Comprehensive data protection for all workloads
Post Reply
muhaynes
Influencer
Posts: 10
Liked: never
Joined: Aug 11, 2011 11:46 pm
Contact:

Questions about SureBackup, DCs and Exchange

Post by muhaynes »

Hello everyone,

So I've been using Veeam 5.0.2 for about a month, very happy thus far. As part of my process I'm beginning to test my backups (making sure I can pull the Veeam jobs from tape, import them, and then read the backups, etc). One thing that has come up is this:

SureBackup does some really cool stuff that facilitate being able to restore a secondary DC to an "island" without breaking Active Directory. I can restore my standalone GC along with my Exchange 2k7 instance and everything is happy fun times. When I attempt to do the same thing manually, by using instant recovery to an isolated virtual network, everything breaks. The DC doesn't recognize itself, DNS stops working, SYSVOL shares go offline, the whole nine yards. I know the restoration is working properly because it boots into safe mode on first-boot, just as it does when I use the SureBackup Lab, but obviously there's a piece missing when I attempt to do this outside of the Virtual Lab environment. I was wondering if anyone might be able to shed some light on this? Does the Virtual Lab automatically let some communication route between the isolated lab network and the production network so the DC will come up properly?

Moving forward I would like to be able to use these labs for extended testing that will likely extend passed my backup window. Will leaving the lab running interfere with my backup jobs? I've got an automated lab job that runs nightly to verify my important VMs, so I guess I would just create a new application group/virtual lab for any additional testing I wanted to do? Also: is it possible to create a replica of a backed up VM that you can safely test/break without fear of invalidating the backup in question, or is it just advisable to clone the VM within vSphere once the lab is going and then stop the virtual lab for posterity's sake? If removed from the lab, I wonder if my DC would explode again...

Thanks!
Gostev
Chief Product Officer
Posts: 31630
Liked: 7128 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Questions about SureBackup, DCs and Exchange

Post by Gostev »

Hi,

Great observation on DC behavior! No, there is absolutely no communication out of the virtual lab environment. There is, however, a secret sauce specific to SureBackup jobs that is required when brining the DC brought from multi-DC environment up in the isolated network. Essentially, Domain Controller is reconfigured before boot to make it works properly in the environment where its replication partners (other DCs) are not available.

Backup job will automatically stop any running SureBackup jobs which are locking the backup files that backup job needs to update. So, backup jobs will always complete fine.

Yes, you can set up any amount of virtual labs if you want multiple isolated environments.

Remember, your backup files are read-only. No matter what you do to VMs running from a backup file, contents of the actual backup file is NEVER modified. All disk writes are redirected elsewhere by vPower NFS - it simply does not have ability to write back to the actual backup file. So, feel free to do whatever is necessary. Many customer are using this extensively for testing. It's quite useful to bring up a complete copy of their environment with just few clicks, and test whatever changes they want to make to production on it first. What I find really cool is that this is a mirror copy. Even network settings, including computer names and IP addresses, are exactly the same. Complete copy of your production that you can do anything with. For example, delete your boss' account. Isn't that just a dream? :D

Thanks!
muhaynes
Influencer
Posts: 10
Liked: never
Joined: Aug 11, 2011 11:46 pm
Contact:

Re: Questions about SureBackup, DCs and Exchange

Post by muhaynes »

Wow Gostev, thanks so much for the quick reply.

That is very very cool.. the more I learn about Veeam the more I like it :)

One thing I'm still unsure of: is it possible to migrate these VMs so my regular environment so they can be used after the lab is torn down? From the sounds of things everything is linked via the vPower NFS redirected writes, but I thought I'd double-check. It would be quite nice to take the reconfigured standalone DC/Exchange combo and stash it away for longer term testing or something along those lines.
Vitaliy S.
VP, Product Management
Posts: 27302
Liked: 2775 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Questions about SureBackup, DCs and Exchange

Post by Vitaliy S. »

Hello,

Yes, sure - you can use VM copy or replication jobs (or even VMware Converter) to copy VMs from the virtual lab to another storage, and keep it there. VM copy and replication will pick up the latest (actual) VM disks state, with all the changes you have made while the VM was running in the virtual lab.

