Installation user accounts questions

[Yuki]

We are deploying latest B&R for ESXi on our network with NAS as a backup target. Currently I'm trying to figure out what is the right way to install and configure the software as it is not clear from the manual/guide. Network is all Windows with Active Directory. Veeam B&R is installed on Windows 7 VM on one of the virtual hosts.

1) Software itself is installed under the domain Administrator account.
2) Special account "Veeam" has been created with network admin rights
3) Backup sources (servers that need to be backed up) have had "Veeam" network account added as a local admin
4)SQL services are configured to use this special account
5) "Veeam" account has "logon as a service" enabled
6) NAS is a QNAP that has user Veeam created with password identical to that of the domain user "Veeam"


Now the problem: If the Active Directory is down - Veeam B&R backups fails to make any backups. So if AD server is being taken down for maintenance, restoration or repair - we can't make backups. Here is the error that we are seeing:

Code: Select all

Starting guest agent
Cannot connect to host [192.168.1.18] over VIX library. Login: [root]. GuestLogin: [domain\veeam].
Cannot login into the virtual machine: [[datastore1] server1.domain.lan/server.domain.lan.vmx]. User: [domain\veeam].
VIX Error: Authentication failure or insufficient permissions in guest operating system Code: 3015

Indexing guest file system
Veeam Guest Agent is not started

Freezing guest operating system
Veeam Guest Agent is not started

[Gostev]

I do not know many application that would work with all domain controllers down. What I do not understand is why do you only have a single domain controller? This is pretty fundamental Active Directory design flaw.

[Yuki]

Alright, fair shot i guess.

This particular company is a small business with a single location and a few users. So in their case it is not a design flaw. They really do not need more than one controller (which can be debated to death, but this is really not the point here, is it?) So my question is back to you - does Veeam support backups and restores when the AD is not avaliable? I imagine in case of a major disaster (fire, flood, earthquake) when all equipment is abandoned and presumed dead - how companies with mutlple ADs would restore their ADs if Veeam relies on AD accounts to process backups/restores.

Just to reiterate - Single AD DC in a small organization is not a design flaw and is in fact configuration officially supported by Microsoft and VMware. How does Veeam support this configuration?

[Gostev]

Well, we do not really require Active Directory presense either... just specify local computer accounts for application-aware processing settings. But if you specify domain account, it is expected that guest processing will fail when all domain controllers are down (since there is no DC to authenticate against).

[Yuki]

So in our evnironment, it should be the proffered configuration to use "local" accounts?

How would we restore the Domain Controller? It does not have "local" accounts that we can specify in a backup job configuration, so we are forced to use domain account to backup AD DC. So if we brought up our Veeam Backup & Restore station - we still can't restore DC since the account is expected to authenticate against the DC that we are trying to restore in the first place?

[Gostev]

I am confused... so far we have been talking about backup only.
What issues do you have restoring VMs when the only Domain Controller down?

[Yuki]

I have not tried the restore yet (just installed the backup software yesterday, since we just purchased it recently). However, as I was configuring and testing backups jobs, I've noticed the reliance on domain accounts for backups. And now i'm wondering if the restore also relies on the same domain account. If it does - then i foresee a problem that i need to resolve somehow. If restore jobs don't rely on the domain account - then we should be OK.

I'm really not trying to confuse you here, just trying to figure out the proper way to set this up for our environment.

[Gostev]

Oh, I see. Unlike during backup, there is no need to connect to guest OS during restore, so you should not have any issues. Unless you add vCenter server to Veeam Backup using domain account when deploying the product, of course.

[Yuki]

Not using vCenter, so we should be fine.

I have another question, but don't know if I should continue asking here of open a new thread (if new thread needed, i'll open one - just let me know), but here it goes :

We will be saving backups onto a NAS and plan on keeping 90 days of backups for each of the 5 virtual machines. Then we want to off-site latest 30 days on portable drives. To automate this - we need to be able to save latest backup set into a folder separate from older files. So for example if we have 1 full monthly and then 29 incrementals, we need to maintain the latest full and up-to 29 incrementals in the same folder.

If we went with Reverse incremental, then our latest would always be full and older backups would be incremental. Is there a way to separate the "N" backups into a separate folder?

[Gostev]

So on day X, when you need to make a last 30 day backup copy to a portable drive, can you just go ahead and copy latest VBK and following 30 VRBs to your portable drive using script? If I understood the scenario right.

[Yuki]

Sure, we can do that. But I wanted to know if Veeam can place either N number of backups in a separate folder or at least store FULL separately from incremental ones.

[Vitaliy S.]

No, that's not possible, as all VBK, VRB and VIB files are stored in the same folder.

[Yuki]

Alright, another question.

We have 2 physical hosts. One (vmhost-new) is newer with 2 CPUs and 12 cores, the other one is older (vmhost-old) with 2 CPUs and 8 cores. The plan is to run all VM's on vmhost-NEW in order to give them more CPU power, more ram and faster local disk arrays.
vmhost-OLD will host Veeam B&R and be replication target in case the NEW server tanks (while backups go to NAS). At the same time we can assign all 6-7 cores to Veeam for faster data crunching. I've just read in the posts that Network Transfer mode is much slower than Appliance mode. I assume that it will fail-over to Network mode if Veeam is on a separate host from the VMs that are being backed up. I'm I correct in that assessment ?

Would running Veeam on vmhost-NEW with 2 cores be better than running it on an empty vmhost-old with 7 cores?

