manually go through the privileges. Now there is no excuse to use highly privileged user accounts !This PowerShell / PowerCLI script lets you create a new vCenter server role with all the cumulative privileges and permissions to use them with Veeam Backup & Replication V11.The privileges used are based on the recommendations out of the Veeam Help Center which you can find here: Cumulative Permission for VMware vSphere – Veeam Help CenterSimply execute the script and follow the steps to fill in the rel
Veeam - Hitachi Storage Plugin Installation How-To
Recently on July 21st, there was a new storage plugin release by @Veeam for the Hitachi storage arrays. It can be found here - Veeam - Hitachi Plugin. This plugin allows you to connect Veeam to your Hitachi storage arrays to leverage the SAN-based snapshots for your backups. Hitachi has also released documentation which can be found here - Hitachi - Veeam Plugin.Hitachi Plug-In for Veeam Backup & Replication supports integration with the following storage systems:VSP E590, E790, E990 (93-03-01-60/00 or later), VSP F350, F370, F700, F900 (88-07-01-x0/00 or later), VSP G350, G370, G700, G900 (88-07-01-x0/00 or later), VSP 5000 series (90-05-01-00/00 or later)Today I am going to walk through the installation and configuration of the plugin within the Veeam software. This will show how easy the plugin is to install and configure within the Veeam environment. One thing to note is that you need to take a look at the Hitachi documentation so that you can configure the access for the
BitLocket Back Door: TPM Only
This is a recent research by security specialists of the Dolos Group to determine if an attacker can access the organisation network from a stolen device and also perform lateral network movement.They were handed a Levovo Laptop preconfigured with the standard security stack for this organization. No prior information about the laptop, test credentials, configuration details, etc were given. They stated it was a 100% blackbox test.Once the got hold of the device, they headed straight to work and performed some reconnaissance of the laptop (BIOS settings, normal boot operation, hardware details, etc) and noted a lot of best practices were being followed, negating many common attacks. For example:Pcileech/DMA attacks were blocked because Intel’s VT-d BIOS setting was enabled. All BIOS settings were locked with a password. The BIOS boot order was locked to prevent booting from USB or CD. Secureboot was fully enabled and prevented any non-signed operating systems. Kon-boot auth bypass did
NKGG leverages AUTH0 external authentication to protect the Kasten setup from Junior Joe!
The Notorious Kube Genius Geoff had a problem.After saving the company's Kasten setup by doing a DR restore he was told that Junior Joe’s full access to the cluster would be removed but he still needed access to Kasten to perform his duties which involved only certain functions with policies. NKGG referenced the Kasten documentation concerning Authentication and decided it was time to leverage Open ID connect to do this and in that manner limit Junior Joe’s access.https://docs.kasten.io/latest/access/authentication.html#openid-connect-authenticationThis was going to be no walk in the park. NKGG had never ventured into this area of IT before so he decided to read up on the protocol itself and found a great free resource:https://auth0.com/resources/ebooks/the-openid-connect-handbookThe handbook was offered by Auth0 and they had a free plan to start out with so NKGG decided to give their service a try. You can sign up for free here:http://Auth0: Secure access for everyone. But not just a
Veeam Backup & Replication Monitoring Feature: Tape Drive Alerts
Everyday is a school day, and today I found out something really cool that Veeam was doing, that I never knew about because “It Just Works”.I had an alert generated from a customer system today that I had never seen before. Now I’ve seen plenty of alerts for different backup issues, whether they’re caused by networks, BSODs, disk space constraints etc, but I got surprised by this completely new one. A Tape Drive Alert, but of an unexpected variety Warning: “TapeDrive alert: The voltage supply to the tape drive is outside the specified range.”As I said above, I’d never seen this warning before! I didn’t know that Veeam was tracking such attributes of the tape drives it uses. So I set about looking up the root cause of the problem and busted out some “Google-Fu” to find who else had these issues in the past and I found this page of Veeam Documentation:Tape Drive Alerts – Veeam Backup Guide for vSphereThis web page has all of the alert codes, the severity of the issue, a description about
