If you have been around the Veeam world for very long, you know they don’t do small releases; each new version comes with literally hundreds of enhancements and bug fixes. While my last post covers many of the headliners there is still a lot of great things left to see. In this post, I’m going to discuss some of the “little things” that aren’t so little that are going to make this a great release.

Object Storage

One of the long asked for features of Veeam was greater ability to leverage public cloud capabilities for backups and data management in general. In 9.5 update 4, we got the ability to offload local storage to object as a way of extending on-prem resources through dehydrating local backup copies to S3, Azure Blob and the like. In v10 we now have what they call Copy mode which is the next step in the evolution. With Copy mode you will create a Scale Out Backup Repository containing any number of on-premises repository extents and a cloud storage provider, referred to as an External Repository. You will have the ability to have it mirror the local extent to cloud to give you a somewhat simplified method to getting your backups off-site. We’ve also already talked about the capability built in for the NFS backup capability.

While Veeam Backup and Replication is the star of this post, it is worth noting here that the recently released Veeam Backup for Office 365 version 4.0 has the ability to address object storage as a direct repository with no need for local storage at all. This totally makes sense in this case; effectively it empowers you to take a cloud workload in location/system A and place the backups in location/storage B, while all the time maintaining control in an on-prem system, if you choose.

End of the day, the day is coming where object storage is going to become THE first-class citizen in the Veeam ecosphere. Does this mean you have to start using Amazon, Microsoft, or Google for your backup storage, either as a backup copy or even for initial backups? Heck no! Any number of Veeam Cloud Service Providers (VCSPs) including, I don’t know, OffsiteDataSync, are capable of offering these solutions themselves along with more of the hands on assistance you’ve come to know and love.

Restore Here, There and Everywhere

Over the last few releases, we’ve steadily been getting more and more places and ways to restore our data. If you think about it, that’s what it is all about, isn’t it? Backups without an easy way to restore them are just blobs of data taking up disk space. With our traditional VM-based workloads, we’ve been able to have the ability to restore to Azure and Amazon EC2 instances. That’s great, as long as you have no problem with public cloud. It can also be a time-consuming process if you are restoring there from your on-premises backup repositories. Now with v10, we have the capability to have copies of our backups in object or blob storage buckets, putting those backups much closer to their Cloud Compute counterparts. While there are still quite a few steps involved in making this viable, as my friend Anthony Spiteri demonstrated, you can perform these restores while on airplane Wi-Fi in the time it takes for a normal flight.

The restore capability that really gets me excited is a feature they call “restore anything to vSphere.” In this if Veeam is ingesting the backup as a traditional .VBK file, you now will have the capability to restore it directly to a vSphere VM. Hyper-V backups? Restore to vCenter. Physical boxes protected with Veeam Agents for Windows or Linux? Right click, restore to vCenter. For those doing mixed production workloads, this has great potential as a migration tool or powering a single Disaster Recovery Site with only a single framework to support.

On-Premises GFS

One final thing of note is Veeam and the Backup industry as a whole has long advocated for the concept of Grandfather Father Son; Where you have your normal backup that runs for a given period, but outside of that, you have sealed backups on other given time periods created from the backup runs. For example, you might have a normal run job of 30 daily backups, but from that, you seal 12 monthly and 6 yearly backups to give you historical coverage.

Traditionally with Veeam Backup and Replication, this is done as a function of the Backup Copy job, but now with version 10, we have the capability to make GFS restore points right on the primary backup job.

Conclusion

As you can see there’s a lot to like with version 10. Some of these things are answers to long term requests, other are keeping up with today’s computing landscape. Either way it exciting to see what is coming next!

Veeam Backup and Replication v10‘s release is now imminent after a loooooong wait. In fact, as of yesterday we now have a tentative release date: February 18, 2020. For the past few weeks, I’ve been able to work with the first Release Candidate in the lab, and I’ve found quite a few things to love in this release that I’d like to share here.

Linux, Linux, Linux!

Veeam Backup & Replication has long been a Windows first solution and everything else a far distant second. That worked and continues to work really well, but in 2020 the needs of larger customers require automation and management workload shrinkage that Linux-based components lends to. With this release, we now have Linux-based proxies as an option. These are not deployable appliances. You deploy them in the same way as you would a Windows Proxy: deploy the VM, add it to your backup infrastructure, then add it as a proxy, which installs the necessary software.