Thanks again!

[Gostev]

Yes, you are correct (if your hosts use local storage).
More cores for Veeam VM is better

[Yuki]

What would you advise though ?

1) Veeam on same host as VMs for appliance mode but with only 2 cores for Veeam
OR
2) Veeam on a different host from VMs (thus in network mode) but with 7 cores for Veeam?

from your previous post sounds like you would recommend option 2, but I would like to get a confirmation.


Issue just came up in last backup job - it completed with a warning saying

Backing up object "[0-RAID5] DriveE.vmdk"
Hot add is not supported for this disk, failing over to network mode...

where should i look for clues to resolve this?

[Gostev]

Honestly, this does not matter for environment of your size at all, both options are okay. These things start to matter when you have a few times more VMs to process, in which case neither solution above would be good anyway.

Please refer to the sticky FAQ topic for full list of hot add limitations.

[Yuki]

The last two are suspects:

• Hot Add transport is not supported for backup server VM with SAS adapters - Our physical server where Veeam VM is running does use SAS drives on a SAS controller. However, all of the VMs on this host were backed up successfully .
• In case of standalone host connection (no vCenter presented), you can only hot add VMs which are located on the same host running Veeam Backup VM. - We don't use a vCenter and the two VMs that gave us error were on a different host, so this must be it.

Another question - If we move Veeam VM from one host to another, will we need to reconfigure any of the backup jobs or should they still work fine?

[Gostev]

Sure. This is what virtualization is all about - making the underlying hardware irrelevant

[Yuki]

A few more questions:

1) We have a vritualized Windows 2000 Server with SQL 2000 on it. As you know there is no VSS for 2000, so we are backing it up with "application aware processing" turned OFF. This means that the backup of the server will restore it to a state similar to that after a crash, right?

2) If the virtual machine is turned shut down completely - for VM copy, backup, replication - shell we keep "application aware processing" OFF and does having it on make any difference? I assume since the machine is OFF - there is no "guest processing" of any sort, right?

Thank you

[Vitaliy S.]

1. I would say it will be restored in a crash-consistent state, but it is not a synonym to "corrupted" or "awful". If you want to backup SQL 2000 VM in a proper way, you should use pre-freeze scripts as it it described in our F.A.Q. topic.

2. Correct, if you backup VMs in a powered off state, there is no need to use "application aware processing", as we are backing up "cold" image.

[Yuki]

Vitaliy,

1) On a windows 2000 server - should we enable VMware tools quiescence for daily backups and will this have any effect on SQL?

2) We have just moved 2VMs from one physical host to another, after which the backup jobs have been manually adjusted to point to the correct host. Now the new incremental file is about 130% in size of the FULL backup done before the VMs were moved. So the question is - will moving a VM from host to host cause a "FULL" backup, even though it is stored in .VIB file? and is there any reason why the VIB is so much bigger (130gb full->184gb incremental and 151gb full -> 192gb incremental).

Спасибо

[Gostev]

1. Only do that only if you want to kill your production SQL for more info, please search for VMware SYNC driver and SQL (Google or on this forum).
2. Correct. In your case, moved VM is treated as new because its unique ID changes. This is the reason why we recommend configuring product by adding vCenter server versus standalone hosts.

[Yuki]

Do you mean it will harm the SQL running on production machine, or that it will harm the SQL in the backup of the production machine?

[Gostev]

production SQL

This.

[Yuki]

Since we should not use "vmware tool quiescence" on our Win 2000 +SQL - how do we call for freeze/thaw scripts ? From what i understand the mentioned feature must be checked in order for freeze/thaw scripts to be called.

We would like to stop some services (including SQL) before the backup is started...

[Yuki]

Do i understand correctly that Backup jobs are handled separately from replication ? A replication job in the middle of a backup cycle is not going to cause new backup chain or break the existing backup chain?

[Gostev]

Since you will stop SQL server through prefreeze script, SYNC driver will not be able to do anything bad to it. SYNC driver only causes issues to running SQL server.

No, backup and replication are not connected.

[Yuki]

That may be the case with SQL, but I've just had to recover a production server from severe file corruption (file tables and USN journal entries on both drives - system and one that stores database files). The server is a Windows 2000+ SQL and the I presume the issue was due to Veeam+vmware tools quiescence (which was turned on because it was recommended by your official user guide. I've only learned about the potential problem from this forum's FAQ and your posts). Besides moving this VM from one physical host to another there has been no change to this VM in the last year. And the only way we were able to recover is by firing up the VM that was left in shut-down state on the old physical host.

[Yuki]

How exactly does the scheduling mechanism work?

I've set Veeam to run forward incrementals on week-days with "full synthetic" on a Saturday, it is also set to keep 30 instances (30 days in our case). Saturday has passed, but nothing happened form what i can tell (full synthetic was not created). It seems that "full synthetic" transformations are only possible if they co-inside with an incremental backup day? If no forward incremental is scheduled for the day - Veeam does not perform a "full synthetic" transform?

In fact, even in the schedule (Jobs) is shows that the next backup is on Monday (when the next incremental will take place). Will it create a full synthetic only after 30 days go by and a saturday comes around?

[Alexey D.]

It seems that "full synthetic" transformations are only possible if they co-inside with an incremental backup day?

With your setup, synthetic full is left out of schedule that's why it never happens. Here's the topic which describes similar case and provides solution: Synthetic Backup Scheduling