Contents

Dell PowerProtect 19.4 Data Manager Administration And User Guide PDF

1 of 250
1 of 250

Summary of Content for Dell PowerProtect 19.4 Data Manager Administration And User Guide PDF

PowerProtect Data Manager Version 19.4

Administration and User Guide Rev 02

April 2020

Copyright 2016-2020 Dell Inc. or its subsidiaries. All rights reserved.

Dell believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED AS-IS. DELL MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND

WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF

MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. USE, COPYING, AND DISTRIBUTION OF ANY DELL SOFTWARE DESCRIBED

IN THIS PUBLICATION REQUIRES AN APPLICABLE SOFTWARE LICENSE.

Dell Technologies, Dell, EMC, Dell EMC and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be the property

of their respective owners. Published in the USA.

Dell EMC Hopkinton, Massachusetts 01748-9103 1-508-435-1000 In North America 1-866-464-7381 www.DellEMC.com

2 PowerProtect Data Manager Administration and User Guide

Preface 9

Getting Started 13 Introducing PowerProtect Data Manager software........................................... 14 References........................................................................................................ 15 Terminology.......................................................................................................15 Accessing the PowerProtect Data Manager UI..................................................16

Replacing the default PowerProtect Data Manager certificate ............ 17 Getting Started.................................................................................... 18 UI tools and options ............................................................................. 18

Managing Users 21 Managing user roles and privileges ...................................................................22

Managing users....................................................................................22 Default admin user............................................................................... 24 Roles....................................................................................................24 Privileges..............................................................................................27

Managing keychains..........................................................................................32 Modifying the lockbox passphrase....................................................... 32

Managing LDAP or AD groups...........................................................................33 LDAP or AD authentication............................................................................... 33

Configuring LDAP or AD authorities and assigning roles.......................33 Example: Configuring an AD authority ................................................. 37 Example: Configuring an LDAP authority............................................. 38 Troubleshooting LDAP configuration issues......................................... 39

Managing Storage 41 Add protection storage .................................................................................... 42

Troubleshooting protection policy for DD storage unit......................... 43 Viewing the DD Boost storage unit password.......................................43

Overview of PowerProtect Data Manager cloud tier.........................................43 Overview of PowerProtect Data Manager Cloud Disaster Recovery.................44

Using the PowerProtect Search Engine 45 Introducing the PowerProtect Search Engine...................................................46 Setting up and managing indexing.....................................................................46 Performing a search..........................................................................................47 Restoring from search.......................................................................................47 Troubleshooting Search Engine issues.............................................................. 48

Enabling the File System Agent 53 About the File System agent.............................................................................54 Application agent and File System agent coexistence.......................................54 File System agent prerequisites........................................................................ 56 File System agent limitations............................................................................ 57 Roadmap for protection with the File System agent......................................... 59 Installing and configuring File System agent..................................................... 59

Chapter 1

Chapter 2

Chapter 3

Chapter 4

Chapter 5

CONTENTS

PowerProtect Data Manager Administration and User Guide 3

Install the File System agent on Linux.................................................. 59 Install the File System agent on Windows ............................................61 Upgrading the File System agent......................................................... 63

Manage the File System agent..........................................................................65 Troubleshooting database clients......................................................................66

Enabling the Storage Direct Agent for VMAX Systems 69 About the Storage Direct agent........................................................................ 70 Storage Direct agent prerequisites................................................................... 70 Upgrading an existing Storage Direct agent.......................................................71

Configuration file requirements.............................................................71 Roadmap for protection with the Storage Direct agent for new environments.... 73 Roadmap for protection with the Storage Direct agent for existing environments ..........................................................................................................................74 Installing or Upgrading Storage Direct.............................................................. 76

Install the Storage Direct agent on Linux..............................................76 Upgrade the Storage Direct agent on Linux..........................................77 Install or upgrade the Storage Direct agent on Windows .....................78 Silent installation of the Storage Direct agent......................................79 Uninstall the Storage Direct agent on Linux......................................... 80 Uninstall the Storage Direct agent on Windows................................... 80

Manage the Storage Direct agent.....................................................................80 Storage Direct agent limitations and troubleshooting........................................ 81

Managing Assets 85 About asset sources, assets, and storage......................................................... 86 About Kubernetes cluster asset sources and namespace assets....................... 86 About vCenter Server asset sources and virtual assets.....................................87 Prerequisites for discovering asset sources...................................................... 88 Adding a vCenter Server asset source.............................................................. 88

Add a VMware vCenter Server.............................................................88 Creating a dedicated vCenter user account......................................... 90

VM Direct protection engine overview..............................................................93 Add a VM Direct Engine....................................................................... 94 Additional VM Direct actions................................................................95 Best practices for VM Direct Engines.................................................. 96 Troubleshooting virtual machine backup issues................................... 101

Discover a File System Host............................................................................ 107 Discover a Storage Direct agent host.............................................................. 108 Add and discover the SMIS server for the Storage Direct agent..................... 108 Adding a Kubernetes cluster asset source....................................................... 109

Docker Hub images required for successful Kubernetes cluster discovery............................................................................................ 109 Add a Kubernetes cluster.................................................................... 110 Recommendations and considerations when using a Kubernetes cluster ............................................................................................................112 Removing PowerProtect Data Manager components from a Kubernetes cluster................................................................................................. 113

Managing Protection Policies 115 Protection policies........................................................................................... 116

PowerProtect DD protection considerations....................................... 116 Before you create a protection policy...............................................................117

Chapter 6

Chapter 7

Chapter 8

Contents

4 PowerProtect Data Manager Administration and User Guide

Add a protection policy for a virtual machine....................................................118 More options for managing virtual machine backups.......................... 122

Add a protection policy for File System protection.......................................... 122 Exclusion filters.................................................................................. 125

Add a Self-service Protection Policy for Storage Direct.................................. 130 Add a Centralized Protection Policy for Storage Direct................................... 134 Add a protection policy for Kubernetes namespace protection........................138 Add a Cloud Tier schedule to a protection policy..............................................141

Managing Cloud Tier asset copies.......................................................142 Manual backups of protected assets............................................................... 142 On-demand cloud tiering of protected assets.................................................. 142 Edit a protection policy....................................................................................143

Add or remove assets in a protection policy........................................143 Change the DD Boost storage unit password...................................................144 Removing expired backup copies.....................................................................145 Export protection ........................................................................................... 146 Delete a protection policy................................................................................ 147 Add a Service Level Agreement....................................................................... 147 Export Asset Compliance................................................................................ 150 Dynamic filters ................................................................................................ 151

Creating virtual machine tags in the vSphere Client............................ 151 Add a dynamic filter............................................................................ 152 Manually run a dynamic filter.............................................................. 153 Edit or delete a dynamic filter ............................................................ 153 Change the priority of the existing dynamic filter .............................. 154 Enable dynamic filters to move virtual assets across policies..............154 Configure system setting for dynamic filters...................................... 155

Restoring Data and Assets 157 Viewing copies.................................................................................................158 Restore a virtual machine or VMDK................................................................. 158

Prerequisites to restore a virtual machine...........................................159 Restore and Overwrite original virtual machine...................................159 Restore individual virtual disks............................................................ 161 Restore to a new virtual machine........................................................162 Instant access virtual machine restore................................................163 File level restore to original virtual machine........................................ 167 File level restore to alternate virtual machine..................................... 168 Direct restore to ESXi.........................................................................170

Restore an application-aware virtual machine backup...................................... 171 Centralized and file-level restore of a File System host................................... 172

Centralized restore of File Systems.................................................... 172 File level restore from File System backups........................................ 173

Restoring a Storage Direct VMAX storage group.............................................175 Restore a VMAX storage group backup to the original location.......... 175 Restore a VMAX storage group backup to an alternate location......... 176 Instant Access Restore of a VMAX storage group backup.................. 177

Restoring a Kubernetes namespace................................................................. 178 Restore to the original namespace...................................................... 179 Restore to a new namespace.............................................................. 180 Restore to an existing namespace....................................................... 181

Restore the PowerProtect Data Manager server ............................................182 Restore Cloud Tier backups to the DD system.................................................182

Recall and restore from Cloud tier...................................................... 183 Troubleshooting virtual machine restore issues............................................... 183

Chapter 9

Contents

PowerProtect Data Manager Administration and User Guide 5

Troubleshooting instant access restore failures..................................185 FLR Agent for virtual machine file-level restore..................................185 Supported platform and OS versions for virtual machine file-level restore................................................................................................ 187 File-level restore and SQL restore limitations..................................... 188

Performing Self-Service Backup and Restore of Application and File System Agents 191 Performing self-service backups of File Systems............................................ 192 Self-service restore of Kubernetes namespaces..............................................193 Performing self-service restore of a File System host..................................... 194

Using the ddfsadmin utility for File Systems....................................... 194 Self-service image-level restore of File Systems................................ 195 Self-service file-level restore of File Systems.....................................195

Preparing for and Recovering from a Disaster 197 Managing system backups...............................................................................198 Manage PowerProtect Data Manager backups for disaster recovery.............. 198 Prepare the DD system recovery target.......................................................... 199 Configure backups for disaster recovery......................................................... 199 Configure PowerProtect Data Manager server disaster recovery backups..... 200 Record settings for disaster recovery.............................................................200 Restore PowerProtect Data Manager from an external DD system................. 201 Recovering a Search cluster from a DR backup...............................................201 Troubleshooting backup configuration issues..................................................203 Troubleshoot recovery of PowerProtect Data Manager..................................203 Recover a failed PowerProtect Data Manager backup....................................204

Managing Alerts, Jobs, and Tasks 205 Configure Alert Notifications.......................................................................... 206 View and manage System Alerts..................................................................... 206 View and manage Audit Logs...........................................................................207 Monitor and view jobs..................................................................................... 207 Monitor and view tasks................................................................................... 208 Restart a job or task........................................................................................208 Cancel a job or task.........................................................................................209 Export logs for a job or task.............................................................................210

Modifying the System Settings 211 System settings...............................................................................................212

Modify the network settings...............................................................212 Synchronize time on PowerProtect Data Manager and other systems.... 212 Modify the appliance time zone.......................................................... 212 Change the system root user password.............................................. 213 Enable replication encryption..............................................................213 License types......................................................................................214 PowerProtect Data Manager licenses.................................................214

System Support.............................................................................................. 215 Register the Secure Remote Services gateway.................................. 215 Callhome ............................................................................................216 Configure PowerProtect Central reporting......................................... 217 Set up the email server....................................................................... 218

Chapter 10

Chapter 11

Chapter 12

Chapter 13

Contents

6 PowerProtect Data Manager Administration and User Guide

Add Auto Support............................................................................... 218 Enable automatic upgrade package downloads...................................219 Add a log bundle................................................................................. 219 Monitor system state and system health............................................220 Access the open source software package information......................220

Modifying the PowerProtect Data Manager virtual machine disk settings...... 220 Modify the virtual machine memory configuration.............................. 221 Modify the data disk size.................................................................... 221 Modify the system disk size............................................................... 222

Configure the DD system................................................................................ 223

Configuring the vSphere Client PowerProtect plug-in 225 Introducing the PowerProtect plug-in for the vSphere Client......................... 226 Prerequisites for the vSphere Client PowerProtect plug-in.............................227 Monitor PowerProtect Data Manager virtual machine protection copies........ 228 On-demand PowerProtect policy backup in the vSphere Client......................228 Image-level restore of a PowerProtect backup in the vSphere Client............. 229 File-level restore of a PowerProtect backup in the vSphere Client................. 230

Configuring VMware Cloud on Amazon Web Services 233 PowerProtect Data Manager image backup and recovery for VMware Cloud on AWS................................................................................................................234 Configure the VMware Cloud on AWS web portal console.............................. 234 Amazon AWS web portal requirements...........................................................235 Interoperability with VMware Cloud on AWS product features....................... 235 vCenter server inventory requirements...........................................................236 VMware Cloud on AWS configuration best practices...................................... 236 Add a VM Direct Engine.................................................................................. 236 Protection and recovery operations................................................................ 237 Interoperability with VMware Cloud on AWS product features....................... 238 Unsupported operations in VMware Cloud on AWS ........................................238 Troubleshooting VMware Cloud on AWS ........................................................238

Upgrading the PowerProtect Data Manager Software 239 Upgrade PowerProtect Data Manager from version 19.4 and later................. 240 Upgrade PowerProtect Data Manager from version 19.2 and 19.3...................241 Upgrade the software from PowerProtect Data Manager version 19.1............243 Managing certificates after upgrading from versions earlier than PowerProtect Data Manager version 19.1.............................................................................. 244

Configuring and Managing the PowerProtect Agent Service 245 About the PowerProtect agent service...........................................................246 Start, stop, or obtain the status of the PowerProtect agent service...............247 Troubleshoot the PowerProtect agent service operations.............................. 248 Register the PowerProtect agent service to a different server address..........248 Recovering the PowerProtect agent service from a disaster.......................... 249

Restore the PowerProtect Data Manager agent service datastore.... 249

Chapter 14

Chapter 15

Chapter 16

Chapter 17

Contents

PowerProtect Data Manager Administration and User Guide 7

Contents

8 PowerProtect Data Manager Administration and User Guide

Preface

As part of an effort to improve product lines, periodic revisions of software and hardware are released. Therefore, all versions of the software or hardware currently in use might not support some functions that are described in this document. The product release notes provide the most up-to-date information on product features.

If a product does not function correctly or does not function as described in this document, contact a technical support professional.

Note: This document was accurate at publication time. To ensure that you are using the latest version of this document, go to the Support website https://www.dell.com/support.

Note: Data Domain is now PowerProtect DD. References to Data Domain or DD systems in this documentation, in the UI, and elsewhere in the product include PowerProtect DD systems and older Data Domain systems. In many cases the UI has not yet been updated to reflect this change.

Purpose

This document describes how to configure and administer the PowerProtect Data Manager software.

Audience

This document is intended for the host system administrator who is involved in managing, protecting, and reusing data across the enterprise by deploying PowerProtect Data Manager software.

Revision history

The following table presents the revision history of this document.

Table 1 Revision history

Revision Date Description

02 April 3, 2020 Content updates.

01 March 31, 2020 Initial release of this document for PowerProtect Data Manager 19.4.

Compatibility information

Software compatibility information for the PowerProtect Data Manager software is provided in the eLab Navigator, available at https://elabnavigator.emc.com/eln/modernHomeDataProtection.

Related documentation

The following publications are available on Dell EMC Online Support and provide additional information:

l PowerProtect Data Manager Administration and User Guide Describes how to configure the software.

l PowerProtect Data Manager Deployment Guide Describes how to deploy the software.

l PowerProtect Data Manager Release Notes Contains information on new features, known limitations, environment, and system requirements for the software.

PowerProtect Data Manager Administration and User Guide 9

l PowerProtect Data Manager Security Configuration Guide Contains security information.

l PowerProtect Data Manager Cloud Disaster Recovery Administration and User Guide Describes how to deploy Cloud DR, protect VMs in the AWS or Azure cloud, and run recovery operations.

l PowerProtect Data Manager for Cyber Recovery User Guide Describes how to install, upgrade, patch, and uninstall the Dell EMC PowerProtect Cyber Recovery software.

l PowerProtect Data Manager API documentation: https://developer.dellemc.com Contains the PowerProtect Data Manager APIs and includes tutorials to guide to you in their use.

You can use the following resources to find more information about this product, obtain support, and provide feedback.

Special notice conventions that are used in this document

The following conventions are used for special notices:

CAUTION A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.

Note: A Note indicates important information that helps you make better use of your product.

Typographical conventions

The following type style conventions are used in this document:

Table 2 Style conventions

Bold Used for interface elements that a user specifically selects or clicks, for example, names of buttons, fields, tab names, and menu paths. Also used for the name of a dialog box, page, pane, screen area with title, table label, and window.

Italic Used for full titles of publications that are referenced in text.

Monospace Used for:

l System code

l System output, such as an error message or script

l Pathnames, file names, file name extensions, prompts, and syntax

l Commands and options

Monospace italic Used for variables.

Monospace bold Used for user input.

[ ] Square brackets enclose optional values.

| Vertical line indicates alternate selections. The vertical line means or for the alternate selections.

{ } Braces enclose content that the user must specify, such as x, y, or z.

... Ellipses indicate non-essential information that is omitted from the example.

You can use the following resources to find more information about this product, obtain support, and provide feedback.

Preface

10 PowerProtect Data Manager Administration and User Guide

Where to find product documentation

l https://www.dell.com/support

l https://community.emc.com

Where to get support

The Support website https://www.dell.com/support provides access to product licensing, documentation, advisories, downloads, and how-to and troubleshooting information. The information can enable you to resolve a product issue before you contact Support.

To access a product-specific page:

1. Go to https://www.dell.com/support.

2. In the search box, type a product name, and then from the list that appears, select the product.

Knowledgebase

The Knowledgebase contains applicable solutions that you can search for either by solution number (for example, KB000xxxxxx) or by keyword.

To search the Knowledgebase:

1. Go to https://www.dell.com/support.

2. On the Support tab, click Knowledge Base.

3. In the search box, type either the solution number or keywords. Optionally, you can limit the search to specific products by typing a product name in the search box, and then selecting the product from the list that appears.

Live chat

To participate in a live interactive chat with a support agent:

1. Go to https://www.dell.com/support.

2. On the Support tab, click Contact Support.

3. On the Contact Information page, click the relevant support, and then proceed.

Service requests

To obtain in-depth help from Licensing, submit a service request. To submit a service request:

1. Go to https://www.dell.com/support.

2. On the Support tab, click Service Requests.

Note: To create a service request, you must have a valid support agreement. For details about either an account or obtaining a valid support agreement, contact a sales representative. To find the details of a service request, in the Service Request Number field, type the service request number, and then click the right arrow.

To review an open service request:

1. Go to https://www.dell.com/support.

2. On the Support tab, click Service Requests.

3. On the Service Requests page, under Manage Your Service Requests, click View All Dell Service Requests.

Online communities

For peer contacts, conversations, and content on product support and solutions, go to the Community Network https://community.emc.com. Interactively engage with customers, partners, and certified professionals online.

Preface

PowerProtect Data Manager Administration and User Guide 11

How to provide feedback

Feedback helps to improve the accuracy, organization, and overall quality of publications. You can send feedback to DPAD.Doc.Feedback@emc.com.

Preface

12 PowerProtect Data Manager Administration and User Guide

CHAPTER 1

Getting Started

This section includes the following topics:

l Introducing PowerProtect Data Manager software................................................................14 l References............................................................................................................................ 15 l Terminology........................................................................................................................... 15 l Accessing the PowerProtect Data Manager UI...................................................................... 16

PowerProtect Data Manager Administration and User Guide 13

Introducing PowerProtect Data Manager software PowerProtect Data Manager software is an enterprise solution that provides software-defined data protection, deduplication, operational agility, self-service, and IT governance.

PowerProtect Data Manager enables the transformation from traditional centralized protection to an IT-as-a-service model based on a self-service design. This design ensures that you can enforce compliance and other business rules, even when backup responsibilities are decentralized to individual database administrators and application administrators.

PowerProtect Data Manager key features include:

l Software-defined data protection with integrated deduplication, replication, and reuse

l Data backup and recovery self-service operations from native applications that are combined with central IT governance

l Multicloud optimization with integrated cloud tiering

l SaaS-based monitoring and reporting

l Modern services-based architecture for ease of deployment, scaling, and upgrading

PowerProtect Data Manager integrates multiple data protection products within the Dell EMC Data Protection portfolio to enable data protection as a service, providing the following benefits:

l Enables the data protection team to create data paths with provisioning, automation, and scheduling to embed protection engines into the infrastructure for high-performance backup and recovery.

l Enables backup administrators of large-scale environments to schedule Microsoft SQL, Oracle, and SAP HANA backups from a central location on the PowerProtect Data Manager server.

l Uses an agent-based approach to discover the protected and unprotected databases on an application server.

l Enables governed self-service and centralized protection by:

n Monitoring and enforcing Service Level Objectives (SLOs)

n Identifying violations of Recovery Point Objectives (RPO)

n Applying retention locks on backups that are created using the Microsoft application agent, Oracle RMAN agent, and SAP HANA agent.

l Supports deploying an external VM Direct appliance to move data with the VM Direct Engine. The PowerProtect Data Manager software comes prebundled with an embedded VM Direct appliance, which is automatically used as a fallback proxy for performing backup and restore operations when the added external proxies fail or are disabled. Dell EMC recommends that you always deploy external proxies, because the embedded proxy has limited capacity for performing parallel backups.

l Supports the vRealize Automation DP extension, which enables provisioning of virtual machines with PowerProtect Data Manager protection, on-demand backup, and restore to the original or a new location. The vRealize Automation Data Protection Extension for PowerProtect Data Manager Installation and Administration Guide provides more information.

l Supports integration of Cloud Disaster Recovery (Cloud DR), including workflows for Cloud DR deployment, protection, and recovery operations in the AWS or Azure cloud.

l Supports PowerProtect Search, which enables backup administrators to quickly search for and restore VM file copies. The Search Service can be enabled by adding a search node to the configurable Search Engine that is autodeployed during the PowerProtect Data Manager installation.

Getting Started

14 PowerProtect Data Manager Administration and User Guide

l Provides a RESTful interface that allows the user to monitor, configure, and orchestrate Power Protect Data Manager. Customers can use the APIs to integrate their own automation framework or quickly write new scripts with the help of easy-to-follow tutorials.

References Some procedures in this document reference other publications for detailed procedures.

The following publications, available on Dell EMC Online Support, provide additional information:

l PowerProtect Data Manager Security Configuration Guide

l PowerProtect Database Application Agent Installation and Administration Guide

l PowerProtect Microsoft Application Agent Installation Guide

l PowerProtect Microsoft Application Agent SQL Server User Guide

l PowerProtect Oracle RMAN Agent Administration Guide

l PowerProtect Storage Direct Agent Installation and Administration Guide

l PowerProtect Storage Direct Primary and Protection Storage Configuration Guide

l PowerProtect Storage Direct Solutions Guide

Terminology Familiarize yourself with the terminology that is used in the PowerProtect Data Manager UI and documentation.

The following table provides more information about names and terms you should know to use PowerProtect Data Manager:

Term Description

Application Agent Application Agents are installed on application or database host servers to manage protection using PowerProtect Data Manager. These Agents are commonly known as DDBoost Enterprise Agents (DDBEA) for databases and applications.

Asset Assets are objects in PowerProtect Data Manager for which you want to manage protection, including VMs, databases, and file systems.

Asset Source Assets that PowerProtect Data Manager protects reside within Asset Sources, which include vCenter Servers, application or database hosts, and file servers.

Cloud Tier Storage Cloud Tier storage can be added to an external DD system to expand the DD deduplication storage capacity onto less expensive object storage in public or private object storage clouds, including Dell EMC secure Elastic Cloud Storage appliances.