While many of you may have the same “what, no appliance?” reaction I did, this actually makes sense as it lets organizations develop their own templates based on their own requirements and security policies. Then they can use their automation method of choice to deploy. This will be a big hit for the VSAN crowd, which should have a proxy per host to be in line with best practices.

Further, while we have long had the ability for Linux-based proxies (especially for those wishing to mount NFS datastores as backup repositories), they were never the first-class citizen Windows or appliance-based repos were. With this release we get experimental support for fast cloning with XFS and BRFS. From what I’m hearing they are far more confident in the former. In my own tests writes to this are potentially faster than to ReFS and without the memory requirements ReFS repos need.

Finally, for the Veeam Agent for Linux crowd, there is now support for doing Application Aware Processing for Postgres and MySQL on Linux — the same as we’ve seen for Microsoft SQL in VBR. As we now live in the Veeam Universal Licensing world — even if you have some of these VMs in your environment — you can make the choice to back them up with a managed VAL install instead to a normal backup job to take advantage of this feature, all the while using the same licensing from the same VBR server.

NFS All the Things

Speaking of using Linux to front end NFS shares, that is no longer required as we can now natively address them as a repository. Over the years, many have tried to address this as common SMB shares, but this capability has always been flaky and poor performing, comparatively, so everybody had their work arounds from using it. Now we can add NFS in a server:/share/folder manner and make use of all the capabilities of NFS 3 or 4.

One of the other big features of the release is something I’m sure my friend Michael Cade would love to tell you about, the ability to directly backup NFS or other file shares as a backup job. You can now go into the Inventory portion of your Veeam UI and add file shares there that can then be targeted for File Backup Jobs that are processed in a familiar manner. What is interesting to me with this is the backups are actually written in native blob format (think Azure Blob or Amazon S3). You have the ability to send them directly to object storage archives immediately after the backup hits the on-premises repository. It is worth noting that this is a Veeam Universal Licensed only feature with each 250 GB of data consuming a license instance. I personally think that threshold per instance is too low as it wouldn’t take long with these giant filers to have the NFS share consume more licenses than the virtualization workload at that rate, but licensing is not my fight (today)!

Backup Copy Enhancements

I’ll be honest, as a shiny new architect in the VCSP space this is near and dear to my heart (and my job). Before that, I was a Cloud Connect customer, and there is quite a bit here to be happy about. Probably the most visible of these is the new Mirror Mode, which allows you to mirror any on-prem job to your backup copy job easily. This is great if you are wanting a very simplistic policy for cloud-based copies. This also FINALLY gives us the ability to ship transaction logs via backup copy, which is very nice. The old method, now referred to as Pruning Mode, is still available, allowing you to pick backups from an existing backup job on the fly to create your backup copy.

Next, within the Advanced settings of your backup copy, you’ll also now find a RPO monitor settings tab. I know from my limited time working for a provider, one of our common support concerns is customers will have a disconnect on the fact that their local jobs are failing for whatever reasons and then their off sites are silently broken because they have nothing to copy. With RPO monitor you can configure your backup copy job to send an alert if they job fails to copy any restore points for a given period of time. For me, I look forward to this being an escalation point by having it send text messages if it isn’t happening.

Finally, also in this release we’ve finally seen some real improvements in the WAN accelerator portion. Five or six years ago when this feature was initially released, you had large numbers of customers who had sub 100 Mbps bandwidth for their off-site copies, and this was a great way to maximize those links and minimize the backup copy window.

Conclusion

As you can see there’s a lot to like with version 10. Some of these things are answers to long-term requests. Others are keeping up with today’s computing landscape. Either way, it exciting to see what is coming next!

Tune in tomorrow for Part 2 of My Favorite Things about VBR v10!

This year I was honored with the ability to attend Veeam Software’s Vanguard Summit. Summit comprises a meeting of 60-70 of world’s best Veeam Engineers, Architects, and Partners along with their own Product Strategy and Management groups in Prague, Czech Republic.

Often in talking about a subject we’ll float the old cliché of the good, the bad and ugly of it and frankly there is nothing negative I can say about this event. Because of that in this series of posts I’m going to cover the good (the event itself), the awesome (the people and content), the beautiful (the city of Prague itself), and as a bonus, the technical. This post will be the second in the series, covering the awesome people and content that comprise Vanguard Summit.

