Comprehensive data protection for all workloads
Post Reply
TheWaterbug
Enthusiast
Posts: 37
Liked: 4 times
Joined: Dec 06, 2019 7:29 pm
Full Name: Steven Kan
Contact:

Suggestions for Offsite Repository?

Post by TheWaterbug »

Having just recovered our tiny 12-person company from a ransomware infection :shock: I am now taking offsite backup seriously! At present I have the following:

Image
  1. A collection of PCs and laptops backing up to a Server 2012 R2 Essentials box. Backup is this box's only function.
    1. This box worked flawlessly during the near-catastrophe. The recovery USB drive it generated was able to boot all my infected machines, and restoring to the day before the infection was fast and easy.
    2. The only problem with this box is that it will not back up my 3 instances of Server 2008 R2.
      1. Those instances had been backing up to an ancient Windows Home Server box, and that worked well enough to save the day, but I need to retire that box and modernize.
    3. At present I also have no offsiting for the Server 2012 R2 Essentials box or the WHS box.
    4. The entire Server 2012 R2 Essentials Client Computer Backups directory is 2.35 TB, but that includes weekly, monthly, and yearly backups back to 2017.
  2. I just bought a Gen10 Microserver and installed Veeam Community Edition on it, for the purposes of replacing that ancient WHS box.
    1. Total cost so far is $574, which is pretty amazing. That includes SSD boot + 2 x 2 TB drives, and I will add more drives as necessary.
    2. It has now backed up physical servers 1 and 2 (including the VM inside 2) for 2 days, and I plan to test bare metal recovery from it when everyone's out of the building.
    3. Full backup files of Server 1 and Server 2 are about 0.25 TB and 1.0 TB, respectively, including the 137 GB VHD and associated files from the virtualized Server 3.
  3. I have a hardware IPSec tunnel to my home/home-office, so I'm thinking I'd like to place a box there as an offsite repository.
    1. I'd like to replicate the Veeam box in my main office
    2. I'd also like to provide an offsite copy of the Server 2012 R2 E's repository.
    3. Ideally I'd like the ability to browse files and create Recovery Media directly from my offsite repository, in case the main building burns down or the main Veeam box get compromised somehow.
Can Veeam Community Edition do all of this? I'm thinking of buying another one of those inexpensive Microservers.

Do I install another instance of Veeam B&R on the remote box? Or do I just set it up as a Managed Server and add it with direct attached storage?

Can I install the Veeam agent on the Server 2012 R2 E box and back that up to the new box?

Can I set up the new box and seed it in the main office, and then move it to my home?

Or am I thinking about this completely wrong?

Thanks!
Gostev
Chief Product Officer
Posts: 31814
Liked: 7302 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Suggestions for Offsite Repository?

Post by Gostev » 1 person likes this post

Hello - and congratulations with successful recovery!

Bulletproof protection against cyber attacks requires offline (air-gapped) copy of your backups in a secure offsite location. Everything else is more or less half-measures which do not guarantee protection, leaving too many "what ifs". The number of "what ifs" will depend on how creative you are, but it will never be zero - so you will always be exposed to some extent.

Air-gapped backups can be achieved with the following approaches, from more complex to more simple to maintain:

1. Copy backups to tape, remove tapes from the library, and have them transported to the offsite vault (or just take them home with you). Having them off-site is critical for protection against natural disasters.

2. Use a backup repository backed by rotated drives, and rotate drives periodically (and also ideally take disconnected drive home with you). This is an extremely popular method among small businesses, and it was used heavily here at Veeam in early days! Nowadays we use tape though.

3. NEW method that requires upcoming Veeam Backup & Replication v10: leverage scale-out backup repository with Capacity Tier in COPY mode to object storage provider that supports "object lock" functionality. Scale-out repository will be automatically duplicating your backups to object storage as they are created, making each backup immutable for the specified number days. Immutable as in - not even "root" account on the object storage bucket can delete or modify them until the specified time period expires.

Hope this helps!
TheWaterbug
Enthusiast
Posts: 37
Liked: 4 times
Joined: Dec 06, 2019 7:29 pm
Full Name: Steven Kan
Contact:

Re: Suggestions for Offsite Repository?

Post by TheWaterbug »

Thanks! So maybe I don't need a Microserver with 4 SATA bays for the Home Office, and I can just use any form factor of PC and rotate a couple of USB external drives.

Oddly enough, this 8 TB external drive is actually less expensive than any 8 TB internal drive.

Since these external drives are externally powered, I can put their power supplies on some sort of timer, and if they're powered off, they're effectively air-gapped. Especially if the timer is strictly mechanical and/or disconnected from the network.

But how do I set up Veeam B&R at the Home Office to make this all work? Thanks!
foggy
Veeam Software
Posts: 21139
Liked: 2141 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: Suggestions for Offsite Repository?

Post by foggy »

You do not need a dedicated Veeam B&R instance there, everything can be managed via a single backup server. The remote server will be added to it as a repository and used as a target for backup copy jobs.
TheWaterbug
Enthusiast
Posts: 37
Liked: 4 times
Joined: Dec 06, 2019 7:29 pm
Full Name: Steven Kan
Contact:

Re: Suggestions for Offsite Repository?

Post by TheWaterbug »

^^
Thanks! But if the remote box is just a repository, will I still be able to create recovery media and/or recover files from it if the main Veeam box goes down?

If I do need to set up a Veeam B&R instance on my remote box to provide recovery capability, will it fight with my main Veeam box? Or will they understand how to work together?
veremin
Product Manager
Posts: 20413
Liked: 2301 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: Suggestions for Offsite Repository?

