Hi all,
I work at an SP that also provides BaaS for Microsoft 365 with VBM365.
We have our own self-service portal and our resellers can create their own "tenants / organizations".
This will be configured on the VBM365 server and a couple of proxy servers and voilà, life is good.
However, from a performance and security point of view we need to move every VM out of the AD and if possible use all new server OS (2022).
Now I found https://www.veeam.com/kb2649 and there it states that it's not possible to move the configuration data, and I know that moving these servers out of the AD will cause other issues.
So what is the best way to handle this?
Note:
Backups are directly offloaded to S3 compatible storage.
Side question: I found the V11 scalability tweaks, but couldn't find any for VBM365. Are there any?
-
- Veeam Legend
- Posts: 377
- Liked: 113 times
- Joined: Apr 22, 2022 12:14 pm
- Full Name: Danny de Heer
- Contact:
Replace VBM server
VMCE / Veeam Legend 2*
-
- Veeam Software
- Posts: 723
- Liked: 185 times
- Joined: Jun 05, 2013 9:45 am
- Full Name: Johan Huttenga
- Contact:
Re: Replace VBM server
Have you thought of using the steps described in the knowledge base article but automating this with VB365 PowerShell? https://helpcenter.veeam.com/docs/vbo36 ... tml?ver=60
It should be possible to get enough job settings with Get-VBOJob to be able to recreate these on the new server. I would make sure you carefully test this, but I imagine that most service providers would use something like this. Not sure if this is acceptable to you - but it might save you time.
From a scalability tweak perspective, we have a best practice guide - https://bp.veeam.com/vb365/. The trick is to only use one app registration per customer. I've also heard anecdotally that some people have the most success with 16 threads under the "Configure Threads and Network Bandwidth" section. But that depends on if you have problems with throttling on the M365 side. https://helpcenter.veeam.com/docs/vbo36 ... tml?ver=60
-
- Veeam Legend
- Posts: 377
- Liked: 113 times
- Joined: Apr 22, 2022 12:14 pm
- Full Name: Danny de Heer
- Contact:
Re: Replace VBM server
Hi Johan,
If I create a new server and were able to create all organizations on them, wouldn't I need to have all credentials to make a new backup application? Or can I use the existing one? I don't know if the connection will be made with a new GUID on the server with new TLS certificates...
VMCE / Veeam Legend 2*
-
- Veeam Software
- Posts: 723
- Liked: 185 times
- Joined: Jun 05, 2013 9:45 am
- Full Name: Johan Huttenga
- Contact:
Re: Replace VBM server
Did you try to add an organization using an existing application id? It would be problematic if we had to recreate these each time, after all with the whitelisting that happens for Teams API access now, it needs to be relatively easy to reuse an application id even if you change servers. https://helpcenter.veeam.com/docs/vbo36 ... .html?#uea
Add the organization and select the services you want to protect in VB365. On the next page choose modern authentication, next choose to use an existing Azure AD Application. Enter the Application ID in question, you can look this up on your original server, or in the Azure Portal. Then you'll be asked for a certificate.
You will need to either (a) generate a new one and upload this in Azure AD under certificates and secrets or (b) export the existing certificate on the old server and import it on the new server.
a. Select "Install" next to the certificate field, and choose "generate a new self-signed certificate", give it the appropriate name, and hit finish. With a bit of magic, if you follow the rest of the wizard you'll see that we actually associate this new certificate with your existing Azure AD application. There is a checkbox specifically for this - "grant this application required permissions and register its certificate in Azure AD".
b. To export the existing certificate log in to the computer as the user that initially configured the organization in VB365. Then open certlm.msc (Local Computer Certificate Manager) and select Personal. Then choose the certificate that matches the thumbprint associated in VB365. You can double check the thumbprint within the Azure Portal for the selected Azure AD App Registration, under certificates and secrets. Right click on the correct certificate and select export. Yes, export the private key. Choose PFX, enter a password and save the file. Once you've copied this to the new server, in VB365 select "Install" next to the certificate field. Import certificate from a PFX file and enter your password. Continue with the wizard.
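Option (b) above done from PowerShell instead of certlm.msc, as an added example that is not part of the original post or Veeam's own tooling: it refuses to export unless the thumbprint matches exactly and the private key is present, and it lets the new server check the PFX before it is handed to the VB365 wizard. The function names, thumbprint and file paths are placeholders chosen for illustration; only built-in Windows PKI cmdlets are used.

```powershell
# Added example. Function names, thumbprint and paths are illustrative placeholders.

function Export-AppCertificate {
    param(
        [Parameter(Mandatory)] [string]       $Thumbprint,  # as listed for the app registration
        [Parameter(Mandatory)] [string]       $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password
    )
    # Values copied from a UI may contain spaces or lowercase hex; normalise first.
    $tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    # "Personal" in certlm.msc corresponds to Cert:\LocalMachine\My.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $tp }

    if (-not $cert)               { throw "No certificate $tp in LocalMachine\My." }
    if (-not $cert.HasPrivateKey) { throw "Certificate $tp has no private key here." }
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate $tp expired on $($cert.NotAfter); generate a new one instead."
    }

    # Fails with an error if the key was created as non-exportable.
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password `
        -ErrorAction Stop | Out-Null

    # Record the hash so the copy on the new server can be compared against it.
    (Get-FileHash -Path $PfxPath -Algorithm SHA256).Hash
}

function Test-AppCertificatePfx {
    param(
        [Parameter(Mandatory)] [string]       $PfxPath,
        [Parameter(Mandatory)] [string]       $ExpectedThumbprint,
        [Parameter(Mandatory)] [securestring] $Password
    )
    # Reads the PFX without installing anything into a certificate store.
    $pfx   = Get-PfxData -FilePath $PfxPath -Password $Password -ErrorAction Stop
    $found = $pfx.EndEntityCertificates | ForEach-Object { $_.Thumbprint }
    $want  = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $found -contains $want
}

# Old server:
#   $pw = Read-Host -AsSecureString 'PFX password'
#   Export-AppCertificate -Thumbprint '<THUMBPRINT-PLACEHOLDER>' -PfxPath 'C:\Temp\vb365-app.pfx' -Password $pw
# New server, before importing the PFX through the VB365 wizard:
#   Test-AppCertificatePfx -PfxPath 'C:\Temp\vb365-app.pfx' -ExpectedThumbprint '<THUMBPRINT-PLACEHOLDER>' -Password $pw
# After the wizard completes, delete the PFX on both servers:
#   Remove-Item 'C:\Temp\vb365-app.pfx'
```

The PFX holds the private key that authenticates as the tenant's backup application, so it should only exist on disk for the duration of the transfer.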