Copy A PowerProtect Data Manager copy is a point-in-time backup copy of an Asset.

Copy Map The PowerProtect Data Manager Copy Map is a visual representation of backup copy locations on your Protection Storage and is available for all protected Assets that have copies.

Getting Started

PowerProtect Data Manager Administration and User Guide 15

Term Description

Discovery Discovery is an internal process that scans Asset Sources to find new assets to protect and scans infrastructure components to monitor their health and status.

Instant Access PowerProtect Data Manager VM backup copies can be accessed, mounted, and booted directly from the Protection Storage targets as running VMs. Copies can also be moved to a production VMware datastore using vMotion.

Power Protect Data Manager Agent

An agent that is included in PowerProtect Data Manager and installed on each application agent host server so that you can monitor and manage the application agent through PowerProtect Data Manager.

PowerProtect Search Engine

The PowerProtect Search Engine enables you to add a node for indexing copies. Indexing enables you to quickly search for VM file copies and restore the individual files.

Protection Engines Protection Engines are infrastructure components that are centrally deployed from PowerProtect Data Manager and used as data movers to transfer data from Asset Sources to Internal or External Protection Storage targets.

Protection Policy Protection Policies configure and manage the entire life cycle of backup data, which includes backup type, assets, backup start/stop time, backup device, and backup retention.

Service Level Agreement (SLA)

An optional policy that you can layer on top of a Protection Policy. An SLA performs additional checks on protection activities to ensure that protection goals meet the standards that your organization requires. SLAs are made up of one or more Service Level Objectives.

Service Level Objectives (SLO)

Definable rules that set the criteria for Recovery Point Objectives (RPO), encryption, and locations of backups according to your company requirements.

VM Direct A Protection Engine that is centrally deployed from PowerProtect Data Manager as a stateless virtual appliance. VM Direct handles I/O processing and deduplication for protected virtual machines.

Accessing the PowerProtect Data Manager UI PowerProtect Data Manager provides a web-based UI that you can use to manage and monitor system behavior.

Procedure

1. From a host that has network access to the virtual appliance, use Google Chrome to connect to the appliance:

https://appliance_hostname Note: You can specify the hostname or the IP address of the appliance.

2. Log in with your user name and password.

If you receive an unsigned certificate warning, see Replacing the default PowerProtect Data Manager certificate on page 17 for instructions.

The Getting Started page appears.

Getting Started

16 PowerProtect Data Manager Administration and User Guide

l The left pane provides links to the available menu items. Expand a menu item for more options.

l The icons in the PowerProtect Data Manager banner provide additional options.

Replacing the default PowerProtect Data Manager certificate Use this procedure to replace the PowerProtect Data Manager UI and public API facing certificates with new self-signed or CA signed certificates.

Before you begin

You must have the following keys and certificates in place:

l /etc/ssl/certificates/customer/customerkey.pem l /etc/ssl/certificates/customer/customer.pem l /etc/ssl/certificates/customer/customer.keystore l /etc/ssl/certificates/customca/customca.truststore Procedure

1. Log in to the PowerProtect Data Manager system as the root user.

Note: PowerProtect Data Manager does not support using the ssh command with the root account. To use ssh to connect to the system, log in to ssh with the admin account, and then use the su command to change to the root account.

2. Run the following Unix commands:

cd /usr/local/brs/lib/ecdm-ui/app

ln -s /etc/ssl/certificates/customer/customer.pem cert.pem

ln -s /etc/ssl/certificates/customer/customerkey.pem private-key.pem

sudo systemctl restart nginx

3. Update the /usr/local/brs/lib/zuul/config/application.yml file with following parameters:

key-store: Specify the file path where your key-store certificate is kept. For example: /etc/ssl/certificates/customer/customer.keystore key-store-password: Specify a key-store password.

key-password: Specify a key password.

key-alias: Specify a key alias.

trust-store: Specify the file path where your trust-store certificate is kept. For example: /etc/ssl/certificates/customca/customca.truststore trust-store-password: Specify a trust-store password.

4. Carry out the command: zuul restart 5. Log in to the https://ppdm.customer.com instance.

6. When prompted, accept the certificate.

7. Login to https://ppdm.customer.com:8443.

All external requests are now using your installed certificates.

Getting Started

PowerProtect Data Manager Administration and User Guide 17

Getting Started The Getting Started page provides configuration options that are required when the system is first deployed.

The Getting Started page appears upon first deployment of PowerProtect Data Manager and opens to this page by default until you click Skip This.

You can access the Getting Started page at any time by selecting System Settings > Getting Started.

Table 3 PowerProtect Data Manager Getting Started menu items

Options Description

Support View and configure Secure Remote Services (SRS), Email Setup, Auto Support, Logs, System Health.

Disaster Recovery Backup

Configure and manage backups for disaster recovery.

VMware vCenter Opens the Infrastructure > Asset Sources page where you can add a vCenter instance as an asset source so that it can be added to a protection policy.

Protect Assets Opens the Protection Policies page where you can manage Protection Life Cycle workflows for all asset types.

UI tools and options Learn about the available tools in the UI.

PowerProtect Data Manager UI tools

Table 4 PowerProtect Data Manager tools

Menu item Description

Dashboard

Provides a high-level view of the overall state the PowerProtect Data Manager system and includes the following information:

l AlertsSystem alerts

l ProtectionDetails about protection policies

l JobsStatus of all Jobs that are filtered by a selected time period or status type. Select the status in the Jobs pane to open the Jobs window, where you can manage jobs, search, and view details.

l PolicyDetails include number of successes, failures, and excluded assets for each asset type

l Protection StorageProtection storage usage statistics

l RecoveryRecovery statistics

l HealthDetails about the health of the system, including services, licenses, support, protection engines, server backups, and uptime

PowerProtect Data Manager refreshes the data hourly unless you run an ad hoc discovery.

Getting Started

18 PowerProtect Data Manager Administration and User Guide

Table 4 PowerProtect Data Manager tools (continued)

Menu item Description

Infrastructure

Click Infrastructure to perform the following tasks:

l View and manage all assets.

l Add vCenter and Application and File System Host asset sources.

l View and manage Integrated Storage.

l Add a VM Direct appliance with the VM Direct protection engine for virtual machine data protection.

l Manage registration of Oracle RMAN agent, Microsoft application agent, SAP HANA agent, and File System agent.

l View and manage Cloud Disaster Recovery.

l Create and manage a Search Cluster.

Protection

Click Protection to perform the following tasks:

l Add protection policy groups to assets.

l Manage SLA.

l Add, edit, and delete Dynamic Groups for assets.

Recovery

Click Recovery to perform the following tasks:

l View asset copy location details and initiate a Restore operation.

l Manage Instant Access Sessions.

l Use the File Search feature to find and restore virtual machine file copies.

Alerts

Click Alerts to perform the following tasks:

l View and acknowledge alerts and events.

l View and examine Audit logs.

l Export audit logs to CSV files.

l Set audit log boundaries.

Administration

Click Administration to perform the following tasks:

l Configure users and roles.

l Set password credentials and manage key chains.

l Configure alert notifications.

l Add LDAP Identity Sources.

Jobs

Click Jobs to manage jobs, view by completed or running, filter, and view details.

Reporting

Click Reporting to log in to PowerProtect Central.

Getting Started

PowerProtect Data Manager Administration and User Guide 19

Banner UI options

The following table describes the icons that are located in the PowerProtect Data Manager banner.

Table 5 Banner UI options

Option Description

Click to enter search criteria to find assets, jobs, logs, and alerts.

Click to see recent alerts.

Click to configure and manage PowerProtect Data Manager system network, time zone, and NTP settings, DR backups, security, licenses, upgrades, authentication, agent downloads, and support, and to access the Getting Started page.

Click to log out, and log in as a different user.

Click to see PowerProtect Data Manager version information.

Click to obtain more information about PowerProtect Data Manager, access Dell EMC Support, or view the REST API documentation.

Getting Started

20 PowerProtect Data Manager Administration and User Guide

CHAPTER 2

Managing Users

This section includes the following topics:

l Managing user roles and privileges ....................................................................................... 22 l Managing keychains.............................................................................................................. 32 l Managing LDAP or AD groups............................................................................................... 33 l LDAP or AD authentication....................................................................................................33

PowerProtect Data Manager Administration and User Guide 21

Managing user roles and privileges Users can be defined as either local or LDAP/Active Directory. Users and LDAP groups can access all protection policies and assets within the PowerProtect Data Manager environment.

The role that is assigned to a user defines the privileges that are associated with the user and determines the tasks that the user can perform.

Managing users Only the Admin role can manage users.

The following roles can view users, roles, identity sources, and user groups:

l Admin

l User

l Export and Recovery Admin

Users can see only their own role within their own account.

Note: User authorization grants or denies users access to PowerProtect Data Manager resources. Authorization is the same for locally authorized users and Microsoft Windows Active Directory/LDAP users.

You can create local users to perform management tasks. When you create a local user account, you must assign a role to the user.

Add a user Only the Admin role can add a user.

Procedure

1. Select Administration > Users.

The Users window appears.

2. Click Add.

3. In the New User window, provide the following information:

l User first name

l User last name

l Username

l Email Address

l Password

l Retype to confirm password

l Force Password ChangeEnabled by default. Requires the user to update the password at first login.

l Role

4. Click Save.

Results

The newly added user appears in the Users window.

Managing Users

22 PowerProtect Data Manager Administration and User Guide

Edit or delete a user Only the Admin role can edit or delete a user.

Procedure

1. Select Administration > Users.

The Users window displays the following information:

l Username

l User first name

l User last name

l User email address

l User role

l Date the user was created

2. Select the user you want to edit or delete.

3. Do one of the following:

l To delete the user, click Delete.

l To edit the user, click Edit, modify the user fields, and then click Save.

Results

The changes appear in the Users window.

Reset a password Local users can reset a forgotten password using this procedure.

Before you begin

l The user must be a local user.

l A mail server must be configured on PowerProtect Data Manager.

l LDAP and Windows Active Directory users cannot reset their password using this procedure. Contact the system administrator to reset your password.

About this task

Local users can receive an email with a link to reset their password. The reset password link in the email expires in 20 minutes, after which time they must request another link.

Procedure

1. In the PowerProtect Data Manager login page, click Forgot Password.

2. In the Forgot Password dialog box, type your user name, click Send Link, and click OK to dismiss the informational dialog box.

The system sends a message to the email address associated with your user name.

3. Open the email and click the link.

4. In the Reset Password dialog box, type a new password in the New Password and Confirm New Password fields, and click Save.

The PowerProtect Data Manager login page appears.

5. Log in with your user name and new password.

Managing Users

PowerProtect Data Manager Administration and User Guide 23

Default admin user The default admin user is preassigned the Admin role during PowerProtect Data Manager installation.

The default admin user has super user control over PowerProtect Data Manager and cannot be deleted. However, you can modify the attributes of the default admin user.

Roles A role defines the privileges and permissions that a user has to perform a group of tasks. When a user is assigned a role, you grant the user all of the privileges that are defined by the role. Only one role can be associated to a user account.

Admin role

Admin

The Admin role is responsible for setup, configuration, and all PowerProtect Data Manager management functions. The Admin role provides systemwide access to all functionality across all organizations. One default Admin role is assigned at PowerProtect Data Manager deployment and installation. You can add and assign additional Admin roles to users in your organization who require full access to the system.

This table outlines the privileges and tasks that are associated with the Admin role.

Table 6 Admin role privileges and tasks

Privileges Tasks

Activity Management l Manage Discovery Jobs

l Manage Tasks

l Workflow Execution

Asset Management l View Data Source Assets

l Manage Data Source Assets

l View Protection Storage Targets

l Manage Protection Storage Targets

Monitoring l Monitor Events

l Manage Events

l View Historical Data

l View Tasks and Activities

Recovery and Reuse Management

l View Host

l Manage Host

l Rollback to Production

l Recovery to New Location

l Export for Reuse

Managing Users

24 PowerProtect Data Manager Administration and User Guide

Table 6 Admin role privileges and tasks (continued)

Privileges Tasks

Service Plan Management

l View Plans

l Manage Plans

l Assign Data Source to Plan

Security and System Audit

l Monitor Security/System Audit

l Manage Security/System Audit

Storage Management l View Storage Array

l Manage Storage Array

l View Inventory Sources

l Manage Inventory Sources

Support Assistance and Log Management

l View Diagnostic Logs

l Manage Diagnostic Logs

System Management l View System Settings

l Manage System Settings

User/Security Management

l Manage User Security

l View User Security

User role

User

The User role is responsible for monitoring the PowerProtect Data Manager Dashboard, Activity Monitor, and Notifications. The User role provides read-only access to monitor activities and operations. Assign the User role to users in your organization who monitor Dashboard activities, Activity Monitor, and Notifications but do not require the ability to configure the system.

This table outlines the privileges and tasks that are associated with the User role.

Table 7 User role privileges and tasks

Privileges Tasks

Activity Management l Workflow Execution

Asset Management l View Data Source Assets

l View Protection Storage Targets

Monitoring l Monitor Events

l View Historical Data

l View Tasks and Activities

Managing Users

PowerProtect Data Manager Administration and User Guide 25

Table 7 User role privileges and tasks (continued)

Privileges Tasks

Recovery and Reuse Management

l View Host

Service Plan Management

l View Plans

Security and System Audit

l Monitor Security/System Audit

Storage Management l View Storage Array

l View Inventory Sources

Support Assistance and Log Management

l View Diagnostic Logs

System Management l View System Settings

User/Security Management

l View User Security

Export and Recovery Admin role

Export and Recovery Admin

The Export and Recovery Admin role is defined for a dedicated set of users who are solely responsible for PowerProtect Data Manager setup, configuration, and execution of data management tasks such as copy export and recovery operations. The Export and Recovery Admin role provides access only to those functions required for data export and recovery operations. This role and its operations are intended for a limited set of users whose actions are solely focused on data management, export, and recovery; and whose actions are audited routinely for security purposes. Assign the Export and Recovery Admin role to a user in your organization who requires access to data only to make it available to others in the organization and thereby maintain a chain of custody record.

This table outlines the privileges and tasks that are associated with the Export and Recovery Admin role.

Table 8 Export and Recovery Admin role privileges and tasks

Privileges Tasks

Activity Management None

Asset Management l View Data Source Assets

l View Protection Storage Targets

Monitoring l Monitor Events

l View Historical Data

l View Tasks and Activities

Recovery and Reuse Management

l View Host

l Manage Host

Managing Users

26 PowerProtect Data Manager Administration and User Guide

Table 8 Export and Recovery Admin role privileges and tasks (continued)

Privileges Tasks

l Rollback to Production

l Recovery to New Location

l Export for Reuse

Service Plan Management

None

Security and System Audit

None

Storage Management l View Storage Array

Support Assistance and Log Management

l View Diagnostic Logs

System Management l View System Settings

User/Security Management

l View User Security

Privileges PowerProtect Data Manager privileges define the tasks that a user can perform and these privileges are assigned to roles.

Activity Management Privileges

This table defines the Activity Management Privileges.

Table 9 Activity Management Privileges

Privilege Task

Manage Discovery Jobs

l Create discovery jobs.

l View discovery jobs.

l Edit discovery jobs.

l Delete discovery jobs.

Manage Task l Create task resources.

l View task resources.

l Edit task resources.

Workflow Execution l Start workflow execution.

l Cancel workflow execution.

l View the status of workflow execution.

Managing Users

PowerProtect Data Manager Administration and User Guide 27

Asset Management Privileges

This table defines the Asset Management Privileges.

Table 10 Asset Management Privileges

Privilege Task

Manage Data Source Assets

l Create, read, edit, and delete a data source.

l Create, view, edit, and delete the policy in the protection group resource.

l Create, view, edit, and delete asset group resources.

l Create, view, edit, patch, and delete tag category resources.

Manage Protection Storage Targets

l Create, view, edit, and delete a data target.

l Create, view, edit, and delete asset group resources of protection storage targets.

View Data Source Assets l View a data source.

l View asset group resources.

l View the policy of the protection group resource.

l View tag category resources.

View Protection Storage Targets

l View a data target.

Monitoring Privileges

This table defines the Monitoring Privileges.

Table 11 Monitoring Privileges

Privilege Task

View Tasks or Activities l View task resources.

View Historical Data l View historical data that relates to plans, arrays, data targets, data sources, and capacity data.

Monitor Events l View alerts.

l View external notifications.

Manage Events l Acknowledge alerts and add notes.

l Create, modify, and delete external notifications.

Service Policy Management Privileges

This table defines the Policy Management Privileges.

Managing Users

28 PowerProtect Data Manager Administration and User Guide

Table 12 Policy Management Privileges

Privilege Task

Assign Data Source to Policy

l Assign a data source to a protection policy resource.

Manage Policies l Create, view, edit, and delete the policy for a protection policy resource.

l Create, view, edit, and delete a policy definition resource.

l Create, view, edit, and delete schedule resources.

l Create, view, edit, and delete an objective definition resource.

l Create, read, edit, and delete an action definition.

View Policies l View the policy for a protection policy resource.

l View schedule.

l View a protection policy definition.

l View objective definition.

l View services.

l View service resources.

l View assets that are assigned to a protection policy.

l View action definitions.

l View asset group resources.

Recovery and Reuse Management Privileges

This table defines the Recovery and Reuse Management Privileges.

Table 13 Recovery and Reuse Management Privileges

Privilege Task

Export for Reuse l Create, view, edit, and start export and reuse operations.

Roll back to Production

l Create, view, edit, and start rollback to production operations.

Recovery to Alternate Location

l Create, view, edit, and start recovery to alternate location operations.

Manage Host l Create, view, edit and delete a host.

View Host l View a host.

Storage Management Privileges

This table defines the Storage Management Privileges.

Managing Users

PowerProtect Data Manager Administration and User Guide 29

Table 14 Storage Management Privileges

Privilege Task

View Inventory Sources

l View a management interface.

l Read storage manager resources such as exported, deleted, and restored copies.

View Storage Array l View a storage array.

Manage Storage Array

l Create, view, edit, and delete a storage array.

Manage Inventory Sources

l Create storage manager resources and run creation-related storage array operations.

l Create exported and restored copies and run restore-related storage array operations.

l Create expunged copies and run deletion-related storage array operations.

l Create, view, edit, and delete a management interface.

Security Management Privileges

This table defines the Security Management Privileges.

Table 15 Security Management Privileges

Privilege Task

Manage User Security l Create, view, edit, and delete users

l View roles

l Create, view, edit, and delete identity sources

l Create, view, edit, and delete user groups

l Create, view, edit, and delete white lists

l Create, view, edit, and delete TLS certificates for external hosts

View User Security l View users and roles

l View identity sources and user groups

l View white lists

l View TLS certificates for external hosts

System Management Privileges

This table defines the System Management Privileges.

Managing Users

30 PowerProtect Data Manager Administration and User Guide

Table 16 System Management Privileges

Privilege Task

View System Settings l View SRS information.

l View Server Disaster Recovery artifacts.

l View Maintenance Mode.

l View License information.

l View Server Disaster Recovery Status.

l View node, Configuration EULA, OS User, Upgrade Package, Component, Configuration Status, Configuration Logs, Time Zone, and State resources

Manage System Settings

l Manage Server Disaster Recovery activities.

l Manage SRS Gateway connection and other Telemetry communications.

l View and edit Node State resource.

l Update the license for the appliance.

l View Component, Configuration Status, Configuration Logs, Time Zone, and State resources

l View and edit node, Configuration EULA, OS User, and Lockbox resouces.

l Create, view, edit, and delete the Upgrade Package resource

Support Assistance and Log Management Privileges

This table defines the Support Assistance and Log Management Privileges.

Table 17 Support Assistance and Log Management Privileges

Privilege Task

View Diagnostic Logs l View Log bundle resources.

l View Log information resources.

l View the LogSource resource.

l View logs.

Manage Diagnostic Logs

l Manage Log bundle resources.

l Retrieve Log information resources.

l Retrieve or edit the LogSource resource.

l Export logs.

Security and System Audit Privileges

This table defines the Security and System Audit Privileges.

Managing Users

PowerProtect Data Manager Administration and User Guide 31

Table 18 Security and System Audit Privileges

Privilege Task

Monitor Security/ System Audit

l View Security Auditrelated events and activities.

Manage Security/ System Audit

l Acknowledge Security Auditrelated events and activities.

l Export Audit/Change Log of events and activities.

Managing keychains You can create, edit, delete, and view keychain credentials.

Modifying the lockbox passphrase Perform the following steps to modify the lockbox passphrase.

About this task

Note: You cannot change passphrase when the appliance is in a pending or quiesce node state.

Procedure

1. Select Settings > System Settings > Authentication.

2. In the System User window, select Lockbox, and then click Edit.

The Change the passphrase for the Lockbox account window appears.

3. In the Old Passphrase field, type the current passphrase for the lockbox.

4. In the New Passphrase field, type a new passphrase for the lockbox.

Ensure that the password meets the following requirements:

l Minimum of nine characters and a maximum of one hundred characters

l At least one numeric character (0-9)

l At least one uppercase character (A-Z)

l At least one lowercase character (a-z)

l At least one special character from the following list of acceptable characters:

~!@#$%^&*()_+`-={}|[]\:'";,./<>?

5. In the Confirm Passphrase field, type the same value that you specified in the New Passphrase field, and then click Save.

6. Click Save.

Managing Users

32 PowerProtect Data Manager Administration and User Guide

Managing LDAP or AD groups To use Identity Source users, PowerProtect Data Manager requires you to configure an LDAP or AD group, and the PowerProtect Data Manager users must be part of this group. Only the Admin role can add LDAP or AD groups.

When you configure LDAP or AD authentication in Administration > Identity Sources, use the User Group resources to assign roles to the LDAP groups. The User Group resource defines the role assignments for an LDAP or AD user group.

LDAP or AD authentication When you authenticate users through an external authentication authority, users can log in with their authority username and password. The authority username and password are managed by Lightweight Directory Access Protocol (LDAP), Lightweight Directory Access Protocol over SSL (LDAPS), Microsoft Active Directory server (AD), or a Microsoft Active Directory server over SSL (AD over SSL).

When the user's credentials are validated, the Authentication Service issues a token for the user. The PowerProtect Data Manager GUI uses the token information to authorize the user's activities.

Note: You can configure only one authority.

Configuring LDAP or AD authorities and assigning roles Only the Admin role can configure an external LDAP, LDAPS, or AD authentication authority. You can configure LDAP or AD roles in Administration > Identity Sources.

Configure LDAP or AD authentication Only the Admin role can configure an external LDAP, LDAPS, or AD authentication authority.

Procedure

1. Select Administration > Identity Sources.

The Identity Sources window appears.

2. Click New.

The Identity Source Server window appears.

