Comprehensive data protection for all workloads
Post Reply
brupnick
Expert
Posts: 196
Liked: 13 times
Joined: Feb 05, 2011 5:09 pm
Full Name: Brian Rupnick
Location: New York, USA
Contact:

Write Configuration Backups to Data Domain

Post by brupnick »

Good afternoon-

When setting up my configuration backup job, I noticed that none of my DD Boost repositories are listed in the backup repository drop down menu. Is this by design and if so, what is the reason? I'd like to back up my configurations to my DD and then replicate it between my DDs (including DR).

Thanks!
Gostev
Chief Product Officer
Posts: 31804
Liked: 7298 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Write Configuration Backups to Data Domain

Post by Gostev »

Hello

DDBoost-based transport is supported for regular backup jobs only.
Please create CIFS-based backup repository on DataDomain for this purpose.

Thanks!
brupnick
Expert
Posts: 196
Liked: 13 times
Joined: Feb 05, 2011 5:09 pm
Full Name: Brian Rupnick
Location: New York, USA
Contact:

Re: Write Configuration Backups to Data Domain

Post by brupnick »

Just for my own curiosity, is there a technical reason for this? I ask because in order to access the CIFS shares on my DD, I need to set "Network security: LAN Manager authentication level" to "Send LM & NTLM - use NTLMv2 session security if negotiated." However, when I do this, my VBR services are not able to start because my VBR server can't connect to my SQL server. I'm trying to find a workaround that will allow both of these things to happen at the same time and DD Boost would accomplish this.
Gostev
Chief Product Officer
Posts: 31804
Liked: 7298 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Write Configuration Backups to Data Domain

Post by Gostev »

No technical reasons, just business reason - hard to justify investing in implementing, testing and maintaining DDBoost considering the size of configuration backups is too small for DDBoost to provide any meaningful benefit. In your case, perhaps you can just backup configuration to another server with some local storage.
brupnick
Expert
Posts: 196
Liked: 13 times
Joined: Feb 05, 2011 5:09 pm
Full Name: Brian Rupnick
Location: New York, USA
Contact:

Re: Write Configuration Backups to Data Domain

Post by brupnick »

I do agree with your point about any benefit from a deduplication perspective and excuse me if I'm oversimplifying this, but isn't the configuration backup just a backup job to a repository? As of v8, I'm able to add a repository that uses DD Boost to a DD, and I'm able to create a backup job that sends data to that repository, so isn't this the same thing just with a specific source for the backup data?

Yes, backing up my configurations to another server with local storage is an option, but I already have my Data Domain added to my VBR infrastructure and configured for DD replication down to my DR site, so I'd like to avoid adding any complexity if possible.

Thanks!
Gostev
Chief Product Officer
Posts: 31804
Liked: 7298 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Write Configuration Backups to Data Domain

Post by Gostev »

brupnick wrote:excuse me if I'm oversimplifying this, but isn't the configuration backup just a backup job to a repository
That's the thing - it's not a regular job. Configuration backup uses a different file format, while our engine only knows how to use DDBoost for writing "regular" backup files. So, we are talking about digging a completely separate tunnel to enable configuration backup via DDBoost, and little to no benefits.
brupnick
Expert
Posts: 196
Liked: 13 times
Joined: Feb 05, 2011 5:09 pm
Full Name: Brian Rupnick
Location: New York, USA
Contact:

Re: Write Configuration Backups to Data Domain

Post by brupnick »

That makes sense. Thanks for the explanation.
tsightler
VP, Product Management
Posts: 6035
Liked: 2860 times
Joined: Jun 05, 2009 12:57 pm
Full Name: Tom Sightler
Contact:

Re: Write Configuration Backups to Data Domain

Post by tsightler »

And you certainly should be able to get a CIFS repo added on the DD and still have VBR running since that's the way about 99% of customers have been using Veeam with DD before v8. Hopefully you can get that issue resolved.
brupnick
Expert
Posts: 196
Liked: 13 times
Joined: Feb 05, 2011 5:09 pm
Full Name: Brian Rupnick
Location: New York, USA
Contact:

Re: Write Configuration Backups to Data Domain

Post by brupnick »

You're right, Tom, and I started down that path when I didn't see any of my DD Boost repositories available in the list. However, I seem to have something happening within my hardened Server 2012 R2 box that's preventing them both from working at the same time. I'm happy to post some details here in case anyone else is having a similar issue (I'm allowed to hijack my own thread, right?).