Community

There are many vendor community programs out there, most of which are much bigger than the Vanguards, and while they may have some nice intrinsic benefits such as licenses or hoodies, nobody does it better than Rick Vanover and his team. This is my 5th year in the program but due to the rules of my previous employer I’ve never been able to participate in person. The addition of being able to interact with seventy of the smartest people was invigorating and enjoyable. While I was happy to meet and spend time with everyone it was great to get to catch up with community stalwarts and friends such as Matt Crape, Craig Dalrymple, Brad Jervis, Dean Lewis and Al Rasheed.

There is nothing like being in a room with your peers, most of which leave me in awe with their abilities, hearing about what comes next from a company and have your feedback and thoughts sought out. In the process the attendees start collaborating on ideas that end up shaping things for years to come. I’ve said this before, but if you think the value of any program like this is measured monetarily, you are doing it wrong. The true value is the information that not only passes from the vendor to the program members but between the members itself and this group is in my mind the best of the best.

Content

I remember back when I began as a Veeam customer there was the free FastSCP product and Veeam Backup & Replication. After nine years it is amazing to see how the product line has grown and this week made that very apparent, with 2.5 days jam packed with content on current and future products. In a later post I’m going to be covering a lot of what’s coming in v10 of Veeam Backup & Replication but we were also treated to updates on Backup for O365, VeeamONE, Veeam Agents for Windows and Linux, as well as Veeam Availability Orchestrator. This doesn’t include the things we aren’t allowed to discuss but frankly are pretty exciting.

One of the ways that this content is vastly different from other vendor briefings you may have attended or seen maybe at a TechFieldDay (who Veeam will once again be attending for TFD #20) event or the like, besides the great Product Strategy staff many of these sessions were led or included the product management team for all of their products. The highlight to me of this even is the final session on Tuesday where we had Anton Gostev, Alec King, and others from the product management/development team in an “Ask Me Anything” style session where we were given the opportunity to ask all we wanted and as best I could tell were given no “BS” answers. In short the content was pretty amazingly done and consisted of far more access to information than I’ve seen from any other vendor.

Conclusion

Much like my last post rather than bore you with more of my opinions I’ll leave you with some pictures from the event.

This slideshow requires JavaScript.

This year I was honored with the ability to attend Veeam Software’s Vanguard Summit. Summit comprises a meeting of 60-70 of world’s best Veeam Engineers, Architects, and Partners along with their own Product Strategy and Management groups in Prague, Czech Republic. As one who had never been to Europe and has long been an advocate of Veeam’s products Vanguard Summit had all the makings of an awesome event and it never came close to letting me down.

Often in talking about a subject we’ll float the old cliché of the good, the bad and ugly of it and frankly there is nothing negative I can say about this event. Because of that in this series of posts I’m going to cover the good (the event itself), the awesome (the people and content), the beautiful (the city of Prague itself), and as a bonus, the technical.

The Good

As anybody who has ever been to VeeamON or even a Veeam Party at partner conferences such as VMworld will tell you, the company knows how to throw an event. That holds true especially when they do small group events such as Vanguard Summit. The Summit itself consists of two and a half days starting on Tuesday of technical content that we’ll discuss later, but the event, like the Vanguard program itself, is as much about its community as it is the content. Two full days before the first session many if not most of us arrived in Prague to allow those coming long distances to get acclimated prior to the event starting. That meant that as a group we had most of the day Sunday and Monday to hang together as a group, get reacquainted and go sightseeing.

Things got into high gear Monday night as we all gathered at a rooftop bar and restaurant for dinner and “responsible enjoyment” just as sunset was approaching. The views, the food, the people were all pretty magical. Afterwards many of us gathered back in the hotel bar for conversation before getting ready for the content portion to start the next day.

After a full day Tuesday of technical content; some current, much it forward it is a lucky thing that Tuesday was a free night. After the traditional Vanguard toast lead by Craig Dalrymple the free evening allowed us an opportunity to further gather and then get a little extra rest after all we’d processed that day.

Wednesday we got right back to it followed by Vanguard Summit’s signature evening which this year included us taking over the Starpromen Brewery Visitors Center for a good bit more “responsible enjoyment.” This event included some great local foods, a brewery tour and a photo booth all the while getting the chance to relax and get to know the people behind the products you probably use everyday for your backup and replication needs.

The final day of the even is actually just a half day of content, allowing for some final gatherings and sight seeing. In these sessions the content was extremely valuable as it included deep dives into shiny new technology coming in v10 but also included the ability for us to directly provide feedback on the event itself. If you haven’t figured it out yet my own feedback was nothing short of glowing as the event was amazingly planned by Aubrey Galen of Veeam’s events team and the Product Strategy team who among many other things are responsible for the Vanguard program itself. For all of this I owe them a hearty thank you for a wonderful time.

