Blogs and Podcasts
Bring your knowledge and expertise while creating blogs and podcasts
There are two critical CVEs that affect Veeam Backup & Replication and account for two of the three critical Veeam Backup & Replication CVEs, and the most serious of the products affected. The Critical Veeam Backup & Replication vulnerability notes include: CVE-2022-26500 | CVE-2022-26501. CVE-2022-26500, CVE-2022-26501: These two CVEs in Veeam Backup & Replication allow executing malicious code remotely without authentication. This may lead to gaining control over the target system. This carries a CVSS rating of 9.8 and is classified as Critical. Cause? – The vulnerability is caused by the Veeam Distribution Service, which runs on TCP 9380 by default and allows unauthenticated users to access internal Veeam API functions. An attacker may send input to the Veeam API which may allow uploading and executing malicious code. It is worth noting that patches are available for Veeam 11a and 10a as follows: 11a – Build 126.96.36.1991 P20220302: https://www.veeam.com/kb4245?ad=in-text-l
It shouldn’t be news to you that Veeam B&R had 2 critical vulnerabilities (CVSS 9.8/8.8) in March 2022. Patches were released for v10a and v11a at that time. Here’s the corresponding KB article and a post from @Iams3le: Veeam KB4288. If you haven’t updated yet, then here’s another good reason. Last week the Cybersecurity & Infrastructure Security Agency (CISA) added both vulnerabilities to their known exploit catalog. This means that attackers are now actively exploiting the vulnerabilities and targeting environments which use Veeam B&R. CISA Known Exploited Vulnerabilities Catalog. I hope you don’t need more reasons to keep your Veeam installation up-to-date? Please also keep in mind that any other Veeam build below v10 is also affected. But as those are already End of Fix/Support, they didn’t receive any patches.
Just a quick post on an interesting issue with the Guest Credentials test in Veeam Backup & Replication we’ve seen last week. Instantly after clicking “Test Now” in the Guest Processing section of a certain backup job, an error was displayed. "Building list of machines to process Error: (Child group-vXYZ (Folder) for object XYZ was not found)" Normally you see such errors with vSphere when a certain object has been deleted or recreated. While Veeam displays names of objects, internally it works with MoRef IDs. So we’ve checked the job selection, custom credentials and the application aware processing settings. But all listed objects were still valid, especially no folders were used anywhere. We’ve contacted Veeam Support and had a remote session. The support engineer discovered some orphaned VM folders in the exclusions. After removing those, the error disappeared and the credential check worked again. From a logical point I thought those weren’t relevant for the check, so I didn’t c
A quick note on an important point that I missed originally in Microsoft’s announcement. As users are starting to find their basic authentication mechanisms are being actively disabled, Microsoft have provided one last mechanism to prevent a complete outage if you rely on basic authentication currently. Which Protocols Are Impacted? If you’re using basic authentication for any of the following protocols, you might find that suddenly it has stopped working: Exchange ActiveSync (EAS), Exchange Web Services (EWS), IMAP, MAPI, Offline Address Book (OAB), POP, Remote PowerShell, RPC. I Think This Impacts Me, What Do I Do? Microsoft are offering one final time to re-enable Basic Authentication, via the self-service diagnostics, direct link here. From this link, you can see which protocols are disabled, and choose a specific protocol that you can re-enable. Warning: Microsoft Are Serious This Time. Microsoft have stated that any protocols that are re-enabled will be automatically disabled in the first c
Network throttling is not used in every environment. Mostly in connection with branch offices. Here it is essential to not overload the connection to the headquarters. To throttle network before, you had to configure source and destination network and time windows to limit bandwidth for backup traffic. With v12 there are new features: Generally use public addresses for target range. Option to never throttle restore activities. Select a time frame to raise the limit.
