UAIR with multiple networks and domains

[mwhalley]

I have tried searching this forum to see if I could see whether anyone else had posted this question. I couldn't find anything on the subject, apologies if this has already been discussed.

We are a hosting company and use Veeam to backup all of our hosted VM’s. Each of our customers have VM’s on separate virtual networks and domains. The Veeam backup server (which also hosts the Veeam Enterprise Manager) is located on a network separate again to the customer networks.

My question is: What is the best practice for using the UAIR recovery to restore AD, Exchange and SQL for each of the customer VMs?

If I run the UAIR recovery wizard from the Veeam server, it is unable to see any of the customer production networks therefore when the wizard asks you to connect to the domain controller it is unable to do so.

I have also tried installing the UAIR application on a client machine on the domain of one of the customer networks, this machine has access to both its own network and the network where the Veeam server (and Enterprise Manager) resides. However when I try to connect to the Enterprise Manager I get an error stating “The server has rejected the client credentials”. I now know that the client machine where the UAIR application is installed must reside on the same domain as the Enterprise Manager.

Thanks in advance for your advise.

[dellock6]

Running U-AIR in a multi-domain environment is a really tricky stuff.
On a "multi-domain belonging to the same forest" environment, AD domain trusts will help for sure, but this is something impossible to do in a multi-tenancy environment, where every hosted domain has to be separated from each other.
At the moment, in our environment (basically same as yours) we ended up offering only crash-consistent backup. I would like to integrate also VSS-aware backups if the customer allows us to have their admin credentials to run application-aware backups, but I have not finished testing the restore part of this.
I found no direct way at the moment to delegate restore activities to different customers (also access to backup repositories is an issue), but I'm really interested too in a possible workaround to do this. This thread can become a starting point to exchange our ideas regarding this topic.

[mwhalley]

Thanks for the response Luca, I am out of ideas how we are going to proceed with this.
We can't be the only two Veeam users who host Virtual Machines for multiple customers who require this sort of functionality.
It is simply not feasible to have individual Veeam servers for each customer.
Does anyone have any suggestions regarding this?
Thanks
Mark

[SteveOllis]

Hi Guys,

I'm also needing to tackle this problem.

The only way I can think of solving this is by:
a) providing a dedicated dual homed backup proxy for each customer, and manually allocating to the job
b) by having a backup Private vLAN for the hosting company, and then to dual-home one of the customer machines into that vlan, install the Veeam Proxy on the customer VM, and dedicate it in the backup job.
c) have a group of proxies, with carefully managed NATs/persistent routes to make sure you have unique ranges per proxy/customers - VERY MESSY

Steve Ollis
Data Centre Administrator
Oriel Hosting, Sydney Australia

[SteveOllis]

I have come up with another solution

Requirements:

• Hosting Provider Backup vlan
• Hosting Provider per-customer virtual firewall with a leg in both customer network, and Hosting Backup vlan
• IP address in Customer network, NAT'd to an address in the Hosting Backup vlan
• Hosting provider Veeam B&R proxy with leg into the backup vlan
• Change to Veeam B&R Proxy

Basically, the B&R change would be to allow the Veeam B&R operator to, per backup job, configure an IP address that will be the source IP used by the B&R Proxy to perform the Remote VSS api call. As long as the NAT'ing is setup correctly into the customer network, the VSS call would appear to originate from an IP within the customer network, and as long as the credentials were correct, the VSS would correctly trigger. And then a full multi-tenanted backup solution is available.

Please feel free to tear this apart, and/or improve it.

Steve Ollis
Data Centre Administrator
Oriel Hosting, Sydney Australia

[SteveOllis]

After re-reading this, I realise I left out a vital piece.

A remote VSS proxy agent is also needed on one of the servers in the customer container to actually initiate the Remote VSS call.

[tsightler]

I'm not really sure I follow you. Remote VSS calls are required during backups, not during restores. This thread is about U-AIR, which is all about restores. Performing backups with VSS isn't really an issue because Veeam doesn't require network connectivity to perform application aware processing, just VMware tools and an account with appropriate permissions.

[SteveOllis]

Yes, for U-AIR, the issue is different, and maybe my replies should be placed in another thread.
Starting new thread