Thanks.
muhaynes
Influencer
Posts: 10
Liked: never
Joined: Aug 11, 2011 11:46 pm
Contact:

Re: Questions about SureBackup, DCs and Exchange

Post by muhaynes »

Nice. Thanks for the help guys.
muhaynes
Influencer
Posts: 10
Liked: never
Joined: Aug 11, 2011 11:46 pm
Contact:

Re: Questions about SureBackup, DCs and Exchange

Post by muhaynes »

Hmm one more question, if you will:

I've gone back to testing a from-tape restore w/ the Surebackup Lab and I'm having issues. I import the backup job, pick the jobs and place them into a Application Group, and then fire the job up. Every time it restores the latest version from my regular backups. I can't seem to find a way to force it to pull the backup instance I've selected for the Application Group. Is this not possible?

Thanks again
Gostev
Chief Product Officer
Posts: 31630
Liked: 7128 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Questions about SureBackup, DCs and Exchange

Post by Gostev »

For imported backup testing, you would have to create separate Veeam instance (which you can use your existing license to deploy), and do such testing there for now. At this time, if there are multiple backups of the same VM available (including imported), SureBackup job will always pickup the latest backup from the backup job (no way to force using imported backup in v5). I stumbled upon this myself even before v5 was released...
muhaynes
Influencer
Posts: 10
Liked: never
Joined: Aug 11, 2011 11:46 pm
Contact:

Re: Questions about SureBackup, DCs and Exchange

Post by muhaynes »

It's all good, I've figured out the hack-ish way to do the "secret sauce" portion of restoring a standalone secondary DC. Not quite as slick (or fast) as the SureBackup way, but at least I know my tape backups are good! Cheers.
Johnaldo
Influencer
Posts: 13
Liked: never
Joined: May 20, 2009 12:17 pm
Full Name: John
Contact:

Re: Questions about SureBackup, DCs and Exchange

Post by Johnaldo »

Within my company we have 18 sites using Veeam Backup and fastscp; for these sites we use enterprise manager also. Question we are having about surebackup is following:

I saw in the documentation that for the setup virtual domain controllers and dns servers are necessary. For the setup we only have physical domain controllers and virtual in country domain controllers. Dns server is a server in the States. Don't know if this one is physical or virtual.

What i understood from the documentation is that we have to configure a virtual domain controller and dns server on each site ? Is it necessary to use a primary dc for this or can we use the in country (secondary) ones for it ?

At this moment we are struggling with the setup necessary for Surebackup, can't we use a fake environment on each location ?

thanks in advance
Gostev
Chief Product Officer
Posts: 31630
Liked: 7128 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Questions about SureBackup, DCs and Exchange

Post by Gostev »

What do you mean by primary/secondary domain controllers? Are you still on Windows NT? Because Active Directory does not have such notion, all domain controllers are made equal. Some domain controllers may also hold FSMO roles (SureBackup does not require such DC). Some domain controllers also hold Global Catalog roles (SureBackup does not require GC DC, however some applications like Exchange will refuse to work properly if they cannot reach GC).

DNS is typically required in the virtual lab, because without DNS, most things fail to work.

Generally speaking, for basic SureBackup testing (makes sure that restored VM will boot up properly, will be pingable, and VMware Tools will be running - meaning OS is fine), you do not have to have DC or DNS. However, if you want to bring up complete and functioning copy of your environment in the virtual lab, then of course you need to have all of its critical pieces there.