3. In the Required tab, configure the following attributes:

Attribute Description

Server Type Select one:

l AD

l LDAP

Server Address Type the protocol and hostname or IP address of the LDAP or AD server, in the following format:

protocol://hostname_or_ip_address

where:

Managing Users

PowerProtect Data Manager Administration and User Guide 33

Attribute Description

l protocol is ldap for LDAP or AD authorities, and ldaps for

LDAPS or AD over SSL. For example, to configure an AD server that is named idd- ad.iddlab.com, type ldap://idd-ad.iddlab.com

l hostname_or_ip_address is the FQDN or IP address of the external authentication authority.

Domain Type the base distinguished name (DN) of the LDAP or AD authority. For example, dc=pp_lab, dc=ldap.example.com

Port Type the port number that the external authentication authority uses.

l For LDAP and AD, the default port number is 389.

l For LDAPS and AD over SSL, the default port number is 636.

User Search a. Type the objectClass that the authentication service uses when searching for users in the LDAP or AD hierarchy.

b. Ensure that you specify a search path that is relative to the base DN that you specified in the Domain option.

For example:

l For an AD configuration, specify the value in the objectClass property for an AD user. For example, type user.

l For an LDAP configuration, specify the value in the objectClass property. For example, type account.

Group Search a. Type the objectClass of the search path that you want the authentication service to use when searching for groups in the LDAP or AD hierarchy.

b. Ensure that you specify a search path that is relative to the base DN that you specified in the Domain attribute.

For example:

l For an AD configuration, specify the value in the objectClass property for an AD group. For example, type group.

l For an LDAP configuration, specify the value in the objectClass property for an LDAP group. This value should be a structural objectClass. For example, type group.

Query User Type a user account that has full read access to the LDAP or AD directory, in the following formats:

l For AD, the format is user@domain, or the DN of the query

user. For example, administrator@ldap.example.com or

cn=administrator,dc=example,dc=com.

l For LDAP, the format is user@domain. For example,

administrator@ldap.example.com.

Query Password Type the password of the user account that you specified in the Query User attribute.

Managing Users

34 PowerProtect Data Manager Administration and User Guide

4. For LDAPS or AD over SSL:

a. Click Verify.

b. In the Verify Certificate window, verify the details of the TLS certificate that was retrieved from LDAPS or AD over SSL and click Accept.

Note: When you specify the LDAPS protocol, PowerProtect Data Manager automatically downloads the certificates required to connect to the authentication authority. Once downloaded, the Certificate field appears. Click Verify to compare the displayed certificate information with the expected authentication authority's certificate information. If the certificates match, click Accept to continue with the setup. Otherwise, click Cancel to cancel the setup.

5. (Optional) In the Advanced tab, configure the following attributes:

Attribute Description

User Search Path Type the DN of the search path that the authentication service uses when searching for users in the LDAP or AD hierarchy. Ensure that you specify a search path that is relative to the base DN that you specified in the Domain option. For example:

l For an AD configuration, specify the value in the objectClass property for an AD user.

l For an LDAP configuration, specify the value in the account object class.

Group Search Path Type the DN of the search path that the authentication service should use when searching for groups in the LDAP or AD hierarchy. Ensure that you specify a search path that is relative to the base DN that you specified in the Domain attribute. For example:

l For an AD configuration, specify the value in the objectClass property for an AD group.

l For an LDAP configuration, specify the value in the posixGroup object class.

Group Attribute Name Type the attribute that the authentication service should use to validate the group name in the LDAP or AD hierarchy. For example:

l For an AD configuration, specify sAMAccountName.

l For an LDAP configuration, specify cn.

Group Member Attribute Type the attribute that the authentication service should use to validate the group member in the LDAP or AD hierarchy. For example:

l For an AD configuration, specify member.

l For an LDAP configuration, specify memberUid.

User Attribute ID Type the attribute that the authentication service should use to validate the username in the LDAP or AD hierarchy. For example:

l For an AD configuration, specify sAMAccountName.

Managing Users

PowerProtect Data Manager Administration and User Guide 35

Attribute Description

l For an LDAP configuration, specify cn.

6. Click Save.

7. Assign LDAP or AD groups to a role. The section Add LDAP or AD group-to-role mapping on page 36 provides instructions.

This step is required before you can log in to the UI with an LDAP or AD account.

Edit an LDAP or AD authority configuration Only the Admin role can edit an LDAP or AD authority.

Procedure

1. Select Administration > Identity Sources.

2. Select the Identity Source you would like to edit, and then click Edit.

3. Edit the LDAP attributes as required.

4. Click Save.

Delete an LDAP or AD authority configuration Only the Admin role can delete an existing LDAP or AD authority configuration.

Procedure

1. Select Administration > Identity Sources.

2. Select the Identity Source you would like to delete, and then click Delete.

Add LDAP or AD group-to-role mapping Only the Admin role can add LDAP group-to-role mapping.

Procedure

1. Select Administration > Identity Sources.

2. Select the identity source for which you would like to add group-to-role mapping, and then click Add Map.

3. Assign the LDAP or AD groups to a role.

4. Click Add.

Modify LDAP or AD group-to-role mapping Only the Admin role can modify LDAP group-to-role mapping.

Procedure

1. Select Administration > Identity Sources.

2. Select the indentity source for which you would like to edit group-to-role mapping, and then click Add Map.

3. Assign the same LDAP or AD groups to a different role.

4. Click Add.

Managing Users

36 PowerProtect Data Manager Administration and User Guide

Delete LDAP or AD group-to-role mapping Only the Admin role can delete LDAP group-to-role mapping.

Procedure

1. Select Administration > Identity Sources.

2. Select the group or group roles you would like to delete, and then click .

Example: Configuring an AD authority In this example, an AD server that is named idd-ad.iddlab.com has an AD group called Protection_admins. Protection_admins contains three users: Meghan, Patrick, and Liam. These users require access to the PowerProtect Data Manager UI with the privileges that are assigned to the User role.

View the properties of the AD configuration

To view the properties of the AD configuration, use a third-party tool such as the AD Explorer program.

The following figure provides an example of the key user attributes on the AD server, which are required to configure idd-ad.iddlab.com.

Figure 1 AD and user properties in AD Explorer

Based on this AD configuration, specify the following values for PowerProtect Data Manager LDAP configuration options:

l Domain: dc=iddlab, dc=com l Hostname: idd-ad-iddlab.com l User Search: One of the following values: top, inetOrgPerson, or user l User Attribute ID: cn

Configure the idd-ad.iddlab.com authority

The following figure provides an example of the group attributes that are required to configure the idd-ad.iddlab.com authority.

Managing Users

PowerProtect Data Manager Administration and User Guide 37

Figure 2 AD group properties in AD Explorer

Based on the properties of Protection_admins, specify the following values for the LDAP configuration options:

l Group Search: top or group l Group Attribute Name: sAMAccountName

Example: Configuring an LDAP authority In this example, an LDAP server that is named alberta.lss.emc.com has a group that is named AlbertaAllGroups. AlbertaAllGroups contains three LDAP users: alberta_user1, alberta_user2, and alberta_user3. These users require access to the PowerProtect Data Manager UI with the privileges that are assigned to the User role.

View the LDAP configuration properties

To view the properties of the LDAP configuration, use a third party tool such as the LDAP Admin program.

The following figure provides an example of the key user attributes to use when configuring an LDAP authority.

Figure 3 LDAP Admin server and group attributes

Based on this configuration, specify the following values for the LDAP configuration options:

l Domain: dc=alberta,dc=emc,dc=com l Hostname: alberta.lss.emc.com l Group Search: groupOfUniqueNames.

Managing Users

38 PowerProtect Data Manager Administration and User Guide

Note: Only structural object classes may be values for the group search. So, in the example, although top is an object class, only groupOfUniqueNames can be used as a group search value.

l Group Attribute Name: cn

Specify values in the user search attribute

The following figure provides an example of the value to specify in the user search attribute.

Figure 4 LDAP Admin user search attribute

Based on this configuration, specify the following values for the LDAP configuration options:

l User Search: One of the following objectClass values: top, person, organizationalPerson, or inetOrgPerson

l User Attribute ID: cn

Troubleshooting LDAP configuration issues This section provides information about error messages that might appear when you configure an external authority for authentication.

For more information about LDAP configuration errors, refer to http://wiki.servicenow.com/index.php?title=LDAP_Error_Codes#gsc.tab=0.

User credentials are incorrect

The following message appears when the user credentials that you specified are not correct:

Error Code: 49: Invalid credentials

To resolve this issue, ensure that the values in the Query User and Query Password fields are correct.

Base DN (Domain) is not correct

One of the following messages appears when the Base Domain Name is not correct:

l Error Code: 32: No such object exists. l Error Code: -3: LDAP error: Invalid name: [invalidName]. l LdapIdentitySource cannot have an empty base. l Error Code: 34: An invalid DN syntax. To resolve this issue, ensure that the value in the Domain field is correct.

Managing Users

PowerProtect Data Manager Administration and User Guide 39

Format of the Server Address field is not correct

One of the following messages appears when the format of the Server Address field is not correct:

l Error Code: 2: Protocol error l Error Code: -3: LDAP error: Cannot parse url: [url] To resolve this issue, ensure that you specify the Server Address field in the following format:

l For an LDAP or AD authority: ldap://hostname_ip_address l For an LDAPS or AD over SSL authority: ldaps://hostname_ip_address

Managing Users

40 PowerProtect Data Manager Administration and User Guide

CHAPTER 3

Managing Storage

This section includes the following topics:

l Add protection storage .........................................................................................................42 l Overview of PowerProtect Data Manager cloud tier............................................................. 43 l Overview of PowerProtect Data Manager Cloud Disaster Recovery..................................... 44

PowerProtect Data Manager Administration and User Guide 41

Add protection storage About this task

The PowerProtect Data Manager UI enables users with administrator credentials to add the following storage types:

l DD Management Center

l External DD system

Note: Data Domain is now PowerProtect DD. References to Data Domain or DD systems in this documentation, in the UI, and elsewhere in the product include PowerProtect DD systems and older Data Domain systems. In many cases the UI has not yet been updated to reflect this change.

Procedure

1. Select Infrastructure > Storage.

The Storage window appears.

2. In the Protection Storage tab, click Add.

3. In the Add Storage dialog box, select a storage system (DD System, DD Management Center).

Note: If using the Storage Direct agent to move snapshot backups from a VMAX storage array to a DD system, you do not need to add a DD Management Center.

4. Specify the storage system attributes:

a. In the Name field, specify a storage name.

b. In the Address field, specify the hostname, fully qualified domain name (FQDN), or the IP address.

If you specify a virtual machine for the storage name, use the FQDN.

c. In the Port field, specify the port for SSL communication. Default is 3009.

5. Under Host Credentials click Add, if you have already configured DD credentials that are common across DD systems, select an existing password from the Select Keychain list. Alternatively, you can add new credentials, and then click Save .

6. If a trusted certificate does not exist on the storage system, a dialog box appears requesting certificate approval. Click Verify to review the certificate, and then click Accept.

7. Click Save to exit the Add Storage dialog and initiate the discovery of the storage system.

A dialog box appears to indicate that the request to add storage has been initiated.

8. In the Storage window, click Discover to refresh the window with any newly discovered storage systems.

When a discovery completes successfully, the Status column updates to OK.

9. To modify a storage system location:

a. In the Storage window, select the storage system from the table.

b. Click Set Location.

The Set Location window appears.

c. Click Location > Add.

Managing Storage

42 PowerProtect Data Manager Administration and User Guide

The Add Location window appears.

d. In the Name field, type a location name for the asset, and click Save.

10. To manage MTrees in the Storage window, select the storage system from the table and click View storage unit.

Results

PowerProtect Data Manager displays External DD systems only in the Storage window Name column. PowerProtect Data Manager displays DD Management Center storage types in the Managed By column.

Troubleshooting protection policy for DD storage unit

When adding a protection policy in PowerProtect Data Manager, creation of a storage unit on the selected DD system fails if you reach the maximum MTree count on the DD system. PowerProtect Data Manager enables you to finish adding the protection policy without the storage unit. However, if you subsequently run a backup of this protection policy, the backup process is suspended indefinitely with no error message.

To continue backup operations on this device, you must perform a cleanup on the DD system.

Viewing the DD Boost storage unit password PowerProtect Data Manager provides a script to retrieve the password of a DD Boost unit that is configured as a backup target.

Before you begin

This process requires the name of the DD MTree where the DD Boost storage unit resides.

Procedure

1. SSH to the PowerProtect Data Manager appliance as the admin user.

2. Navigate to the /usr/local/brs/puppet/scripts directory.

3. Obtain the DD Boost storage unit password by typing the following command:

./get_dd_mtree_credential.py PLC-PROTECTION-1551667983302

Overview of PowerProtect Data Manager cloud tier The PowerProtect Data Manager cloud tier feature works in tandem with the Cloud Tier feature of DD systems to move PowerProtect Data Manager backups to the cloud. This provides long-term storage of PowerProtect Data Manager backups by seamlessly and securely tiering data to the cloud.

From the PowerProtect Data Manager UI, you configure cloud tier to move PowerProtect Data Manager backups from DD systems to the cloud, and you can perform seamless recovery of these backups.

DD cloud storage units must be pre-configured on the DD system before they are configured for cloud tier in the PowerProtect Data Manager UI. The DD Operating System Administration Guide provides further information.

Managing Storage

PowerProtect Data Manager Administration and User Guide 43

Overview of PowerProtect Data Manager Cloud Disaster Recovery

The Cloud DR feature enables you to deploy a Cloud DR Server in the public cloud and provide DR protection to the cloud as part of the PowerProtect Data Manager protection life cycle. From the PowerProtect Data Manager, you can run DR work flows in the cloud and monitor the progress of these jobs.

For example, to validate that you can fail over a VM copy to the cloud before a disaster occurs, from PowerProtect Data Manager, you select a network in the cloud, start a DR test, and monitor its progress. If you want to fail over a production VM, from PowerProtect Data Manager, you select a network in the cloud, start the DR failover operation, and then bring up the restored VM within AWS or Azure cloud.

To learn about Cloud DR work flows within PowerProtect Data Manager, see the PowerProtect Data Manager Cloud Disaster Recovery Administration and User Guide.

Managing Storage

44 PowerProtect Data Manager Administration and User Guide

CHAPTER 4

Using the PowerProtect Search Engine

This chapter presents the following topics:

l Introducing the PowerProtect Search Engine....................................................................... 46 l Setting up and managing indexing......................................................................................... 46 l Performing a search.............................................................................................................. 47 l Restoring from search........................................................................................................... 47 l Troubleshooting Search Engine issues.................................................................................. 48

PowerProtect Data Manager Administration and User Guide 45

Introducing the PowerProtect Search Engine When you install PowerProtect Data Manager version 19.3 or later, PowerProtect Search software is installed by default.

The PowerProtect Search software indexes virtual machine file metadata to enable searches based on configurable parameters. To use this feature, you must create a search engine node and set up your indexing.

You can add indexing to protection policies so that the assets are indexed while they are backed up. Recovering indexes from a disaster is a manual process. Recovering a Search cluster from a DR backup on page 201provides instructions. The indexing recovery process will be automated in a future release.

When a DR backup is run, scheduled, or manually triggered, the search cluster backup workflow backs up the cluster index data. A backup task is created, and you can view the individual status of the Search Component backup under Details.

Note: Scheduled backups with Search cluster integration appear in the Jobs pane as two identical jobs: an initialization job, which runs immediately, and the backup job, which runs both ServerDR and Search cluster backups.

Limitations

The following limitations exist for the Search Engine in this release of PowerProtect Data Manager:

l You can create only one search engine node. Creation of multi nodes will be available in a future release.

l PowerProtect Search is an optional feature that can be enabled, set up, and configured for virtual machine backups and protection policies. When you enable this feature, a backup of the search Engine is taken as part of the server backup process. As of this release, you cannot disable these backups. Therefore, when Search is enabled, you must white-list the Search Engine virtual machine on the DD system that contains the ServerBackup MTree: Add the search node IP address or hostname to the client list for the NFS export.

Setting up and managing indexing Set up an external search node and configure indexing.

Before you begin

Ensure that:

l A vCenter datastore has been configured.

l PowerProtect Data Manager has discovered the networks for the vCenter Server.

Procedure

1. From the PowerProtect Data Manager UI, select Infrastructure > Search Engine and click Add Node.

2. In the Add Search Engine Node dialog box, provide the required parameters.

3. Click Save.

4. Click Yes to confirm that you want to deploy the node.

The new search node is deployed, and details are displayed in the lower panel.

5. In the Configure Search Engine dialog box, enable or disable Search Indexing, accept or change the expiration period, and then click OK.

Using the PowerProtect Search Engine

46 PowerProtect Data Manager Administration and User Guide

Note:

l When the index cluster reaches 70 percent, an alert is generated. When it reaches 90 percent, an alert is generated and indexing is suspended. Specify a global index expiry interval to periodically clean up indexes, which frees up space.

l To turn off or modify indexing, select Infrastructure > Search Engine, select the cluster, and click Configure Cluster. From the Configure Search Cluster dialog box, you can enable/disable the service or change the number of expiration days.

l Indexes expire according to the global setting or when the associated copies expire, whichever occurs first.

Performing a search When the PowerProtect Search software is installed and configured, you can use the Search engine to find protected folders and files in the environment using key parameters.

Before you begin

Ensure that:

l A Search Engine node is set up.

l Search Indexing is enabled.

About this task

When asset types are set up for index searching, the File Search button appears in the Infrastructure and Recovery menus for the configured asset types.

Procedure

1. From the PowerProtect Data Manager UI, select Infrastructure > Assets and select the file type.

2. Click File Search.

3. In the File Search Criteria dialog box, enter any information that you know about the file, and then click Search.

The files matching your criteria appear in the results window. You can filter further using the Search Criteria fields.

Restoring from search You can use the search engine to find backup copies and restore them to the original or alternate virtual machine at the same or a different location on the virtual machine.

About this task

You can search across all indexed data, but you can restore only from a single asset and single copy at a time.

You can restore virtual machine files in this release. More restore options will be available in future releases, including file systems, VMAX storage groups, and Kubernetes.

Procedure

1. From the PPDM UI, select Recovery > Assets, select the type of file you want to search for, and then click File Search.

Using the PowerProtect Search Engine

PowerProtect Data Manager Administration and User Guide 47

2. In the File Search Criteria dialog box, enter as much information as you know to narrow down the search results, and then click Search.

3. In the File Search results, you can further filter the results using the Search Criteria fields and you can view details by clicking the Details icon to the left of the file/folder name.

4. Select the files that you want to recover, and click Recover.

The rest of the steps are the same as for recovery of the file type you want to recover. See Restoring Data and Assets on page 157 for details.

Troubleshooting Search Engine issues This section lists troubleshooting and Search Engine issues.

Node failed

Not able to deploy search-node.com. Another session " " is already configured with the same hostname. Would you like to redeploy search node or delete the node? Delete the node, and try again. If you choose to edit, delete the node and the new mode modal appears with your previous input. The input that caused the error is marked as critical.

Certificate issues

Issues with indexing backups and/or performing search queries might result when certificates that were deployed on the search node were corrupted.

Perform one of the following tests to determine certificate issues:

l Use the log bundle download utility in PowerProtect Data Manager to examine the Backup VM logs in VM Direct, and look for a log entry like the following:

ERROR: Failed to Upload File: /opt/emc/vproxy/runtime/tmp/vproxyd/ plugin/search/e6c356a1-fbaf-4231-9f6f-a0166b74909a/ -e081fdea-3599-4a6c-abc4-1b5487cb9a32-e523a94c-2d01-5234-ab3c- 7771cfab3c58-7f16bcbb72d7b49ea073356f0d7388ac08461827.db.zip to https:// :14251/upload, Error sending data chunk. Post https:// :14251/upload: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "PPDM Root CA ID- d5ec56b8-69ec-4183-9c94-7c0230408765"

l Examine the rest-engine logs in the search node (/opt/emc/search/logs/rest-engine/ *.log), and look for certificate verification errors.

l Run a search either through the UI or through the API /api/v2/file-instances and look for a certification verification error.

Examine the certificate files in the node(s) to investigate further. If necessary, regenerate the certificate files.

Accessing the Search Node

Use the following steps to discover the admin and root passwords for all deployed search nodes:

1. SSH into PowerProtect Data Manager: Log in with UI admin credentials, and then su to become root.

2. Change directory to /opt/emc/vmdirect.

3. Source unit/vmdirect.env.

4. Run bin/infranodemgmt get -secret.

Using the PowerProtect Search Engine

48 PowerProtect Data Manager Administration and User Guide

Verifying certificates

Use this procedure to verify that certificates are valid and uncorrupted:

1. Verify that the rootca.pem file is the same in all the relevant nodes (search node, PowerProtect Data Manager, and VM Direct node).

Note: The rootca.pem file name is different on each node:

l PowerProtect Data Manager /etc/ssl/certificates/rootca/rootca.pem l Search node /var/lib/dellemc/vmboot/trust/thumbprint l VM Direct /var/lib/dellemc/vmboot/trust/thumbprint

2. Run the following openssl command to find out whether the root certificate file is corrupt or invalid: openssl verify Response:

/var/lib/dellemc/vmboot/trust/thumbprint: C = US, O = DELL Corporation, CN = PPDM Root CA ID-4c9de850-24ab-42ec-a9a7-6080849d0d24

error 18 at 0 depth lookup:self signed certificate

OK

Ensure that the CN values match.

Certificate verification fails

If the troubleshooting verification steps described above fail, you must re-create the certificates on the Search Node or VM Direct node:

1. SSH into PowerProtect Data Manager: Log in with UI admin credentials, and then su to become root.

2. Use the Get command in the infranodemgmt utility to determine the search node FQDN.

3. Run /usr/local/brs/puppet/scripts/generate_certificates.sh -n -c -b A properties file is created in the /root directory called FQDN>.properties.

4. Open this file to determine the location of the generated certificates. They should be located in /etc/ssl/certificates/ .

5. From a separate terminal, SSH into the search node using the password that was revealed with the infranodemgmt Get call in step 2.

6. Change directory to /var/lib/dellemc/vmboot/trust and move the key, cert, and thumbprint files over.

7. Copy the certificate files that were generated in PowerProtect Data Manager as follows:

l otca.pem to thumbprint l key.pem to key l .pem to cert

8. Paste the files to /var/lib/dellemc/vmboot/trust.

9. Restart the rest-engine daemon or the vproxyd daemon) to pick up the new certificates: systemctl restart search-rest-engine.

Result: Backup with indexing executes successfully and search service is functional.

Using the PowerProtect Search Engine

PowerProtect Data Manager Administration and User Guide 49

Index cluster is full

When the index cluster runs out of space, you have the following options:

Disable the service

1. Select Infrastructure > Search Engine.

2. Select the cluster, and then click Configure Cluster.

3. In the Configure Search Cluster dialog box, switch the Search Indexing button to turn it off, and then click Save.

Note: This setting applies to all indexes in all protection policies in the Search Cluster.