Conclusion

Rather than write in this space I’m just going to load you with some images from the week. Until next time!

This slideshow requires JavaScript.

Almost ten years ago I interviewed with this guy named Mike Murphy for a Senior Network Admin job at the West Virginia Housing Development Fund. I’d been laid off from my previous employer due to plant closure and had been on unemployment for a while. What was supposed to be a 1 hour interview took almost 2 hours and we hit it off pretty well. He has been one of the best managers I’ve ever had and more importantly, a friend.

For the past ten years under Mike’s leadership I’ve been allowed to do some very cool things in my role there; learn about things like VMware vSphere, Veeam Backup and Replication, and cloud computing while making the computing infrastructure for The Fund the best I could make it. I also got to get into this thing called the “tech community” and it has truly changed my career trajectory.

I’ve been extremely lucky to be included in things like vExpert and the Veeam Vanguards, learning to engage and give back as much as possible to those communities with my own viewpoints and knowledge. For what I’ve given it will never match what I’ve got back; the range of ideas, the challenges of my own beliefs, and frankly the friendships. In short it has given me the opportunity to be a better version of myself. Thanks in a very large part to that tech community after almost ten years it is finally time for me to be moving on.

I am extremely excited to say that I will soon become Senior Cloud Architect for OffsiteDataSync, now a part of J2 Global. I’ve been associated in a few ways with ODS for years but I have a great deal of thanks to fellow Vanguard Brad Jervis, who made the introduction and who I will soon be working side by side with. My tech loves have been mostly Veeam and VMware for quite some time now so it’s very exciting to take what I’ve learned and apply it at a much grander scale.

In addition to the new technical challenges in this new role I’m now going to be in a position to be much more socially active so expect to see quite a bit more content here in the future as I learn and grow into this new role. It’s already looking like it’s going to be a fun ride, I can’t wait to get on!

In the last post we talked about the more traditional models of architecting a disaster recovery plan. In those we covered icky things like tape, dark sites and split datacenters. If you’d like to catch up you can read it here. All absolutely worthwhile ways to protect your data but all of those are slow and limit you and your organizations agility in the case of a disaster.

By now we have all heard about the cloud so much we’ve either gone completely cloud native, dabbled a little or just completely loathe the word. Another great use for “somebody else’s computer” is to power your disaster recovery plans. By leveraging cloud resources we can effectively get out of the managing hardware business in regards to DR and have borderline limitless resources if needed. Let’s look at a few ways this can happen.

DRaaS (Disaster Recovery as a Service)

For now this is my personal favorite, but my needs may be and probably are different from yours. In a DRaaS model you still take local backups as you normally have, but then those backups or replicas are then shipped off to Managed Service Providers (MSPs) aligned with your particular backup software vendor.

I can’t particularly speak to any of the others from experience but CloudConnect providers in the Veeam Backup and Replication ecosphere are simple to consume and use. Essentially once you buy the amount of space you need from a partner you then use the link and credentials you are provided and add them to your backup infrastructure. Once done you create a backup copy job with that repository as the target and let it run. If you are bandwidth restrained many will even let you seed the job with an external hard drive that you ship them full of backups then all you have to transfer over the wire is your daily changes. Meanwhile all of these backups are encrypted with a key that only you and your organization knows so the data is nice and safe sitting elsewhere.

This is really great in that it is infinitely scalable (you only pay for what you use) and you don’t have to own any of the hardware or software licenses to support it. In the case that you have an event you have options; you can either scramble and try to put something together on your own or most times you can leverage the compute capabilities of the provider to power your organization until such time you can get your on-site resources available again. As these providers will have their own IT resources available you and your team will be freed up to do the work of getting staff and customers back online as they handle getting you restored and back online.

In my mind the drawbacks to this model are minimal. In the case of a disaster you are definitely going to be paying more than you would if you are running restored systems on your own hardware, but you would have had to buy that hardware and maintain it as well which is expensive. You will also be in a situation where workers and datacenter systems are not in the same geographical area as well which may cause for increased bandwidth cost as you get back up and running but still nothing compared to maintaining this consistently. Probably the only real drawback here is almost all of these types of providers require long-term agreements, 1 year or more for the backup or replication portion of what is needed. You also need to be sure if you choose this route that the provider has enough compute resources available to absorb you if needed. This can be mitigated by working with your provider to do regular backup testing at the far end. This will cost you a bit more but it is truly worth it to me.

