Backup Topology Question

[mshilston]

Hi All,

I'm currently working on designing a Veeam Backup and Replication 9.5 solution and am looking for some clarification on a few points to determine what components I do and don’t need to consider for the design to work.

At the moment, I plan to use a powerful physical machine (BU1) with a local SQL install as the primary backup server. This will have direct attached storage that will be used as the backup repository.

There will then be a separate vSphere environment consisting of a bunch of hosts managed by a vCenter and hosted on that hardware will be a number of domains separate from each other.

-Virtually Hosted Domain A – this will provide the SSO domain for vCenter
-Virtually Hosted Domain B – separate stand-alone domain

I plan to use the virtual ‘Domain A’ to authenticate users of Veeam as well as it being the SSO domain for vCenter. So effectively, my understanding is that Veeam backup server BU1 need to be a member of Domain A. Is that correct?

My second question is about backups of the other domains. If I’m using Domain A as the vCenter SSO source and the Veeam BU1 server domain, how do I backup Domain B machines in the following scenarios;

- Backing up whole machine – I assume that the snapshot rights given to Veeam by virtue of the vCenter access would allow machine level backups to be taken with no additional configuration. Is this correct?

- Taking application aware backups / performing file level restores – Do I need a backup proxy joined to Domain B to perform one or both of these, or can I simply supply credentials to that domain? Do I need a proxy for each additional separate domain I want to back up or can I have one proxy accessing and backing up all domains? Are there any limitations I need to watch out for?

Grateful for any input,

M

[DGrinev]

Hi and welcome to the community!

Veeam backup server BU1 need to be a member of Domain A. Is that correct?

This isn't a mandatory for BU1 to be a member of Domain A, as you will choose vCenter as management server and type in valid credentials on the connection step.

Backing up whole machine – I assume that the snapshot rights given to Veeam by virtue of the vCenter access would allow machine level backups to be taken with no additional configuration. Is this correct?

That's correct, but not only snapshot permission. Please find the description of granular permissions in this document: Veeam B&R version 9.0

Do I need a backup proxy joined to Domain B to perform one or both of these, or can I simply supply credentials to that domain?

That's not necessary to have a separate backup proxy. Valid credentials are all you need.

Backup proxies take the workload off backup server, so the number of proxies depends on the scale of your infrastructure.
Please review detailed information about Backup Proxy in our UG.
Thanks!

[mshilston]

Hi Dmitry,

Thanks for your response on this - it has made me think about a few things.

Initially, I was considering that roles and permissions would be managed via AD groups, but from what I've read it seems like this would mostly only apply when using Veeam Backup Enterprise Manager to delegate permissions to branch offices and I'm not sure I need that level of granularity yet. How easy would it be to add that in at a later date? Furthermore, is it possible to delegate or restrict permissions to back up or restore specific VMs or files within VMs without Enterprise Manager?

I don't think I really need a proxy for offloading workloads at the moment, but I understand the Direct storage access transport mode doesn't support vSAN so I'd be looking at going the Virtual Appliance route, hence adding a virtual backup proxy. Have I got that right?

Thanks again!

[DGrinev]

Hi,

How easy would it be to add that in at a later date?

You can implement Enterprise Manager any time later without a trouble.

Furthermore, is it possible to delegate or restrict permissions to back up or restore specific VMs or files within VMs without Enterprise Manager?

There is a vCloud Director to achieve what you're after.

I don't think I really need a proxy for offloading workloads at the moment, but I understand the Direct storage access transport mode doesn't support vSAN so I'd be looking at going the Virtual Appliance route, hence adding a virtual backup proxy. Have I got that right?

You got it. Thanks!