With Veeam Backup & Replication (VBR) 12.1 it is possible to restore the Configuration Database using Powershell. Basically a simple task, if there weren't a few things to consider. Challenge accepted!
My Setup Let's prepare for the scenario where the primary VBR is no longer available and the configuration database needs to be restored on another system with a different hostname (standby VBR). On the primary VBR, the configuration backup was encrypted according to the best practices and MFA was also activated for part of the users. The configuration database runs on PostgreSQL.
I had the following thoughts before creating the script
Check that only the necessary Veeam services are running on the standby VBR server
Check if the response file has the proper entries (e. g. not automatically starting the Veeam services after the restore)
When MFA is enabled/used, updates must currently be made to the database after restoring the configuration DB (see here)
The encryption password should not be stored in plaintext within the response file (well, just for a while 😉)
The script should be able to run unattended as a scheduled task on the standby VBR server
Preparations
Setup the configuration backup on the primary VBR server The start time should be before we start the File Copy Job (see next step). Also encrypt the configuration backup.
Create a File Copy Job from the primary VBR to the standby VBR server I use a File Copy Job, so the copy job gets monitored on the primary site. We could use shared storage, but I want to keep it simple (for the moment). Schedule the File Copy Job after the Configuration Backup Job. Keep in mind, that the standby VBR server needs to be added to the Managed Servers on the primary VBR server.
Export Config Answer File for Secondary & Continuous Update Run this command on the primary or standby VBR server and copy the unattended.xml file into the path where the script will be stored:
C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Configuration.UnattendedRestore.exe /generate:c:\temp\unattended.xml
Store the password as a secure string in a txt file on the standby VBR server using the following commands:
Important: Please use the tool PsExec from Microsoft/Sysinternals (see here) to start a Powershell instance for executing the commands above, if you want to execute the script as a scheduled task under a different user. Example with the user svc-import:
.\PsExec64.exe -i -u svc-import powershell.exe
The Script The script consists of 3 "parts": ServiceCheck, Restore, and DBUdate. This allows you to regularly check that only the necessary Veeam services are started for the restore or that only the restore is executed. The DB update is currently only necessary if MFA is activated on the primary VBR server. You can get the script here
IMPORTANT: Please do not run the script on the productive server. Use at your own risk.
Some of the variables have to be adjusted before execution or passed to the script during execution.
$cfgBackupPath | Path to the configuration backups on the standby server $unattendedXmlPath | Path to the unattended response file $securePasswordPath | Path to the password txt file
The script currently uses the following users to update the DB table for the backup administrator user:
Production VBR Administrator Account = "Administrator"
Only this user is “reconfigured” on the target system, so that a login is possible after starting the Veeam services. After a login in case of disaster, users and groups must be adapted in the User & Roles settings.
I will update the readme file with the details as soon as possible.
Examples
Example 1 - Check if only the needed Veeam services for the configuration database restore are running:
.\vbr-dr.ps1 -ServiceCheck
Example 2 - Restore/Migrate the Configuration Database. Execute the script on the standby VBRserver
.\vbr-dr.ps1 -Restore
Example 3 - Restore/Migrate the Configuration Database and update the necessary database fields for the user $srcBkpAdmin
.\vbr-dr.ps1 -Restore -DBUpdate
What's next? I'm thinking about integrating the possibility of selecting a specific configuration backup for the restore into the script. Other ideas are also floating around in my head, but first I'm off to the weekend. Your feedback is welcome and appreciated. Anything missing?
Really great script Steve, thanks for sharing it. We are looking to migrate to Postgres so I might test this in the lab to see. Unless the requirement is being on Postgres to start?
Really great script Steve, thanks for sharing it. We are looking to migrate to Postgres so I might test this in the lab to see. Unless the requirement is being on Postgres to start?
Currently I just need DB access, when MFA is used (see here). You can also use the script when using MSSQL, but without the DBUpdate switch. Adjustments must then be made manually (or there is a great demand to integrate this into the script too 😉).
And for everyone: v1.1 has been uploaded. Separate password file for decrypting the configuration backup and for the database user. Please see the README file.
Really great script Steve, thanks for sharing it. We are looking to migrate to Postgres so I might test this in the lab to see. Unless the requirement is being on Postgres to start?
Currently I just need DB access, when MFA is used (see here). You can also use the script when using MSSQL, but without the DBUpdate switch. Adjustments must then be made manually (or there is a great demand to integrate this into the script too 😉).
And for everyone: v1.1 has been uploaded. Separate password file for decrypting the configuration backup and for the database user. Please see the README file.
