I need a new backup system. I've been using BackupAssist for many years and it's served me well, but going forward with Server 2022 I want to take the time to reevaluate what I use and modernize software where I can and should. I've heard too many good things about Veeam to not take a look at it.

Here is what I have currently in production:
  • Domain Controller (DC1, DHCP, DNS, and FSMO roles) - Windows Server 2022
  • Domain Controller (DC2, DNS) - Windows Server 2022
  • File server - Windows Server 2008 R2
  • Exchange 2019 (only used for AD-attribute syncing as all mailboxes are hosted on Exchange Online) - Windows Server 2022
  • Synology NAS (backup ONLY)
The file server is old and being replaced over the summer (Windows Server 2022). My previous backup software installed on each server locally then backed up directly to my Synology NAS nightly. I've been wanting to get an offsite copy to the cloud as well.

I've been reading through all of the Veeam docs and I've got some questions.
I have a few years old server that I can install Server 2022 onto and create a dedicated "backup server". Then the question becomes do I join this backup server to the domain? Do I use a service account for Veeam? Previously I had a COMPANY_backup user service account that I reused on each server where the backup software was installed. This then had read/write on the respective folder on the NAS. I had to manage each separately, but it wasn't bad. I really want a centralized location to manage each server and backup job.

Would I be able to make daily full system backups then sync these to the cloud (Azure most likely since we're MS365 already)? Mainly I need to be 100% certain my file server is backed up and easily restorable, as well as AD (I wouldn't need to backup both DCs). Exchange too could also be reinstalled/rebuilt from AD, but if I can back it up I will.

Thoughts, comments, and/or suggestions? All appreciated.
 

Entegy

These five machines, are they physical or virtualized? Veeam was designed to backup VMware VMs first and Hyper-V VMs second, but physical machines can be backed up with an agent.

A service account with essentially admin rights is needed if you want to do application-aware processing in your backup. I would highly recommend you do this for all your Windows machines. This will let Veeam use Shadow Copy and various backup methods to safely backup things like AD objects and Exchange.

Veeam does have the concept of a backup copy. We have it set to copy to an "offsite" in another city daily. Azure and AWS are natively supported as a backup copy target, but you'll need to read the documentation on how it works, the cloud service's pricing, etc.

A VAR could help with the scoping and implementation, but I found Veeam's docs to be very detailed. The price increases in the last couple of years were a bit of an ouch, but it's still a very good backup platform. I'm happy with it.
 

Paladin

Veeam is probably good for your needs, especially if you run things via Hyper-V, which I would recommend you do. Basically have 2 or 3 physical machines for the 5 servers you run. The 5 servers are virtual machines you host on the 3 physical machines. That way you can always keep the 2 domain controllers on different hosts even through updates that require a reboot. You can run a failover cluster if you really want but it is probably not necessary unless you have staff using those machines 24/7 etc.

The Veeam server would be a 4th physical host and you do not need to have it integrated to the domain, from what I have understood. It may be more secure to not do so, and to keep it a bit separate from the rest of the infrastructure. Veeam should be able to authenticate against a domain without the host operating system being integrated to that domain. In the case of standalone server backup targets, the agent software on the servers that are integrated to the domain would be configured with domain user accounts with appropriate access roles and the Veeam server talks to the agents for doing jobs it needs to do via the permissions the agent software is granted.

Just a side note, Microsoft doesn't really recommend you use full backup/restore procedures for active directory domain controllers. Due to the various nuances of time, version control, etc. involved in active directory, they recommend you have multiple domain controllers as redundancy rather than backups where you would plan a full server restore. The full restore option is only recommended in the case of a catastrophic loss of the entire DC infrastructure. It is basically always easier to simply take a faulty domain controller offline and replace it with a new one than to try a full restore from backup. Of course, you can have backups, they just don't recommend using a full restore as a first option to repair problems unless the issue is basically a full loss of domain controller infrastructure, say... all your active servers are wiped or stolen or something.

As another side note, you can easily duplicate your DHCP role to the second domain controller as well. Windows server has supported redundant DHCP service for a good number of years and it works quite well.

If you do end up with a separate backup server, make sure to keep its role singular so you can be sure it will function for restore work regardless of the rest of the network being owned by malware etc. No active file share mappings, or running services the other machines connect to etc. No shared user accounts/passwords, or applications.

stevenkan

You definitely do NOT want to join your Veeam server to your domain, or at least not your main domain. Otherwise, if your domain credentials get compromised, your backup is compromised.

I've been using Veeam 11 for ~3 years now, and it's . . . ok. It does the job, but the error reporting is atrocious. Every time I had a failure pushing an agent to a workstation I had to google the cryptic error message and dig through Google or the forum to find the fix (enable Remote Registry and turn on File Sharing and Discovery).

Veeam 12 is allegedly better at this, but Veeam 12 doesn't support Server 2008 R2, so I have to wait until I can retire my Server 2008 boxes before I can upgrade.

You don't need a Server OS to run your Veeam server. I have it running on a Win 10 Pro box.
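The isolation points raised in the two replies above (backup server kept off the production domain, no share mappings, no shared accounts) can be checked on the backup server itself. This is an added example, not part of any post in this thread; the function names are hypothetical, and it only reads state, it changes nothing.

```powershell
# Added example (not from the thread): read-only audit of a standalone backup
# server against the isolation advice above. Run locally in an elevated
# Windows PowerShell 5.1+ session on the backup server.

function New-Finding {
    param([string]$Check, [bool]$Pass, [string]$Detail)
    [pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

function Test-BackupServerIsolation {
    [CmdletBinding()]
    param()

    # 1. Domain membership: PartOfDomain is $true on a domain-joined machine.
    #    On a workgroup machine, Domain holds the workgroup name.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    New-Finding 'Not joined to a domain' (-not $cs.PartOfDomain) `
        "Domain/Workgroup: $($cs.Domain)"

    # 2. SMB shares served by this box. Special shares (ADMIN$, C$, IPC$) are
    #    skipped; anything else is a service other machines can connect to.
    $shares = @(Get-SmbShare | Where-Object { -not $_.Special })
    New-Finding 'No non-administrative SMB shares' ($shares.Count -eq 0) `
        ($shares.Name -join ', ')

    # 3. Share mappings held by the current user. Get-SmbMapping is per-user,
    #    so repeat this under each account that logs on to the server.
    $maps = @(Get-SmbMapping)
    New-Finding 'No mapped network shares (current user)' ($maps.Count -eq 0) `
        ($maps.RemotePath -join ', ')

    # 4. Members of the local Administrators group (well-known SID S-1-5-32-544)
    #    that are not local accounts, i.e. domain or cloud principals.
    $foreign = @(Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { $_.PrincipalSource -ne 'Local' })
    New-Finding 'Local Administrators contains only local accounts' `
        ($foreign.Count -eq 0) ($foreign.Name -join ', ')
}

Test-BackupServerIsolation | Format-Table -AutoSize -Wrap
```

Password reuse between the backup server's local accounts and domain accounts cannot be detected by a script like this and has to be enforced by procedure.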
 
These five machines, are they physical or virtualized?
Physical. The Exchange server isn't online, but I can't remove it from the network as it would also remove the AD attributes. You can simply shut it down and keep it. I use PowerShell to administer Exchange (add users, etc). I don't need the ECP.

I've spent a lot of time over the past week reading about joined vs non-joined to the domain. I'd agree it would be for the best for an additional layer of security. If there is more setup required I have the time to do it now. I only have to prepare and know what I'll need (local account and a service account with admin rights to backup - right?)

I feel like an old man (not wanting to change anything - lol), but I know my cost for setting up this same amount of servers with BackupAssist costs $2414 for 12-months, then 839.80 each year following. Cost aside I don't love the BA product, but it works and I know exactly how to use it to restore files etc. I don't know how to use Veeam (yet).
 

stevenkan

I've been using Veeam 11 for ~3 years now, and it's . . . ok.
They have free and demo version of a lot of their products. In fact, I think they have a completely free version for up to 3 or 5 servers or something. Why not just give it a shot?
Yes, I should caveat my statement by saying that the first 2 years I used the Community (free) edition to back up my two DCs, since my ancient WS 2012 Essentials-based box wouldn't back up a "server OS." I was able to build an entire backup appliance for <<$600.

That was just my "starter" box, and I've since spent a lot more on drives and on a duplicate box as an offsite repository, and then lately paying for a subscription, but Veeam Free is a very good option for getting started.
 
Downloading and installing this afternoon. I've requested a free trial license key.

Installed the trial. It's up and running. I have a couple (simple) questions:
I want to backup my physical servers (don't need the secondary DC, but I DO want AD to be backed up just in case).

Do I need or should I setup a Protection Group? I downloaded the PDF (quick start and user guide) and started a pot of coffee ;)

I forgot I also had an old server (running 2022) that is my AD Connect service. This doesn't reaaaaly need to be backed up, but why not. My total servers that need to be backed up daily are 4.

DC (AD backup)
File server
Exchange (not necessary, but why not)
AD Connect (also not necessary, but why not)

The two biggest are my DC and my file server. I want to get them backed up and then learn how to sync that backup to the cloud (Azure most likely).

edit: in case anyone doesn't know (and for those that search for these terms later) you can rebuild Exchange from AD. As long as AD is available you could bring a new Exchange server up if you needed to. I don't need one as I only have one for syncing the Exchange attributes per this article. The same goes for the AD Connect server. It's a simple service that syncs local AD to Azure AD.
 

oikjn

Veeam 12 is allegedly better at this, but Veeam 12 doesn't support Server 2008 R2, so I have to wait until I can retire my Server 2008 boxes before I can upgrade.
Not according to the release notes I see at Release Notes.

On there, Backups of "all operating systems supported by VMware vSphere version in use" and "MS VSS integration is supported for Microsoft Windows 2008 and later, except for nano server (due to absence of VSS framework)."

The HOST side is HV-2012 or later and vCenter 6.x and later, which is the same requirement for the B&R console and other Veeam component software installs, but you really shouldn't be installing any new software on such old OSes.
 

oikjn

am I wrong or Veeam Backup & Replication 12 no longer supports Server 2008 R2.
your "supports" is vague...

It supports backing up of Server 2008R2 VMs as long as your hypervisor supports it.

It does not support Server 2008R2 Hyper-V as a hypervisor host and it does not support Server 2008R2 for installation of various Veeam server roles such as server/console/Repository/Proxy.

I have the pleasure of living on with two 2008R2 VMs and one 2012 VM which I just can't seem to rid myself of yet. They are running on esxi 7.0.3 (as legacy support) and backed up using veeam v12.
 

stevenkan

your "supports" is vague...

It supports backing up of Server 2008R2 VMs as long as your hypervisor supports it.

It does not support Server 2008R2 Hyper-V as a hypervisor host and it does not support Server 2008R2 for installation of various Veeam server roles such as server/console/Repository/Proxy.

I have the pleasure of living on with two 2008R2 VMs and one 2012 VM which I just can't seem to rid myself of yet. They are running on esxi 7.0.3 (as legacy support) and backed up using veeam v12.
I'd been reading this post by Gostev (Veeam employee):

You can't go ahead with the upgrade in principle, as it will be blocked until you remove these servers from the configuration.

If you need support for Windows Server 2008 R2, you should stay on V11.
I still have 2 physical Server 2008 R2 boxes that I'm trying to migrate away from.
 
Here is where I am at... I've installed the app and licensed (trial). I'm confused about a few things...

I've got a very small number of servers I don't see why I'd want a "protection group". Do I? I don't see an issue creating each manually?

When I go to create a new agent backup job I'm presented with:

Type: Server

Mode:
  • Managed by backup server - recommended for always-on workloads with a permanent connection to the backup server
  • Managed by agent - recommended for workstations and servers in remote sites with poor connectivity
Backup Mode
  • Entire computer
  • Volume level backup
  • File level backup (slower)

Being these servers are all in my office on the same LAN I'm going to assume I'd want the "managed by backup server". For backup mode I'd also assume "entire computer", but I do want to be able to make sure I have "AD backed up" and on my file server be able to selectively restore files and folders.

edit: I've been connecting via Remote Desktop to the backup server. For administrative uses should I install the Veeam Console on my laptop? I assume this would then be the app I could use to setup and manage my Veeam install?
 

Paladin

Generally you use groups for things that should have similar/the same policy applied to them. For example: you have 10 servers. 3 are doing content stuff, 4 do database stuff, 3 do financial transaction stuff. You want a group for each type of server so you can easily manage policies for each group and update the policies in moments instead of doing each individually. With only a small handful of servers, there is less value but still a bit to using groups unless each of your servers should have wildly different backup policies.

Managed by backup server should be the common option unless the thing you want to backup is often powered off, disconnected from the network/internet/VPN or otherwise should be in charge of starting its backups on its own timing which is initiated by the agent.

Entire computer is probably fine unless you have computers with multiple volumes and you want to backup one volume but not the other(s), etc. Say, a machine with important data on drive C: but a bunch of unimportant junk on drive D: or whatever. Or maybe you want one policy on drive C: and a different policy on drive D: (once an hour on C: and once a day on D: etc.).

File level backup is for when you either can't do a full device backup (due to operating system usually), can't do a volume level backup (due to operating system usually) or don't want to do either of those because all the data you want to backup is just some files in a folder. Say, a particular share on a NAS or something. You want the data but the OS can't be restored anyway so no point backing it up or you have 10 of the same server install and only care about the files in certain folders on those servers, not the OS files, etc.

Not sure about the console, I have never tried that. If remote desktop works for you, you could stick to that until you want a permanent setup or feel like you want to move forward in the demo.
 
So far I like what I see... I'm hardly using anything the app can do.

I need to add my NAS as a backup repository. I will need to create a shared folder for the app to see as a backup target. Do I need to make a folder for each server individually or one folder then let Veeam manage its contents?

For example my old BA software I did this:

NAS
\Server 1
\Server 2
\Server 3

The BA software would take the backup for server 1 and put it in the \Server 1 folder, but it would create a Monday, Tuesday, Wed, etc... for which day the backup was running. Retention was 7d before the oldest was overwritten.

Do I create folders on my NAS for each server or one for Veeam and add it as the backup repository and let it do its thing?

edit: When I add a backup repository > Network attached storage
I have to choose NFS share or SMB share.

I've always used SMB... any reason to not choose that one?
 
Not going to proceed w/ Veeam. There are too many friction points for me to want to continue. I tried to deploy an agent and (I think) it was not going due to firewall access. I emailed my contact and I received a list of ports that need to be open. I don't have time to keep jumping hurdle after hurdle. I want backup to just work and not be difficult. I also don't want a backup server. The BA that I've used previously installs onto the server then backups to the NAS. Done.
 

Paladin

Yeah that is a different design. Most modern platforms are centered around virtual machine backup these days. You tell the backup management platform about your hypervisor (VMWare vCenter, Hyper-V/SCVMM, Nutanix, etc.) and give it credentials and the backup system enumerates all your VMs, and you apply policies to them and it goes. No hassle.

With bare metal machines you have to put the agent on the machine and the agent needs to make outbound and accept inbound connections from the backup system. Generally that is not a big deal because the backup system is on your LAN along with the servers and it is common to allow connections to/from LAN IP addresses so there is no work to allow it. If you have your servers more locked down or the backup system is on another network then you will have more administrative work to do.

That is generally another motive for moving to virtual machines as well, backup is much easier and administration is more policy-centric instead of everything being a one-off that needs special tinkering.
 

oikjn

++ to what Paladin said. These days, VMs are the default and physical hardware is the exception to the rule. I don't think Veeam 12 won't backup a physical 2008r2 server, but it will easily backup a VM.

To answer your NAS file share question, each backup repository is a single share and Veeam would manage the sub-folders within that share so that you can have it put in multiple backups. That share and its total storage would be split across all the backups targeting that repository, so if you wanted to limit or dedicate specific backups by size, then you should create any number of additional shares and add those as additional repositories. For example, I have a single repository for all my server VM backups and a second repository for the handful of desktops I individually backup and while the physical storage is on the same NAS, they are in different shared folders with different quotas and are represented in veeam as two different repositories.

If I were you, I would be updating that 2008r2 file server up to at least 2019 assuming it is just a file server and doesn't have some funky application... not sure why you haven't updated it already. I would then really look at getting two new physical host servers and P2V everything over and run every OS as a VM so you don't have to worry about hardware issues ever again and backups and recovery become soooo much easier.
 

stevenkan

My installation is 2 VMs and 10+ physical PCs, so I'm the opposite of the norm, and deploying agents definitely has a learning curve, as I mentioned above.

If your PCs are joined to your domain, and the PCs are on the same LAN as your Veeam server, and your Veeam server has domain credentials stored, then it's actually not that difficult once you know how to map unhelpful error messages to the root causes:
  1. Network Discovery needs to be turned On for domain networks on the target PCs.
    1. Otherwise you will see the target PC in the domain list on the Veeam console, but you won't be able to push a client to it,
    2. or you'll be able to push the client, but backups will fail.
    3. I can't remember which symptom is tied with this root cause . . . .
  2. The Remote Registry Service needs to be running on the target PCs.
    1. . . . and which is tied to this root cause.
  3. I did not have to manually open any firewall ports on the client PCs.
  4. If you get mysterious "duplicate client" errors, it might be the result of stale DNS entries on your DC, as Veeam helpfully identifies clients by IP address 🤦‍♂️, at least as of Veeam 11. Purging the DNS table fixed this for one client.
  5. In a few cases of failed credentials, removing the PC from the domain and then adding it back fixed the problem.
    1. Of course this requires you to know the password for a local admin account first!
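The prerequisites listed in the post above (Network Discovery and file sharing on the domain profile, Remote Registry running, stale DNS records) can be checked before pushing an agent. This is an added example, not part of the original post; the function names are hypothetical, the firewall group names assume an English-language Windows install, and `corp.example` is a placeholder zone name.

```powershell
# Added example (not from the thread): read-only checks for the agent-push
# prerequisites listed above. Run the first two functions locally, elevated,
# on the target machine.

function Test-FirewallGroup {
    param([Parameter(Mandatory)][string]$DisplayGroup)
    # Inbound rules of the group that apply to the Domain profile.
    $rules = @(Get-NetFirewallRule -DisplayGroup $DisplayGroup -ErrorAction SilentlyContinue |
        Where-Object { $_.Direction -eq 'Inbound' -and "$($_.Profile)" -match 'Domain|Any' })
    $on = @($rules | Where-Object { $_.Enabled -eq 'True' })
    [pscustomobject]@{
        Check  = "Firewall group '$DisplayGroup' (Domain profile, inbound)"
        # This example treats the group as "on" only when every rule is enabled.
        Pass   = ($rules.Count -gt 0 -and $on.Count -eq $rules.Count)
        Detail = "$($on.Count) of $($rules.Count) rules enabled"
    }
}

function Test-AgentPushPrerequisites {
    # A domain-joined PC that can reach a DC reports DomainAuthenticated;
    # Public or Private means the Domain-profile rules are not the ones in effect.
    foreach ($p in Get-NetConnectionProfile) {
        [pscustomobject]@{
            Check  = "Network category on '$($p.InterfaceAlias)'"
            Pass   = ($p.NetworkCategory -eq 'DomainAuthenticated')
            Detail = "$($p.NetworkCategory)"
        }
    }
    Test-FirewallGroup -DisplayGroup 'Network Discovery'
    Test-FirewallGroup -DisplayGroup 'File and Printer Sharing'

    $svc = Get-Service -Name RemoteRegistry
    [pscustomobject]@{
        Check  = 'Remote Registry service running'
        Pass   = ($svc.Status -eq 'Running')
        Detail = "Status=$($svc.Status), StartType=$($svc.StartType)"
    }
}

# Run on a DNS server / DC that has the DnsServer module. Lists IPv4 addresses
# that more than one A record points to (the stale-record case in item 4).
# Records such as '@' and DomainDnsZones legitimately share a DC's address.
function Get-DuplicateARecord {
    param([Parameter(Mandatory)][string]$ZoneName)
    Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A |
        Group-Object { $_.RecordData.IPv4Address.IPAddressToString } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                IPAddress = $_.Name
                HostNames = ($_.Group.HostName -join ', ')
            }
        }
}

# Usage:
#   Test-AgentPushPrerequisites | Format-Table -AutoSize -Wrap
#   Get-DuplicateARecord -ZoneName 'corp.example'   # placeholder zone name
```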
 

oikjn

:sick: 10+ PCs to backup? Yuck! All our general PCs are considered "disposable" nothing is backed up on them and anything important is saved to network shares/servers/onedrive. If any of those PCs gets messed up in software or hardware, it gets wiped and started fresh. We are manufacturing and there are four PCs connected to physical equipment which are the exception to the rule and get backed up. Veeam is OK for physical computers and I've done a few restores of those equipment computers over the years and it works great, but I wouldn't consider Veeam a great solution for managing backups for lots of physical computers unless you have even more Virtual machines and want to keep all the backups under one program for ease of management.
 

stevenkan

I'd been reading this post by Gostev (Veeam employee):


I still have 2 physical Server 2008 R2 boxes that I'm trying to migrate away from.
As it turns out, a bunch of Veeam's online documentation was misleading. Server 2008 R2 is unsupported if and only if it lacks SP1, and "Veeam CBT driver is supported only if Microsoft Windows update KB3033929 is installed on the Veeam Agent computer."

Which is a long way of saying Server 2008 R2 can be compatible with Veeam 12 if set up properly. See my original link for Gostev's confirmation.

I did update my Veeam server to V12, and my sole remaining Server 2008 R2 SP1 VM has been backing up successfully. And we will get rid of the VM very, very soon.
 

oikjn

way to bring up a necro thread :flail: If I recall properly, the issue of support isn't with VMs, it will support whatever VMs the Hypervisor supports, the issue is supporting it as a hypervisor.

I hate to admit it, but I still have a 2008 (NOT R2) VM I'm stuck with along with one 2008R2 VM that is backed up by Veeam 12.1.2 with no problem. It's running on VMWare and since it is supported there, it's getting backed up happily along with the SQL instances with logs with no issue. I just can't wait for the day when I can really drop those VMs (hopefully in about 8 months)