How to install Veeam Backup and Replication 11 Community Edition with a dedicated SQL Server
Veeam Backup and Replication is comprehensive data protection and disaster recovery solution which is capable of creating image-level backups of virtual, physical servers, cloud machines, and restoration as well. The technology used in the product optimizes data transfer and resource consumption, which helps to minimize storage costs and the recovery time in case of a disaster. Veeam Backup and Replication provides a centralized console for administering backup, restore, and replication operations in all supported platforms (virtual, physical, and cloud environments). The prerequisite requires you to have a SQL Server already running in your environment. Please see "how to download and install Microsoft SQL Server 2019 Express Edition and Microsoft Management Studio on Windows Server", how to install Microsoft SQL Server 2019 and MsSQL Command line tools on Ubuntu Linux, and how to install MSSQL Server 2019 Developer Edition and SQL Server Management Studio on Windows. With Veeam Back
Why does Microsoft require additional system requirements? How to check if you have Secure Boot and TPM enabled
Windows 11 enables security by design from the chip to the cloud. Recently, Windows 11 was announced to raise security baselines with new built-in hardware security requirements that will give customers the confidence that they are even more protected from the chip to the cloud on certified devices. Windows 11 is redesigned for hybrid work and security with built-in hardware-based isolation, proven encryption, and our strongest protection against malware. Also, Windows 11 makes it easier for customers to get the most protection from these advanced attacks out of the box with the requirement of a TPM 2.0 chip to help ensure they benefit from security backed by a hardware root-of-trust. You may want to see Measured Boot, Secure Boot, Trusted Boot, and Early Launch Anti-Malware: How to secure the Windows 10 boot process, and Windows 11 Feature-specific, Hardware and Software Requirements: How to upgrade to Windows 11 from Windows 10 as a Windows Insider. Windows 11 focuses on increasing
PetitPotam attack on Active Directory Certificate Services: How to mitigate NTLM Relay PetitPotam attacks on AD CS
Recently, Lionel Gilles, a French-based Offensive Computer Security researcher based in Paris, France published a PoC tool on NTLM Relay Attack known as PetitPotam that exploits the MS-EFSRPC (Encrypting File Services Remote Protocol). PetitPotam is a classic NTLM Relay Attack, and such attacks have been previously documented by Microsoft along with numerous mitigation options to protect users. Here is an example of such documents: NT LAN Manager: How to prevent NTLM credentials from being sent to remote servers. Below are some related guides: Active Directory Authentication methods: How do Kerberos and NTLM work? how does cached domain logon work?, and What is Pass the Hash Attack and how to mitigate the attack. PetitPotam takes advantage of servers where the Active Directory Certificate Services (AD CS) is not configured with protections for NTLM Relay Attacks. The mitigations below outline to customers how to protect their AD CS servers from such attacks and help in mitigating the W
CVE-2021-36934 "HiveNightmare" Serious SAM - Windows 10/11 Elevation of Privilege Vulnerability
Hi all,a new 0Day vulnerability for Windows 10 clients has been released, the article also recommends deleting all the vss restore points and recreating themSecurity Update Guide - Loading - MicrosoftCheck Windows 10 for SeriousSAM and HiveNightmare Vulnerability Fix - Virtualization Howtohttps://github.com/GossiTheDog/HiveNightmarecommad check : icacls c:\windows\system32\config\samWorkaroundsRestrict access to the contents of %windir%\system32\configCommand Prompt (Run as administrator): icacls %windir%\system32\config\*.* /inheritance:eWindows PowerShell (Run as administrator): icacls $env:windir\system32\config\*.* /inheritance:eDelete Volume Shadow Copy Service (VSS) shadow copiesDelete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config. Create a new System Restore point (if desired).Impact of workaround Deleting shadow copies could impact restore operations, including the ability to restore data with third-party backu
Already have an account? Login
Login to the community
Log in with your Veeam account
Enter your username or e-mail address. We'll send you an e-mail with instructions to reset your password.