Backup to Public Cloud

Finally we come to what all the backup vendors seems to be  going towards these days, public cloud backups. In this situation your backups are either on premises first (highly recommended) and then shipped off to the public cloud provider of your choice. AWS, Azure or GCP start messing with their storage pricing models and suddenly become cheaper? Simply just add the new provider and shift the job to the new provider, easy peasy. As with all things cloud you are in theory also infinitely scalable so you don’t have to worry about on boarding new workloads except for cost, and who cares about cost anyway?

The upside here is the ability to be agile. Start to finish you can probably be setup to consume this model within minutes and then your only limit to how fast you can be covered is how much bandwidth you make available to shipping backups. If you are doing this to cover for an external event like failure of your passive site you can simply tear it back down afterwards just as fast as you made it. Also you are only ever paying for your actual consumption, so you know how much your cost is going to be for any additional workload to be protected, you don’t ever pay for “spare space.”

As far as the drawbacks I feel like we are still in the early days of this so there are a few. While you don’t have to maintain your far end equipment for either backup storage or compute I’m not convinced that this isn’t the most expensive option for traditional virtualized workloads.

Hybrid Archive Approach

One of the biggest challenges to maintaining an on-prem, off-prem backup system is we all run out of space sometimes. The public cloud provides us an ability to only consume what we need, not paying for any fluff, as well as letting others manage the performance and availability of that storage. One trend I’m seeing more and more is the ability to supplement your on premise backup storage with public cloud resources to allow for scale out of archives for as long as necessary. There is a tradeoff between locality and performance, but if your most recent backups are on premises or well-connected to your production environment you may not ever need to access those backups that archived off to object storage so you don’t really care how fast it is to restore; you’ve just checked your policy checkbox and have that “oh no” backup out there.

Once upon a time my employer had a situation where we needed to retain every backup for about 5 years. Each year we had to buy more and more media to save these backups we would never ever restore to because they were so old, but we had them and were in compliance. If things like Veeam’s Archive Tier or similar with other vendors existed I could have said “I want to retain X backups on-prem but after that shift them to a S3 IA bucket.” In the long-term this would have saved quite a bit of money and administrative overhead and when the requirement went away all I had to do is delete the bucket and reset back to normal policy.

While this is an excellent use of cloud technology I don’t consider it a replacement for things like DRaaS or Active/* models. The hoops you need to go through to restore these backups to a functional VM are still complex and require resources. Rather I see this as an extension of your on-prem backups to allow for short-term scale issues.

Conclusion

If you’ve followed along for both posts I’ve covered about 5.5 different methods of backing up, replicating and protecting your datacenter. Which one is right for you? It might be one of these, none of these or a mash-up of two or more to be honest. The main thing is know your business’ needs, it’s regulatory requirements and

It is Disaster Recovery review season again here at This Old Datacenter and reviewing our plans sparked the idea to outline some of the modern strategies for those who are new to the game or looking to modernize. I’m continually amazed by the number of people who I talk to that are using modern compute methodologies (virtualization on premises, partner IaaS, public cloud) but are still using the same backup systems they were using in the 2000s.

In this post I’m going to talk about some basic strategies using Veeam Backup and Replication because that is primarily what I use, but all of these are capable with any of the current data backup vendors with varying levels of advantages and disadvantages per vendor. The important part is to understand the different ways about protecting your data to start with and then pick a vendor that fits your needs.

One constant that you will see here is the idea of each strategy consisting of 2 parts. A local backup first to handle basic things like a failing VM, file restore, and other things that aren’t responding to all systems down. Secondly then archiving that backup to somewhere outside of your primary location and datacenter to deal with that systems down or virus consideration. You will often hear this referred to as the 3-2-1 rule:

• 3 copies of your data
• 2 copies on different types of physical media or systems
• 1 copy (at least) in a different geographical location (offsite)

On Premises Backup/Archive to Removable Media Backup

This is essentially an evolution on your traditional backup system. Each night you take a backup of your critical systems to a local resource and then copy that to something removable so that it can be taken to somewhere offsite each evening. In the past this was probably only one step, you ran backups to tape and then you took that tape somewhere the next morning. Today I would hope the backups would land on disk somewhere local and then be copied to tape or a USB hard disk but everybody has their ways.

