Setting Up Endpoint Backup Access to Backup & Replication 8 Update 2 Repositories

Part of the Veeam Backup & Replication 8 Update 2 release is the ability for users to select repositories defined in your Backup Infrastructure as targets for Endpoint Backup. While this is just one of many, many fixes and upgrades (hello vSphere 6!) in Update 2, it is important for those looking to use Endpoint Backup in the enterprise, as it allows for centralized storage and management and, equally important, you get e-mail notifications on these jobs.

Once the update is installed you’ll have to decide what repository or repositories will be available to Endpoint Backup and provide permissions for users to access them. By default every Backup Repository denies Endpoint Backup access to everyone. To change this for one or more repositories you’ll need to:

  1. Access the Backup Repositories section under Backup Infrastructure, then right click a repository and choose “Permissions.”
  2. Once there you have three options for each repository in regards to Endpoint permissions; Deny to everyone (default), Allow to everyone, and Allow to the following users or groups only. This last option is the most granular and what I use, even if just to select a large group. In the example shown I’ve provided access to the Domain Admins group.
  3. You will also notice that I’ve chosen to encrypt any backups stored in the repository, a nice feature as well of Veeam Backup & Replication 8.

Also of note is that no user will be able to select a repository until they have access to it. When setting up the Endpoint Backup job you are given the option to supply credentials at the point where the Veeam server is specified, so you may choose to use alternate credentials so that the end users themselves don’t actually have to have access to the destination.

Getting Started with Veeam Endpoint Backup

This week Veeam Software officially released their new Endpoint Backup Free product, introduced at VeeamON last October, after a few months of beta testing. The target for this product is to allow image based backup of individual physical machines, namely workstations, allowing for Change Block Tracking much like users of their more mature Backup & Replication product have been used to in virtualized environments. Further, Veeam has made a commitment that the product is and should always be freely available, making it possible for anybody to perform what is frankly enterprise level backup of their own computers with no cost other than possibly an external USB drive to store the backup data. I’ve been using the product throughout the beta process and in this post I’ll outline some of the options and features and review how to get started with the product.

Also released this month by Veeam is the related Update 2 for Backup & Replication 8. This update in this case allows a Backup Repository to be selected as a target for your Endpoint Backup job after some configuration as shown here. Keep in mind that if you want to back up to local USB or a network share this isn’t necessary, but if you are already a B&R user this will make managing these backups much better.

Getting Started with Installation

I have to say Veeam did very well keeping the complexity under the water in this one. Once downloaded and run, the installation choices consist completely of one checkbox and one button. That’s it. Veeam Endpoint Backup seems to rely on a local SQL Server Express installation to provide backend services just like the bigger Backup & Replication install, but it is installed on the fly. I have found that if there are pending Windows Updates to complete, the installer will prompt you to restart prior to continuing to configuring your backup.

Configuring the Job

Once the installation is complete the installer will take you directly into configuring the backup as long as you are backing up to an external storage device. If you plan to use a network share or Veeam Backup Repository you will need to skip the step and configure the job once in the application. Essentially you have the following options:

  • What you want to back up
    • Entire computer; which is image based backup
    • Specific volumes
    • File level backup
  • Where you want to back it up to (each will generate another step or two in the wizard)
    • Local storage
    • A shared folder
    • Veeam Backup & Replication repository
  • Schedule or trigger for backups
    • Daily at a specific time
    • Trigger a backup on a lock, log off or when the backup target is connected


Personally I use one of three setups depending on the scenario. For personal computers I use an external USB drive triggered when the backup target is available but set so that it never backs up more than once every 24 hours. In the enterprise, using Endpoint Backup to deal with those few remaining non-virtualized Windows servers, these are configured to back up to a Veeam Backup Repository on a daily schedule. Finally I will soon begin rolling this out to key enterprise laptop users, and their backup will be to a B&R Repository as well but triggered on the user locking the workstation with a 24 hour hold down. Keep in mind all of these options can be tweaked via the Configure backup button in the Veeam Endpoint Backup Control Panel.

Creating the Recovery Media

The last step of installing/configuring Endpoint Backup is to create the restore media. This creates a handy disk or ISO that you can boot off of to allow you to do a Bare Metal (or Bare VM :)) recovery of the machine. From an enterprise standpoint if you are rolling Endpoint Backup out to a fieldful of like machines I really can’t find a good reason to create more than one of these per model of device. Personally I’ve been creating the ISOs for each model and using it in conjunction with a Zalman VE-300 based external hard drive to keep from having lots of discs/pen drives around. If you are using this to backup physical servers it would also be a first step to being able to quickly restore to a VM if that is part of your disaster recovery plan.

As a trick what I’ve found is I have installed the product on a VM for no other reason but to create the recovery media. This way I know I’ll have the drivers to boot to it if need be. Further once you boot to the recovery media you’ll find all kinds of little goodies that make it a good ISO to have available in your bag.

Conclusion

I’ve played with lots of options, both paid and free, over the years for backing up a physical computer on a regular basis and even setting the general Veeam fanboy type stuff aside, this is the slickest solution for this problem I’ve ever seen. The fact that it is free and integrates into my existing Enterprise solution are definitely major added bonuses, but even in a standalone, “I need to make backups of Grandma’s computer” situation it is a great choice. If you find you need a little help with getting started, Veeam has created a whole Endpoint Backup forum just for this product. My experience both here and with other products is that there is generally very quick response from very knowledgeable Veeam engineers, developers and end users happy to lend a hand.

Support Adobe Digital ID Signing with Automated Microsoft CA User Certificate Generation

Just a quick how to, wanting to document a task I have recently had need of. This process has a prerequisite of you having a Microsoft Certificate Authority already available in your environment.

  1. Start > Run > mmc
    1. Add Remove Snap-ins and choose the following
      – Certificate Authority (when prompted add the name of your CA)
      – Certificate Templates
      – Group Policy Management
  2. In Certificate Templates right click on “User” and choose “Duplicate Template”
    1. Set compatibility settings as needed. If you have a 2008 R2 pure Active Directory environment make it match. In terms of Certificate Recipient make it match the oldest OS you have in use.
    2. Under General Change the Name to something meaningful as you’ll be referencing it later.
    3. Under the Security Tab set Domain Users to have both Enroll and Autoenroll permissions
  3. In Certificate Authority right click on the “Certificate Templates” subfolder and choose New > “Certificate Template to Issue”
    1. Choose your newly created Certificate Template
  4. In Group Policy Management we are going to do a couple of things: set up your domain for certificate auto enrollment and also define registry settings for Adobe Acrobat and Acrobat Reader.
    1. In any GPO that will hit the users you wish to have certificates (Default Domain Policy for example) choose to edit.
    2. Navigate to User Configuration> Windows Settings> Security Settings> Public Key Policies
    3. Double click on Certificate Services Client- Auto-Enrollment and set
      – Configuration Model: Enabled
      – Check Renew expired certificates…
      – Check Update certificates that use certificate templates
      – Hit OK
  5. By default Adobe Acrobat and Reader only recognize certificates that are signed by the usual public authorities as trusted, so you have to tell it to look at what is available in the local Windows Certificate Store. In Adobe Acrobat or Acrobat Reader you can do this in Preferences, under Signatures > Verification, and enable “Validating Signatures” under Windows Integration. This can be cumbersome across the enterprise but luckily this data is saved in a registry key, which means that through Group Policy Preferences we can manage this setting. The fix below will work for all Acrobat or Acrobat Reader versions 7 or later.
    1. Select the GPO of your choice to edit (again, I recommend the Default Domain Policy) and navigate to User Configuration> Preferences> Registry
    2. Right click in the window New> Registry Item
    3. You will need to create an entry with the following attributes:
      – Hive: HKEY_CURRENT_USER
      – Key Path: Software\Adobe\product\versionnumber\Security\cASPKI\cMSCAPI_DirectoryProvider
      * (Example for Acrobat Pro 11: Software\Adobe\Adobe Acrobat\11.0\Security\cASPKI\cMSCAPI_DirectoryProvider)
      – Value name: iMSStoreTrusted
      – Value type: REG_DWORD
      – Value data: 60 (hexadecimal)
      – Hit OK
    4. Repeat steps 2 & 3 for each product/version combination you have in your environment. For example, in our environment we only have one version of Reader, but 3 different major versions of Acrobat Pro, so I needed 4 variants of this key to cover each of them.

And that’s it! It will probably take a little while for these policy changes to naturally propagate, but once it does so it works very slickly. Once done you and your users will be able to use their generated certificate as a Digital ID to sign any documents with a digital signature field in a fillable form. Do keep in mind that while this will work and absolutely can and should be trusted within your organization, if you or your users are in need of this type of service between organizations you will probably want to call the fine folks at Verisign or Thawte.

To for more information check out

Quick Config: Install ClamAV & configure a daily scan on CentOS 6

I’m pretty well versed in the ways of Anti-Virus in Windows but I’ve wanted to get an AV engine installed on my Linux boxes for a while now. In looking around I’ve found a tried and true option in ClamAV and after a few stops and starts was able to get something usable. I’d still like to figure out how to have it send me a report by e-mail if it finds something but that’s for another day; I don’t have enough Linux in my environment to necessitate me putting the time in for that.

So with that here’s how to quickly get started.

Step 0: If not already there, install the EPEL repository

Step 1: Install ClamAV

Step 2: Perform the 1st update of ClamAV definitions (this will happen daily by default afterwards)

Step 3: Enable and Start Services

Step 4: Configure Daily Cron Job

I chose to have it scan the whole system and only report infected files, you may want to do differently

Enter the following:

Note the -i option tells it to only return infected files, the -r tells it to recursively search. You may want to add the --remove option as well to remove files that are seen as infected.

Step 6: Make Cron Job Executable

You can then kick off a manual scan if you’d like using

That’s it! Pretty simple, and all of your output will be logged daily to the /var/log/clamav/daily_clamscan.log file for review.
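The commands for the steps above are not shown on this page. As an added example (not the post's original script), here is one way to write the daily scan job from Step 4 together with a summary of what the most recent run flagged in the log. The install path, function names and run marker are assumptions; the clamscan options and log path are the ones named in the post.

```shell
#!/bin/bash
# Added example, not the post's original script. Assumed: install path
# /usr/local/sbin/clamav_daily.sh, the function names, and the run marker.
# run-parts passes no arguments, so the /etc/cron.daily file (made
# executable in Step 6) would be a one-line wrapper:
#     exec /usr/local/sbin/clamav_daily.sh --scan

LOG_FILE="${LOG_FILE:-/var/log/clamav/daily_clamscan.log}"  # path from the post
SCAN_ROOT="${SCAN_ROOT:-/}"                                  # whole system

# Append one scan to the log. -i lists infected files only, -r recurses.
# Excluding /proc, /sys and /dev is an added choice to avoid read errors
# on kernel pseudo-files. Add --remove only once false positives are
# understood, since it deletes flagged files.
# Returns clamscan's status: 0 clean, 1 infected file(s) found, 2 error.
run_daily_scan() {
    {
        echo "=== clamscan started $(date '+%Y-%m-%d %H:%M:%S') ==="
        clamscan -i -r \
            --exclude-dir='^/proc' --exclude-dir='^/sys' --exclude-dir='^/dev' \
            "$SCAN_ROOT"
    } >> "$LOG_FILE" 2>&1
}

# Print only the most recent run from a log (file argument or stdin).
# The log is appended to daily, so older runs must not be counted again.
last_run() {
    awk '/^=== clamscan started /{buf=""} {buf = buf $0 "\n"} END{printf "%s", buf}' "$@"
}

# Read log text on stdin and print the path of every flagged file.
# clamscan reports a hit as "<path>: <signature> FOUND".
infected_paths() {
    sed -n 's/^\(.*\): [^ ]* FOUND$/\1/p'
}

# Read log text on stdin and print the number of flagged files.
infected_count() {
    infected_paths | wc -l | tr -d ' '
}

# Constructed sample log (two runs) for trying the summary offline.
sample_log() {
cat <<'EOF'
=== clamscan started 2015-03-01 03:10:01 ===
/home/alice/eicar.com: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
=== clamscan started 2015-03-02 03:10:02 ===
/tmp/eicar.zip: Eicar-Test-Signature FOUND
/var/www/html/up load/x.txt: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Infected files: 2
EOF
}

case "${1:-}" in
    --scan)
        run_daily_scan
        status=$?
        # Flagged paths go to stdout, so they appear in the cron job's output.
        last_run "$LOG_FILE" | infected_paths
        exit "$status"
        ;;
    --demo)
        sample_log | last_run | infected_paths
        ;;
esac
```

Running the script with --demo prints the two paths from the second constructed run without needing ClamAV installed.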

Top New Features in Veeam Backup & Replication v8

We are now a couple of months out from the release of version 8 of Veeam Software’s flagship product Backup & Replication. Since then we’ve seen the first patch release a couple of weeks after, almost a Veeam tradition, and I’ve had it deployed and running for a while now. In that time I’ve found a lot to really like in the new version.

End to End Encryption

Backup & Replication now has the ability to encrypt your backup data from the moment it leaves your production storage system, through the LAN and WAN traffic, and once it is at rest, either on disk or tape. This encryption is protected by a password stored both with humans and within the Enterprise Manager database, keeping you from losing backups. Finally, the encryption does not change ratios for either compression or deduplication of the backup data.

Resource Conservation Improvements

Quite a few of the new Backup & Replication features are geared towards keeping your RPO goals from getting in the way of production efficiency. First and foremost is the availability of Backup I/O Control, a feature that will monitor the latency of your production storage system and if measured metrics climb above a user defined level will throttle backup operations to return systems to acceptable levels.

On the networking side, if you have redundant or other non-production WAN links you now have the ability to specify preferred networks for backup data, with failover to production if it isn’t available. Further, the WAN Accelerator for site to site backup copy and replication has been improved to allow for up to 3x what was seen in v7.

Cloud Connect

Both of the above features make this one possible. This new version brings a new partnership opportunity where VARs and other cloud storage service providers have the ability to directly act as a repository for your backup data. These providers can then allow you to spin these backups up as part of a second offering or as part of a package. With this the need to own, manage and maintain the hardware for a DR site becomes much lighter and I personally believe this will be a big deal for many in the SMB space.

New Veeam Explorers for Recovery

Veeam has been phasing out the use of the U-AIR wizards for item level restore for a while but with v8 we now have the release of the Explorers for Active Directory, Microsoft SQL Server and Exchange. The Active Directory one is particularly of note because it not only allows you to restore a deleted AD item but do so with the password intact.  Transaction log backup for SQL servers is also now supported allowing for point in time restore. The Exchange option has a few new features but I especially like the option of recovering hard-deleted items.

These are frankly just the tip of the iceberg when it comes to the new features. For more on what’s new I recommend you check out the What’s New documents for both Backup & Replication as well as for VeeamONE, Veeam’s virtualization infrastructure monitoring package.

 

vExpert 2015

The 2015 vExpert List was released today and I am honored to be on the list for the second year in a row. The vExpert program was developed to recognize those who actively discuss and help others with VMware’s virtualization products in a number of ways, but notably through blogging and social media. To other vExperts that may be reading this please accept my hearty congratulations on your inclusion, whether it’s your first or your fifth time around.

While it isn’t really the point, there are a number of benefits to being a vExpert with most of them compiled and listed by Romain Decker on his website. This can include anything from swag to free or heavily discounted training to NFR licenses for your home lab from many companies in the virtualization industry.  In truth what I’ve found to be the biggest benefit is getting to know, at least virtually, some exceptionally bright people in our field.

If for some reason you either didn’t apply and/or didn’t make the cut this time around and would like to be considered for inclusion, there will be another round of applications this year but it hasn’t been announced yet. A best bet to be notified of when this opens would be to either follow the VMTN blog feed or the @vExpert twitter account.

What’s New in vSphere 6: Licensing

Today's release of vSphere 6 brings about quite a few new technologies worth getting excited for. This includes things such as Virtual Volumes (VVOLs), Open Stack Integration, global content library and long distance vMotion. Now for many of us, especially in the SMB space, the question is can we afford to play with them. As usual VMware very quietly released the licensing level breakout of these and other new features and I have to say my first take is this is another case of the rich getting richer.

If you are already Enterprise Plus level licensed you are in great shape as everything discussed today except VSAN is included. Specifically this includes

  • Cross vCenter / long distance vMotion
  • Content Library
  • vGPU
  • VMware Integrated OpenStack

While that's great and all and I applaud their development, they have quite a few other licensing levels that have been left out. Personally my installations are done at either Standard or Enterprise levels. The only major feature with support across the product line is VVOLs, which is nice, but I honestly expected them to at least move some version 5 features such as Storage DRS down a notch to the Enterprise level and I figured the Content Library would maybe come in at the Essentials Plus level or Enterprise.

As Mr. Geitner alluded to in his talk, about half of all vSphere licenses are Enterprise Plus, and my guess is the company really wants to see that number grow. Here's to hoping that, like vRAM, this recent trend of heavily loading features into the highest level is one that will be quickly rectified, because I think this is going to be just as popular.

 

 

Managing your vSphere 6 Environment

VMware released the long awaited version 6 of its vSphere products today and as I’m sure you’ll be running out tomorrow to go update all your production environments….

Ok now that we’re done laughing what you probably are going to want to get into is getting your lab updated or built so you can work out the changes yourself, possibly using your EvalExperience licenses you got with VMUG Advantage? Once you get it up and running you’ll notice that a few things have changed from the administration point of view. In this post I’m going to take a quick look at the Management features of vSphere 6.

Platform Services Controller

One thing you’ll find right off is that many of the underlying vCenter services have now been lumped together into what they are calling the Platform Services Controller. These services include Single Sign-On, licensing and certificate management.  At installation you are given two options on how to deploy the PSC, either embedded, where the PSC always rides along with vCenter, or External where the PSC is installed on its own VM and each vCenter talks back to the central services controller.

There are a couple of design requirements here if you choose to go the embedded route. You can have a maximum of 8 embedded or external PSCs per Single Sign-On site, and if you choose to go the embedded route it will increase the minimum RAM required to 8 GB.

vSphere Web Client

As has been the trend VMware has spent some serious time improving the Web Client, this time focusing on loading time, login time and a more streamlined component layout. It is still Flash based, but still a bit better. Time will tell with this one.

vSphere Host Client

Is the death of the installable VI client we’ve been hearing about for years here? Yes but it’s been replaced with a new version that is to be used only for connecting to the hosts directly or Update Manager. No, the new C# client for vSphere 6 will function much in the same way as the 5.5 client, you will be able to manage your infrastructure fully with it, but in terms of editing virtual hardware you will only be able to do so fully on VMs version 5-8.* The good part about it is the new C# client is not version based, rather it can be used to manage hosts running hardware versions 8-11.

Multi-Site Content Library

This one is probably what I am most excited about. Instead of having to update the ISO datastore in each of your locations, as well as building or copying your base templates for each vCenter, with the Content Library you can create a repository for all of your ISOs, templates, vApps and scripts and that repository will automatically be synchronized across all sites and vCenter Servers.

Virtual Datacenters and Policy Based Management

These two are the ones that I frankly still need to dive deeper into.  The concept is that you create virtual datacenters, spanning multiple locations (both local and cloud service) and then use policy to define what resources are available and where when spinning up a VM.

Certificate Lifecycle Management

Finally on the management side a new command line interface has been added for managing both the VMware and third-party certificates. I recently used fellow vExpert Derek Seaman’s excellent tool and blog series to use Microsoft Certificate Services certs in my vSphere infrastructure; I have to believe this will make that process easier. As the documentation gets finalized I’ll provide a link to the docs for this here.

All in all it should be an exciting time for us virtualized folks, with lots of new toys and technology to try out.

*After the big Feb. 6 announcement VMware saw fit to let everybody know that there are major changes between what was there in the betas and what will be there in the GA build, this being one of them.

3 steps to really reset a Cisco 7900 Phone

Recently had some issues with one of our phones at the office and you know how it goes, reboot it. What you may not know is that there are different levels of “reboot” for the 7900 series phones, each of which is a little more pervasive. In this post I’ll outline how to go about performing these 3 ways to reset your desk phone to cure what may or may not be ailing you.

I. The Simple Reset

Sure you could go into ccmadmin and hit the reset button but that doesn’t work as well if you are standing right in front of it.  A quick reset can be performed by doing the following directly from the device

  1. Hit the settings button on the device
  2. Hit **#** on the keypad
  3. You should then see the screen display the “Resetting…” message followed by a reboot

II. Configuration Erase

When you boot your 7900 series IP phone as part of the boot sequence it reaches out to your Publisher’s TFTP server to grab a copy of either its specific configuration file or if none exist the default configuration file. Once this occurs it is stored locally to allow for quicker subsequent reboots. From time to time this locally cached copy will get gummed up and it is necessary to erase it and have it download a fresh copy. To do this the steps are

  1. Hit the settings button on the device
  2. Hit the **# buttons in order, afterwards you will see “Settings Unlocked!” display on the screen and a “More” soft button appear on the screen
  3. Hit the “More” soft button followed by the “Erase” soft button.
  4. You should then see the screen display the “Resetting…” message followed by a reboot

III. Factory Reset

This is the big daddy, if neither of the previous fixes worked then this process will erase not only the configuration but any firmware updates you have pushed to it as well, resulting in a phone as fresh as when it left the factory from a software perspective. To perform this process do the following steps:

  1. Unplug the power cable and/or the switch cable if using PoE
  2. Plug the device back in, pressing and holding the “#” key before the Speaker button flashes on and off
  3. Continue to hold the # button until each line button flashes on and off in sequence (amber).
  4. Next release the # and in order hit 123456789*0#
  5. After the sequence is done correctly the line buttons will flash red and then the phone will reboot.
  6. The phone will go through multiple reboot processes as various firmware loads and configuration files are downloaded.
  7. Do not remove power in any way until the reset process is completed in its entirety. You will know that this is done when the phone either correctly registers to CUCM or displays the “Registering…” message on the screen.

That’s it, if you’ve made it this far without fixing your issue then you either need to get back in CUCM and check your configurations of the device or contact TAC for a replacement device.

VMware’s Big February 2nd Announcement

VMware will be having a big announcement event next week, most likely regarding the public release of their vSphere 6 suite of products. Version 6 has been in a “private” beta that anyone can join for the past 5 months or so and looks to include various features to move the product along. The beta program is still open for enrollment with the latest version being an RC build, you can sign up here to gain access to the bits themselves but also various documents and recorded webinars regarding the new features.

Just going by what was discussed at VMworld 2014 what is included in this version includes

  • Virtual Volumes: A VMware/Storage vendor interoperability technology that masks much of the complexity of storage management from the vSphere administrator and makes the storage more virtualization-centric than it already is. There is a lot of information out there on this already available through the power of Google, but the product announcement on the VMware blogs is nice and concise.
  • The death of the fat VI Client: This is the release where we are supposed to be going whole hog on the vSphere Web Client. Can you feel the enthusiasm I have for this?
  • vMotion Enhancements: One feature really worth getting worked up for is the ability to migrate across both vCenters and datacenters, neither of which was possible in the past. This is great news.
  • Multi-CPU VM Fault Tolerance: While the fault tolerance feature, the ability to have in essence a replica of protected VMs on separate hosts within your datacenter, has been around for years it has been relegated to the also featured category due to some pretty stringent requirements for VMs to be protected in this manner. In vSphere 6 the ability to protect VMs with multiple CPUs will finally be supported.

In any case the announcement will be available for all to attend online. You can register to attend the event at VMware’s website.