Post by veremin »

Thanks! But if the remote box is just a repository, will I still be able to create recovery media and/or recover files from it if the main Veeam box goes down?
Yep, you will need to install a backup server (or restore it from a backup), restore its configuration and restore whatever files you want to from backups stored in this repository.

Moreover, even if you don't have a configuration backed up, you will be able to perform restores. All you will need to do prior to restoring is to import backups.

Thanks!
TheWaterbug
Enthusiast
Posts: 37
Liked: 4 times
Joined: Dec 06, 2019 7:29 pm
Full Name: Steven Kan
Contact:

Re: Suggestions for Offsite Repository?

Post by TheWaterbug »

^^
Ok, I think I understand. So I need to make sure the main Veeam box is backing up its config to the remote box, as well as copying over the backup sets.

Then, if disaster strikes I can then install Veeam B&R onto the remote repository, restore the configuration from that backup, import the backups, and then the remote box will behave just like a duplicate of the original box. Correct?
wishr
Veteran
Posts: 3077
Liked: 455 times
Joined: Aug 07, 2018 3:11 pm
Full Name: Fedor Maslov
Contact:

Re: Suggestions for Offsite Repository?

Post by wishr »

In case of a DR, you can even install B&R on your laptop, import backups as Vladimir suggested and restore a workload you need asap. Configuration Backup will be required in case if you'd like to set up a new server that will continue the operations of the old one: planned migration or loss of the backup server are typical scenarios.

Yes, you would like to store configuration backup at some remote box/USB drive/cloud so it will be accessible in case you have lost a significant piece of the backup infrastructure.

Regards,
Fedor
veremin
Product Manager
Posts: 20413
Liked: 2301 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: Suggestions for Offsite Repository?

Post by veremin »

Then, if disaster strikes I can then install Veeam B&R onto the remote repository, restore the configuration from that backup, import the backups, and then the remote box will behave just like a duplicate of the original box. Correct?
Almost, if you restore configuration, importing backups won't be required. Thanks!
TheWaterbug
Enthusiast
Posts: 37
Liked: 4 times
Joined: Dec 06, 2019 7:29 pm
Full Name: Steven Kan
Contact:

Re: Suggestions for Offsite Repository?

Post by TheWaterbug »

Thanks! My second box will be arriving Friday, so if I can get it set up and seeded before the end of the day, I'll take it home and test all of this.

Thanks!
veremin
Product Manager
Posts: 20413
Liked: 2301 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: Suggestions for Offsite Repository?

Post by veremin »

Wouldn't harm to test theoretic concepts in real-life deployment, indeed. Should any additional questions arise, don't hesitate to let us know. Thanks!
mikame
Influencer
Posts: 15
Liked: 4 times
Joined: May 30, 2015 1:03 pm
Full Name: Mika Melonen
Contact:

Re: Suggestions for Offsite Repository?

Post by mikame » 1 person likes this post

hi
we we do is do a backup copy to offsite and another backup copy onsite to a USB device (offline repository). This USB is offline all the time, I only connect it to IT pc when doing backups, the rest of the days it is in a fire proof closet. I test the USB restoring few times a year by restoring all VM (Full restore) to another vmware vSphere system, so far all VM's have worked fine. Previously I had problems when I encrypted the USB backup copy, the encryption password didn't work when I tried to restore to a new vsphere system, even though it was 100% right. There is a forum thread about this;
vmware-vsphere-f24/error-message-invali ... ml#p344615

I suggest getting a faster USB storage, if backing up a lot of data (TB's). Now I use USB device with 2 hard disck on RAID0 so that the transformation/merging of the backup chain will be much faster (I want to have the offline USB online as little time as possible).
nitramd
Veteran
Posts: 298
Liked: 85 times
Joined: Feb 16, 2017 8:05 pm
Contact:

Re: Suggestions for Offsite Repository?

Post by nitramd »

Mika,

Are you aware that RAID 0 provides no fault tolerance?
mikame
Influencer
Posts: 15
Liked: 4 times
Joined: May 30, 2015 1:03 pm
Full Name: Mika Melonen
Contact:

Re: Suggestions for Offsite Repository?

Post by mikame »

yes of course, but with 1 disk the merging and Health checks takes so long (from morning till next day) that the purpose of offline is fading away since the USB would be online almost a day for every time we need to take a backup. Offsite copy twice a day still exist in case something happens to the "offline" USB. RAID1 USB would be much better (this USB we use originally was configured RAID1) but I doubt fast enough big SATA disks exists any time soon. RAID10 usb devices becomes quite heavy and big to move around and the costs goes up too. Actually I should time it with the current USB as RAID0, then put it to RAID1 and see the difference. With 1 disk USB it was too slow, with RAID1 the only help is the read part, I wonder if anyone have tested the speeds, like this, I suppose merging is write intensive so RAID1 doesn't help much. Just for the sake of interest, I think I will test these.
TheWaterbug
Enthusiast
Posts: 37
Liked: 4 times
Joined: Dec 06, 2019 7:29 pm
Full Name: Steven Kan
Contact:

Re: Suggestions for Offsite Repository?

Post by TheWaterbug » 1 person likes this post

veremin wrote: Dec 12, 2019 3:50 pm Wouldn't harm to test theoretic concepts in real-life deployment, indeed. Should any additional questions arise, don't hesitate to let us know. Thanks!
So the 2nd box arrived Friday, and I got everything installed and seeded over the weekend, including some monkeying with a PowerShell script to swap which USB drive is mounted as D:.

Tonight I'll take it home and see how well the backup backups work over my IPSec VPN. Wire speed from the main office is only 20 Mbps, so this could take a long time.
Post Reply

Who is online

Users browsing this forum: Bing [Bot], Google [Bot] and 131 guests