SMB - Best practice B&R V12 / Hyper-V / 2 VMs without license violation MS

[Torsten73]

We are having several internal discussions about using und installing B&R V12 for several Setups, where the costs are a problem and the customers won´t buy a second Server 2022 licence for setting up a third VM, respecting the licence for Server 202 std.

We know, it´s a license violation against Microsoft to install the full b&r V12 on the Hyper-V Server. And it´s also a bad chooise to install such a software with another database on a hyper-v host.

My best practice for cost effektiv would be:
- Hyper-V without any other Software
- B&R V12 will be full installed (Postgres) inside VM1 from DC01 Domain Controller with 8GB Ram and 2 V-Cores
- VM2 will carry our productive Orcale 19 / 11 Database software solution
- Backup repository is USB HDD oder RDX attached to Hyper-V Server, Backup Proxy is Hyper-V, sometimes a NAS, no internal HDD, 5 HDDs for Backups Mo-Fr

The Backup Job runs at night 1 times a day for all vhdx drives.

This setup isn´t following the best practice for a Domaincontroller. But I see no really alternative with the same performance and minimal impact to the System. We also need as much as possible ram for the vm2

best practice, if the customer is having a third VM3 for Terminal Server or has a separate Server 2022 Essential License:
- Setting up a Backup VM with only Veeam inside.

Both ways will do a backup only for the Hyper-VB VMs. A Backup for the Host is not wanted. Boths ways use Hyper-V Manger for doing the backup, no agents inside the VMs.

Any comments and recommendations to my Solution are welcome.

Thx a lot!

[Mildur]

Hello Torsten

Installing Veeam on the domain controller (or HyperV server) is not recommended by Veeam. The Veeam server should run on a dedicated physical machine (or virtual).

Also never run the backup server on the same production VMs which must be protected. From a security perspective a bad idea. An attacker having access to the domain controller will be able to also access the backup server with all it's non-immutable or non-airgapped backup data.

If you cannot use a backup server because their is no windows license left, consider using Veeam Agents to protect the environment. You are talking about customer, so you must be a service provider. Use your rental license to manage those Veeam Agents for your customer. Only disadvantage, you loose application item restore without a Veeam Backup & Replication server.

I don't have any other recommendation than that.

https://helpcenter.veeam.com/docs/backu ... on-servers

Coexistence with Mission-Critical Production Servers

We do not recommend you to install Veeam Backup & Replication and its components on mission-critical machines in the production environment such as Microsoft Hyper-V Server, Domain Controller, Microsoft Exchange Server, Small Business Server/ Windows Server Essentials and so on. If possible, install Veeam Backup & Replication and its components on dedicated machines. Backup infrastructure component roles can be co-installed.

Best,
Fabian

[Torsten73]

Hello Fabian,
yes i am a service technician for a Veeam service provider.
I know hardening is a good thing...

[Moopere]

Hello Torsten73,

You are referring to the Windows Server (and previous versions) licensing whereby a 2022 physical server with the Hyper-v role is granted license to run 2x Windows Server 2022 VM's on that same physical server right? If I've understood correctly then I believe the license also grants the running of certain applications on the physical server without violating the license agreement nor removing the granted 2x VM servers. Here is section 3.d of the Server 2019 EULA which is probably similar to the 2022 EULA (but please do check).

-----------------------
"Windows Server Standard

i. For each server to which you have assigned the required number of core licenses as provided in Section 3.b., at any one time you may run the server software in:

· one physical operating system environment,

· up to two virtual operating system environments, and

· any number of operating system environments instantiated as Windows Server Containers without Hyper-V isolation.

ii. If you run all permitted instances at the same time, the instance of the server software running in the physical operating system environment may be used only to:

· run hardware virtualization software,

· provide hardware virtualization services,

· run software to manage and service operating system environments on the licensed server.

iii. If you want to run additional instances of the server software as set forth in this Section 3.d., you may need to acquire additional licenses to the server as described in Section 3.b."
-----------------------

Its probably up for argument as to whether backup software falls within the domain of "run software to manage and service operating system environments on the licensed server." - I have seen it argued so and I've got a memory that earlier version of Windows Server (2012?) specifically lay out this exact scenario - don't quote me though, please do you own research.