This method has the ability to get the job done but has a lot of drawbacks. First you must have human intervention to get your backups somewhere. Second restores may be quick if you are restoring from your primary backup method but if you have to go to your second you first have to physically locate that correct data set and then especially in the case of tape it can take some time to get that back to functional. Finally you own and have to maintain all the hardware involved in the backup system, hardware that effectively isn’t used for anything else.

Active/Passive Disaster Recovery

Historically the step up for many organizations from removable media is to maintain a set of hardware or at least a backup location somewhere else. This could be just a tape library, a NAS or an old server loaded with disks either in a remote branch or at a co-location facility. Usually you would have some dark hardware there that could allow systems to be restored if needed. In any case you still would perform backups locally and maintain a set on premises for the primary restore, then leverage the remote location for a systems down event.

This method definitely has advantages over the first in that you don’t have to dedicate a person’s time to ensuring that the backups go offsite and you might have some resources available to take over in case of a massive issue at your datacenter, but this method can get very expensive, very fast. All the hardware is owned by you and is used exclusively for you, if ever used at all. In many cases datacenter hardware is “retired” to this location and it may or may not have enough horsepower to cover your needs. Others may buy for the dark site at the same time as buying for the primary datacenter, effectively doubling the price of updating. Layer on top of this the cost of connectivity, power consumption and possibly rack space and you are talking about real money. Further you are on your own in terms of getting things going if you do have a DR event.

All that being said this is a true Disaster Recovery model, which differentiates from the first option. You have everything you need (possibly) if you experience a disaster at your primary site.

Active/Active Disaster Recovery

Does your organization have multiple sites, with datacenter capabilities in each place? If so then this model might be for you. With Active/Active you design you multisite datacenters with redundant space in mind so that in the case of an event in either location  you can run both workloads in a single location. The ability to have “hot” resources available at your DR site is attractive in that you can easily make use of not only backup operations but replication as well, significantly shortening your Restore Time Objective (RTO), usually with the ability to rollback to production when the event is over.

Think about a case where you have critical customer facing applications that cannot handle much downtime at all but you lose connectivity at your primary site. This workload could fairly easily be failed over to the replica in the far side DC, all the while your replication product (Think Veeam Backup & Replication or Zerto) is tracking the changes. When connectivity is restored you tell the application to fallback and you are running with changes intact back in your primary datacenter.

So what’s the downside? Well first off it requires you to have multiple locations to be able to support this in the first place. Beyond that you are still in a world of needing to support the load in case of having an event, so your hardware and software licensing costs will most likely go up to support this event that may never happen. Also supporting replication is a good bit more complex than backup when you include things like the need for ReIP, external DNS, etc. so you should definitely be testing this early and often, maintaining a living document that outlines the steps needed to failover and fallback.

Conclusion

This post covers what I consider the “old school” models of Disaster Recovery, where your organization owns all the hardware and such to power the system. But who wants to own physical things anymore, aren’t we living in the virtual age? In the next post we’ll look at some more “modern” approaches to the same ol’ concepts.

Veeam has recently released the long-awaited Update 4 to their Backup and Replication 9.5 product and with it has come some changes to how they deal with licensing. As workloads that need to be protected/backed up/made available have moved from being 100% on-premises and inside our vSphere or Hyper-V environments to mixes of on-prem, off-prem, on physical, public cloud, etc. my guess is their customers have asked for a way to make that protection and licensing portable.In Veeam’s move they have decided this can be solved by creating per instance licensing, which is similar to how you consume many other cloud based services. This rides along with the established perpetual licensing we still have for VBR and Veeam Availability Suite.

I will be honest and say that the upgrade was not as smooth as I would have hoped. Now that I’ve got to the bottom of my own licensing issues I’ll post here what I’ve learned to hopefully keep you from experiencing the same headaches. It’s worth noting that there is a FAQ on this but the content is varying quite a bit as this gets rolled out.

How We Got Here

In the past if you were using nothing but Veeam Backup and Replication (VBR) you did all your licensing by the socket count of protected hypervisors. After that came along Veeam Agents for Windows and Linux and we had the addition subscriptions levels for VAW Server, VAW Workstations, and VAL. As these can be managed and deployed via the Veeam Console this license was required to be installed on your VBR server as well so you now had 2 separate licenses files that were commingled on the server to create the entire solution for protecting VBR and Agent workloads.

Now as we look at the present and future Veeam has lots of different products that are subscription based. Protecting Office365, AWS instances, and Veeam’s orchestration product are all per consumable unit subscriptions. Further when you consider that due to Veeam’s Service Provider program you as an end customer have the option of either buying and subscribing directly from a VAR or “renting” those licenses from a server provider. As you keep counting up you can see where this model needed (and still needs) streamlined.