Complementing my last post highlighting the Veeam software releases reaching end of support in 2023, I’m once again providing an expanded list of software that Veeam works with, that will be approaching end of life in 2023. Why does this matter when I’m just trying to protect the data? Times change, and software changes with them, until it’s no longer supported. At any point, a patch to an operating system, a .NET framework update, or anything else really, could end up with the software no longer being backed up properly, or not working at all in production. Without valid support there’s no process to get a fix, and whilst your backup software may still be in support with Veeam, if the vendor won’t fix the problem, it’s time to start panicking. With this in mind, let’s explore the software & operating systems being declared end of life in 2023 so we can start planning our upgrades/migrations if necessary. Microsoft We may as well start with one of, or potentially the largest softwar
Scenario: Very recently a customer asked me if Veeam could leverage Data Domain mtree replica for DR purposes. Of course, the answer is YES! While this idea is not new, I thought it would be a good reminder of Veeam’s backup import capabilities. Steps: You must use Data Domain repository on the source site. It most likely will be declared as a DDboost share. The mtree should be replicated to the DR site. Note that the mtree replica will be Read Only! The mtree replica needs to be exposed as a share over your protocol of choice (CIFS, DDboost), so it can be defined in the DR VBR server. In this example, I chose DDboost. Note again that this DDboost share is Read Only! The last step is to declare that DR DDboost share and import backups. You should now be able to access these backups from the “Disk (Imported)” section. Remember that you will have to manually rescan that repository in order to refresh new “mtree replicated” restore points.
The following error can occur in Veeam Enterprise Manager during catalog replication. Catalog replication is needed to transfer guest indexing information from the VBR server to the Enterprise Manager server. By default, replication task runs automatically after each backup job. You can trigger it manually within Enterprise Manager GUI. Just enter the Configuration section, select Settings and press Update Now. Log files can be seen beneath Sessions. Meta-file error: This error is about the meta-file that does not contain a certain attribute. Cause and solution: There is a meta-file for catalog replication on Enterprise Manager server. In some situations it may happen that this file is empty. I do not know exactly under what circumstances this can happen but the solution is simple. Just delete, or rename the empty file. File is located on the Enterprise Manager server in directory C:\VBRCatalog\Replication\InConnectors and is named VbrServerName.uuid.con. The next replication task should not sto
Veeam ONE v12 has been launched, and it is massive! Among so many other great features, I would like to extend today and focus on this particular new security feature, Auditing, as per the What’s New: When I saw that functionality, I was already so excited to see what level of audit we would have. How to enable Veeam ONE v12 Auditing? It is really easy under the Server Settings, you will find the section called Auditing, then mark what is most relevant for you. I would mark all of them: After we enable them, we can quickly go to our traditional Microsoft Windows Events Log, and we will find a new section called Veeam ONE. Inside this category, we can find different events, with event category, etc.: If you explore a bit more, you could filter by Event ID, so as a quick example: Event ID: 10006 - These are authentication anomalies, meaning wrong user/password. Event ID: 2 - These are usually Veeam ONE Settings changes, like a new password added, a new report saved/created, etc. Event ID: 3 -
In 2020, Microsoft announced the vNext editions of their popular SharePoint, Skype for Business, Project, and Exchange Server applications, due for release in the second half of 2021. However, as of the time of publication, only SharePoint and Project Server Subscription Editions are available. The other products have had their delays greeted with a wall of silence from Microsoft, until now. Whilst there’s still no word on if/when we’ll see Skype for Business Subscription Edition, the Microsoft Exchange team have provided an in-depth breakdown of what’s going on with Exchange Server Subscription Edition, and honestly, I’m impressed with their transparency. The Exchange Team Recommend Exchange Online, and 2019? It should come as no surprise that Microsoft recommend Exchange Online, after all, who knows Exchange better than Microsoft? But in Microsoft’s latest Exchange blog post, we see Microsoft also endorsing Exchange Server 2019 where there is a requirement to not utilise Exchange Onlin
