Having just recovered our tiny 12-person company from a ransomware infection, I am now taking offsite backup seriously! At present I have the following:
A collection of PCs and laptops backing up to a Server 2012 R2 Essentials box. Backup is this box's only function.
This box worked flawlessly during the near-catastrophe. The recovery USB drive it generated was able to boot all my infected machines, and restoring to the day before the infection was fast and easy.
The only problem with this box is that it will not back up my 3 instances of Server 2008 R2.
Those instances had been backing up to an ancient Windows Home Server box, and that worked well enough to save the day, but I need to retire that box and modernize.
At present I also have no offsiting for the Server 2012 R2 Essentials box or the WHS box.
The entire Server 2012 R2 Essentials Client Computer Backups directory is 2.35 TB, but that includes weekly, monthly, and yearly backups back to 2017.
I just bought a Gen10 Microserver and installed Veeam Community Edition on it, for the purposes of replacing that ancient WHS box.
Total cost so far is $574, which is pretty amazing. That includes SSD boot + 2 x 2 TB drives, and I will add more drives as necessary.
It has now backed up physical servers 1 and 2 (including the VM inside 2) for 2 days, and I plan to test bare metal recovery from it when everyone's out of the building.
Full backup files of Server 1 and Server 2 are about 0.25 TB and 1.0 TB, respectively, including the 137 GB VHD and associated files from the virtualized Server 3.
I have a hardware IPSec tunnel to my home/home-office, so I'm thinking I'd like to place a box there as an offsite repository.
I'd like to replicate the Veeam box in my main office.
I'd also like to provide an offsite copy of the Server 2012 R2 E's repository.
Ideally I'd like the ability to browse files and create Recovery Media directly from my offsite repository, in case the main building burns down or the main Veeam box gets compromised somehow.
Can Veeam Community Edition do all of this? I'm thinking of buying another one of those inexpensive Microservers.
Do I install another instance of Veeam B&R on the remote box? Or do I just set it up as a Managed Server and add it with direct attached storage?
Can I install the Veeam agent on the Server 2012 R2 E box and back that up to the new box?
Can I set up the new box and seed it in the main office, and then move it to my home?
Hello - and congratulations on the successful recovery!
Bulletproof protection against cyber attacks requires an offline (air-gapped) copy of your backups in a secure offsite location. Everything else is more or less half-measures which do not guarantee protection, leaving too many "what ifs". The number of "what ifs" will depend on how creative you are, but it will never be zero - so you will always be exposed to some extent.
Air-gapped backups can be achieved with the following approaches, from more complex to more simple to maintain:
1. Copy backups to tape, remove tapes from the library, and have them transported to the offsite vault (or just take them home with you). Having them off-site is critical for protection against natural disasters.
2. Use a backup repository backed by rotated drives, and rotate drives periodically (and also ideally take the disconnected drive home with you). This is an extremely popular method among small businesses, and it was used heavily here at Veeam in the early days! Nowadays we use tape though.
3. NEW method that requires the upcoming Veeam Backup & Replication v10: leverage a scale-out backup repository with Capacity Tier in COPY mode to an object storage provider that supports "object lock" functionality. The scale-out repository will automatically duplicate your backups to object storage as they are created, making each backup immutable for the specified number of days. Immutable as in - not even the "root" account on the object storage bucket can delete or modify them until the specified time period expires.
Thanks! So maybe I don't need a Microserver with 4 SATA bays for the Home Office, and I can just use any form factor of PC and rotate a couple of USB external drives.
Since these external drives are externally powered, I can put their power supplies on some sort of timer, and if they're powered off, they're effectively air-gapped. Especially if the timer is strictly mechanical and/or disconnected from the network.
But how do I set up Veeam B&R at the Home Office to make this all work? Thanks!
You do not need a dedicated Veeam B&R instance there; everything can be managed via a single backup server. The remote server will be added to it as a repository and used as a target for backup copy jobs.
Thanks! But if the remote box is just a repository, will I still be able to create recovery media and/or recover files from it if the main Veeam box goes down?
If I do need to set up a Veeam B&R instance on my remote box to provide recovery capability, will it fight with my main Veeam box? Or will they understand how to work together?
Thanks! But if the remote box is just a repository, will I still be able to create recovery media and/or recover files from it if the main Veeam box goes down?
Yep, you will need to install a backup server (or restore it from a backup), restore its configuration and restore whatever files you want to from backups stored in this repository.
Moreover, even if you don't have a configuration backed up, you will be able to perform restores. All you will need to do prior to restoring is to import backups.
Ok, I think I understand. So I need to make sure the main Veeam box is backing up its config to the remote box, as well as copying over the backup sets.
Then, if disaster strikes I can then install Veeam B&R onto the remote repository, restore the configuration from that backup, import the backups, and then the remote box will behave just like a duplicate of the original box. Correct?
In case of a DR, you can even install B&R on your laptop, import backups as Vladimir suggested and restore a workload you need ASAP. A Configuration Backup will be required in case you'd like to set up a new server that will continue the operations of the old one: planned migration or loss of the backup server are typical scenarios.
Yes, you would like to store the configuration backup on some remote box/USB drive/cloud so it will be accessible in case you have lost a significant piece of the backup infrastructure.
Then, if disaster strikes I can then install Veeam B&R onto the remote repository, restore the configuration from that backup, import the backups, and then the remote box will behave just like a duplicate of the original box. Correct?
Almost: if you restore the configuration, importing backups won't be required. Thanks!
It wouldn't harm to test theoretical concepts in a real-life deployment, indeed. Should any additional questions arise, don't hesitate to let us know. Thanks!
Hi,
What we do is a backup copy to offsite and another backup copy onsite to a USB device (offline repository). This USB is offline all the time; I only connect it to the IT PC when doing backups, and the rest of the days it is in a fireproof closet. I test the USB restore a few times a year by restoring all VMs (full restore) to another VMware vSphere system; so far all VMs have worked fine. Previously I had problems when I encrypted the USB backup copy: the encryption password didn't work when I tried to restore to a new vSphere system, even though it was 100% right. There is a forum thread about this: vmware-vsphere-f24/error-message-invali ... ml#p344615
I suggest getting faster USB storage if backing up a lot of data (TBs). Now I use a USB device with 2 hard disks in RAID0 so that the transformation/merging of the backup chain will be much faster (I want to have the offline USB online for as little time as possible).
Yes, of course, but with 1 disk the merging and health checks take so long (from morning till the next day) that the purpose of offline is fading away, since the USB would be online almost a day every time we need to take a backup. The offsite copy twice a day still exists in case something happens to the "offline" USB. A RAID1 USB would be much better (the USB we use was originally configured as RAID1), but I doubt fast enough big SATA disks will exist any time soon. RAID10 USB devices become quite heavy and big to move around, and the costs go up too. Actually, I should time it with the current USB as RAID0, then put it in RAID1 and see the difference. With a 1-disk USB it was too slow; with RAID1 the only help is the read part. I wonder if anyone has tested the speeds like this. I suppose merging is write intensive, so RAID1 doesn't help much. Just for the sake of interest, I think I will test these.
veremin wrote: ↑Dec 12, 2019 3:50 pm
It wouldn't harm to test theoretical concepts in a real-life deployment, indeed. Should any additional questions arise, don't hesitate to let us know. Thanks!
Tonight I'll take it home and see how well the backup backups work over my IPSec VPN. Wire speed from the main office is only 20 Mbps, so this could take a long time.