VBR v11 - Step by step: Installation & Configuration Best Practices - PART 1


Userlevel 7
Badge +7

The virtual machines I use for the deployment are generated from a Template (Golden Image) through a configuration file unattend.xml 

Answer files (unattend.xml)

https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/update-windows-settings-and-scripts-create-your-own-answer-file-sxs 

What is Windows System Image Manager?

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc766347(v=ws.10) 

Useful links for sizing

Veeam Architects Site 

https://www.veeambp.com/ 

Veeam Size Estimation Tool (VSE)

https://vse.veeambp.com/#/ 

The Restore Point Simulator

http://rps.dewin.me/ 

Veeam Ports Calculator

https://www.veeambp.com/ports/ 

REFS Calculator

http://dewin.me/calculator/ 

Bandwidth Calculator

http://rps.dewin.me/bandwidth/ 

Pricing calculator for small business

https://www.veeam.com/pricing-calculator 

NAS Calculator
https://cloudoasis.com.au/nas-calculator/ 
Veeam Clikable Demos
https://veeamclick.be/ 

Prerequisite:

 

System Requirements - Veeam Backup Guide for vSphere

Create Active Directory service account for Veeam Backup Active Directory Aware

YourDomain.local\Svc_veeam

INSTALLATION

 

Veeam Backup & Replication support for VMware vSphere

KB2443: Veeam Backup & Replication support for VMware vSphere

 

  • vSphere Version 5.5  Minimum Veeam Backup & Replication version 7.0 R2  (build 7.0.0.771)
  • vSphere Version 7.0 U2 11 P20210525  Minimum Veeam Backup & Replication version  (build 11.0.0.837 P20210507)

 

Veeam Backup & Replication support for MS HyperV

Platform Support - Veeam Backup Guide for Hyper-V

 

STORAGE SETUP & CONFIURE ISCSI ON Vmware

VMWARE ESXi setup ISCSI + SCV3000 storage DELL set up 

Configure ISCSI vSphere Side:

 Added the IPs of Dell Storage Svc3000 controllers dedicated to ESXi side backup

STORAGE create object cluster & server Vmware

Repeat for each host ESXi

Map Volume sotrage side to host ESXi

 

Open your VCSA-VMWARE and MAP RDM to VM VEEAM PROXY\Repository

Binding RDM on Veeam Repor server:

SCv3000-VeeamPRY-01     E:\

SCv3000-VeeamPRY-02     F:\

SCv3000-VeeamPRY-03     G:\

SCv3000-VeeamPRY-04     H:\

 

Repeat this task for each Volume Backup Repositoru

SCv3000-VeeamPRY-01     E:\ SCSI 1:0

RDM = GPT - Formattato REFS 64K

SCv3000-VeeamPRY-02     F:\ SCSI 1:1

RDM = GPT - Formattato REFS 64K

 

SCv3000-VeeamPRY-03     G:\  SCSI 2:0

RDM = GPT - Formattato REFS 64K

 

SCv3000-VeeamPRY-04     H:\ SCSI 3:0

RDM = GPT - Formattato REFS 64K

 

 

WINDOWS O.S. CONFIGURATION

If you are using SCSI Controllers in paraVirtual mode, add the following registry key on the server where you are mounting the LUn RDMs as a backup repository

 

  • PVSCSI CONTROLLER QUEUE DEPTH: modify queue depth

 

Using the PVSCSI virtual storage controller, Windows Server is not aware of the
increased I/O capabilities supported. The queue depth can be adjusted for PVSCSI in

Windows Server to 254 for maximum performance. This is achieved by adding the
following key in the Windows Server registry:

 

Reg add “HKLM\SYSTEM\CurrentControlSet\services\pvscsi\Parameters\Device /v DriverParameter /t REG_SZ /d “RequestRingPages=32,MaxQueueDepth


NOTE: While increasing the default queue depth of a virtual SCSI controller can be
beneficial to an SQL Server-based VM, the configuration can also introduce
unintended adverse effects in overall performance if not done properly102. VMware
highly recommends that customers consult and work with the appropriate storage
vendor’s support personnel to evaluate the impact of such changes and obtain
recommendations or other adjustments that may be required to support the increase
in queue depth of a virtual SCSI controller.

https://kb.vmware.com/s/article/2053145

 

 

  • Disable IPV6 (to be evaluated based on your infrastructure)
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\ /v DisabledComponents /t REG_DWORD  /d 0xFF /f

 

  • Disable UAC (to be evaluated based on your infrastructure)

Check this: Hardening Backup Repository - Windows - Veeam Backup & Replication Best Practice Guide