For those that feel strongly for the argument against: Think about the ramifications of even running a backup agent on the physical server of your Hyper-v host. Insofar as intent and purpose, a backup agent is a special purpose management application. If you then add a singular purpose front end to that agent, a management interface, does this change the nature of what you are doing with the backup application?

[Moopere]

Oh, I should add to my post above. Personally I'm not a big fan of running anything on Hyper-v hosts that doesn't have to absolutely be there to make the system work. To this end then I'll happily run a Veeam agent but would be less happy running the full Veeam B&R installation - not for licensing reasons, I'm happy enough I'm covered there, but for stability, maintenance and performance reasons.

[m.novelli]

We are having several internal discussions about using und installing B&R V12 for several Setups, where the costs are a problem and the customers won´t buy a second Server 2022 licence for setting up a third VM, respecting the licence for Server 202 std.

We know, it´s a license violation against Microsoft to install the full b&r V12 on the Hyper-V Server. And it´s also a bad chooise to install such a software with another database on a hyper-v host.

My best practice for cost effektiv would be:
- Hyper-V without any other Software
- B&R V12 will be full installed (Postgres) inside VM1 from DC01 Domain Controller with 8GB Ram and 2 V-Cores
- VM2 will carry our productive Orcale 19 / 11 Database software solution
- Backup repository is USB HDD oder RDX attached to Hyper-V Server, Backup Proxy is Hyper-V, sometimes a NAS, no internal HDD, 5 HDDs for Backups Mo-Fr

The Backup Job runs at night 1 times a day for all vhdx drives.

This setup isn´t following the best practice for a Domaincontroller. But I see no really alternative with the same performance and minimal impact to the System. We also need as much as possible ram for the vm2

best practice, if the customer is having a third VM3 for Terminal Server or has a separate Server 2022 Essential License:
- Setting up a Backup VM with only Veeam inside.

Both ways will do a backup only for the Hyper-VB VMs. A Backup for the Host is not wanted. Boths ways use Hyper-V Manger for doing the backup, no agents inside the VMs.

Any comments and recommendations to my Solution are welcome.

Thx a lot!

Such small customers are best suited for a full cloud deployment

- Microsoft 365 for email , OneDrive / Sharepoint for File Sharing, Teams for Collaboration / Videocall
- Desktop PC / Notebook connected to Azure AD
- a single VM in Microsoft Azure for the ERP (both ERP and Terminal Server if the ERP is not web-based), not joined to any domain to lower costs, maybe Azure AD Domain Services but is +150 eur/month
- Acronis Backup Cloud to Cloud for Microsoft 365 backup (mail, OneDrive / Sharpoint, Teams)

No more internal Servers

Marco

Marco

[SmokinJoe]

You have a licensed Oracle DB running on a VM and you don't have enough resources to buy an additional MS Windows server license???? Hmmmm

Well, you could run a Linux proxy, file store and tape server in a Linux VM on Hyper-V. Then you have a VEEAM server running somewhere else to control that Veeam Proxy/Repo/Target over the WAN or on some other Windows Host.

[Mildur]

@SmokinJoe
Linux proxies are not involved in Hyper-V VM backups.
The proxy component runs default on the Hyper-V server itself as an On-Host proxy.

Best,
Fabian

[SmokinJoe]

I would suggest you leave the hypervisor alone and run a dedicated VM for a proxy/repo/tape. On host proxy means if your proxy is compromised so is your hypervisor and all VM's including your precious Oracle DB and Authentication via Active Directory.

[Mildur]

For Hyper-V there are two proxy types:
- On-Host Proxy, which is the default and recommended. Almost any customer runs it.
- Off-Host Proxy, which requires you to buy another physical machine where you have to install Hyper-V. Virtual backup proxies for HyperV backup do not exist.

[Torsten73]

Such small customers are best suited for a full cloud deployment

- Microsoft 365 for email , OneDrive / Sharepoint for File Sharing, Teams for Collaboration / Videocall
- Desktop PC / Notebook connected to Azure AD
- a single VM in Microsoft Azure for the ERP (both ERP and Terminal Server if the ERP is not web-based), not joined to any domain to lower costs, maybe Azure AD Domain Services but is +150 eur/month
- Acronis Backup Cloud to Cloud for Microsoft 365 backup (mail, OneDrive / Sharpoint, Teams)

No more internal Servers

Marco

Marco

Hello Marco,
Yes, I understand but I have to follow the sales contracts our customers has been sold. I won´t discuss about such solutions in this topic, it´s maybe a good point of view for other users but not at the moment for me.

