Comprehensive data protection for all workloads
Post Reply
Moebius
Veeam ProPartner
Posts: 169
Liked: 23 times
Joined: Jun 09, 2009 2:48 pm
Full Name: Lucio Mazzi
Location: Reggio Emilia, Italy
Contact:

User privileges needed for VSS?

Post by Moebius »

I'm still a novice with Veeam Backup and performing the first tests at the customer's premises.
I'm trying to back up a DC with VSS integration (without VCB).
Which privileges must I assign to the account the VSS agent uses? The wizard says local administration privileges, but the domain admins are reluctant to let me use those privileges. I tried with a Backup Operator user and it does not work.

What is the minimum privilege level the VSS agent needs in an AD environment?

Thanks,
Lucio

Gostev
SVP, Product Management
Posts: 26706
Liked: 4277 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: User privileges needed for VSS?

Post by Gostev »

Lucio, minimal privileges for this account is Local Administrator on target VM. If you are doing the testing only, don't use this at all. As far as I understand, you are doing some demo backups and will not actually restore them into production.

Moebius
Veeam ProPartner
Posts: 169
Liked: 23 times
Joined: Jun 09, 2009 2:48 pm
Full Name: Lucio Mazzi
Location: Reggio Emilia, Italy
Contact:

Re: User privileges needed for VSS?

Post by Moebius »

Thanks Gostev, the way you support your product is awesome.

I'm left with another question: are there any drawbacks in choosing to use the VSS integration with all VMs, even with those that wouldn't really need it (regular Windows file servers etc) just for the sake of simplicity?

Vitaliy S.
Product Manager
Posts: 24260
Liked: 1865 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: User privileges needed for VSS?

Post by Vitaliy S. »

Lucio,

There are no any drawbacks you can use it with all VMs (just state the correct account with enough privileges), also keep in mind that for Windows machines the recommended way is to use Veeam Vss and for Linux - VMware Tools Quiescence option, which can be enabled at advanced job settings.

Gostev
SVP, Product Management
Posts: 26706
Liked: 4277 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: User privileges needed for VSS?

Post by Gostev »

Lucio, I recommend that you use Veeam VSS integration for all Windows VMs no matter of apps they run. There are just too many transactional applications and services on any Windows box, even in the actual OS alone... of course, in 99.9% of cases all those apps will withstand computer reset (which is essentially what crash-consistent backup is). But do you want to take this 0.1% chance on larger scale, with backups of hundreds or thousands of VMs every day?

Just to give you an idea on how many Windows applications and services require proper application-aware VSS freeze, open the command prompt and ran the following command for full list of all writers installed on specific VM. It will be different for each VM depending on the apps installed, output example from my fairly clean work desktop is listed below.

Code: Select all

vssadmin list writers

Code: Select all

Writer name: 'Task Scheduler Writer'
   Writer Id: {d61d61c8-d73a-4eee-8cdd-f6f9786b7124}
   Writer Instance Id: {1bddd48e-5052-49db-9b07-b96f96727e6b}
   State: [1] Stable
   Last error: No error

Writer name: 'VSS Metadata Store Writer'
   Writer Id: {75dfb225-e2e4-4d39-9ac9-ffaff65ddf06}
   Writer Instance Id: {088e7a7d-09a8-4cc6-a609-ad90e75ddc93}
   State: [1] Stable
   Last error: No error

Writer name: 'Performance Counters Writer'
   Writer Id: {0bada1de-01a9-4625-8278-69e735f39dd2}
   Writer Instance Id: {f0086dda-9efc-47c5-8eb6-a944c3d09381}
   State: [1] Stable
   Last error: No error

Writer name: 'System Writer'
   Writer Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Instance Id: {8458dcff-705f-46cf-8f26-83a98a7d4d78}
   State: [1] Stable
   Last error: No error

Writer name: 'ASR Writer'
   Writer Id: {be000cbe-11fe-4426-9c58-531aa6355fc4}
   Writer Instance Id: {4068643e-4331-4b84-bb2a-50ef014dd02f}
   State: [1] Stable
   Last error: No error

Writer name: 'COM+ REGDB Writer'
   Writer Id: {542da469-d3e1-473c-9f4f-7847f01fc64f}
   Writer Instance Id: {d509012f-0d09-487b-aa4f-b7e4029f6143}
   State: [1] Stable
   Last error: No error

Writer name: 'Shadow Copy Optimization Writer'
   Writer Id: {4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f}
   Writer Instance Id: {be331403-275a-496c-8dca-9a20a1c8e1f7}
   State: [1] Stable
   Last error: No error

Writer name: 'Registry Writer'
   Writer Id: {afbab4a2-367d-4d15-a586-71dbb18f8485}
   Writer Instance Id: {ea70cdd5-c228-4fac-b543-628fb71c5556}
   State: [1] Stable
   Last error: No error

Writer name: 'SqlServerWriter'
   Writer Id: {a65faa63-5ea8-4ebc-9dbd-a0c4db26912a}
   Writer Instance Id: {ff8ef0e0-f84a-4893-8dce-808ae4247783}
   State: [1] Stable
   Last error: No error

Writer name: 'WMI Writer'
   Writer Id: {a6ad56c2-b509-4e6c-bb19-49d8f43532f0}
   Writer Instance Id: {2a3a7c20-5480-413d-acd9-6766918b56d7}
   State: [1] Stable
   Last error: No error

Writer name: 'BITS Writer'
   Writer Id: {4969d978-be47-48b0-b100-f328f07ac1e0}
   Writer Instance Id: {ffbc24e9-f26b-406d-b381-c36db43dd167}
   State: [1] Stable
   Last error: No error

Writer name: 'MSSearch Service Writer'
   Writer Id: {cd3f2362-8bef-46c7-9181-d62844cdc0b2}
   Writer Instance Id: {df8e5d61-e850-4cdd-acd2-15bb3a7ca0aa}
   State: [1] Stable
   Last error: No error
^^^ obviously all these apps have VSS writer for a good reason!