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system /v EnableLUA /t REG_DWORD  /d 0 /f
  • FIREWALL Disabled (to be evaluated based on your infrastructure)
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
  • Fix Proxy Roles:

 https://www.veeam.com/kb1882   

  1. diskpart
  2. automount disable
  3. automount scrub

 DISABLE TASK SCHED Automatic Reboot Windows USO CLINT WU 

  • Only for O.S. Windows 2016 Disable auto reboot after Windows update
SCHTASKS /Change /TN "Microsoft\Windows\UpdateOrchestrator\Reboot" /DISABLE

SCHTASKS /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /DISABLE

icacls "%WINDIR%\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot" /inheritance:r /deny "Everyone:F" /deny "SYSTEM:F" /deny "Local Service:F" /deny "Administrators:F"

icacls "%WINDIR%\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /inheritance:r /deny "Everyone:F" /deny "SYSTEM:F" /deny "Local Service:F" /deny "Administrators:F"

Rollback

SCHTASKS /Change /TN "Microsoft\Windows\UpdateOrchestrator\Reboot" /enable

SCHTASKS /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /enable

Disable all unnecessary services example:

MAPS Broker service

Set-Service MapsBroker -startuptype "disabled"

 

Proxy role setup vCPU 2x2 or 1x4 vCPU

 

 

INSTALL

Veeam Install 11.0.0.837 (FIPS) 2021032019

                Latest build: 11.0.0.837 P20210525 (May 28, 2021) > KB4126

[ALL VERSIONS] Current build is 11.0.0.837 P20210525 (May 28, 2021) (veeam.com)

 

 

Install Veeam Enterprise Manager

You can bind your cert here ( first import your pub or private CA cert on mmc Certification on Computer):

 

CONFIGURATION

  • Veeam General Options
  • I\O Control
  • Security

 

  • E-Mail Settings

I disable Success notify!

  • Notifications

 

Add VCSA – Add Proxy – Setup RDM LUN on VM (Vmware) - Conf Bck Repo + SOBR

Define vmware user account

Creating a new vCenter server role with cumulative privileges and permissions to use with Veeam Backup & Replication V10

 

 

Configure Proxy ( this  configuration is all in One)

I use Automatic or Virtual Appliance “Hot Add”, depend of your VmWare Infrastructure

  • Configure dedicated Proxy

 

Setup RDM LUN on VM (Vmware)( view Storage setup in this exemple FC)

Generally i used a proxy role in combo with the backup Repository role on the same server to minimize windows licenses.

Create the necessary LUNs on the storage to be configured on our side Veeam backup Repository \ Proxy on the Vmware side.

Note the WWNs of the LUNs Present the LUNs to the Vmware Cluster and scan Vmware Storage Add RDM

Match WWN to Storage Volume Labels

LUN 11 ***************************8cad  ***-Backup-Veeam-01

LUN 12 ***************************8caf   ***-Backup-Veeam-02

Rescan Vmware sotrage Vmware

Edit you Veeam proxy VM:

Add first RDM :

Add 2 SCSI Controller

Save SCSI Controller, re-edit and ADD RDM

Logon on Windows Proxy\Backup repository and configure RDM:

Open Disk Manager

Repeat this task for all your RDM\LUN\RAW volume backup repo.

 

How to confirm we have an ReFS partition

fsutil fsinfo volumeinfo E:
fsutil fsinfo refsinfo E:

Here is an example we don’t want – ReFS but the wrong block size

How to tell a synthetic full using block clone?

So aside from a faster backup, how do we tell if a ReFS operation happened.  Which is often on Saturday. Below is the Advanced Settings from a job.

 

  • Configure Backup Repository + SOBR

This is All in One Installation

  • VBR Application server
  • Proxy Role
  • Backup Repository Role

You can change default port!

 

  • Setup SOBR

SCHEDULE JOBS

  • Job Template – how to create a template job:
  • Create new backup job
  • Need one dummy machine

WARNING the "disk to process" setting or select only the necessary disk "is not saved in the template but it is necessary to re-set the controller

  • Setting up you job type

It is possible to personalize an additional and targeted mailing

  • Configure "Application Aware" if you have Domain Controller - Exchange - MSSQLOracle - SharePoint servers

Application-Aware Processing - Veeam Backup Guide for vSphere

Create service account for backup Active Directory (Domain Admin ) No interaction logon:

Assigning the backup service user "svc_veeam@yourdomain.local" (preferred UPN format) "Domain Admin" and deny "interactive logon" and other restricition Deny "Logon as a Batch" 'or' "Deny Logon as a service" etc depends on your needs.