Shorten the expiration time to remove indexes sooner

1. Select Infrastructure > Search Engine.

2. Select the cluster, and then click Configure Cluster.

3. In the Configure Search Cluster dialog box, modify the Search Index Expiration and click Save. A recommended formula to determine the expiration time is: Delete Index when Today = Backup-Date + Expiration Days + 1 day. That is, one day after the backup expires.

Note: This setting applies to all indexes in all protection policies in the Search Cluster.

Remove indexes manually

1. Use SSH to log in to the Search virtual machine.

2. Create a snapshot of the Search cluster using the following format:

{ Command: "APP_SNAPSHOT", Title: "Initiate Index/Search Cluster Snapshot Process", AsyncCmd: false, Properties: { "Name": { Description: "Used to uniquely identify a particula r snapshot", Type: STRING }, "Action": { Description: "Action to perform, 'Create', 'Delete' , 'Restore' or 'Cancel' a Snapshot", Type: STRING }, "NFSHost": { Description: "NFS Host serving snapshot backup area .", Type: STRING }, "NFSExport": { Description: "NFS Export path to mount too.", Type: STRING }, "NFSDirPath": { Description: "NFS directory path to write too.", Type: STRING } } }

Using the PowerProtect Search Engine

50 PowerProtect Data Manager Administration and User Guide

For example:

{ "Command": "APP_SNAPSHOT", "Title": "", "AsyncCmd": false, "Properties": { "Action": { "Description": "", "Required": false, "Type": "string", "IsArray": false, "Value": "Create", "Default": null }, "Name": { "Description": "", "Required": false, "Type": "string", "IsArray": false, "Value": "PPDM_Catalog_Cluster_snapshot_2019-10-16-12-57-16", "Default": null }, "NFSHost": { "Value": "10.25.87.88" }, "NFSExport": { "Value": "/mnt/shared" }, "NFSDirPath": { "Value": "" } } }

3. You can delete indexes by protection policy or by asset. If the JSON command is stored at /home/admin/remove-plc.json, run the command, ./searchmgmt -I /home/ admin/remove-plc.json.

l Use the following format to delete indexes by protection policy:

{ "Command": "APP_REMOVE_ITEMS", "AsyncCmd": false, "Properties": { "Action": { "Description": "Action to perform, 'AssetDelete', 'PLCDelete'", "Required": true, "Value": "PLCDelete", } "PLCID": { "Description": "PLC ID of item(s) to delete.", "Required": true, "Value": "7676d753-b57e- a572-6daf-33689933456d", } } }

Using the PowerProtect Search Engine

PowerProtect Data Manager Administration and User Guide 51

l Use the following format to delete indexes by asset type:

{ "Command": "APP_REMOVE_ITEMS", "AsyncCmd": false, "Properties": { "Action": { "Description": "Action to perform, 'AssetDelete', 'PLCDelete'", "Required": true, "Value": "AssetDelete", }, "AssetID": { "Description": "Optional, Asset ID of item(s) to delete.", "Required": false, "Value": "503dd753-b57e- a572-6daf-44680033755f", }, "PLCID": { "Description": "PLC ID of item(s) to delete.", "Required": true, "Value": "7676d753-b57e- a572-6daf-33689933456d", } } }

Note:

l The time to complete the execution of these procedures depends on the number of backup copy asset indexes being deleted.

l This procedure does not impact regular operation of the cluster.

Using the PowerProtect Search Engine

52 PowerProtect Data Manager Administration and User Guide

CHAPTER 5

Enabling the File System Agent

This section includes the following topics:

l About the File System agent................................................................................................. 54 l Application agent and File System agent coexistence........................................................... 54 l File System agent prerequisites............................................................................................ 56 l File System agent limitations.................................................................................................57 l Roadmap for protection with the File System agent............................................................. 59 l Installing and configuring File System agent..........................................................................59 l Manage the File System agent.............................................................................................. 65 l Troubleshooting database clients.......................................................................................... 66

PowerProtect Data Manager Administration and User Guide 53

About the File System agent The File System agent enables an application administrator to protect and recover data on the file system host. PowerProtect Data Manager integrates with the File System agent to check and monitor backup compliance against protection policies. PowerProtect Data Manager also enables central scheduling for backups.

You can install the File System agent on the host that you plan to protect by using the installation wizard. Installing and configuring File System agent on page 59 provides instructions.

Note: PowerProtect Data Manager supports the coexistence of agents on the same Windows or Linux host for the following:

l Microsoft SQL agent and the File System agent on Windows.

l Oracle/RMAN agent and the File System agent on Linux.

Software compatibility information for the PowerProtect Data Manager software and the File System agent is provided in the eLab Navigator, available at https://elabnavigator.emc.com/eln/ modernHomeDataProtection.

Application agent and File System agent coexistence PowerProtect Data Manager supports the coexistence of the Microsoft SQL application agent with the File System agent on Windows, and the Oracle agent or SAP HANA agent with the File System agent on Linux, which enables you to protect the SQL, Oracle, or SAP HANA database with the host file system. The following coexistence scenarios are supported:

l Both agents in managed mode (registered to PowerProtect Data Manager)

l The SQL, Oracle, or SAP HANA agent in stand-alone mode, with the File System agent registered to PowerProtect Data Manager

Note: The latest version of each agent must be installed if the agents are registered to PowerProtect Data Manager. In the single agent coexistence scenario (SQL, Oracle, or SAP HANA agent in stand-alone mode), the File System agent is supported in managed mode only.

The steps for installation and usage for each agent are the same.

The table below lists the supported use cases and limitations.

Category Supported cases Current limitations

Agent installation and uninstallation 1. New installation of both agents with:

a. SQL application agent, Oracle RMAN agent, or SAP HANA agent in stand-alone or managed mode.

b. File System agent in managed mode.

2. New installation of an agent in managed mode with an already existing agent in standalone mode.

l Uninstalling the last agent installed on the host un-registers the host from PowerProtect Data Manager. Any new agent installation that occurs after the uninstall will have to be newly registered to the PowerProtect Data Manager server.

l Similar to the agent installations, uninstallation of each agent is performed separately.

Enabling the File System Agent

54 PowerProtect Data Manager Administration and User Guide

Category Supported cases Current limitations

3. New installation of an agent in standalone mode with an already existing agent in managed mode.

4. Repair of an already existing agent installation.

5. Uninstallation of agents.

Host Registration and Un- registration

1. Registration of an installed agent to the PowerProtect Data Manager server.

2. Changing the registration of an already registered agent to a different PowerProtect Data Manager server.

3. Un-registration of agents from the PowerProtect Data Manager server.

l Both agents, if operating in managed mode, should be registered to the same PowerProtect Data Manager server only. There is no option to register each agent to a different PowerProtect Data Manager server.

l On an already registered host, performing a direct registration (explicitly using register.sh/ register.bat) with a different

PowerProtect Data Manager server IP will un-register the host from the current PowerProtect Data Manager server and register the host to the new server. Standalone agents will continue to operate in standalone mode and will not be registered.

l Un-registering a host will un- register all of the managed agents installed on that host. Standalone agents will not be affected.

l After un-registering a host, the host's assets will still display in the UI in order to support restore of these assets to a different host. However, backups will not be initiated on these assets as the protection policies will be disabled.

Backup and restore features 1. Protection policy creation supported on all registered agents.

2. All scheduled protection policy backups are supported on both agents as per individual protection policies.

Enabling the File System Agent

PowerProtect Data Manager Administration and User Guide 55

Category Supported cases Current limitations

3. Self-service backups are supported on both agents.

4. Restores are supported on both agents.

5. Compliance is supported on both agents as per the individual Service Level Agreements (SLAs).

File System agent prerequisites Review the following prerequisites before installing and enabling the File System agent in PowerProtect Data Manager and discovering the File System assets.

Windows and Linux prerequisites

l Both the PowerProtect Data Manager server software and the File System agent have to be the same version. For example, using a 19.1 version File System agent with PowerProtect Data Manager version 19.2 is not supported.

l Ensure that your host is a 64-bit system. PowerProtect Data Manager supports only 64-bit hosts.

l Ensure that your host is a supported operating system version. Software compatibility information for the PowerProtect Data Manager software is provided in the eLab Navigator, available at https://elabnavigator.emc.com/eln/ modernHomeDataProtection.

l Ensure that all clocks on both the host and PowerProtect Data Manager are time-synced to the local NTP server to ensure discovery of the backups.

l Ensure that the host and the PowerProtect Data Manager network can see and resolve each other. If PowerProtect Data Manager and the File System agent are registered in a different domain, in order to ensure that asset and copy discovery complete successfully, you must add host entries (IP address and FQDN) on both the client and server. This applies to both Windows and Linux clients. For example, on PowerProtect Data Manager, you would be required to add the File System agent host entries, and on the File System agent, you would be required to add the PowerProtect Data Manager host entries:

1. Browse to the path of the hosts file. For example, on Windows C:\Windows \System32\drivers\etc\hosts, and on Linux /etc/hosts.

2. Add an entry to the hosts file, as in the following:

IP address FQDN common name 10.10.100.100 yourdomain.com yourdomain

l Note that LVM/VxVM partitions/volumes are supported, but not physical partitions.

l Each volume group on LVM2 or VxVM must have at least 10% free space for a block based backup to succeed.

l Review the limitations in the section File System agent limitations on page 57.

Enabling the File System Agent

56 PowerProtect Data Manager Administration and User Guide

Linux File System prerequisites

l Ensure that the File System has the /etc/fstab entry. Without the /etc/fstab entry, discovery fails.

l If you plan to perform file level restores on SuSE Linux (SLES) versions 11 SP1, SP2, or SP3, complete the following:

1. Log in to the system you are restoring from as root.

2. In a command prompt, type yast2 iscsi-client .

3. For Service Start, choose Manually, and then click OK.

l Install the lsb_release package:

1. Mount the ISO:

[root@RHEL73-224-16 ~]# lsblk NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT sda 8:0 0 30G 0 disk sda1 8:1 0 1G 0 part /boot sda2 8:2 0 14G 0 part rhel-root 253:0 0 12.5G 0 lvm / rhel-swap 253:1 0 1.5G 0 lvm [SWAP] sdb 8:16 0 30G 0 disk VG1-LV1 253:2 0 2G 0 lvm /volume1_ext3 sr0 11:0 1 3.5G 0 rom /run/media/root/RHEL-7.3 Server.x86_64 [root@RHEL73-224-16 ~]#

2. Add the Local REPO:

[root@RHEL75-224-18 ~]# cat /etc/yum.repos.d/local.repo [local] name=local baseurl=file:///run/media/root/RHEL-7.3\ Server.x86_64 enabled=1 gpgcheck=1 gpgkey=file:///run/media/root/RHEL-7.3\ Server.x86_64/RPM-GPG-KEY- redhat-release *

3. Execute the YUM command:

yum install redhat-lsb

As a result, all the dependency packages are installed.

File System agent limitations Review the following limitations related to File System agent support in PowerProtect Data Manager.

l File System agent block-based backups will exclude the following:

n Application files such as SQL.

n HyperVisor files. Note that the File System agent is installed primarily in the guest operating system for the backup of guest file system volumes, and is not dependent on the underlying HyperVisor.

n Data belonging to individual application writers.

Enabling the File System Agent

PowerProtect Data Manager Administration and User Guide 57

n Unsupported application writer's files.

l For any ESXi version 6.5 and earlier host with Trident storage attached, the Windows operating system deployment/installation cannot proceed and File System agent backup and restore operations will fail if the DiskMaxIOSize parameter is not configured with the proper value. Ensure that you set the DiskMaxIOSize to 1024 KB.

l It is recommended to use different mount points for each drive. Reusing mount points might cause unexpected issues during File System discovery.

l The File System agent does not support non-English operating systems. Software compatibility information for the PowerProtect Data Manager software and the File System agent is provided in the eLab Navigator, available at https://elabnavigator.emc.com/eln/ modernHomeDataProtection.

l If a Windows or Linux File System host is unregistered from PowerProtect Data Manager and then re-registered with a different FQDN, because PowerProtect Data Manager recognizes the registration as a new host by its new name, duplicate asset entries will appear in the UI those for the host registered earlier, as well as for the host registered by the new name. This does not impact backup and restore functionality on the new host.

l IPv6 is not supported. Use IPv4 instead.

l Image-level recovery to a system volume is not supported.

l Recovery of ReFS or deduplicated volumes to Windows 2008 R2 is not supported.

l File system discovery requires an ext3, ext4, or XFS file system type. Note, however, that PowerProtect Data Manager does not support ext4 file systems on SuSE Linux Enterprise Server (SLES) version 11 SP1-SP4 platforms.

l If a Windows or Linux File System host has DNS incorrectly configured or is part of a workgroup with a dummy DNS suffix added, centralized restore of a backup copy performed on this host will fail. This is because the storage name on the protection storage system is created with the actual shortname of the host, and does not include the incorrect suffix. For the same reason, a restore from PowerProtect Data Manager will also fail if the host name or domain name of the client is changed and then re-registered to PowerProtect Data Manager. As a workaround, use the ddfsrc command with the -c flag, with the short name as input to restore the required copies. More information on how to use the ddfsrc command is provided in the section Performing self-service restore of a File System host on page 194.

l If the File System agent will coexist with the Microsoft SQL, Oracle, or SAP HANA application agent, it is recommended that you use either the IP address or FQDN for registering both agents. Registering one agent using an IP address and another using the FQDN will require you to re-approve the host in PowerProtect Data Manager, and might cause other unexpected inconsistencies.

l For a protection policy backup with assets from different hosts, the backup status displays as "Failed" in the UI if the backup of one asset within the policy fails.

l Running the ddfssv and ddfsrc commands to perform self-service backup and restore of File Systems fails if you provide the DD host name for the DFA_SI_DD_HOST variable.

l A File System backup might fail with the error Insufficient space exists in the volume group for creating shadow of the volume when there is not enough space in the volume group for a block based backup to succeed. Each volume group on LVM2 or VxVM must have at least 10% free space.

l On the Linux hosts that have the UEFI Secure Boot option enabled, block based backup drivers do not load, and the error message insmod: ERROR: could not insert module / lib/ modules/ 3.10.0-693.el7.x86_64/ extra/nsrbbb.ko: Required key not available appears. As a workaround, you can disable the Secure Boot option.

l On Linux, the block based incremental backups consistently fail and display a message similar to save: Block Based Error subsystem error while performing Block

Enabling the File System Agent

58 PowerProtect Data Manager Administration and User Guide

Based Backup. Check if any other process is already accessing the snapshot, or delete the snapshot manually, and then try again.

l If the Bytes of sector sizes of the source and target volumes are different, PowerProtect Data Manager does not support block based image recoveries. For example, you cannot perform a block based image recovery of a volume that has 4096 as the Bytes of sector size to a volume that has 512 as the Bytes of sector size, and vice versa.

Roadmap for protection with the File System agent The following roadmap provides the steps required to configure the File System agent in PowerProtect Data Manager in order to run protection policies.

Procedure

1. Add a storage system.

Add protection storage on page 42 provides information.

2. Install the File System agent on the File System host.

Installing and configuring File System agent on page 59 provides information.

3. Add or approve the File System agent on each File System host.

Manage the File System agent on page 65 provides information.

4. Discover the File system asset.

Discover a File System Host provides information.

5. Create a protection policy to protect the File System.

Add a protection policy for File System protection on page 122 provides information. Note: You cannot perform a backup to a secondary DD system. You can only restore from a secondary DD system.

Installing and configuring File System agent Learn how to install and configure the File System agent for Linux and Windows.

Install the File System agent on Linux Learn how to install the File System agent on supported Linux systems.

Before you begin

l Ensure that you review the prerequisites provided in File System agent prerequisites on page 56.

l Download the File System agent software package to the Linux host.

Procedure

1. In the PowerProtect Data Manager UI:

a. Select Agent Downloads from the System Settings menu.

b. Select the File System agent download package for Linux, fsagent194_linux_x86_64.tar.gz.

c. Download the package in the location that you want to install the File System agent.

Enabling the File System Agent

PowerProtect Data Manager Administration and User Guide 59

Note: Relocating the installation to another partition or mount point on Linux is not supported.

2. Untar the installer by running - gunzip * followed by tar -xvf .

3. Run the installation script install.sh.

Note: For installations on Oracle Linux, run install.sh -- skip-driver to skip the block-based backup driver installation. The Oracle Linux version 7 platform does not currently support block-based backups. Therefore, all backups performed by the File System agent on Oracle Linux 7 will be file-based backups.

The following rpms are installed as part of the script:

l To skip the block-based backup driver installation, type install.sh -- skip-driver.

l powerprotect-agentsvc.rpmInstalls or upgrades the agent service component for File System agent.

l ppdm_bbbwt.rpmInstalls the Block Based Backups driver.

l ppdm_fsagent.rpmInstalls the File System agent related files and folders.

4. Type the PowerProtect Data Manager server FQDN or IP address. It is recommended to use the FQDN.

Note: If the File System agent will coexist with another application agent, ensure that you register the agent with the existing PowerProtect Data Manager server FQDN. When you register the agent with a PowerProtect Data Manager server that is different from the currently registered server, no warning message displays, and requests are routed to the newer server instance.

After you finish

If the host is not already whitelisted or approved, add the File System host to the PowerProtect Data Manager server. Add or manage Application/File System Agents provides more information.

Discover File System assets. Discover a File System Host provides more information.

Note: If you change the IP address of the client at any point, ensure that you run the register.sh script again to re-register the client with the PowerProtect Data Manager server.

Silent installation or upgrade of the File System agent on Linux On Linux, review the following commands to perform a silent installation or upgrade of the File System agent.

Note: If a value is not provided for PowerProtect Server IP in the installation and upgrade commands, the product is installed without PowerProtect registration, and no backups can be initiated from the UI.

Silent installation commands

Use the following commands to perform a silent installation on Linux:

l To run the agent installer, type install.sh l To run the installation and register the agent with the PowerProtect server, type install.sh

--server=PowerProtect Server IP l To run the installer in debug mode, type install.sh -- debug | -d l To skip the block-based backup driver installation, type install.sh -- skip-driver.

Enabling the File System Agent

60 PowerProtect Data Manager Administration and User Guide

Silent upgrade commands

Use the following commands to perform a silent upgrade on Linux:

l To run the agent upgrade, type install.sh -u | --upgrade l To run the upgrade and register the agent with the PowerProtect server, type install.sh -u

--server=PowerProtect Server IP

Uninstall the File System agent on Linux On Linux, you can uninstall the File System agent by performing the following steps:

Procedure

1. Run ./uninstall.sh.

A message appears indicating Other application agents might be using powerprotect-agentsvc. Do you wish to uninstall powerprotect- agentsvc? [y/n]

2. Type Y to confirm that you want to uninstall the File System agent.

Install the File System agent on Windows Learn how to install the File System agent on supported Windows systems.

Before you begin

l Ensure that you carry out the prerequisites provided in File System agent prerequisites on page 56.

l Download the File System agent software package.

Procedure

1. In the PowerProtect Data Manager UI:

a. Select Agent Downloads from the System Settings menu.

b. Select the File System agent download package for Windows, fsagent194_win_x64.zip.

c. Download the package in the location that you want to install the File System agent.

2. Open the fsagent-19.4.0.0.exe installation file.

3. Follow the wizard installation steps to provide the installation location and the PowerProtect Data Manager server IP address.

Note: If the File System agent will coexist with another application agent, ensure that you register the agent with the existing PowerProtect Data Manager server IP. When you register the agent with a PowerProtect Data Manager server that is different from the currently registered server, no warning message displays, and requests are routed to the newer server instance.

4. Click Install.

The following msi files are used for the installation:

l AgentService.msiInstalls or upgrades the agent service component for File System agent.

l BBBWT.msiInstalls the Block Based Backups driver.

l Fsagent.msiInstalls the File System agent related files and folders.

Enabling the File System Agent

PowerProtect Data Manager Administration and User Guide 61

5. Click Finish.

Note: If a change occurred to the IP address of the client, the installation completes successfully but the registration fails. To re-register the client to the correct IP address, use the Modify option under Add/Remove programs for the File System agent, and then restart the PowerProtect service agent service on the client.

After you finish

If the host is not already whitelisted or approved, add the File System host to the PowerProtect Data Manager server. Add or manage Application/File System Agents provides more information.

Discover File System assets. Discover a File System Host provides more information.

Note: If you change the IP address of the client at any point, use the Modify option under Add/Remove programs to update the registration information for the File System agent, and then restart the adm agent service on the client to reregister the client with the PowerProtect Data Manager server.

Silent installation or uninstallation of File System agent on Windows On Windows, review the following commands to perform a silent installation or uninstallation of the File System agent.

Note: The File System agent installer for Windows does not support the --help option. Running the installer executable with --help initiates the actual installation process.

Silent installation commands

To perform the silent installation to the default path, run:

fsagent-19.4.0.0.exe /s PPDMHostName=< >

To perform the silent installation to a different path, run:

fsagent-19.4.0.0.exe /s PPDMHostName=< > ProductInstallPath="D:\alternate-path"

Note: PPDMHostName is a mandatory option in the command line. If a value is not provided, the product is installed without PowerProtect registration, and no backups can be initiated from the UI. Specifying ProductInstallPath is optional, but if used, the value cannot be empty.

Silent uninstallation commands

To perform a silent uninstall without uninstalling common components (such ADM or BBB), run:

fsagent-19.4.0.0.exe /s /uninstall

To perform a silent uninstall while also uninstalling common components, run:

fsagent-19.4.0.0.exe /s /uninstall UnInstallPPDMAgent="1" UnInstallBBBWT="1"

Enabling the File System Agent

62 PowerProtect Data Manager Administration and User Guide

Uninstall the File System agent on Windows On Windows, you can uninstall the File System agent with the setup file.

Procedure

1. Launch fsagent-19.4.0.0.exe.

2. On the Install Modification page, select Remove, and then click Next.

3. On the Complete the Setup page, click Finish.

Upgrading the File System agent The File System agent supports a direct upgrade from an earlier version if you are using an earlier version of PowerProtect Data Manager. You can upgrade the PowerProtect Data Manager File System agent to the latest version on Windows or Linux.

About this task

Upgrade and register the latest version of the PowerProtect Data Manager File System agent for Linux or Windows with the same PowerProtect Data Manager server in the same location. Upgrade the File system agent on Linux on page 63 and Upgrade the File system agent on Windows on page 64 provide instructions.

Note: When you install or upgrade the File system agent, other app agents on the system must be upgraded to the same version as the File system agent.

Upgrade the File system agent on Linux Learn how to upgrade the File System agent on supported Linux systems.

Before you begin

l Ensure that you review the prerequisites provided in File System agent prerequisites on page 56.

l Download the File System agent software package to the Linux host.

