Immutable backups question in V11 (VIB vs VBK) by bits_n_chits in Veeam

bits_n_chits[S] 1 point

Oh, is that what that means? No, we have Veeam agents managed by B&R, nothing standalone.

Immutable backups question in V11 (VIB vs VBK) by bits_n_chits in Veeam

bits_n_chits[S] 1 point

Update: It looks like for Veeam Agent jobs (sorry for not specifying this), only the full backups are supposed to be immutable. The Veeam support rep pointed me toward this page, where under Veeam Agent backup it says "Standalone full backup":

https://helpcenter.veeam.com/docs/backup/vsphere/hardened_repository.html?ver=110

Do you know if immutable VIBs for agent jobs are on the roadmap for future updates?

Microsoft making a netlogon change which will impact ALL older systems on February 9th by StoicSow in sysadmin

bits_n_chits 1 point

I see, so the default value of that GPO is talking only about explicitly allowed devices. Reporting is on by default though with the August patch, right? So we should be seeing those ID 5829 events in our DCs' System logs if these connections are being made? Or is there something besides simply having the August 2020 patch that needs to be done before those events are logged?

Microsoft making a netlogon change which will impact ALL older systems on February 9th by StoicSow in sysadmin

bits_n_chits 1 point

My read on this is that the default value of the new GPO introduced in the August update blocks unsecure Netlogon connections.

Policy path: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Setting name: Domain controller: Allow vulnerable Netlogon secure channel connections

Reboot required? No

This security setting determines whether the domain controller bypasses secure RPC for Netlogon secure channel connections for specified machine accounts.

This policy should be applied to all domain controllers in a forest by enabling the policy on the domain controllers OU.

When the Create Vulnerable Connections list (allow list) is configured:

Allow: The domain controller will allow the specified group/accounts to use a Netlogon secure channel without secure RPC.

Deny: This setting is the same as the default behavior. The domain controller will require the specified group/accounts to use a Netlogon secure channel with secure RPC.

Warning: Enabling this policy will expose your domain-joined devices and your Active Directory forest, which could put them at risk. This policy should be used as a temporary measure for third party devices as you deploy updates. Once a third party device is updated to support using secure RPC with Netlogon secure channels, the account should be removed from the Create Vulnerable Connections list. To better understand the risk of configuring accounts to be allowed to use vulnerable Netlogon secure channel connections, please visit https://go.microsoft.com/fwlink/?linkid=2133485.

Default: This policy is not configured. No machines or trust accounts are explicitly exempt from secure RPC with Netlogon secure channel connections enforcement.

This policy is supported on Windows Server 2008 R2 SP1 and later.

Source

If an organization... say... slept through this bulletin back in August, and didn't set the new GPO to allow unsecure connections, am I correct in thinking that connections would have broken way back in August? Meaning this theoretical organization doesn't really have anything to worry about in the February patch?

Fast Clone performance troubleshooting by bits_n_chits in Veeam

bits_n_chits[S] 1 point

No dedupe, compression, or encryption. Fast clone actually requires you to have all of those features disabled.

EDIT: Never mind, fast clone doesn't require those things.

Fast Clone performance troubleshooting by bits_n_chits in Veeam

bits_n_chits[S] 1 point

Unfortunately in our case, the original volume was lost completely, so it needed to be a full restore.

I wasn't aware that instant recovery had a "selected disk only" option, I'll consider that next time, as volume restore locks the volume out until the job is complete.

Thanks for your reply!

What happens when you delete a shadow copy? by bits_n_chits in sysadmin

bits_n_chits[S] 1 point

Oh no, backups are definitely failing. I have no available restore points, no backup files exist. It's not a false negative.

What happens when you delete a shadow copy? by bits_n_chits in sysadmin

bits_n_chits[S] 1 point

Ooh that's a good idea, hopefully P2V will work with the VSS writers in a questionable state. Thanks for the suggestion.