Update 4 License Types

So that brings us to the here and now. For now and for as far as I can get anyone to tell me perpetual (a.k.a. per socket) licensing for Veeam Backup and Replication and the Veeam Availability Suite which includes VBR and VeeamONE is here to stay. Any new products though will be licensed through a per instance model going forward. In the middle there is some murkiness so let’s take a look at the options.

1. Perpetual (per socket) only. This is your traditional Backup and Replication license, licensed per protected socket of hypervisor. You still have to obtain a new Update 4 license from my.veeam.com but works exactly the same. If you have a Veeam Server without any paid VAW/VAL subscriptions attached you can simply just run the installer and continue on your current license. An interesting note is that once you install your Update 4 perpetual license and if you have no instances it will automatically provide you with 1 instance per socket up to a maximum of 6. That’s actually a nice little freebie for those of us with a one-off physical box here or there or a just a couple of cloud instances.
2. Instance based. These are the “portable licenses” that can be used for VBR protected VMs, VAW, VAL, Veeam for AWS, etc. If you are an existing customer you can contact licensing support and migrate your per socket to this if you want, but unless you are looking at a ROBO site, need more cloud protection or have a very distributed use case for Veeam (small on-prem, workstations, physical servers, cloud instances) I don’t see this being a winner price-wise. For those of us with traditional workloads perpetual makes the most sense because it doesn’t matter how many VMs we have running on our hypervisors, they are still all covered. If you’d like to do the math for yourself they’ve provided a instance cost calculator.

   I will mention that I think they are missing the idea in the calculator that unless they are doing something magical this is based on buying new. Renewals of perpetual licenses should be far cheaper than the given number and I’ve never heard of a subscription license service having a renewal rate.It is also worth noting that even if you aren’t managing your licensed (as opposed to free) Veeam Agent for Windows and Linux with VBR you will need to go to the Update 4 License management screen in my.veeam.com and convert your subscription licenses to Update 4 instances ones to be able to use the 3.0 versions of the software. It doesn’t cost any thing or make a difference at this point, but while you could buy subscription licenses in any numbers you choose per instance licenses have a minimum level of 10 and are only sold in 10 packs. So while for now it might be nice that your licenses are rounded up understand you’ll have to renew at the rounded up price as well.

   Further its worth noting that back when VAW was subscription there were separate lines for workstations and servers, with 1 server license costing the same as 3 workstations. In the new per instance model this is reflected by consumption. A server of any kind will consume 1 instance, but a workstation will only consume 0.33 of one. Same idea, different way of viewing it.

3. The Hybrid License. This is what you need if you need/want to manage both perpetual and instances from the same VBR server . If you previously had per socket for your VMs and subscription licenses for VAW/VAL you will need to hit the merge button under your Update 4 license management screen. This only works if you are the primary license administrator for all support IDs you wish to merge.

Just to make sure it’s clear in previous versions you could have both a per socket and subscription license installed at the same time; this is no longer the case thus the reason for option 3. You cannot have a 1 and a 2 installed on the same server, the 2 will override the 1. So if you are consuming both perpetual and per instance under the same VBR server you must be sure to merge those licenses on my.veeam.com. In order to do so you will need any and all licenses/Support IDs to be merged to be under the same Primary License Administrator. If you did not do this previously you will need to open a case with support to get a common Primary set for your Support IDs.

Conclusion

As we begin, or continue, to move our production workloads from not only our own datacenters to others as well as the public cloud those workloads will continue to need to be protected. For those of us that use Veeam to do so handling the licensing has, for now, been made simpler and is still cost effective once you can get it lined out for yourself.

So I am probably way late to the game but today’s opportunities to learn have included ADFS and with that the concept of Managed Service Accounts.

What’s a Managed Service Account you ask? So we’ve all installed applications and either set the service to run with the local system account or with a standard Active Directory account. Since the release of Windows Server 2008 R2 this feature has been available (and with Windows Server 2012 greatly enhanced,) gMSA lets you create a special type of account to be used for services where Active Directory itself manages the security of the account, keeping you secure while not having to update passwords regularly.