Procedure

1. In the PowerProtect Data Manager UI:

a. Select Agent Downloads from the System Settings menu.

b. Select the File System agent download package for Linux, fsagent194_linux_x86_64.tar.gz.

c. Download the package in the location that you want to install the File System agent.

Note: Relocating the installation to another partition or mount point on Linux is not supported.

2. Untar the installer by running - gunzip * followed by tar -xvf .

3. Run the install.sh -u script.

The following rpms are installed as part of the script:

l powerprotect-agentsvc.rpmInstalls or upgrades the agent service component for File System agent.

l ppdm_bbbwt.rpmInstalls the Block Based Backups driver.

l ppdm_fsagent.rpmInstalls the File System agent related files and folders.

4. Type the PowerProtect Data Manager server FQDN or IP address. It is recommended to use the FQDN.

Enabling the File System Agent

PowerProtect Data Manager Administration and User Guide 63

Note: If the File System agent will coexist with another application agent, ensure that you register the agent with the existing PowerProtect Data Manager server FQDN. When you register the agent with a PowerProtect Data Manager server that is different from the currently registered server, no warning message displays, and requests are routed to the newer server instance.

Upgrade the File system agent on Windows Learn how to install the File System agent on supported Windows systems.

Before you begin

l Ensure that you carry out the prerequisites provided in File System agent prerequisites on page 56.

l Download the File System agent software package.

Procedure

1. In the PowerProtect Data Manager UI:

a. Select Agent Downloads from the System Settings menu.

b. Select the File System agent download package for Windows, fsagent194_win_x64.zip.

c. Download the package in the location that you want to install the File System agent.

2. Open the fsagent-19.4.0.0.exe installation file.

3. Follow the upgrade steps in the wizard to provide the installation location and the PowerProtect Data Manager server IP address.

Note: If the File System agent will coexist with another application agent, ensure that you register the agent with the existing PowerProtect Data Manager server IP. When you register the agent with a PowerProtect Data Manager server that is different from the currently registered server, no warning message displays, and requests are routed to the newer server instance.

4. Click Upgrade.

The following msi files are used for the installation:

l AgentService.msiInstalls or upgrades the agent service component for File System agent.

l BBBWT.msiInstalls the Block Based Backups driver.

l Fsagent.msiInstalls the File System agent related files and folders.

5. Click Finish.

Note: If a change occurred to the IP address of the client, the installation completes successfully but the registration fails. To re-register the client to the correct IP address, use the Modify option under Add/Remove programs for the File System agent, and then restart the agent service on the client.

Troubleshooting File system agent upgrade When you upgrade the File system agent from 19.3 to 19.4 on either Windows or Linux, the required configuration files are copied from the 19.3 installation path to the new installation path

Enabling the File System Agent

64 PowerProtect Data Manager Administration and User Guide

for 19.4. In some cases, these files are not copied successfully, which might cause the upgrade to fail. To troubleshoot this issue, complete the following steps.

Before you begin

Note: These steps are only required when upgrading the File system agent from 19.3 to 19.4.

Procedure

1. Verify that the File system agent 19.3 installation path contains the following configuration files:

l fsab.rec l app.settings l agents.clb l agents.clb.FCD If one or more of these files are not present in the File system agent 19.3 installation path, proceed to step 3.

2. If all the required files are present in the File system agent 19.3 installation path, manually copy the files to the installation path for 19.4:

l Copy /dpsfsagent/settings/fsab.rec to /dpsapps/fsagent/settings/fsab.rec

l Copy /dpsfsagent/settings/.app.settings to /dpsfsagent/settings/.app.settings

l Copy /dpsfsagent/lockbox/agents.clb to /dpsapps/fsagent/lockbox/agents.clb

l Copy /dpsfsagent/lockbox/agents.clb.FCD to /dpsapps/fsagent/lockbox/agents.clb.FCD

Where is the location of the File system agent installation.

3. If the required files are missing in the installation path for 19.3, perform the following steps to regenerate the files:

a. Set the lockbox in the PowerProtect Data Manager UI:

l Go to Protection > Protection Policies.

l Select the protection policy for the client that is being upgraded, and click Set Lockbox.

b. Run the ddfsadmin sync command. Using the ddfsadmin utility for File Systems on page 194 provides more information.

Manage the File System agent You can add a File System agent, approve and reject pending agent requests, and edit and delete existing agents.

About this task

Note: PowerProtect Data Manager supports the coexistence of the following agents on the same Windows or Linux host:

l SQL agent and File System agent on Windows.

Enabling the File System Agent

PowerProtect Data Manager Administration and User Guide 65

l Oracle RMAN agent and File System agent on Linux.

l SAP HANA agent and File System agent on Linux.

Procedure

1. Select Infrastructure > Application Agents.

2. In the Application Agents window, click Add.

3. In the Add Application/FS Agent window, select one of the following options:

l Add IP Address Perform the following steps:

a. Type the IP Address for the application agent.

b. Specify the date until which the application agent is pre-approved.

c. Click Save.

l CSV Filename Perform the following steps:

a. Click the Choose File icon. Note: The contents of the .CSV file must be in the following format, for example:

"10.25.115.113" "10.25.115.112" "10.25.115.145"

The Explorer window appears.

b. Select the .csv file, and then click Open. The file displays in the Application/FS Agents window.

c. Select the date until which the application or File System agent is preapproved.

d. Click Save.

4. The Auto Whitelist option is disabled by default. When Auto whitelist is enabled, all pre-approved Application Agents are automatically approved.

If you leave the Auto whitelist option disabled, select an application agent, and then select one of the following options:

l Approve

l Reject

l Edit Make the required changes.

l Remove

Troubleshooting database clients About this task

If you are supporting more than 50 database clients and the following error message is displayed, perform the following steps:

Error:Protect Databases failed. The service is unavailable"

Enabling the File System Agent

66 PowerProtect Data Manager Administration and User Guide

Procedure

1. Modify the following parameter in the /usr/local/brs/lib/zuul/conf/ application.yml file.

MaxTotalConnections = (Number of clients * 12)

2. Increase the value in the MaxTotalConnections parameter by a factor of 12 for every client.

For example, to protect 70 SQL clients, set the parameter to MaxTotalConnections=840.

3. Restart the Zuul service:

zuul restart

Enabling the File System Agent

PowerProtect Data Manager Administration and User Guide 67

Enabling the File System Agent

68 PowerProtect Data Manager Administration and User Guide

CHAPTER 6

Enabling the Storage Direct Agent for VMAX Systems

This section includes the following topics:

l About the Storage Direct agent.............................................................................................70 l Storage Direct agent prerequisites........................................................................................70 l Upgrading an existing Storage Direct agent........................................................................... 71 l Roadmap for protection with the Storage Direct agent for new environments...................... 73 l Roadmap for protection with the Storage Direct agent for existing environments................ 74 l Installing or Upgrading Storage Direct...................................................................................76 l Manage the Storage Direct agent......................................................................................... 80 l Storage Direct agent limitations and troubleshooting.............................................................81

PowerProtect Data Manager Administration and User Guide 69

About the Storage Direct agent Storage Direct uses snapshot backup technology to protect data on VMAX storage arrays by moving storage group data from the VMAX array to a DD system.

PowerProtect Data Manager enables application administrators to configure the Storage Direct agent and create centralized or self-service protection policies to set up backups for new environments and import existing environments into PowerProtect Data Manager.

PowerProtect Data Manager also enables you to restore the snapshot backup data with the following options:

l Restore from replica backups (restore to original, restore to an alternate location on the same storage system, and restore to a different storage system).

l Instant access to Storage Direct backups on any host.

You can use the installation wizard to install the Storage Direct agent on the host that you plan to protect. Installing or Upgrading Storage Direct on page 76 provides instructions.

When you install and configure the agent, Storage Direct creates a snapshot of the data on VMAX storage groups and transfers the data to a DD system. Using FTS technology, the host running your applications accesses the source LUNs from the VMAX system where the storage group data resides. A link is established between FTS devices on the VMAX system and the destination DD system, which enables you to create a virtual disk (vDisk), vDisk pool, and MTree on the DD system.

After the Storage Direct agent is approved and registered in the PowerProtect Data Manager UI and the DD system and the SMIS server are added and discovered, the Storage Direct agent is enabled for use. PowerProtect Data Manager can discover the storage groups in the VMAX system and you can assign unprotected storage groups to a protection policy.

The eLab Navigator provides software compatibility information for the PowerProtect Data Manager software and the Storage Direct agent.

Storage Direct agent prerequisites Before you enable the Storage Direct agent and discover VMAX storage groups, ensure that your system meets the requirements.

Only Windows and Linux platforms are supported through the PowerProtect Data Manager server.

Ensure that:

l The vDisk user is an administrator.

l The LUNs of the storage groups to be protected are masked to the host.

l The host is a 64-bit system. PowerProtect Data Manager supports only 64-bit hosts.

l The host is running a supported operating system version. The eLab Navigator provides software compatibility information for PowerProtect Data Manager.

l All clocks on both the host and PowerProtect Data Manager are time-synced to the local NTP server to ensure discovery of the backups.

l The host and the PowerProtect Data Manager network can see and resolve each other.

l For replication, add a secondary DD system.

After DD discovery, ensure that the vDisk Pool and DD Boost storage units are available: In PowerProtect Data Manager select Infrastructure > Storage, select the DD system, and then select Manage Storage Units.

Enabling the Storage Direct Agent for VMAX Systems

70 PowerProtect Data Manager Administration and User Guide

Upgrading an existing Storage Direct agent To upgrade an existing Storage Direct agent for a new release of PowerProtect Data Manager, ensure that your configuration is compatible.

Review the following setup requirements to upgrade an existing Storage Direct agent to the latest release of PowerProtect Data Manager.

During the upgrade:

l On the Configure Installation Options page, click PowerProtect Data Manager registration, and then provide the PowerProtect Data Manager server IP address so that the Storage Direct agent can register with the PowerProtect Data Manager server.

l On the Configuration File Input page, click Select the Configuration Files, browse to the location of your configuration file(s), and for each configuration file, click Add.

Configuration file requirements When you create a VMAX Storage Group protection policy, a configuration file is automatically created in the C:\Program Files\DPSAPPS\ppfsagent\config directory. This configuration file contains information about the VMAX and DD system attributes and the storage groups protected by the policy. This file is required for self-service backup and restore procedures.

To ensure that PowerProtect Data Manager can use your existing configuration files, review the files and ensure that the contents and your environment satisfy the following requirements:

l To import a single configuration file, all backup vDisks on the DD system must belong to the same pool. You can create more than one device group. For example, for two source storage groups (SG1 and SG2), you can create one device group for the backup vDisks of SG1 and another device group for the backup vDisks of SG2.

To import multiple configuration files per host, vDisks can belong to different pools.

l The file must contain only storage groups. It must not contain IDs of the source LUNs or details about the secondary DD system.

l The file must contain the Ddboost and DdVdiskUser with their corresponding passwords in the lockbox.

l The Devicepath cannot start with a forward slash (/).

Additionally, the file must be in one of the following formats:

l One restore device group and one restore storage group

l Multiple restore device groups and multiple restore storage groups with one to one mapping between each restore device group and restore storage group

One restore device group and one restore storage group

In this format:

l One entry exists for RESTORE_DEVICE_GROUP and VMAX_FASTX_RESTORE_SG for all Source Storage Groups.

l All Storage Groups map to a single RESTORE_DEVICE_GROUP and VMAX_FASTX_RESTORE_SG.

l Only one of the RESTORE_DEVICE_GROUP or VMAX_FASTX_RESTORE_SG attributes is used. Enclose the one not in use in a comment.

Enabling the Storage Direct Agent for VMAX Systems

PowerProtect Data Manager Administration and User Guide 71

l For RESTORE_DEVICE_GROUP, the corresponding pool information for RESTORE_DEVICE_POOL must be provided and the attribute must not be enclosed in a comment.

l For VMAX_FASTX_RESTORE_SG, enclose the RESTORE_DEVICE_GROUP and RESTORE_DEVICE_POOL attributes in a comment.

Example:

[PRIMARY_SYSTEM] DDBOOST_USER = DEVICE_HOST = DEVICE_PATH = DDVDISK_USER = # RESTORE_DEVICE_POOL = # RESTORE_DEVICE_GROUP = # DD_BOOST_FC = # DD_PORT = VMAX_FASTX_RESTORE_SG = # SELECT_VISIBLE_RESTORE_DEVICES = | | | [BACKUP_SOURCE_DEVICES] # SRC_DEVICE1 = 000196700638:00F1A # SRC_DEVICEn = SRC_GROUP1 = SRC_GROUP2 = SRC_GROUP3 = # SRC_GROUPn =

Multiple restore device groups and restore storage groups

In this format:

l Each source storage group has a corresponding restore storage group and restore device group.

l The number of source storage groups is in a 1:1 mapping, which should be maintained. The same number of entries must exist for RESTORE_DEVICE_GROUP and VMAX_FASTX_RESTORE_SG. For example, the first RESTORE_DEVICE_GROUP and VMAX_FASTX_RESTORE_SG entry should correspond to SRC_GROUP1. The second RESTORE_DEVICE_GROUP and VMAX_FASTX_RESTORE_SG entry should correspond to SRC_GROUP2.

l Only one entry of RESTORE_DEVICE_GROUP and VMAX_FASTX_RESTORE_SG should exist. Enclose other entries in a comment.

Example:

[PRIMARY_SYSTEM] DDBOOST_USER = DEVICE_HOST = DEVICE_PATH = DDVDISK_USER = # RESTORE_DEVICE_POOL = # RESTORE_DEVICE_GROUP = # RESTORE_DEVICE_GROUP = # RESTORE_DEVICE_GROUP = # DD_BOOST_FC = # DD_PORT = VMAX_FASTX_RESTORE_SG = # VMAX_FASTX_RESTORE_SG = # VMAX_FASTX_RESTORE_SG = # SELECT_VISIBLE_RESTORE_DEVICES = | | |

Enabling the Storage Direct Agent for VMAX Systems

72 PowerProtect Data Manager Administration and User Guide

[BACKUP_SOURCE_DEVICES] # SRC_DEVICE1 = 000196700638:00F1A # SRC_DEVICEn = SRC_GROUP1 = SRC_GROUP2 = SRC_GROUP3 = # SRC_GROUPn =

Roadmap for protection with the Storage Direct agent for new environments

For new Storage Direct agent environments, the following roadmap provides the steps required to configure protection of the Storage Direct agent in PowerProtect Data Manager to facilitate movement of snapshot backups from the VMAX storage area to the DD system.

Before you begin

Review the prerequisites and limitations in the following sections:

l Storage Direct agent prerequisites on page 70

l Configuration file requirements on page 71

l Storage Direct agent limitations and troubleshooting on page 81

Procedure

1. Set up the SMIS server in the PowerProtect Data Manager UI:

a. Add the SMIS server.

b. Initiate a discovery of the SMIS server.

c. Verify that the discovery completed successfully.

Add and discover the SMIS server for the Storage Direct agent on page 108 provides information.

2. Set up the DD system in the PowerProtect Data Manager UI:

a. Add a primary DD system.

b. (Optional) If using replication, add a secondary DD system.

c. Initiate a discovery of the DD systems.

d. Verify that the discovery completed successfully.

Add protection storage on page 42 provides information. Note: If you use the Storage Direct agent to move snapshot backups from a VMAX storage array to a DD system, the DD Management Center is not required.

3. Install the Storage Direct agent on the Storage Direct host system.

Installing or Upgrading Storage Direct on page 76 provides information.

4. Approve the Storage Direct agent in the PowerProtect Data Manager UI on each Storage Direct host system.

Manage the Storage Direct agent on page 80 provides information.

5. Ensure that the Storage Direct agent has been discovered.

Discover a Storage Direct agent host on page 108 provides information.

Enabling the Storage Direct Agent for VMAX Systems

PowerProtect Data Manager Administration and User Guide 73

6. In the PowerProtect Data Manager UI, verify that the VMAX assets (storage groups) have been discovered, and that the host name appears next to these assets.

Add and discover the SMIS server for the Storage Direct agent on page 108 provides information about how to verify that these assets have been discovered, and Add a Self- service Protection Policy for Storage Direct on page 130 provides information about adding assets to a protection policy.

7. Create a centralized or self-service protection policy in the PowerProtect Data Manager UI by selecting the Storage Group policy type and choosing the I want PPDM to automatically provision and manage all storage needed to achieve this objective option.

Add a Centralized Protection Policy for Storage Direct on page 134 and Add a Self-service Protection Policy for Storage Direct on page 130 provide information.

8. If you plan to perform self-service backup and restore, review the configuration file that is automatically generated upon the successful configuration of the Storage Direct agent in PowerProtect Data Manager to ensure that the file contains the information identified in Configuration file requirements on page 71.

Add a Self-service Protection Policy for Storage Direct on page 130 provides information about the type of information that the configuration file contains and how this file is used when executing the backup command.

Note: Do not make any changes to this configuration file.

9. For self-service backups, run the protectpoint snapbackup create command with the configuration file name specified in order to perform the self-service backup.

The Storage Direct Agent Installation and Administration Guide, and the After you finish section of Add a Self-service Protection Policy for Storage Direct on page 130, provide information about running this command with the configuration file.

Roadmap for protection with the Storage Direct agent for existing environments

For existing Storage Direct agent environments, the following roadmap provides the steps required to configure protection of the Storage Direct agent in PowerProtect Data Manager to facilitate movement of snapshot backups from the VMAX storage area to the DD system.

Before you begin

Review any prerequisites in the section Storage Direct agent prerequisites on page 70 and Configuration file requirements on page 71, and make note of any limitations in the section Storage Direct agent limitations and troubleshooting on page 81.

Procedure

1. Set up the SMIS server in the PowerProtect Data Manager UI:

a. Add the SMIS server.

b. Initiate a discovery of the SMIS server.

c. Verify that the discovery completed successfully.

Add and discover the SMIS server for the Storage Direct agent on page 108 provides information.

2. Set up the DD system in the PowerProtect Data Manager UI:

a. Add a primary DD system.

Enabling the Storage Direct Agent for VMAX Systems

74 PowerProtect Data Manager Administration and User Guide

b. (Optional) If using replication, add a secondary DD system.

c. Initiate a discovery of the DD systems.

d. Verify that the discovery completed successfully.

Add protection storage on page 42 provides information. Note: If using the Storage Direct agent to move snapshot backups from a VMAX storage array to a DD system, you do not need to add a DD Management Center.

3. Modify your existing configuration file(s) to ensure that the file contains the information required by PowerProtect Data Manager to run the VMAX Storage Group policy, and to ensure the file is in an acceptable format, as described in the section Configuration file requirements on page 71.

4. Upgrade the Storage Direct agent on the Storage Direct host system.

Installing or Upgrading Storage Direct on page 76 provides information.

5. Approve the Storage Direct agent in the PowerProtect Data Manager UI on each Storage Direct/ProtectPoint host system.

Manage the Storage Direct agent on page 80 provides information.

6. Ensure that the Storage Direct agent has been discovered.

Discover a Storage Direct agent host on page 108 provides information.

7. In the PowerProtect Data Manager UI, verify that the VMAX assets (storage groups) have been discovered, and that the host name appears next to these assets.

Add and discover the SMIS server for the Storage Direct agent on page 108 provides information about how to verify that these assets have been discovered, and Add a Self- service Protection Policy for Storage Direct on page 130 provides information about adding assets to a protection policy.

8. Create a centralized or self-service protection policy in the PowerProtect Data Manager UI by selecting the Storage Group policy type and choosing the I will provision and manage my own storage option.

Add a Centralized Protection Policy for Storage Direct on page 134 and Add a Self-service Protection Policy for Storage Direct on page 130 provide information.

9. If you plan to perform self-service backup and restore, review the configuration file that is automatically generated upon the successful configuration of the Storage Direct agent in PowerProtect Data Manager to ensure that the file contains the information identified in Configuration file requirements on page 71. This configuration file will be used going forward instead of your previous configuration file(s) to perform self-service backup and restore.

Add a Self-service Protection Policy for Storage Direct on page 130 provides information about the type of information that the configuration file contains, and how this file is used when executing the backup command for the initial snapshot.

Note: Do not make any changes to this configuration file.

10. For self-service backups, run the protectpoint snapbackup create command with the configuration file name specified in order to perform the self-service backup.

The Storage Direct Agent Installation and Administration Guide, and the After you finish section of Add a Self-service Protection Policy for Storage Direct on page 130, provide information about running this command with the configuration file.

Enabling the Storage Direct Agent for VMAX Systems

PowerProtect Data Manager Administration and User Guide 75

Installing or Upgrading Storage Direct Learn how to install or upgrade the Storage Direct agent for Linux or Windows.

Install the Storage Direct agent on Linux Learn how to install the standalone Storage Direct agent for PowerProtect Data Manager on supported Linux systems.

Before you begin

l Ensure that you review the prerequisites provided in Storage Direct agent prerequisites on page 70.

l Download the Storage Direct agent software package to the Linux host.

Procedure

1. In the PowerProtect Data Manager UI:

a. Select Agent Downloads from the System Settings menu.

b. Select the Storage Direct agent download package for Linux, storagedirectagent19x_linux_x86_64.tar.gz.

c. Download the package to the location where you want to install the Storage Direct agent.

2. Unpack the Storage Direct software package:

a. Run the following command:

gunzip storagedirectagent19x_ .tar.gz

b. Run the following command:

tar -xvf storagedirectagent19x_ .tar

c. Run the following command:

rpm -import RPM_KEY

3. Provide "Execute" +x permissions on the install.sh file.

4. Install the Storage Direct software as the root user by running the installation script:

install.sh

Enabling the Storage Direct Agent for VMAX Systems

76 PowerProtect Data Manager Administration and User Guide

Note: During the installation, you are prompted for the hostname or IP address of the PowerProtect Data Manager. As an alternative, you can include the --server option when you run the install.sh installation script, as in the following:

install.sh --server=

To obtain a list of all the available command options for the install.sh command, run the command install.sh --help or install.sh -h. The command also supports the -- debug or -d option for debugging purposes.

The product is installed in the /opt/dpsapps/ppfsagent directory. Two RPM files are installed as part of the installation script:

l storagedirectagent-19.x.x.x86_64.rpm l powerprotect-agentsvc-19.x.x.x86_64

To view the status of the PowerProtect agent service, go to the /opt/dpsapps/ agentsvc directory and execute the ./register.sh --status command.

After you finish Complete the host registration with the PowerProtect Data Manager server. Add and discover the SMIS server for the Storage Direct agent on page 108 provides more information.

Approve the pending Storage Direct agent request so that you can discover the VMAX assets, also known as storage groups. Manage the Storage Direct agent on page 80 provides more information.

Upgrade the Storage Direct agent on Linux Learn how to upgrade to the standalone Storage Direct agent for PowerProtect Data Manager on supported Linux systems.