Moebius
Veeam ProPartner
Posts: 169
Liked: 23 times
Joined: Jun 09, 2009 2:48 pm
Full Name: Lucio Mazzi
Location: Reggio Emilia, Italy
Contact:

Re: User privileges needed for VSS?

Post by Moebius »

Thanks again guys. This VSS thing seems to confuse many users, not only me... Maybe a sticky explaining how to handle it once and for all would be welcome to many.
So I read the manual and I read back and forth on the Forum, and this is what I gather (assuming ESX 3.5 u2 or greater, and Veeam Backup 3.1 or greater):

1. On any Windows box, use VSS integration whenever possible. The VMware Tools quiescence checkbox (in Advanced) can be left checked as it will be automatically disabled by Veeam Backup. Also VMware VSS (if installed with the VMware tools) will be disabled in this case, so no need to worry about it.

2. On Linux VMs, leave VMware Tools quiescence option checked.

3. It follows that the VMware Tools quiescence, which is checked by default, should be unchecked ONLY when backing up Windows boxes where VSS cannot be used for any reasons AND some highly transactional applications (Excel, MS SQL - Domain Controllers??) are running.
It also follows that VMware VSS does not need to be uninstalled or disabled in any case as it will be correctly handled by Veeam Backup.

Is this correct?

Gostev
SVP, Product Management
Posts: 26706
Liked: 4277 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: User privileges needed for VSS?

Post by Gostev »

Correct, great summary... I can see you've read quite a few topics on the subject ;)

1. Correct.

2. Correct. Just an additional note: for some Linux apps, some people prefer using VMware pre-freeze/post-thaw script to suspend/stop the application before the snapshot is taken, and resume/start after that. This is basically Linux way of doing application-aware freeze. One example is Oracle, we even have some sample scripts on forum for this.

3. Correct. Example: SQL2000 + regular VMware Tools quiescence = corrupted SQL on the source (production) VM.

Moebius
Veeam ProPartner
Posts: 169
Liked: 23 times
Joined: Jun 09, 2009 2:48 pm
Full Name: Lucio Mazzi
Location: Reggio Emilia, Italy
Contact:

Re: User privileges needed for VSS?

Post by Moebius »

I'm looking for a common setting for all the VMs in this infrastructure.
There is a large mix of Win 2008, Win 2003, Win 2000 server boxes, with many applications ranging from SQL2000, SQL2005, Oracle, Exchange 2007, MS Domain Controllers and more.

My first thought would be to enable VSS integration for all the VMs, leave the "Continue backup even if Veeam VSS quiescence fails" box checked for those OSs that cannot support VSS like Windows 2000, and leave the VMware Tools quiescence enabled.

But what happens when VSS quiescence fails? Is VMware tools quiescence automatically disabled or left enabled? I am worried about my Win 2k server + SQL2000 or Oracle app servers. Do I have to set different options (and hence a separate backup job) for those VSs, and which ones exactly?

Thanks!
Lucio

Gostev
SVP, Product Management
Posts: 26706
Liked: 4277 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: User privileges needed for VSS?

Post by Gostev »

Lucio, you definitely do not want to use regular VMware Tools quiescence on Win 2k server + SQL2000, as it would corrupt SQL on your production VM. On non-VSS aware operating systems, best bet is to use pre-freeze and post-thaw scripts to stop/start database services during snapshot creation. There are a few existing threads discussing all of this topic on the forum.

Moebius
Veeam ProPartner
Posts: 169
Liked: 23 times
Joined: Jun 09, 2009 2:48 pm
Full Name: Lucio Mazzi
Location: Reggio Emilia, Italy
Contact:

Re: User privileges needed for VSS?

Post by Moebius »

Thanks Anton.

On the other hand, I found out by repeated testing that the pre-freeze and post-thaw scripts are activated ONLY if VMware Tools quiescence is left enabled in the Advanced Settings.
I find this important detail is entirely skipped in the documentation. (*)
So the correct way to backup a Windows 2000 + Oracle/SQL DB VM is to
- leave the Vmware Tools quiescence enabled, AND
- quiesce the database by means of pre-freeze and post-thaw scripts.

The only alternative, as far as I can see, would be to backup the VM without VT quiescence nor quiescing scripts, ie. a crash-consistent backup, and hope for the best --- should a restore be needed.

So when you say "you definitely do not want to use regular VMware Tools quiescence" I take it you actually mean "you definitely do not want to use regular VMware Tools quiescence without quescing the database with custom scripts".
Is this correct?

(*) ps. The manual is very sketchy and very funny at the same time about the VMware Tools quiescence thing. All it says (pag. 51) is:
"Select the Enable VMware tools quiescence check box if you are performing the backup job for running virtual machines, and want it to be performed correctly." Is there anyone that would want the backup job for his virtual machines to be performed incorrectly? :lol:

Gostev
SVP, Product Management
Posts: 26706
Liked: 4277 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: User privileges needed for VSS?

Post by Gostev »

Correct, I completely forgot that those scripts are connected with this setting.

Post Reply

Who is online

Users browsing this forum: janbe and 34 guests