Introduction: With backup direct to object being one of the most anticipated features in v12 AND with the ever-increasing number of cyber-threats, it is paramount to secure access to our buckets. In this series of posts, I will explore v12's direct to object capabilities and offer some suggestions to batten down the hatches. Note: For this post, I will use Wasabi and Minio as my Object Stores of choice. While some slight variations are expected, keep in mind that the same concepts should apply to any S3 compatible target. Restrict bucket access with a simple User IAM policy: You can find the Amazon S3 Object Storage Permissions in the User Guide for VMware vSphere and kb3151 highlights the required steps. Let's review what that looks like in Wasabi's console. For this example, I will configure a simple S3 bucket without immutability. Step 1: Create the policy as described in kb3151. This policy grants access to the <<orossisecurebucket01>> bucket to the identity it is associated wit
I thought I posted the following post already. But it seems I missed doing so. I also saw @PValsecchi posted similar content already. But I think I add some other details here, so I hope it is okay to post my stuff too. What is it about: One of the new v12 features will be the possibility to move backups between repositories. It’s not just new that this will be an option in the GUI, also fast cloning information will be moved. This means that synthetic fulls will not need more space on target repository than it uses on source! This feature is very useful when it comes to replacing old repository hardware with new one. How to move backup job data: In beta there are several ways to move backups from one repository to another. One way is to right-click Job Name beneath Disk and select Move backup. The following window will ask about the destination repository. I could see all repository types of my test environment: ReFS, XFS, object storage and Scale-Out backup repositories. When movement runs
This is part two of the blogpost. Part one can be found here: SOBR Archive Tier – Explained and Configured – Part 1 of 4 | Veeam Community Resource Hub. In this part we will discuss the reason behind having different tiers and how they appear within Microsoft Azure. Hot or Cool? – what’s it all about: S3 storage or blob storage as it is also called is offered by the hyperscalers in various flavors that basically differ in speed of access and the cost charged for the in- or egress of data as well as its storage. We can generally decide between hot, cool and archive for Microsoft Azure. This translates to Standard and Standard-IA (=infrequently accessed) with Amazon AWS. The concept behind is the same. In the following I will stick to the terminology as of Azure. The capacity tier of the SOBR allows us to leverage either “hot” or “cool” storage tiers from the portfolio the hyperscaler offers. Both tier modes have the same access methodology (API) and the main difference is: Hot: Higher stora
In the second part of the series “Migrating VBR to PostgreSQL [Part 2]” we will have a look at the migration itself. First of all: Update Veeam via the recommended way: https://helpcenter.veeam.com/docs/backup/vsphere/upgrade_vbr.html?ver=120 You will not be able to migrate the database with the upgrade itself. After the upgrade, you can use the following guide to migrate the configuration database to PostgreSQL: https://helpcenter.veeam.com/docs/backup/vsphere/vbr_config_migrate_to_postgresql.html?ver=120 This howto describes the 5 easy steps to do the migration based on the guide above. If you want to know how to install PostgreSQL on an external Debian-based server, check the howto in part 1 of this small series: https://community.veeam.com/blogs-and-podcasts-57/migrating-vbr-to-postgresql-part-1-4277 Step 1: Stop and disable all your jobs to make sure nothing changes while you are doing the migration. Step 2: Create a configuration database backup. Go to Main Menu → Configuration Backup: Ena