Before you begin

l Ensure that you review the prerequisites provided in Storage Direct agent prerequisites on page 70, and the Upgrade requirements section in Configuration file requirements on page 71.

l Download the Storage Direct agent software package to the Linux host.

Procedure

1. In the PowerProtect Data Manager UI:

a. Select Agent Downloads from the System Settings menu.

b. Select the Storage Direct agent download package for Linux, storagedirectagent19x_linux_x86_64.tar.gz.

c. Download the package to the location where you want to install the Storage Direct agent.

2. Unpack the Storage Direct software package:

a. Run the following command:

gunzip storagedirectagent19x_ .tar.gz

b. Run the following command:

tar -xvf storagedirectagent19x_ .tar

Enabling the Storage Direct Agent for VMAX Systems

PowerProtect Data Manager Administration and User Guide 77

c. Run the following command:

rpm -import RPM_KEY

3. Provide "Execute" +x permissions on the install.sh file.

4. Upgrade the Storage Direct software as the root user by running the installation script with the -u option, as in the following:

install.sh -u

Note: Later in the upgrade, you are prompted for the hostname or IP address of the PowerProtect Data Manager. As an alternative, you can include the --server option when you run the install.sh -u command, as in the following:

install.sh -u -- server=

The product is upgraded in the /opt/dpsapps/ppfsagent directory. Two rpms are installed as part of the installation script:

l storagedirectagent-19.x.x.x86_64.rpm

l powerprotect-agentsvc-19.x.x.x86_64

5. For Do you wish to give existing config file path?, type y, and then provide the path to the configuration files.

A prompt appears requesting if you have additional configuration files. If you have more than one existing configuration file, type y, and provide the additional path.

6. For Do you wish to upgrade adm-agent?, type y.

7. If you did not specify the PowerProtect Data Manager server name when running the install.sh -u command, a prompt appears requesting if you want to register Storage Direct with the PowerProtect Data Manager server. Type y, and then type the PowerProtect Data Manager server FQDN or IP address.

After you finish

Complete the host registration with the PowerProtect Data Manager server. Add and discover the SMIS server for the Storage Direct agent on page 108 provides more information.

Approve the pending Storage Direct agent request so that you can discover the VMAX assets, also known as storage groups. Manage the Storage Direct agent on page 80 provides more information.

Install or upgrade the Storage Direct agent on Windows Learn how to install or upgrade to the standalone Storage Direct agent for PowerProtect Data Manager on supported Windows systems.

Before you begin

l Ensure that you review the prerequisites provided in Storage Direct agent prerequisites on page 70, and the Upgrade requirements section in Configuration file requirements on page 71.

l Download the Storage Direct agent software package to the Windows host.

Enabling the Storage Direct Agent for VMAX Systems

78 PowerProtect Data Manager Administration and User Guide

Procedure

1. In the PowerProtect Data Manager UI:

a. Select Agent Downloads from the System Settings menu.

b. Select the Storage Direct agent download package for Windows, for example, storagedirectagent19x_win_x64.zip.

c. Download the package in the location that you want to install the Storage Direct agent.

2. To launch the installer, unzip the storagedirectagent19x_win_x64.zip file and then run the storagedirectagent19x_win_x64.exe program.

The installation wizard opens.

3. Click Next.

4. Select I accept the terms in the License Agreement, and then click Next.

5. On the Configure Installation Options page, click PowerProtect Data Manager registration, and then and type the PowerProtect Data Manager server hostname or IP address in the Appliance hostname or IP address text box so that the Storage Direct agent can register with the PowerProtect Data Manager server.

6. If upgrading, on the Configuration File Input page, click Select the Configuration Files, browse to the location of your configuration file(s), and for each configuration file, click Add.

7. When completed, click Install.

8. Click Finish to exit the installation wizard.

After you finish

Complete the host registration with the PowerProtect Data Manager server. Add and discover the SMIS server for the Storage Direct agent on page 108 provides more information. For upgrades, if the installed product is already registered with any PowerProtect Data Manager server, then this information will appear automatically in the UI.

Approve the pending Storage Direct agent request so that you can discover the VMAX assets, also known as storage groups. Manage the Storage Direct agent on page 80 provides more information.

Silent installation of the Storage Direct agent You can perform a silent installation of the Storage Direct agent on Linux or Windows.

Silent installation commands

To perform the silent installation to the default path:

l On Linux, run install.sh -- server PPDM server name l On Windows, run storagedirectagent-19.x.x.exe /s PPDMHostName=

Note: PPDMHostName is a mandatory option in the command line. If a value is not provided, the product is installed without PowerProtect registration, and no backups can be initiated from the application host. Specifying ProductInstallPath is optional, but if used, the value cannot be empty.

Enabling the Storage Direct Agent for VMAX Systems

PowerProtect Data Manager Administration and User Guide 79

Uninstall the Storage Direct agent on Linux You can uninstall the Storage Direct agent by using the uninstall.sh script, which is included when you untar the installer.

Procedure

1. Run uninstall.sh.

2. Type y to confirm that you want to uninstall the agent.

If you have the powerprotect agentsvc installed as well, a message appears indicating Other application agents might be using powerprotect-agentsvc... Do you wish to uninstall powerprotect-agentsvc[y/n]:

3. Type y or n for the powerprotect agentsvc uninstall.

The Storage Direct agent uninstall starts.

Uninstall the Storage Direct agent on Windows You can uninstall the Storage Direct agent by using the setup file.

Procedure

1. Launch storagedirectagent-19.x.x.exe.

2. On the Install Modification page, select Remove, and then click Next.

3. On the Complete the Setup page, click Finish.

4. After the uninstall completes, remove the working directory located at C:\Program Files\DPSAPPS\ppfsagent.

Manage the Storage Direct agent After the Storage Direct installation completes, an entry with the agent host name appears in the Infrastructure > Application Agents window of the PowerProtect Data Manager UI. From this window, you can approve or reject a pending Storage Direct agent request, and edit and delete existing agents.

About this task

Procedure

1. Select Infrastructure > Application Agents.

2. In the Application Agents window, select the entry that contains the host name, and click Approve.

The status changes from Awaiting Approval to Registered. Note: The Auto whitelist option, which enables you to pre-approve application agents automatically, is disabled by default. When you enable this option, the Storage Direct agent registration is approved automatically.

Enabling the Storage Direct Agent for VMAX Systems

80 PowerProtect Data Manager Administration and User Guide

Storage Direct agent limitations and troubleshooting Review the following limitations that apply to PowerProtect Data Manager support for the Storage Direct agent.

Coexistence of the Storage Direct agent with other application agents is not supported

PowerProtect Data Manager does not support the coexistence of the Storage Direct agent with other application agents, such as the Oracle, SAP HANA, or SQL application agent in PowerProtect Data Manager.

Configuration Change Management not supported for existing Storage Direct users

The Configuration Change Management feature is not supported for existing Storage Direct users updating to the Storage Direct agent for PowerProtect Data Manager.

SDFSA install/upgrade fails on trying to install using absolute path

An SDFSA installation or upgrade fails when performed using the absolute path. For example:

Example 1 Installation using absolute path

[root@xxxxx /]# /Softwares/builds/sdfsa_19.x_36/install.sh 2019/09/18 23:18:42 adm-agent rpm not found in current working directory...

Example 2 Upgrade using absolute path

[root@xxxxx sd_cfs]# /Softwares/builds/sdfsa_19.x_40/install.sh -u 2019/09/17 01:49:35 storagedirectagent rpm not found in current working directory... /Softwares/builds/sdfsa_19.x_40/install.sh: line 595: [: -gt: unary operator expected /Softwares/builds/sdfsa_19.x_40/install.sh: line 597: [: -gt: unary operator expected /Softwares/builds/sdfsa_19.x_40/install.sh: line 599: [: -gt: unary operator expected /Softwares/builds/sdfsa_19.x_40/install.sh: line 601: [: -gt: unary operator expected 2019/09/17 01:49:35 storagedirectagent rpm not found in current working directory... rpm -U --quiet --test rpm: no packages given for install 2019/09/17 01:49:35 storagedirectagent upgrade failed... 2019/09/17 01:49:35 storagedirectagent upgrade failed...

To work around this issue, change the directory to the location of install.sh and run ./install.sh.

Encapsulation fails during policy creation if a retention lock exists on VMAX or SMIS services that are not running

When a protection policy is created, a process that is called encapsulation occurs, which creates backup and restore FTS devices on the VMAX system and links the DD vDisk with FTS. If a

Enabling the Storage Direct Agent for VMAX Systems

PowerProtect Data Manager Administration and User Guide 81

retention lock exists on the VMAX system, or if the SMIS services are not running, encapsulation fails.

To ensure that there is no retention lock on the VMAX system, run the following command as the root user from the SMIS server:

symcfg list -lockn all The output is similar to the following:

S Y M M E T R I X L O C K S

Lock Lock Lock Time SymmID Attachment Status Number Usage Held (Sec)

000196700638 Local Locked 15 Config Change 13572 -> Almost 4 hours 000192604348 Remote N/A N/A N/A N/A 000297000476 Remote N/A N/A N/A N/A

If SMIS services are not running, an exception appears in the logs indicating that the storsvd service is not available and a connection to SMIS cannot be established using the SYMAPI calls. If this exception occurs:

1. Run the following command as the root user from the SMIS server to verify the status of storsvd: ./stordaemon show storsrvd If the service is unavailable, the message *** Daemon storsrvd is not currently running appears.

2. Restart the service by running ./stordaemon start storsrvd.

3. Run the ./stordaemon show storsrvd command again to verify that the status is now Running.

4. To view the remote server details, run ./stordaemon action storsrvd -cmd show server.

5. To view the network configuration, run ./stordaemon action storsrvd -cmd show - netinfo.

Restart of encapsulation fails

When an encapsulation job for the Storage Direct agent does not complete successfully, a restart of the job in the PowerProtect Data Manager UI fails with the message error: Data Domain vDisk pool not provided remediation: null.

Encapsulation fails with error "SYMAPI_C_NET_HANDSHAKE_FAILED"

If the encapsulation of a device fails with the error

SYMAPI_C_NET_HANDSHAKE_FAILED:

1. Ensure that proper name resolution can occur by verifying that the PowerProtect Data Manager server/SMIS server and SDA host are resolvable by either DNS or the hosts file.

2. Perform the following steps to ensure that the PowerProtect Data Manager server can obtain all the necessary information from the SMIS server:

l Log in to PowerProtect Data Manager as an administrator.

l Go to the /usr/emc/API/symapi/config/netcnfg directory.

Enabling the Storage Direct Agent for VMAX Systems

82 PowerProtect Data Manager Administration and User Guide

l Verify that the server entry exists. For example, - TCPIP 2707 - .

l Verify whether the Solutions Enabler base daemon is running. For example:

admin@xxxxx:~> stordaemon list -all Available Daemons ('[*]': Currently Running, '[NI]': Not Installed): [*] storapid EMC Solutions Enabler Base Daemon storgnsd EMC Solutions Enabler GNS Daemon storrdfd EMC Solutions Enabler RDF Daemon storevntd EMC Solutions Enabler Event Daemon [*] storwatchd EMC Solutions Enabler Watchdog Daemon storsrmd EMC Solutions Enabler SRM Daemon

l Export the environment variables SYMCLI_CONNECT_TYPE=REMOTE and SYMCLI_CONNECT= .

l Run symcfg list. The command output should display all VMAX and PowerMax systems that have been added to the SMIS server.

Configuration file validation fails when multiple storage group assets are selected for policy inclusion if the configuration file is not formatted correctly

When you select multiple storage group assets as part of a VMAX Storage Group protection policy in PowerProtect Data Manager, validation fails if the configuration file is not formatted correctly. For example, a configuration file with the following format might be pushed to the host:

DDBOOST_USER = 148_78-xxxxx-932c9 DEVICE_HOST = IP address DEVICE_PATH = /148_78-xxxxx-932c9-SU DDVDISK_USER = 148_78-xxxxx-932c9 #RESTORE_DEVICE_POOL = 148_78-xxxxx-932c9 #RESTORE_DEVICE_GROUP = R-sdm_xxxxx_SG7-0638 #RESTORE_DEVICE_GROUP = R-sdm_xxxxx_SG8-0638 # DD_BOOST_FC = # DD_PORT = VMAX_FASTX_RESTORE_SG = R-sdm_xxxxx_SG7-0638 #VMAX_FASTX_RESTORE_SG = R-sdm_xxxxx_SG8-0638

To work around this issue, enclose VMAX_FASTX_RESTORE_SG in a comment and remove RESTORE_DEVICE_POOL and one of the entries for RESTORE_DEVICE_GROUP from the comment.

MTree replication fails when adding replication stage for multiple protection policies if assets have the same user/vDisk pool

If an existing Storage Direct user has upgraded to the Storage Direct agent for PowerProtect Data Manager and uses the same user/vDisk pool for protected assets to create multiple protection policies with a replication stage, an MTree replication job fails with an error similar to the following: Unable to create DataDomain user xxxx, User xxxx already exists. To work around this issue, manually add the secondary DD system details in the configuration file.

Replication not supported for assets in a Storage Group policy for existing Storage Direct users if replication is already configured for stand-alone agent

The addition of a replication stage as part of a Storage Group protection policy in PowerProtect Data Manager is not supported for existing Storage Direct user assets if replication has already been configured on the stand-alone Storage Direct (ProtectPoint) agent.

To upgrade the Storage Direct agent, remove the secondary DD system details from the configuration file before importing it.

Enabling the Storage Direct Agent for VMAX Systems

PowerProtect Data Manager Administration and User Guide 83

Enabling the Storage Direct Agent for VMAX Systems

84 PowerProtect Data Manager Administration and User Guide

CHAPTER 7

Managing Assets

This section includes the following topics:

l About asset sources, assets, and storage..............................................................................86 l About Kubernetes cluster asset sources and namespace assets............................................86 l About vCenter Server asset sources and virtual assets......................................................... 87 l Prerequisites for discovering asset sources...........................................................................88 l Adding a vCenter Server asset source...................................................................................88 l VM Direct protection engine overview.................................................................................. 93 l Discover a File System Host.................................................................................................107 l Discover a Storage Direct agent host.................................................................................. 108 l Add and discover the SMIS server for the Storage Direct agent..........................................108 l Adding a Kubernetes cluster asset source............................................................................109

PowerProtect Data Manager Administration and User Guide 85

About asset sources, assets, and storage In PowerProtect Data Manager, assets are the basic unit that PowerProtect Data Manager protects. Asset sources are the mechanism that PowerProtect Data Manager uses to communicate with and manage the storage and assets. Storage is where PowerProtect Data Manager adds and stores copies and protection.

PowerProtect Data Manager supports DD Management Center (DDMC) as the storage and programmatic interface for controlling the DD systems, and external DD systems.

Assets can be virtual machines, SQL databases, Oracle databases, SAP HANA databases, File systems, Kubernetes clusters, or VMAX storage groups.

PowerProtect Data Manager supports backing up assets and adding the asset sources either through a PowerProtect Application Agent for DD Boost backups, or by connecting to vCenter and performing virtual machine backups.

About Kubernetes cluster asset sources and namespace assets

Kubernetes clusters and containers play an important role in the speed and efficiency of deploying and developing applications, and also in reducing downtime when a change to application scaling is required. PowerProtect Data Manager enables you to protect the Kubernetes environment by adding a Kubernetes cluster as an asset source, and discovering namespaces as assets for data protection operations.

In a traditional application, an environment might consist of a web server, application server, and database server, with the web server servicing requests in front of a load balancer. Scaling this application, for example, by increasing the web layer by adding servers, requires the involvement of many resources to manually change the configuration. In a Kubernetes cluster, however, once you develop the code and write a YAML file that indicates the required systems and configuration details, Kubernetes deploys these containers and the application can be started quickly. Also, a change to the scale of the application only requires you to change the YAML file and post the updated file to the cluster.

A typical Kubernetes cluster can contain several physical and virtual systems. Once the clusters are running, the applications, binaries, and a framework are bundled into a container, which is then wrapped in a pod. Before you can run the pod in a Kubernetes cluster, the cluster must be divided into namespaces. A namespace is a pool of resources that are divided logically in the cluster. It is these namespaces that are protected as assets within the PowerProtect Data Manager UI for the purposes of backup and recovery.

However, because pods only last for a short time, to persist state information Kubernetes uses Persistent Volumes. You can create Persistent Volumes on external storage and then attach to a particular pod using PersistentVolumeClaims (PVCs). PVCs can then be included along with other namespaces in PowerProtect Data Manager backup and recovery operations.

Note: Kubernetes versions 1.13 to 1.16 support alpha CSI volume snapshots. However, only beta CSI volume snapshots are supported in Kubernetes versions 1.17 and later. The article "Kubernetes 1.17 Feature: Kubernetes Volume Snapshot Moves to Beta" at https:// kubernetes.io/blog/2019/12/09/kubernetes-1-17-feature-cis-volume-snapshot-beta/provides instructions on how to deploy support for Beta snapshots in a Kubernetes cluster.

Optimized data path and First Class Disks

When the Kubernetes cluster is running on vSphere and using vSphere CNS storage, backup and recovery operations utilize the optimized data path, where persistent volumes on vSphere-

Managing Assets

86 PowerProtect Data Manager Administration and User Guide

managed storage are backed up by VMDKs called improvised virtual disks, or First Class Disks (FCDs). These FCDs are created on the back-end and assigned a globally unique UUID whenever persistent volumes are dynamically provisioned by vSphere CSI in Kubernetes. Since FCDs are not associated with any particular virtual machine, they can be managed independently.

PowerProtect Data Manager detects whether a persistent volume is backed by an FCD when the storageclass of the persistent volume has the provisioner as csi.vsphere.vmware.com. When this occurs, PowerProtect Data Manager switches to using the optimized data path.

Optimized data path differs from CSI management in primarily two ways:

l FCD uses the VMware VADP API to take the snapshot instead of using the CSI driver.

l Supports both incremental and full backups, making use of changed block tracking (CBT).

The following configuration changes are required prior to running the Kubernetes protection policy in order to make use of optimized data path:

l FCD CSI support requires a minimum version of vCenter 6.7 U3.

l Enable CBT on the Kubernetes worker node virtual machines before the pods (application) start using dynamically provisioned PVCs. To enable CBT on the nodes, run the command source /opt/emc/vproxy/unit/ vproxy.env on the PowerProtect Data Manager host, and then run the following command for each node:

/opt/emc/vproxy/bin/vmconfig -u vCenter user with administrator privileges -p user password -v vCenter host FQDN or IP -l ip -k Kubernetes node IP -c enable-cbt" If your Kubernetes cluster nodes do not have VMWare Tools installed, you might not be able to use the IP address as one of the inputs to the tool. In this case, use the VM Moref as the identifier of the VMs:

/opt/emc/vproxy/bin/vmconfig -u vCenter user with administrator privileges -p user password -v vCenter host FQDN or IP -l moref -k Kubernetes VM node moref -c enable-cbt"

l The PowerProtect Data Manager proxy pods use NBD protocol to read the contents of the FCD-based persistent volumes in order to back up these volumes. Ensure that the NBD default port 902 is open on all of the Kubernetes nodes.

You can verify that a Kubernetes protection policy backup or restore is using optimized data path by viewing the details for the operation in the Jobs window. Additionally, the Recent Tasks pane of the vSphere Client displays the message Create a virtual disk object when a new PVC is added.

About vCenter Server asset sources and virtual assets After you add a vCenter Server as an asset source in PowerProtect Data Manager, an automatic discovery of VMware entity information from the vCenter Server is initiated.

The virtual assets for the vCenter Server appear in the Assets window of the PowerProtect Data Manager UI under the Virtual Machines tab.

The initial vCenter Server discovery identifies all ESXi clusters, hosts, and virtual machines within the vCenter Server. Subsequent discoveries are performed automatically, according to a fixed interval, to identify any additional or changed VMware entities since the last discovery operation. You can also manually initiate a discovery of VMware entities at any time from the vCenter tab of the Asset Sources window by selecting a vCenter Server and clicking Discover.

Upon vCenter Server and virtual asset discovery, the PowerProtect Data Manager VM Direct protection engine facilitates the management of virtual assets as PowerProtect Data Manager resources for the purposes of backup and recovery. Dell EMC recommends that you also add an

Managing Assets

PowerProtect Data Manager Administration and User Guide 87

external VM Direct Engine in the Protection Engines window. You can protect virtual machine assets by manually adding the assets to a virtual machine protection policy or by using dynamic filters to determine which assets are included in a protection policy according to predefined rules.

Prerequisites for discovering asset sources Perform these tasks before you discover the asset sources.

l Ensure that the PowerProtect Data Manager is deployed and configured in the environment. The PowerProtect Data Manager Deployment Guide provides information.

l Log in with administrative rights.

l Configure all asset sources with an NTP server.

l Before you register an SQL application, ensure that the DD system has been discovered successfully.

l For discovery of App/File System asset sources:

n Ensure that all clocks on both the App/File System host and PowerProtect Data Manager are time-synced to the local NTP server to ensure discovery of the backups.

n Ensure that the App/File System host and the PowerProtect Data Manager network can see/resolve each other.

n Ensure that port 7000 is open on the App/File System host.

Adding a vCenter Server asset source After you register a vCenter Server with PowerProtect Data Manager, you can use the Asset Sources window in the PowerProtect Data Manager UI to add a vCenter Server asset source to the PowerProtect Data Manager environment.

About this task

Adding a vCenter Server asset source is required if you want to schedule a backup through PowerProtect Data Manager.

Add a VMware vCenter Server Perform the following steps to add a vCenter Server as an asset source in the PowerProtect Data Manager UI:

Before you begin

l You must have Administrator privileges.

l By default, PowerProtect Data Manager enforces SSL certificates during communication with vCenter Server. If a certificate appears and you trust the certificate, click Verify. Note, however, that a requirement of SSL certificate enforcement is that the common name (cn) of the x509 certificate on the vCenter Server must match the hostname of the vCenter URL. The common name of the x509 certificate is typically the vCenter server fully qualified domain name (FQDN), but it could be the vCenter server IP address. You can inspect the vCenter server SSL certificate to determine whether the x509 common name is a FQDN or an IP. When creating an asset source resource, in order to pass SSL certificate enforcement, the asset source resource hostname must match the common name of the x509 certificate on the vCenter server.

Note: It is highly recommended that you do not disable certificate enforcement. If disabling the certificate is required, carefully review the instructions in the section Disable SSL certification on the vCenter Server on page 101.

Managing Assets

88 PowerProtect Data Manager Administration and User Guide

Procedure

1. Select Infrastructure > Asset Sources.

The Asset Sources window appears.

2. Select the vCenter tab.

3. Click Add.

The Add vCenter dialog displays.