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models

  • Active Directory Enviroment:

Remember that from the Windows 2012 R2 version it is possible to clone a DC through the official MS procedure.

https://social.technet.microsoft.com/wiki/contents/articles/23859.windows-2012r2-domain-controller-cloning-step-by-step-guide.aspx

https://www.interfacett.com/videos/clone-windows-server-2012-2012-r2-domain-controller/

 

  • Disable new job
  • Manual clone from GUI  the job template e rename it and insert your VM manually
  • Remove VM from job:

Get-VBRJob -Name "D001-test" | Get-VBRJobObject -NameYour-VM-Name" | Remove-VBRJobObject

 

 

#########################################################

#       CREATE NEW JOB 15 restore point Forecver Incremental                                        #

#########################################################

 

#Create new Job:

$test1 = Find-VBRViEntity -Name "*****-db01"

$repository = Get-VBRBackupRepository -ScaleOut -Name Your-SOBR

Add-VBRViBackupJob -Name "D001-TEST1" -Entity $test1 -BackupRepository $repository

#Set 15 restore point:

$retention = New-VBRJobOptions -ForBackupJob

$retention.BackupStorageOptions.RetainCycles = 15

$job = Get-VBRJob -Name "D001-TEST1"

Set-VBRJobOptions -Job $job -Options $retention

#Configure job schedule and enable it:

Get-VBRJob -Name "D001-TEST1" | Set-VBRJobSchedule -Daily -At "23:45" -DailyKind Everyday | Enable-VBRJobSchedule

#Set Forever Incremental:

Get-VBRJob -Name "D001-TEST1" | Set-VBRJobAdvancedBackupOptions -Algorithm Incremental -TransformFullToSyntethic $False -TransformIncrementsToSyntethic $False -EnableFullBackup $False

 

VBR v.11 - Step by step Install & Configure (Best Practice) part.02 | Veeam Community Resource Hub


11 comments

Userlevel 7
Badge +20

Amazing post especially the details. Very well done. 👌

Userlevel 7
Badge +9

Thank you for this! Well detailed :ok_hand:

Userlevel 7
Badge +7

@Kseniya

 

Sorry the guide is not finished; Or remove the comments and I will add the second and third posts to conclude the guide.

If not it should be renamed as part1 is public the second part.…

exceeded 300000 characters lol

let me know thanks

 

 

Userlevel 7
Badge +17

It's almost a book 🤣🤣🤣

Thank you for the detailled description. 😎👍🏼

Userlevel 7
Badge +4

@Link State : Thanks for sharing, Much appreciated !

Userlevel 7
Badge +13

Thank for sharing your book, @Link State ! :wink: Great piece of work!

Just one question: why do you disable the windows firewall?

Userlevel 7
Badge +7

Thank for sharing your book, @Link State ! :wink: Great piece of work!

Just one question: why do you disable the windows firewall?

Generally the design of the security is entrusted to FW hadware / virtual perimeter, but this depends on the type of infrastructure and customer policy.

Userlevel 7
Badge +8

Thank for sharing your book, @Link State ! :wink: Great piece of work!

Just one question: why do you disable the windows firewall?


same here veeam could be installed with fw and hardening (UAC disabled?!) :grin:

Userlevel 7
Badge +7

Thank for sharing your book, @Link State ! :wink: Great piece of work!

Just one question: why do you disable the windows firewall?


same here veeam could be installed with fw and hardening (UAC disabled?!) :grin:

  • FIREWALL Disabled (to be evaluated based on your infrastructure)
  • Disable UAC (to be evaluated based on your infrastructure)

 

Windows Firewall and UAC are disabled directly on the TEMPLATE IMAGE. It depends on the customer and the policies.
I tend to prefer a strong security in the border of the infrastructure than to armor each Vm with a local FW, also to speed up a possible throbleshooting.

imho, many times UAC creates more harm than good. :smiley::grin:

Userlevel 7
Badge +13

Thank for sharing your book, @Link State ! :wink: Great piece of work!

Just one question: why do you disable the windows firewall?


same here veeam could be installed with fw and hardening (UAC disabled?!) :grin:

  • FIREWALL Disabled (to be evaluated based on your infrastructure)
  • Disable UAC (to be evaluated based on your infrastructure)

 

Windows Firewall and UAC are disabled directly on the TEMPLATE IMAGE. It depends on the customer and the policies.
I tend to prefer a strong security in the border of the infrastructure than to armor each Vm with a local FW, also to speed up a possible throbleshooting.

imho, many times UAC creates more harm than good. :smiley::grin:

I like the concept: make life as difficult as possible for the hacker :grin:

Userlevel 7
Badge +7

Thank for sharing your book, @Link State ! :wink: Great piece of work!

Just one question: why do you disable the windows firewall?


same here veeam could be installed with fw and hardening (UAC disabled?!) :grin:

  • FIREWALL Disabled (to be evaluated based on your infrastructure)
  • Disable UAC (to be evaluated based on your infrastructure)

 

Windows Firewall and UAC are disabled directly on the TEMPLATE IMAGE. It depends on the customer and the policies.
I tend to prefer a strong security in the border of the infrastructure than to armor each Vm with a local FW, also to speed up a possible throbleshooting.

imho, many times UAC creates more harm than good. :smiley::grin:

I like the concept: make life as difficult as possible for the hacker :grin:

Of course I agree, you have to find a middle ground.

Comment