This Friday - I am presenting on SysAdmin Day 2022 with Sagi Brody - one of the Veeam Vanguards. But I need YOUR HELP - What is your best SysAdmin Story? I will feature it on the show and stream. Tell me a good one - I’ll share it! You can join the show to see if your session is featured also! This Friday at 11:00 AM New York time, Sagi and I will be LIVE on 4 Veeam social feeds (LinkedIn, Facebook, YouTube and Twitter) with a special stream. Join us on the LinkedIn feed here. I have a story that, for now, I will only refer to as “The Coworker” and Sagi will share his best SysAdmin Day story as well. But what is your best SysAdmin Day story? Do you have a save the day moment? What about those pesky dev is actually production situations? Believe it or not - the SysAdmins are still heroes. I would love to hear your stories and any appreciation story to go with it. Speaking of appreciation…. Veeam’s celebration of SysAdmin Day puts some prizes on the line. We are doing a lucky draw where you
Nowadays a lot of customers are using M365 and that’s a good choice! What are the most important components of this SaaS solution: Exchange Online, SharePoint Online, Teams, OneDrive for Business. Wow, instead of having your data on-premise we have it now in the public cloud! Is that a good idea? Yes, it’s running on a big high available infrastructure, always available and everywhere available whether we are at the office or at home. We are rid of upgrades – maintenance – security patches, just pay on a monthly basis and Microsoft does the rest for us. True? Absolutely not!!! Hmm, what do we still have to do as a customer? Taking care of the backups of all your data in M365!!! Is Microsoft not doing this for us, in our monthly fee? Not at all! That is one of the biggest misconceptions: Microsoft is not taking care of everything. In short: the customer is responsible for their own data in M365. Microsoft is not taking care of your data and is not taking backups and will never restore your data if need
Here I am talking about backup encryption, which is performed by Veeam. Not by a hacker. It is a good idea to enable this feature. Why monitor this? An attacker could enable backup encryption or change an existing encryption key without being noticed. If so, backup jobs continue to run without any problem. But you are not able to use them for restore because you simply cannot decrypt them! For monitoring encryption password changes, the reports Backup Objects Change Tracking and Backup Infrastructure Audit can be used. With these reports you see when an encryption password was created or modified. To control if somebody selected another encryption password from the list, use the report Job Configuration Change Tracking. For more information see my full feature blog post here: https://vnote42.net/2022/02/09/monitor-hardened-repository-with-veeam-one-v11a/
VMware has announced on August 3rd that vSphere ESXi 7.x is the last version supporting Apple Mac platform. https://kb.vmware.com/s/article/88698 Reason is that Apple is moving away from the x86 processor platform. With 7.0 the MacOS platform will be supported until EOL. Guest OS support for Mac is discontinued, too. macOS guest operating system may only be operated in VMs on vSphere ESXi hosts installed on Apple Mac hardware. https://kb.vmware.com/s/article/2015161
Oracle Retention for RMAN and Veeam Plugin Backup: When it comes to RMAN, Veeam acts as a storage location utilized by the Oracle SBT interface. Therefore, it is RMAN retention settings that are utilized to manage the backups generated when using the Veeam Plugin backup protection. Typical retention for application aware backup will focus on the most recent restore points and mark backups to be pruned per familiar Veeam retention policies and retention methods. With Oracle, an incremental strategy employs a combination of incremental level 0, incremental level 1 and incremental level 1 with cumulative incremental or stand alone full. Each of these backup types dictate what data RMAN will identify and capture to create backup sets. Data captured during any one of these types can be manipulated as desired by the user. Typically, an incremental level 0 backup will capture all files necessary to restore and recover a database including the Initialization or SPFILE, Control File, all databa
Hello, everyone, I wanted to share the sizing of an accelerated WAN infra and the differences between WAN Low bandwidth mode vs WAN High bandwidth mode. The DR consists of 6 replica VMs. Sizing for Low bandwidth under 100 MB: https://helpcenter.veeam.com/docs/backup/vsphere/wan_accelerator_sizing.html?zoom_highlight=sizing&ver=110 Using RVTool, extract the list of VMs with the total Original VM on Source VMware Tenant side: 1649 GB = 1.649 TB · The connection between the client and the DR is a 100 Mb. Server1 1024 GB Digest 2% 20.48 Microsoft Windows Server 2012 (64-bit); Server2 200 GB Digest 2% 4 Microsoft Windows Server 2012 (64-bit); Server3 150 GB Digest 2% 3 Microsoft Windows Server 2016 (64-bit); Server4 200 GB Di