Thanks.
Johnaldo
Influencer
Posts: 13
Liked: never
Joined: May 20, 2009 12:17 pm
Full Name: John
Contact:

Re: Questions about SureBackup, DCs and Exchange

Post by Johnaldo »

Thanks Anton, no not on Nt. We have AD. Bottom line we need a dc and a dns server on each site then ?
Gostev
Chief Product Officer
Posts: 31630
Liked: 7128 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Questions about SureBackup, DCs and Exchange

Post by Gostev »

Yes or no - depends on the level of recoverability testing you want to perform.
JZTOR
Service Provider
Posts: 14
Liked: never
Joined: Nov 29, 2010 2:38 pm
Full Name: Joseph Zinguer
Contact:

Re: Questions about SureBackup, DCs and Exchange

Post by JZTOR »

Hi All,
Our company had a problem with SureBackup job for Exchange server 2007 as a part of AIR task.
I created the Application group with two VMs – DC and Exchange server and I have discovered soon that even all services on DC were started (including two DNS services) the DNS and all AD tools did not function properly. At the same time Exchange server was not able to start main ExchangeIS service and few others.
Finally I found that a root cause for this behaviour was the DNS. Because we isolated one DC from the AD with multiple DCs/AD sites, the DNS was waiting for updates from other AD integrated DNS servers.
More details in MS support KB: http://support.microsoft.com/kb/2001093
It was a post related to this issue in Veeam forum as well http://www.veeam.com/forums/viewtopic.p ... ons#p30391
The resolution is simple – one registry key that saying to Windows OS do not wait for updates from other AD integrated DNS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Value name: Repl Perform Initial Synchronizations
Value type: REG_DWORD
Value data: 0

The important step is a reboot the DC after adding this key; the restarting services did not work for me.

I hope that Veeam will add this registry key to the script that already implemented for the DC running in SureBackup to address other issues related to running DC in isolated network without an access for other DCs and some FSMO roles.

Regards.
Gostev
Chief Product Officer
Posts: 31630
Liked: 7128 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Questions about SureBackup, DCs and Exchange

Post by Gostev »

I am trying to squeeze the above into v6, chances are good, but no promises.
JZTOR
Service Provider
Posts: 14
Liked: never
Joined: Nov 29, 2010 2:38 pm
Full Name: Joseph Zinguer
Contact:

Re: Questions about SureBackup, DCs and Exchange

Post by JZTOR »

Thank you, Anton.

As you can see in MS KB article in some cases this issue is delaying the starting DNS (no the DNS server service itself, it is starting fine) but in my case the DNS was not working even after 8 hours after starting virtual DC.
I think it is an important fix. It will save hours and days of work to many Veeam customers.

Best.
markfellows
Expert
Posts: 121
Liked: 6 times
Joined: Mar 24, 2010 12:15 pm
Full Name: Mark Fellows
Contact:

Re: Questions about SureBackup, DCs and Exchange

Post by markfellows »

JZTOR,

Thanks for this, you've saved me trawling the Internet for a solution.

Regards,

Mark
Bunce
Veteran
Posts: 259
Liked: 8 times
Joined: Sep 18, 2009 9:56 am
Full Name: Andrew
Location: Adelaide, Australia
Contact:

Re: Questions about SureBackup, DCs and Exchange

Post by Bunce »

Nice find. :)
resiliences
Service Provider
Posts: 5
Liked: never
Joined: May 29, 2009 3:41 pm
Full Name: Resiliences
Contact:

Re: Questions about SureBackup, DCs and Exchange

Post by resiliences »

Hello,

I'm experiencing right now the same problem. I tried to use the key of JZTOR (Repl Perform Initial Synchronizations).

Strangely, the key worked when I restore the server from a job crash consistent (without application aware) but didn't worked when application aware is enable in the job.

I wonder what is the right needed for the account used in the application aware job ?

If you have any else idea, I thank you by advance.

Regards.

Sylvain.
Vitaliy S.
VP, Product Management
Posts: 27302
Liked: 2775 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Questions about SureBackup, DCs and Exchange

Post by Vitaliy S. »

Sylvain, If you want to use "application-aware image processing" option then local or domain administrator account is required.
Post Reply

Who is online

Users browsing this forum: Bing [Bot], Semrush [Bot] and 36 guests