4. Specify the source attributes:

a. In the Name field, specify the vCenter Server name.

b. In the Address field, specify the fully qualified domain name (FQDN) or the IP address.

Note: For a vCenter Server, it is recommended that you use the FQDN instead of the IP address.

c. In the Port field, specify the port for communication if you are not using the default port, 443.

5. Under Host Credentials, choose an existing entry from the list to use for the vCenter user credentials. Alternatively, you can click Add from this list to add new credentials, and then click Save.

Note: Ensure that you specify the credentials for a user whose role is defined at the vCenter level, as opposed to being restricted to a lower-level container object in the vSphere object hierarchy.

6. If you want to make a subset of the PowerProtect Data Manager UI functionality available within the vSphere Client, move the vSphere Plugin slider to the right.

Available functionality includes:

l The monitoring of active virtual machine/VMDK protection policies, and

l Restore options such as Restore to Original, Restore to New, and Instant Access.

Note: You can unregister the vSphere plug-in at any time by moving the slider to the left.

7. By default, the vCenter discovery occurs automatically after adding the vCenter, and subsequent discoveries are incremental. If you want to schedule a full discovery at a certain time every day, select the Schedule Discovery check box, and then specify a time.

8. If the vCenter server SSL certificate cannot be trusted automatically, a dialog box appears requesting certificate approval. Review the certificate, and then click Verify.

9. Click Save.

The vCenter Server information that you entered now appears as an entry in a table on the Asset Sources window.

Note: Although PowerProtect Data Manager automatically synchronizes with the vCenter server under most circumstances, certain conditions might require you to initiate a manual discovery.

After discovery, PowerProtect Data Manager starts an incremental discovery in the background periodically to keep updating PowerProtect Data Manager with vCenter changes. You can always do an on-demand discovery.

Managing Assets

PowerProtect Data Manager Administration and User Guide 89

10. Select Infrastructure > Assets.

The Assets window appears.

11. If not already selected, click the Virtual Machines tab.

Upon a successful discovery, the virtual machine assets that are discovered in the vCenter appear. Discovery time is based on networking bandwidth. The resources that are discovered and the resources that are performing the discovery impact performance each time that you initiate a discovery process. It might appear that PowerProtect Data Manager is not updating the Asset Sources data while the discovery is in progress.

After you finish

Upon successful discovery of the vCenter virtual machine assets, you can add a VM Direct appliance to facilitate data movement, and then create virtual machine protection policies to back up these assets. The PowerProtect Data Manager software comes bundled with an embedded VM Direct Engine, which is automatically used as a fallback proxy for performing backups and restores when the added external proxies fail or are disabled. It is recommended that external proxies should always be deployed since the embedded proxy has limited capacity for performing parallel backups. To add a VM Direct Engine, go to Infrastructure > Protection Engines.

Creating a dedicated vCenter user account Dell EMC strongly recommends that you set up a separate vCenter user account at the root level of the vCenter that is strictly dedicated for use with PowerProtect Data Manager and the VM Direct protection engine.

Use of a generic user account such as Administrator could make future troubleshooting efforts difficult as it might not be clear which Administrator actions are actually interfacing or communicating with PowerProtect Data Manager. Using a separate vCenter user account ensures maximum clarity if it becomes necessary to examine vCenter logs.

You can specify the credentials for a vCenter user account when you add the vCenter as an asset source in the UI. When you add the vCenter, ensure that you specify a user whose role is defined at the vCenter level and not restricted to a lower level container object in the vSphere object hierarchy.

Specify the required privileges for a dedicated vCenter user account You can use the vSphere Client to specify the required privileges for the dedicated vCenter user account, or you can use the PowerCLI, which is an interface for managing vSphere. The following table includes the privileges required for this user.

About this task

Table 19 Minimum required vCenter user account privileges

Setting vCenter 6.0 and later required privileges PowerCLI equivalent required privileges

Alarms l Create alarm

l Modify alarm

$privileges = @( 'System.Anonymous', 'System.View', 'System.Read', 'Global.ManageCustomFields', 'Global.SetCustomField', 'Global.LogEvent', 'Global.CancelTask', 'Global.Licenses', 'Global.Settings', 'Global.DisableMethods',

Datastore l Allocate space

l Browse datastore

l Configure datastore

l Low-level file operations

l Move datastore

Managing Assets

90 PowerProtect Data Manager Administration and User Guide

Table 19 Minimum required vCenter user account privileges (continued)

Setting vCenter 6.0 and later required privileges PowerCLI equivalent required privileges

l Remove datastore

l Remove file

l Rename datastore

'Global.EnableMethods', 'Folder.Create', 'Datastore.Rename', 'Datastore.Move', 'Datastore.Delete', 'Datastore.Browse', 'Datastore.DeleteFile', 'Datastore.FileManagement', 'Datastore.AllocateSpace', 'Datastore.Config', 'Network.Config', 'Network.Assign', 'Host.Config.Storage', 'VirtualMachine.Inventory.Create', 'VirtualMachine.Inventory.Register', 'VirtualMachine.Inventory.Delete', 'VirtualMachine.Inventory.Unregister', 'VirtualMachine.Interact.PowerOn', 'VirtualMachine.Interact.PowerOff', 'VirtualMachine.Interact.Reset', 'VirtualMachine.Interact.ConsoleInteract', 'VirtualMachine.Interact.DeviceConnection', 'VirtualMachine.Interact.SetCDMedia', 'VirtualMachine.Interact.ToolsInstall', 'VirtualMachine.Interact.GuestControl', 'VirtualMachine.GuestOperations.Query', 'VirtualMachine.GuestOperations.Modify', 'VirtualMachine.GuestOperations.Execute', 'VirtualMachine.Config.Rename', 'VirtualMachine.Config.Annotation', 'VirtualMachine.Config.AddExistingDisk', 'VirtualMachine.Config.AddNewDisk', 'VirtualMachine.Config.RemoveDisk', 'VirtualMachine.Config.RawDevice', 'VirtualMachine.Config.HostUSBDevice', 'VirtualMachine.Config.CPUCount', 'VirtualMachine.Config.Memory', 'VirtualMachine.Config.AddRemoveDevice', 'VirtualMachine.Config.EditDevice', 'VirtualMachine.Config.Settings', 'VirtualMachine.Config.Resource', 'VirtualMachine.Config.UpgradeVirtualHardwa re', 'VirtualMachine.Config.ResetGuestInfo', 'VirtualMachine.Config.AdvancedConfig', 'VirtualMachine.Config.DiskLease', 'VirtualMachine.Config.SwapPlacement', 'VirtualMachine.Config.DiskExtend', 'VirtualMachine.Config.ChangeTracking', 'VirtualMachine.Config.ReloadFromPath', 'VirtualMachine.Config.ManagedBy', 'VirtualMachine.State.CreateSnapshot', 'VirtualMachine.State.RevertToSnapshot', 'VirtualMachine.State.RemoveSnapshot', 'VirtualMachine.Provisioning.MarkAsTemplate ', 'VirtualMachine.Provisioning.DiskRandomAcce ss', 'VirtualMachine.Provisioning.DiskRandomRead ', 'VirtualMachine.Provisioning.PutVmFiles', 'Resource.AssignVMToPool', 'Resource.HotMigrate', 'Resource.ColdMigrate', 'Alarm.Create', 'Alarm.Edit', 'Task.Create', 'Task.Update', 'Sessions.ValidateSession', 'Extension.Register',

Extension l Register extension

l Unregister extension

l Update extension

Folder l Create folder

Global l Cancel task

l Disable methods

l Enable methods

l Licenses

l Log event

l Manage custom attributes

l Settings

l Set custom attribute

Host l Configuration > Storage partition configuration

Network l Assign network

l Configure

Resource l Assign virtual machine to resource pool

l Migrate powered off virtual machine

l Migrate powered on virtual machine

Sessions l Validate session

Tasks l Create task

l Update task

vApp l Export

l Import

l vApp application configuration

Virtual Machine

Configuration l Add existing disk

l Add new disk

l Add or remove device

l Advanced

Managing Assets

PowerProtect Data Manager Administration and User Guide 91

Table 19 Minimum required vCenter user account privileges (continued)

Setting vCenter 6.0 and later required privileges PowerCLI equivalent required privileges

l Change CPU count

l Change resource

l Configure managed by

l Disk change tracking

l Disk Lease

l Extend virtual disk

l Host USB device

l Memory

l Modify device settings

l Raw device

l Reload from path

l Remove disk

l Rename

l Reset guest information

l Set annotation

l Settings

l Swapfile placement

l Upgrade virtual machine compatibility

'Extension.Update', 'Extension.Unregister', 'VApp.ApplicationConfig', 'VApp.Export', 'VApp.Import' )

New-VIRole -Name 'PowerProtect' -Privilege (Get-VIPrivilege -Id $privileges)

Cryptographic Permissions

l Add disk

l Direct access

l Register VM

Guest Operations

l Guest operation modifications

l Guest operation program execution

l Guest operation queries

Interactions l Configure CD media

l Console interaction

l Device Connection

l Guest operating system management by VIX API

l Power off

l Power on

l Reset

l VMware Tools install

Inventory l Create new

l Register

Managing Assets

92 PowerProtect Data Manager Administration and User Guide

Table 19 Minimum required vCenter user account privileges (continued)

Setting vCenter 6.0 and later required privileges PowerCLI equivalent required privileges

l Remove

l Unregister

Provisioning l Allow disk access

l Allow read-only disk access

l Allow virtual machine download

l Mark as Template

Snapshot Management

l Create snapshot

l Remove Snapshot

l Revert to snapshot

VM Direct protection engine overview The VM Direct protection engine is the virtual machine data protection solution within PowerProtect Data Manager. This solution enables you to deploy a VM Direct Engine in the vSphere environment to perform virtual machine snapshot backups, moving the data to a DD system.

The VM Direct protection engine is enabled after you add a vCenter Server in the Asset Sources window, which enables you to collect VMware entity information from the vCenter server and save the virtual machines as PowerProtect Data Manager resources for the purposes of backup and recovery.

To view statistics for the VM Direct engine, manage and monitor VM Direct engines, and add an external VM Direct engine to facilitate data movement, go to Infrastructure > Protection Engines. Add a VM Direct Engine on page 94 provides more information.

Note: In the VM Direct Engines pane, VMs Protected refers to the number of assets protected by PowerProtect Data Manager. This count does not indicate that all of the virtual machines have been protected successfully. To determine the success or failure of asset protection, use the Jobs window.

When you add an external VM Direct Engine, the VM Direct Engines pane provides the following information:

l The VM Direct Engine IP address, name, gateway, DNS, network, and build version. This information is useful for troubleshooting network issues.

l The vCenter and ESXi hostname.

l The VM Direct Engine status (green check mark if the VM Direct Engine is ready, red x if the VM Direct Engine is not fully operational). The status includes a short explanation to help you determine why a VM Direct Engine is not in a fully operational state.

l The transport mode that you selected when adding the VM Direct Engine (Hot Add, Network Block Device, or the default setting Hot Add, Failback to Network Block Device).

Managing Assets

PowerProtect Data Manager Administration and User Guide 93

Add a VM Direct Engine In the Protection Engines window, perform the following steps to deploy a VM Direct Engine to facilitate data movement with the VM Direct protection engine.

About this task

The PowerProtect Data Manager software comes bundled with an embedded VM Direct Engine, which is automatically used as a fallback proxy for performing backups and restores when the added external proxies fail or are disabled. Dell EMC recommends that you deploy external proxies because the embedded proxy has limited capacity for performing parallel backups.

Procedure

1. In the VM Direct Engines pane of the Protection Engines window, click Add.

2. In the Add VM Direct Engines dialog box, complete the required fields, which are marked with an asterisk.

Consider the following:

l Only IPv4 addresses are supported for the Gateway, IP Address, Netmask, and Primary DNS.

l If you have added multiple vCenter Server instances, the vCenter to Deploy list enables you to select the vCenter on which to deploy the VM Direct Engine.

Note: Do NOT select the internal vCenter in this step.

l The ESX Host/Cluster list enables you to select on which cluster or ESXi host you want to deploy the additional VM Direct Engine.

l The Network list shows all the networks that are available under the selected ESXi Host/Cluster.

l The Data Store list shows all datastores that are accessible to the selected ESXi Host/ Cluster based on ranking (whether the datastores are shared, local, or NFS), and available capacity (the datastore with the most capacity appearing at the top of the list).

l You can choose the specific datastore on which the VM Direct Engine will reside or leave the default selection of to enable PowerProtect Data Manager to determine the best location to host the VM Direct Engine.

l The Transport Mode list enables you to select either Hot Add or Network Block Device (NBD) transport mode or to default to Hot Add mode and fail back to NBD only if Hot Add cannot be used.

Note: When configuring the VM Direct Engine in a VMware Cloud on AWS environment, ensure that you select the transport mode as Hot Add. VMware Cloud on AWS does not support the NBD transport mode.

3. Click Save.

The VM Direct Engine is added to the VM Direct Engines pane. Note that it can take several minutes before the new VM Direct Engine is registered in PowerProtect Data Manager. The VM Direct Engine appears in the vSphere Client window.

Results

When an extra VM Direct Engine is deployed and registered, this asset is used by PowerProtect Data Manager instead of the embedded VM Direct for any data protection operations involving virtual machine protection policies, unless all added VM Direct Engines are unavailable. If no added VM Direct Engine is available, the embedded VM Direct Engine is used as a fallback to perform limited scale backups and restores. If you do not want to use an added VM Direct Engine, you can disable that proxy. Additional VM Direct actions on page 95 provides more information.

Managing Assets

94 PowerProtect Data Manager Administration and User Guide

After you finish

If the VM Direct Engine deployment fails, review the network configuration of PowerProtect Data Manager in the System Settings window to correct any inconsistencies in network properties. After successfully completing the network reconfiguration, you must delete the failed VM Direct Engine and then add the VM Direct Engine in the Protection Engines window.

When configuring the VM Direct Engine in a VMware Cloud on AWS environment, if the VM Direct Engine is deployed to the root of the cluster instead of inside the Compute-ResourcePool, you must move the VM Direct Engine inside the Compute-ResourcePool.

Additional VM Direct actions For additional VM Direct actions, such as enabling, disabling, redeploying or deleting the VM Direct Engine, use the Protection Engines window.

Disable a VM Direct Engine

You can disable an added VM Direct Engine that you do not currently require for virtual machine backup and recovery. To disable a VM Direct Engine:

1. On the Protection Engines window, select the VM Direct Engine that you want to disable from the table in the VM Direct Engines pane.

2. In the far right of the VM Direct Engines pane, click the three vertical dots.

3. From the menu, select Disable.

Note: A disabled VM Direct Engine is not used for any new protection activities, and is not automatically upgraded during a PowerProtect Data Manager upgrade.

Delete a VM Direct Engine

When you disable a VM Direct Engine, the Delete button is enabled. If you no longer require the VM Direct Engine, perform the following steps to delete the engine:

1. Select the VM Direct Engine that you want to remove from the table in the VM Direct Engines pane.

2. In the far right of the VM Direct Engines pane, click the three vertical dots.

3. From the menu, select Disable.

4. Click Delete.

Enable a disabled VM Direct Engine

When you want to make a disabled VM Direct Engine available again for running new protection activities, perform the following steps to re-enable the VM Direct Engine.

1. Select the VM Direct Engine that you want to re-enable from the table in the VM Direct Engines pane.

2. In the far right of the VM Direct Engines pane, click the three vertical dots.

3. From the menu, select Enable.

Note: If a PowerProtect Data Manager version upgrade occurred while the VM Direct Engine was disabled, a manual redeployment of the VM Direct Engine is also required.

Redeploy a VM Direct Engine

If a PowerProtect Data Manager software update occurred while a VM Direct Engine was disabled, or an automatic upgrade of the VM Direct Engine did not occur due to network inaccessibility or an environment error, the Redeploy option enables you to manually update the VM Direct Engine to the version currently in use with the PowerProtect Data Manager software. Perform the following steps to manually redeploy the VM Direct Engine.

Managing Assets

PowerProtect Data Manager Administration and User Guide 95

1. Select the VM Direct Engine that you want to redeploy from the table in the VM Direct Engines pane.

2. In the far right of the VM Direct Engines pane, click the three vertical dots.

3. If the VM Direct Engine is not yet enabled, select Enable from the menu.

4. When the VM Direct Engine is enabled, select Redeploy from the menu.

The VM Direct Engine is redeployed with its previous configuration details.

Best practices for VM Direct Engines Observe the following best practices when using PowerProtect Data Manager with the VM Direct protection engine.

l Install VMware Tools on each virtual machine by using the vSphere Client. VMware Tools adds additional backup and recovery capabilities that quiesce certain processes on the guest operating system before backup.

l Use Hot Add transport mode for faster backups and restores and less exposure to network routing, firewall, and SSL certificate issues. To support Hot Add mode, deploy the VM Direct Engine on an ESXi host that has a path to the storage that holds the target virtual disks for backup.

Note: Hot Add mode requires VMware hardware version 7 or later. Ensure all virtual machines that you want to back up are using Virtual Machine hardware version 7 or later.

For sites that contain many virtual machines that do not support Hot Add requirements, Network Block Device (NBD) transport mode is used. This mode can cause congestion on the ESXi host management network. Plan your backup network carefully for large-scale NBD installs. You may consider configuring one of the following options:

n Set up Management network redundancy.

n Set up backup network to ESXi for NBD.

n Set up storage heartbeats. http://www.vmware.com/files/pdf/techpaper/vmw-vsphere- high-availability.pdf provides more information.

l If you have vFlash-enabled disks and are using hotadd transport mode, ensure that you configure the vFlash resource for the VM Direct host with sufficient resources (greater than or equal to the virtual machine resources), or migrate the VM Direct Engine to a host with vFlash already configured. Otherwise, backup of any vFlash-enabled disks fails with the error VDDK Error: 13: You do not have access rights to this file and the error on the vCenter server The available virtual flash resource '0' MB ('0' bytes) is not sufficient for the requested operation.

l Avoid deploying VMs with IDE virtual disks; using IDE virtual disks degrades backup performance. Use SCSI virtual disks instead whenever possible.

Note: You cannot use Hot Add mode with IDE Virtual disks. Backup of IDE Virtual disks is performed using NBD mode.

l During policy configuration, assign virtual machines to a protection group based on logical grouping to allow for better scheduling of backups. Grouping helps avoid resource contention and creates more organized logs for review.

l When configuring or unconfiguring many virtual machines (300 or more) in a protection policy, an error message might display indicating that the request is too large. You can click OK and proceed, but system performance will be impacted due to the size of the request. As a best practice, it is recommended to use dynamic filters to automatically determine which assets are assigned to protection policies when the assets are discovered.

l When planning your protection policies, ensure that PowerProtect Data Manager supports the disk types that you use in the environment. PowerProtect Data Manager does not support the following disk types:

Managing Assets

96 PowerProtect Data Manager Administration and User Guide

n First Class Disks

n Independent (persistent and nonpersistent)

n RDM Independent - Virtual Compatibility Mode

n RDM Physical Compatibility Mode

l The VM Direct Engine uses Changed Block Tracking (CBT) by default. If CBT is disabled on the virtual machine, then it enables CBT automatically. If you add a disk to the virtual machine after the first full backup, the next policy run automatically performs a full backup for the newly added disk and an incremental backup for the existing disk.

l When backing up thin-provisioned Virtual Machines or disks for Virtual Machines on NFS datastores, an NFS datastore recovery does not preserve thin provisioning. VMware knowledge base article 2137818 at http://kb.vmware.com/kb/2137818 provides more information.

l Virtual Machines with very high I/O might stall during consolidation due to the ESXi forced operation called synchronous consolidate. Plan your backups of such Virtual Machines according to the amount of workload on the Virtual Machine.

Software and hardware requirements The following table lists the required components for PowerProtect Data Manager and the VM Direct protection engine.

Table 20 PowerProtect Data Manager and VM Direct Engine requirements

Component Requirements

PowerProtect Data Manager with the VM Direct Engine

Version 19.4 or later

vCenter Server l vSphere and ESXi versions 6.0, 6.5, 6.7, 7.0. Note: Version 6.5 and later is required to perform Microsoft SQL Server application-aware protection.

Refer to VMware documentation on physical host requirements for the ESXi hosts:

l ESXi 6.5 and later minimum requirements

l ESXi 6.0 hardware requirements

VMware Tools Version 10 or later. Note: Version 10.1 and later is required to perform Microsoft SQL Server application-aware protection.

PowerProtect DD systems

l A minimum of one configured DD Boost device is required. All models of DD systems are supported.

l DD operating system (DD OS) version 6.1 or later and the DD Management Console (DDMC).

l Make note of the hosts writing backups to your DD systems.

Web browser The latest version of the Google Chrome browser to access the PowerProtect Data Manager UI.

Managing Assets

PowerProtect Data Manager Administration and User Guide 97

PowerProtect Data Manager resource requirements in a VMware environment Learn the minimum system requirements for PowerProtect Data Manager in a VMware environment (ESXi server).

l 10 CPU cores

l 18 GB of RAM for PowerProtect Data Manager

l Seven disks with the following capacities:

n Disk 1100 GB

n Disk 2500 GB

n Disks 3 and 410 GB each

n Disks 5 through 75 GB each

l One 1-GB NIC

Note: If you plan to use Cloud DR, your system must also meet the following requirements:

l CPU requirement = 14

Memory requirement = 22

Configuration checklist for common issues The following configuration checklist provides best practices and troubleshooting tips that might help resolve some common issues.

Basic configuration

Review the following basic configuration requirements:

l Synchronize system time between vCenter and ESX/ESXi/vSphere.

l Assign IPs carefully do not reuse any IP addresses.

l Use Fully Qualified Domain Names (FQDNs) where possible.

l For any network related issue, confirm that forward and reverse DNS lookups work for each host in the datazone.

Virtual machine configuration

Review the following virtual machine configuration requirements:

l Ensure that the virtual machine has access to and name resolution for the DD system.

l Ensure that the virtual machine firewall has port rules for the DD system.

l For application-aware backups, ensure that Microsoft SQL Server instances are enabled for data protection using a SYSTEM account, as described in the section "Microsoft application agent for SQL Server application-aware protection" of the PowerProtect Data Manager for Microsoft Application Agent SQL Server User Guide.

VM Direct Engine performance and scalability The VM Direct Engine performance and scalability of depends on several factors, including the number of vCenter Servers and proxies and the number of concurrent virtual machine backups. The following table provides information on these scalability factors and maximum recommendations, in addition to concurrence recommendations for sessions created from backups using the VM Direct Engine.

The count of sessions is driven by the number of proxies, and backups running through this server.

Managing Assets

98 PowerProtect Data Manager Administration and User Guide

Table 21 Performance and scalability factors

Component Maximum limit

Recommended count

Notes

Number of concurrent NBD backups per ESXi Server

50 (10G network)

VMware uses Network File Copy (NFC) protocol to read VMDK using NBD transport mode. You need one VMware NFC connection for each VMDK file being backed up. The VMware Documentation provides more information on vCenter NFC session connection limits.