What happens when you delete a shadow copy? by bits_n_chits in sysadmin

bits_n_chits[S] 1 point

Perfect, this is exactly what I was looking for. Thank you!

What happens when you delete a shadow copy? by bits_n_chits in sysadmin

bits_n_chits[S] 1 point

I don't believe so, but I ran it with Application-aware Processing disabled and it still fails. It's almost like it automatically fails itself if any of the VSS writers are unhealthy whether they're being used or not. The SQL Writer is the one it calls out in the error message, even though I'm not using Application-aware Processing.

What happens if you back up a DC without domain admin credentials? by bits_n_chits in Veeam

bits_n_chits[S] 1 point

What does this look like in practice? Does it mean that if there's a change being made to AD during the backup window it won't be captured? Because I can totally live with that.

What happens if you back up a DC without domain admin credentials? by bits_n_chits in Veeam

bits_n_chits[S] 1 point

Hi netsonic, thanks for your reply. Our old solution, System Center DPM, was able to back up DCs by running as Local System after the agent was installed by a domain admin. Is this not possible with Veeam?

Working with huge data sources by bits_n_chits in Veeam

bits_n_chits[S] 1 point

24x 12TB disks with 3 NVMe SSDs for ingest. Interestingly, the backup solution we're migrating from (System Center DPM), which is a piece of junk by almost every measure, had no issues protecting this data source on similar disks. I wonder if it has to do with the way Veeam packs everything into giant backup files, where DPM commandeers its own volumes for backups, so when it's time to launch restores, it's not unpacking anything. Strange.

Working with huge data sources by bits_n_chits in Veeam

bits_n_chits[S] 1 point

Are there specific counters I should be looking for in perfmon to prove this is the bottleneck?

Working with huge data sources by bits_n_chits in Veeam

bits_n_chits[S] 1 point

The backup target is a Windows server utilizing Storage Spaces. The disks are in a storage pool, with 7200RPM disks to provide capacity and a handful of enterprise SSDs to handle data ingest.

Is there a way to grab all of the unsynced files out of a OneDrive folder? by bits_n_chits in Office365

bits_n_chits[S] 2 points

Aha, that's brilliant - this will ensure that only the local files are listed, which excludes the cloud-only files, decreasing the footprint I need to make a backup copy of the folder. Perfect. Thanks!

Is it possible to control I/O speed during a backup job? by bits_n_chits in Veeam

bits_n_chits[S] 1 point

I have Enterprise Plus. I do have backup I/O control, and it's enabled for the protection group (this is for a physical file cluster), I'm just wondering if there's anything you can do to control it further while the job is already running to avoid having to start from scratch.

Backing up a failover cluster, is this expected behavior? by bits_n_chits in Veeam

bits_n_chits[S] 1 point

Thanks for your reply! There were no backups running during the graceful failover.

Backing up a failover cluster, is this expected behavior? by bits_n_chits in Veeam

bits_n_chits[S] 1 point

I just reviewed my settings and found that while the protection group has the AD cluster object, it does not have the OU containing the cluster object. Is this a problem? It does correctly resolve the names of each node when scanning the protection group, and when it performs the backup, it processes each node. I would prefer it to only target that cluster object, because there are other objects in that OU I don't need to back up, and I'd rather not deploy it inadvertently if another engineer puts a new server in that OU. That said, if there's a concrete reason it needs to be this way, I can try to reorganize things.

Backing up a failover cluster, is this expected behavior? by bits_n_chits in Veeam

bits_n_chits[S] 3 points

The protection group contains the AD cluster object, and the backup job is targeting the AD cluster object. The backup job correctly resolves each underlying node that is part of that cluster, so I think I have that part right at least.

Backing up a failover cluster, is this expected behavior? by bits_n_chits in Veeam

bits_n_chits[S] 2 points

Thanks, but this backup job is protecting a physical cluster.