While there are quite a few great step by step guides for setting things up and then creating your first Managed Service account, I almost immediately ran into an issue where my Active Directory didn’t seem to include the Managed Service Accounts container (CN=Managed Service Accounts,DC=mydomain,DC=local). My domain was at the correct level, Advanced Features were turned on in AD Users & Computers, everything seemed like it should be just fine, the container just wasn’t there. In this post I’ll outline the steps I ultimately took that resulted in getting the problem fixed.

Step 0: Take A Backup

While you probably are already mashing on the “take a snapshot” button or starting a backup job, its worth saying anyway. You are messing with your Active Directory, be sure to take a backup or snapshot of your Domain Controller(s) which holds the various FSMO roles. Now that you’ve got that backup depending on how complex your Active Directory is it might be worth leveraging something like Veeam’s SureBackup (er, I mean DataLab) like I did and create you a test bed where you can try it out on last night’s backups before doing this in production.

Step 1: ADSI Stuff

Now we are going to have to start actually manually editing Active Directory. This is because you might have references to Managed Service Accounts in your Schema but are just missing the container. You also have to tell AD it isn’t up to date so that the adprep utility can be rerun. Be sure you are logged into your Schema Master Domain Controller as an Enterprise Admin and launch the ADSIEdit MMC.

1. Right click ADSI Edit at the top of the structure on the left, Click Connect… and hit OK as long as the Path is the default naming context.
2. Drill down the menu structure to CN=Domain Updates, CN=System, DC=<mydomain>,DC=<mytld>
3. Within the Operations Container you will need to delete the following containers entirely.
   1. CN=5e1574f6-55df-493e-a671-aaeffca6a100
   2. CN=d262aae8-41f7-48ed-9f-35-56-bb-b6-77-57-3d
4. Now go back up a level and right click on the CN=ActiveDirectoryUpdates container and choose Properties
   1. Scroll down until you find the “revision” attribute, click on it and click Edit
   2. Hit the Clear button and then OK

Step 2: Run ADPrep /domainPrep

So now we’ve cleaned out the bad stuff and we just need to run ADprep. If you have upgraded to your current level of Active Directory you probably have done this at least once before, but typically it won’t let you run it on your domain once its been done; that’s what the clearing the revision attribute above did for us. Now we just need to pop in the (probably virtual) CD and run the command

1. Mount the ISO file for your given operating system to your domain controller. You can either do this by putting the ISO on the system, right click, mount or do so through your virtualization platform.
2. Open up a command line or powershell prompt and navigate to <CDROOT>:\support\adprep
3. Issue the .\adprep.exe /domainPrep command. If all goes well it should report back “Adprep successfully updated the domain-wide information.”

Now that the process is completed you should be able to refresh or relaunch your Active Directory Users & Computers window and see that Managed Service Accounts is available right below the root of your domain as long as Advanced Features is enabled under View and you are now good to go!

One of the issues that Veeam Backup & Replication users, actually those of any application aware backup solution, is that the various VSS writers are typically very finicky to say the least. Often you will get warnings about the services only to do a “vssadmin list writers” and see either writers in a failed state or not there at all. In most of these cases a reboot of either the service or the target system itself is an easy quick fix.

But do you really want to rely on yourself to remember to do this every day? I know I don’t and going with the mantra of “When in doubt, automate” here’s a script that will help out. The Reboot-VSS.ps1 script assumes that you are using vSphere tags to dynamically identify VMs to be included in backup jobs, looks at the services in the given services array and if they are present on the VM will restart them.

#   Name:   Restart-VSS.ps1
#   Description: Restarts list of services in an array on VMs with a given vSphere tag. Helpful for Veeam B&R processing
#   For more info on Veeam VSS services that may cause failure see https://www.veeam.com/kb2041

Import-Module VMware.PowerCLI

$vcenter = "vcenter.domain.com"
$services = @("SQLWriter","VSS")
$tag = "myAwesomeTag"
Connect-VIServer $vcenter
$vms = Get-VM |where {$_.Tag -ne $tag}

ForEach ($vm in $vms){
  ForEach ($service in $services){
    If (Get-Service -ComputerName $vm -Name $service -ErrorAction SilentlyContinue) {
      Write-Host $service "on computer" $vm "restarting now."
      Restart-Service -InputObject $(Get-Service -Computer $vm -Name $service);
    }
  }
}

This script was designed to be set in the Windows scripts section of guest processing settings within a Veeam Backup and Replication job. I typically only need the SQL writer service myself but I’ve included VSS in the array as well here as an example of adding more than one. There are quite a few VSS services that VSS aware backup services can access, Veeam’s KB 20141 is a great reference for all of these that can be included here based on your need.