[Torsten73]

Hello Torsten73,

You are referring to the Windows Server (and previous versions) licensing whereby a 2022 physical server with the Hyper-v role is granted license to run 2x Windows Server 2022 VM's on that same physical server right? If I've understood correctly then I believe the license also grants the running of certain applications on the physical server without violating the license agreement nor removing the granted 2x VM servers. Here is section 3.d of the Server 2019 EULA which is probably similar to the 2022 EULA (but please do check).

-----------------------
"Windows Server Standard

i. For each server to which you have assigned the required number of core licenses as provided in Section 3.b., at any one time you may run the server software in:

· one physical operating system environment,

· up to two virtual operating system environments, and

· any number of operating system environments instantiated as Windows Server Containers without Hyper-V isolation.

ii. If you run all permitted instances at the same time, the instance of the server software running in the physical operating system environment may be used only to:

· run hardware virtualization software,

· provide hardware virtualization services,

· run software to manage and service operating system environments on the licensed server.

iii. If you want to run additional instances of the server software as set forth in this Section 3.d., you may need to acquire additional licenses to the server as described in Section 3.b."
-----------------------

Its probably up for argument as to whether backup software falls within the domain of "run software to manage and service operating system environments on the licensed server." - I have seen it argued so and I've got a memory that earlier version of Windows Server (2012?) specifically lay out this exact scenario - don't quote me though, please do you own research.

For those that feel strongly for the argument against: Think about the ramifications of even running a backup agent on the physical server of your Hyper-v host. Insofar as intent and purpose, a backup agent is a special purpose management application. If you then add a singular purpose front end to that agent, a management interface, does this change the nature of what you are doing with the backup application?

Hello Noname,
we had the same thoughts. But unfortunately it´s wrong. We have learned it hard ... We have proven this point with a Microsoft license specialist from Tarox.
Installations for any other software on the hyper-v host needs one server 2022 license.

[Torsten73]

I would suggest you leave the hypervisor alone and run a dedicated VM for a proxy/repo/tape. On host proxy means if your proxy is compromised so is your hypervisor and all VM's including your precious Oracle DB and Authentication via Active Directory.

This is our way for new Veeam customer contracts. It also means, the user must buy a third server 2022 essential license. This makes the point on costs again expensiver.
Of course it would be much better to use a backup server or a server with a second hyper-v for it, but this is way to expensive for small Business solutions. I am talking hier about 3-5 Clients.

A Veeam installation on the hyper-v is more a problem than installing it on a dedicated vm on the same host.

Again the question at all, what makes more sense, if no addition license for Server 2022 is possible and no additional VM is possible:
- Installing Veeam B&R inside of VM Domain Controller (would be my way)
- Installing Veeam B&R on Hyper-Visor (has been the actual way)
- Installing only an agent inside of all VMs (lightweight but poor to monitor, only e-mails possible, task and resources are difficult)
- Installing Veeam B&R inside any VM (poorest solution)

[Moopere]

Hello Noname,
we had the same thoughts. But unfortunately it´s wrong. We have learned it hard ... We have proven this point with a Microsoft license specialist from Tarox.
Installations for any other software on the hyper-v host needs one server 2022 license.

Fair enough I won't argue with a clarification you are happy with.

The only thing I'll add is that I usually have to argue EULA clauses when I'm being audited by Microsofts license compliance agents. My point in mentioning this is that compliance people, or sales people more generally, have a vested interest in selling licenses to you ... or trying to scare you into buying something you may not need to remain in compliance with license terms.

Ultimately though, of course, buy as many licenses as you need to keep your legal people happy.

[MartinO]

- Installing only an agent inside of all VMs (lightweight but poor to monitor, only e-mails possible, task and resources are difficult)

If you're a service provider, deploy your own Veeam Service Provider Console and have them report into that, that's what we do.

Highly, highly recommend not installing Veeam B&R on an HV host or a DC, that's for certain!