I believe that I have narrowed this down to at least the following GPO setting:

Code: Select all

Computer Configuration --> Policies --> Windows Settings --> Security Settings --> Local Policies --> Security Options --> Network security: LAN Manager authentication level
If I leave it at the hardened value of "Send NTLMv2 response only. Refuse LM & NTLM" I'm not able to connect to the CIFS shares on my DD. However, if I change it to "Send LM & NTLM - use NTLMv2 session security if negotiated" (and reboot), I'm able to see the CIFS shares on my DD, but my Veeam Backup Service fails to start because it can't connect to my remote SQL server (also hardened).

I'm sure that this is something related to Windows in my environment and not VBR, but if anyone has any insight, it would be greatly appreciated.
tsightler
VP, Product Management
Posts: 6035
Liked: 2860 times
Joined: Jun 05, 2009 12:57 pm
Full Name: Tom Sightler
Contact:

Re: Write Configuration Backups to Data Domain

Post by tsightler » 2 people like this post

This is going to sound like an incredibly silly suggestion, but I'm pretty surprised that NTLMv2 doesn't work with the DD. Is there any chance that the DD doesn't have time sync configured correctly. A lot of people think time sync only impacts Kerberos (which it does), but don't realize that it can impact NTLMv2 auth as well because in Windows 2008R2 and newer connections automatically use CBT (Channel Binding Token) which is sensitive to time sync. I see this fairly often when clients are attempting to connect using workgroup authentication.

Basically I'm wondering if NTLMv2 is failing due to time sync and with your're hardened setting it just fails, but with the less secure setting it simply falls back to a weaker auth that is not time sync dependent. I'm quite confident that the DD should support NTLMv2 auth.

http://support.microsoft.com/kb/976918

I don't know that this is what you're seeing, but I've run across it a couple of times so I thought it was worth throwing out there.
brupnick
Expert
Posts: 196
Liked: 13 times
Joined: Feb 05, 2011 5:09 pm
Full Name: Brian Rupnick
Location: New York, USA
Contact:

Re: Write Configuration Backups to Data Domain

Post by brupnick »

I think we can all admit that we've been burned by something that sounded so silly it was dismissed and later found to be the issue.

I checked the time on both my DD and VBR server and they are within seconds of each other. Is there a buffer like with Kerberos?
tsightler
VP, Product Management
Posts: 6035
Liked: 2860 times
Joined: Jun 05, 2009 12:57 pm
Full Name: Tom Sightler
Contact:

Re: Write Configuration Backups to Data Domain

Post by tsightler »

That's a good question, but I'm afraid I don't know the answer. I'm assuming it doesn't have to be exact. Usually when I've seen this problem the time was way off, i.e. time hadn't been set on the DD for example, or was set but in the wrong timezone.

Any chance you can use SQL authentication instead of Windows Integrated (new in v8)?

Have you tried changing this setting on both your SQL and VBR server (if possible)?

Just throwing around ideas. Still thinking...
brupnick
Expert
Posts: 196
Liked: 13 times
Joined: Feb 05, 2011 5:09 pm
Full Name: Brian Rupnick
Location: New York, USA
Contact:

Re: Write Configuration Backups to Data Domain

Post by brupnick »

No dice when setting the VBR and SQL server to use the same override GPO and rebooting. However, I found this in the Svc.VeeamBackup.log log:

Code: Select all

Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. (System.Data.SqlClient.SqlException)
Is there a way to change to SQL authentication from Windows authentication after VBR has been installed?
Gostev
Chief Product Officer
Posts: 31804
Liked: 7298 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Write Configuration Backups to Data Domain

Post by Gostev »

Yes. Look for the corresponding new tool in the Start Menu. And be sure to check out that What's New for v8 document when you get a chance, as you can be missing lots of other cool new features as well ;)
Post Reply

Who is online

Users browsing this forum: Bing [Bot], koravit, Majestic-12 [Bot], Semrush [Bot] and 122 guests