Concurrent VMDK backups per vCenter Server

100 Can be achieved with a combination of the number of proxies multiplied by the number of configured Hot Add sessions per VM Direct Engine.

Number of proxies per vCenter Server

25 4 A limit of 25 concurrent backup and recovery sessions.

Number of files/ directories per file level recovery

200,000 File-level recovery is recommended for quickly recovering a small set of files. Image-level or VMDK-level recoveries are optimized and recommended for recovering a large set of files/ folders.

Table 22 Proxy session limits by proxy type

Component Total number of sessions (backup and recovery) maximum

Notes

Added (External) VM Direct Engine 25

Embedded VM Direct Engine (the proxy pre-bundled with the PowerProtect Data Manager software)

4 The embedded proxy is only used as a fallback when all other proxies are disabled or in Failed state.

Increasing the number of instant access sessions PowerProtect Data Manager supports up to 32 concurrent instant access sessions at the storage level.

You can be increase the number of sessions by adding an external VM Direct appliance and modifying a configuration file to override the automatically deployed proxy's maximum sessions value. Note that sessions created in excess of the maximum concurrent sessions supported will be queued for 24 hours before timing out. To increase the number of concurrent sessions manually to match the capability of the underlying cluster, perform the following steps.

1. Create a file named vmdm_recovery.properties in the /usr/local/brs/lib/vmdm/ config/ directory.

2. Add the parameter value to override the default value. For example: vmdm.recovery.queue.ia_session_allowance=32

3. Run vmdm stop and then vmdm start to restart the vmdm service.

Managing Assets

PowerProtect Data Manager Administration and User Guide 99

Enabling or disabling Changed Block Tracking The VM Direct Engine uses changed block tracking (CBT) automatically upon the first virtual machine backup so that only changed disk areas on the virtual machine are backed up. Some virtual machines, however, do not support CBT and you may be required to disable CBT for those virtual machines.

A vCenter administrator can control the application of CBT by using the custom field EMC vProxy Disable CBT in the vSphere Client. You can set this custom field to true to disable CBT, or false to enable CBT. If you do not set this field for a virtual machine, or the field is not present, CBT is enabled by default for that virtual machine.

To set CBT for virtual machines, perform the following:

1. Log into the vSphere Client (vSphere versions 6 and earlier) or vSphere Web Client (vSphere versions 6.5 and later) as an administrator.

2. Select a virtual machine in the vCenter tree, and then click the Summary tab.

3. Edit the virtual machine attributes:

l In vSphere versions 6.x and earlier, click Edit in the Annotation box.

l In vSphere versions 6.5 and later, click Edit under Custom Attributes.

4. Locate the EMC vProxy Disable CBT field, or create a string for EMC vProxy Disable CBT. The string must match the field name exactly and is case-sensitive.

5. Set the value to true to disable CBT on the virtual machine, or to false (or leave the field blank) to enable CBT on the virtual machine. Setting or resetting the field for one virtual machine does not affect the other virtual machines in the vCenter.

Fixing CBT if corrupted on virtual machine

If CBT becomes corrupted on the virtual machine, warnings similar to the following appear in the backup logs:

WARN: Change block tracking needs to be reset. WARN: Change Block Tracking could not be reset, causing full backup: Second attempt failed. NOTICE: Change block tracking cannot be reset by proxy. Please remediate VM.

If these messages appear, you can use PowerCLI commands to disable and then enable CBT without powering off the virtual machines as described in the VMware knowledgebase article at https://kb.vmware.com/selfservice/search.do? cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=1031873, or perform the following steps to clean up CBT:

1. Power down the virtual machine.

2. Remove CBT flags.

3. Delete CTK files from the datastore.

4. Power ON the virtual machine.

Configure a backup to support vSAN datastores Backup and recovery functionality is supported for vSAN virtual machines.

About this task

When performing backups or restores of virtual machines residing on vSAN datastores, it is highly recommended to deploy the VM Direct appliance on a vSAN datastore. A VM Direct appliance

Managing Assets

100 PowerProtect Data Manager Administration and User Guide

deployed on any one vSAN datastore can be used for backing up virtual machines from other vSAN or non-vSAN datastores by using Hot Add or nbdssl transport modes, as applicable.

Disable SSL certification on the vCenter Server If the vCenter's SSL certificate cannot be trusted automatically, a dialog box appears when adding the vCenter Server as an asset source in the PowerProtect Data Manager UI, requesting certificate approval. It is highly recommended that you do not disable certificate enforcement.

If disabling of the SSL certificate is required, you can perform the following procedure.

WARNING These steps should only be performed if you are very familiar with certificate handling and the issues that can arise from disabling a certificate.

1. Create the following files (and file contents) in the /home/admin directory on the VM Direct appliance: A file named cbs_vmware_connection.properties with the line cbs.vmware_connection.ignore_vcenter_certificate=true A file named vmdm_vmware_connection.properties with the line vmdm.vmware_connection.ignore_vcenter_cert=true A file named .vmdm_discovery.properties with the line vmdm.discovery.ignore_vcenter_cert=true

Note: Note the period at the start of this file.

2. Run cbs stop to stop the cbs service, and then cbs start to restart the service.

3. Run vmdm stop to stop the vmdm service, and then vmdm start to restart the service.

4. Perform a test to determine if SSL certificate disabling was successful by adding a vCenter Server using the vCenter's IP address (if the SSL certificate uses FQDN), and then verify that the asset source was added and virtual machine discovery was successful.

Troubleshooting virtual machine backup issues This section provides information about issues related to virtual machine backup operations with the VM Direct protection engine.

VM Direct Engine limitations and unsupported features Review the following limitations and unsupported features related to the VM Direct Engine.

VMware limitations by vSphere version

VMware limitations for vSphere 6.0 and later versions are available at https:// configmax.vmware.com/home. For vSphere 5.5, go to https://www.vmware.com/pdf/ vsphere5/r55/vsphere-55-configuration-maximums.pdf.

VM Direct Engine configuration settings cannot be modified after adding the VM Direct Engine

After adding a VM Direct Engine, the only field you can modify is the Transport Mode. Any other configuration changes require you to delete and then re-add the VM Direct Engine. Additional VM Direct actions on page 95 provides more information.

Limitations to SQL Server application consistent data protection

Review the SQL Server application-consistent protection support limitations in the section "Microsoft application agent for SQL Server application-aware protection" of the PowerProtect Data Manager for Microsoft Application Agent SQL Server User Guide.

Managing Assets

PowerProtect Data Manager Administration and User Guide 101

Network configuration settings are not restored with virtual machine after recovery of a vApp backup

Network configuration settings are not backed up with the virtual machine as part of a vApp backup. As a result, when you restore a vApp backup, you must manually reconfigure the network settings.

VM Direct Engine configured with dual stack is not supported

The VM Direct Engine does not support dual stack (IPv4 and IPv6) addressing. If you want to run backups and restores using the VM Direct Engine, use IPv4 only addressing.

Virtual machine alert "VM MAC conflict" may appear after successful recovery of virtual machine

After performing a successful recovery of a virtual machine through vCenter version 6, an alert may appear indicating a "VM MAC conflict" for the recovered virtual machine, even though the new virtual machine will have a different and unique MAC address. You must manually acknowledge the alert or clear the alert after resolving the MAC address conflict. Note that this alert can be triggered even when the MAC address conflict is resolved.

The VMware release notes at http://pubs.vmware.com/Release_Notes/en/vsphere/60/ vsphere-vcenter-server-60u2-release-notes.html provide more information.

Protection fails for virtual machine name containing { or }

A PowerProtect Data Manager virtual machine protection policy fails to back up virtual machines that contain the special characters { or } in the name. This limitation exists with vSphere versions previous to 6.7. If you do not have vSphere 6.7 or later installed, avoid using these two characters in virtual machine names.

Datastore names cannot contain special characters

Using special characters in datastore names can cause problems with the VM Direct Engine, such as failed backups and restores. Special characters include the following: % & * $ # @ ! \ / : * ? " < > | ;, and so on.

Hot Add backups fail when datacenter names contain special characters

Virtual machine backups fail when the datacenter name contains special characters and the transport mode specified for VM Direct backups is Hot Add only. Avoid using special characters in the datacenter name, for example, "Datacenter_#2@3", or specify Hotadd with fallback to Network Block Device for the transport mode.

Hot Add backups fail when virtual machine protection policy configured with Virtual Flash Read Cache value

When using Hot Add transport mode for a virtual machine protection policy, the backup fails with the following error if configured with the Virtual Flash Read Cache (vFRC) value:

"Backup has FAILED. Failed to backup virtual disk \"Hard disk \". Failed to initialize Block Reader. Failed to open source VMDK \ / \": VDDK Error: 13: You do not have access rights to this file. (500)".

Backups fail for resource pools recreated with the same name as deleted pool

When you delete a resource pool in vCenter and then recreate a resource pool with the same name, backups fail. Re-configure the protection group with the newly created resource pool.

DD Boost over fibre channel not supported

PowerProtect Data Manager does not support DD Boost over fibre channel (DFC).

Managing Assets

102 PowerProtect Data Manager Administration and User Guide

SAN transport mode not supported

PowerProtect Data Manager supports only the Hot Add and NBD transport modes. The Hot Add mode is the default transport mode. For a protection policy, you can specify to use only Hot Add mode, only NBD mode, or Hot Add mode with fallback to NBD of Hot Add is not available.

Specify NBD for datastores if VM Direct should use NBD mode only

For a VM Direct Engine that will only use NBD transport mode, you must also specify the datastores for which you want the proxy to perform only NBD backups to ensure that any backups of virtual machines running on these datastores are always performed using NBD mode. This also ensures that the same NBD-only proxies are never used for backups of virtual machines residing on any other datastores.

Backup of individual folders within a virtual machine is not supported

PowerProtect Data Manager only supports image-level backup and disk-level backup. You cannot perform backups of individual folders within the virtual machine.

I/O contention when all Virtual Machines on a single data store

I/O contention may occur during snapshot creation and backup read operations when all Virtual Machines reside on a single datastore.

VMware snapshot for backup is not supported for independent disks

When using independent disks you cannot perform VMware snapshot for backup.

Deleting vCenter asset sources or moving ESXi to another vCenter When you delete a vCenter Server asset source from PowerProtect Data Manager without removing any vProxy/Search Nodes that the vCenter is hosting, the Nodes will become non- operational and move into Failed status upon the next health check. As a result, PowerProtect Data Manager upgrades will fail. This issue also occurs when you move the ESXi hosting the vProxy/Search Nodes from one vCenter to another vCenter.

To correct this issue, you can perform one of the following actions:

l Manually delete the vProxy/Search Nodes. The section Delete vProxy/Search Nodes when vCenter Server asset source is no longer required on page 103 provides the required steps.

l Return the vProxy/Search Nodes to an Operational/Ready state using the vproxymgmt and infranodemgmt tools. Choose this action if you want to add the vCenter again, or you want to add the vCenter that the ESXi has been moved to. The section Return vProxy/Search Nodes to operational state when re-adding vCenter on page 104 provides the required steps.

Delete vProxy/Search Nodes when vCenter Server asset source is no longer required

Perform the following procedure when you delete a vCenter server as an asset source in PowerProtect Data Manager and you will not be re-adding the vCenter:

About this task

Note: Manual cleanup of the virtual machine for the vProxy/Search Node has to be performed from the vCenter Server.

Procedure

1. Run the following command to source the environment file.

source /opt/emc/vmdirect/unit/vmdirect.env 2. For vProxy removal:

Managing Assets

PowerProtect Data Manager Administration and User Guide 103

a. Obtain the list of vProxies that require removal by running /opt/emc/vmdirect/bin/ vproxymgmt get

b. Make note of the ID of any vProxy that needs to be deleted.

c. Use the vproxymgmt tool to delete vProxies by running /opt/emc/vmdirect/bin/ vproxymgmt delete -vproxy_id ProxyID

3. For Search Node removal:

a. Obtain the list of Search Nodes that require removal by running /opt/emc/ vmdirect/bin/infranodemgmt get

b. Make note of the ID of any Search Node that needs to be deleted.

c. Use the infranodemgmt tool to delete Search Nodes by running /opt/emc/ vmdirect/bin/infranodemgmt delete -node_id NodeID

4. In the PowerProtect Data Manager UI, ensure that any sessions have been removed for both the vProxy/Search Node.

Return vProxy/Search Nodes to operational state when re-adding vCenter

When you want to re-add a vCenter that you deleted from PowerProtect Data Manager, or you want to add a vCenter that an ESXi has been moved to, perform the following procedure in order to return the vProxy/Search Nodes to an Operational/Ready state.

Procedure

1. Re-add the deleted vCenter as an asset source in the PowerProtect Data Manager UI, or note the name of the new vCenter where the ESXi has been moved.

2. Run the following command to source the environment file.

source /opt/emc/vmdirect/unit/vmdirect.env 3. For vProxy updates:

a. Obtain the list of vProxies that require updating by running /opt/emc/ vmdirect/bin/vproxymgmt get

b. Make note of the ID of any vProxy that needs to be updated.

c. Use the vproxymgmt tool to update the vCenter name by running /opt/emc/ vmdirect/bin/vproxymgmt modify -vcenter_hostname vCenter-FQDN -vproxy_id ProxyID

4. For Search Node updates:

a. Obtain the list of Search Nodes that require updating by running /opt/emc/ vmdirect/bin/infranodemgmt get

b. Make note of the ID of any Search Node that needs to be updated.

c. Use the infranodemgmt tool to update the vCenter name by running /opt/emc/ vmdirect/bin/infranodemgmt modify -vcenter_hostname vCenter-FQDN - node_id NodeID

5. In the PowerProtect Data Manager UI, ensure that any sessions for the vProxy/Search Node and Cluster have changed to Operational/Ready state.

Managing command execution for VM Direct Agent operations on Linux The VM Direct Agent automatically creates a PAM service file named vproxyra in the /etc/ pam.d system directory, if the file does not already exist.

This file, which enables you to manage command execution through the VM Direct Agent, is modeled on the corresponding vmtoolsd file. The settings in this file permit command execution

Managing Assets

104 PowerProtect Data Manager Administration and User Guide

by any user who is able to perform VM Direct operations on the guest virtual machine. A system administrator can further modify this file to specify which users can perform VM Direct Agent operations, for example, file-level restore and SQL application-aware protection. For more information on the configuration of PAM service files, see the system documentation for your specific guest virtual machine operating system.

SQL Server application-consistent backups fail with error "Unable to find VSS metadata files in directory"

SQL Server application-consistent virtual machine backups might fail with the following error when the disk.EnableUUID variable for the virtual machine is set to False.

Unable to find VSS metadata files in directory C:\Program Files\DPSAPPS \MSVMAPPAGENT\tmp\VSSMetadata.xxxx. To resolve this issue, ensure that the disk.EnableUUID variable for the virtual machines included in an SQL Server application-consistent backup is set to True.

SQL Server application-aware backup displays an error about disk.EnableUUID variable

Issue

A SQL Server application-aware virtual machine backup succeeds but displays the following error when the disk.EnableUUID variable for the virtual machine is set to TRUE:

VM ' ' configuration parameter 'disk.EnableUUID' cannot be evaluated. Map item 'disk.EnableUUID' not found. (1071) Workaround

After you set the disk.EnableUUID variable to TRUE, reboot the virtual machine.

Failed to lock Virtual Machine for backup: Another EMC VM Direct operation 'Backup' is active on VM

This error message appears when a backup fails for a virtual machine or when a previous backup of the virtual machine was abruptly ended and the VM annotation string was not cleared.

To resolve this issue, clear the annotation string value for the virtual machine.

1. Connect to the vCenter server and navigate Home > Inventory > Hosts and Clusters.

2. Select the virtual machine, and then select the Summary tab.

3. Clear the value that appears in the EMC Proxy Session field.

vMotion operations are not allowed during active backup operations The vSphere vMotion feature enables the live migration of running virtual machines from one physical server to another. You cannot run vMotion operations on the VM Direct appliance or VMware Backup appliance during active backup operations. This is expected behavior. Wait until all backup operations have completed prior to performing a vMotion operation.

Backup fails when names include special characters When spaces or special characters are included in the virtual machine name, datastore, folder, or datacenter names, the .vmx file is not included in the backup.

The VM Direct appliance does not back up objects that include the following special characters (format: character/escape sequence):

l & %26

Managing Assets

PowerProtect Data Manager Administration and User Guide 105

l + %2B

l / %2F

l = %3D

l ? %3F

l % %25

l \ %5C

l ~ %7E

l ] %5D

Lock placed on virtual machine during backup and recovery operations continues for 24 hours if VM Direct appliance fails

During VM Direct backup and recovery operations, a lock is placed on the virtual machine. If a VM Direct appliance failure occurs during one of these sessions, the lock is extended to a period of 24 hours, during which full backups and transaction log backups will fail with the following error until the lock is manually released: Cannot lock VM 'W2K8R2-SQL-2014' (vm-522): Another EMC vProxy operation 'Backup' is active on VM vm-522.

Workaround

To manually release the lock on the virtual machine:

1. Open the vSphere Web Client.

2. Select the virtual machine and select Summary.

3. Select Custom attribute and click Edit.

4. Remove the attribute EMC VM Direct Session.

Trailing spaces not supported in SQL database names

Due to a VSS limitation, you cannot use trailing spaces within the names of SQL databases protected by an application-consistent data protection policy.

SQL databases skipped during virtual machine transaction log backup When an advanced application-consistent policy is enabled with transaction log backup, the msvmagent_appbackup.exe program evaluates databases to determine if transaction log backup is appropriate.

If transaction log backup is not appropriate for a database, the database will automatically be skipped. Databases are skipped for the following reasons:

Table 23 SQL Skipped Database Cases and Descriptions

Case Description

Database has been restored

When a database has been restored, this database will be skipped during transaction log backup because there is no Backup Promotion.

System Database

System databases are automatically skipped for transaction log backup.

Database State Database is not in a state that allows backup. For example, the database is in the NORECOVERY state.

Managing Assets

106 PowerProtect Data Manager Administration and User Guide

Table 23 SQL Skipped Database Cases and Descriptions (continued)

Case Description

Recovery Model

Database is in SIMPLE recovery model, which does not support transaction log backup

Other Backup Product

Most recent backup for the database was performed by a different backup product.

New Database Database was created after most recent full backup.

Backup Failure Database was in state to allow backup, backup was attempted, but backup failed.

All skipped databases will be backed up as part of the next full backup. Also, a skipped database will not result in msvmagent_appbackup.exe failure. The only instance in which msvmagent_appbackup.exe would potentially fail is if all databases failed to back up.

The msvmagent_appbackup.exe program generates a history report of the databases, if the database backup status was success/skipped/failed, and a reason if they were skipped or failed if applicable. This history report is visible in the action logs for the VM Direct Engine, which are available as part of the appbackup logs.

Note: For SQL virtual machine application-consistent data protection, the SQL and operating system versions follow the NMM support matrix available at http:// compatibilityguide.emc.com:8080/CompGuideApp/.

Accessing Knowledge Base Articles

Additional troubleshooting information is available through the Featured VMware Documentation Sets website at https://www.vmware.com/support/pubs/. Select Support > Search Knowledge Base.

Discover a File System Host Perform the following steps to discover a File System Host as an asset source in the PowerProtect Data Manager UI.

Procedure

1. Select Infrastructure > Asset Sources.

The Asset Sources window appears.

2. Select the App/File System Host tab.

3. Select the file system host and click Discover.

The Discover dialog appears with an option to set the discovery schedule.

4. From the Discovery Schedule list, select the time of day to initiate the discovery, or select Manual to disable scheduled discovery. You can also select the Discover Now checkbox to perform the discovery upon completion of this procedure.

Note: From the App/File System Host tab, you can click Discover at any time if any additions or other changes to your Asset Sources have taken place outside of the PowerProtect Data Manager environment. Asset discovery is also initiated by default after registration of the host to PowerProtect Data Manager and at hourly intervals. Discovery time is based on networking bandwidth. Note that each time you initiate a

Managing Assets

PowerProtect Data Manager Administration and User Guide 107

discovery process, the resources that are discovered and those that are handling the discovery impact system performance.

5. Click Save.

Results

When the File System is configured correctly, it can be added to a PowerProtect Data Manager protection policy.

Discover a Storage Direct agent host By default, discovery of the Storage Direct agent host occurs automatically upon approval of the agent in the PowerProtect Data Manager UI. If the Storage Direct agent storage group assets have not yet been discovered, or if you added a storage group after approving the Storage Direct agent, perform the following steps to initiate a manual discovery of the Storage Direct agent host.

Procedure

1. Select Infrastructure > Asset Sources.

The Asset Sources window appears.

2. Select the App/File System Host tab.

Available agents display in the table with their host name. If an agent has not yet been successfully discovered, the Discovery Status displays as Failed or Unknown.

3. Select the Storage Direct agent host and click Discover.

The Discover dialog appears with an option to set the discovery schedule.

4. From the Discovery Schedule list, select the time of day to initiate the discovery, or select Manual to disable scheduled discovery. You can also select the Discover Now checkbox to perform the discovery upon completion of this procedure.

Note: From the App/File System Host tab, you can click Discover at any time if any additions or other changes to your Asset Sources have taken place outside of the PowerProtect Data Manager environment. Asset discovery is also initiated by default after registration of the host to PowerProtect Data Manager and at hourly intervals. Discovery time is based on networking bandwidth. Note that each time that you initiate a discovery process, the resources that are discovered and those that are handling the discovery impact system performance.

5. Click Save.

Results

If the Storage Direct agent is properly configured, the storage group assets can now be added to a PowerProtect Data Manager Storage Group protection policy.

Add and discover the SMIS server for the Storage Direct agent

In order to enable protection of data with the Storage Direct agent in PowerProtect Data Manager, the addition of an SMIS server is required. The SMIS server facilitates the discovery of LUNs for the storage groups configured in the VMAX. Perform the following steps to discover the SMIS server as an asset source in the PowerProtect Data Manager UI.

Managing Assets

108 PowerProtect Data Manager Administration and User Guide

Procedure

1. Select Infrastructure > Asset Sources.

The Asset Sources window appears.

2. Select the SMIS server tab.

3. Click Add.

The Add SMIS Server dialog box appears.

4. Provide the name, IP address, and port number of the SMIS server.

5. Under Host Credentials, choose an existing entry from the list to use for the SMIS server user credentials, or click Add from this list to add new credentials.

6. Click Verify to check that the trusted certificate is valid for the specified host.

7. Click Save.

An entry appears for SMIS in the table on the Asset Sources window. Note: A message does not appear if credential verification for this host was unsuccessful. If the credentials are invalid, the status of the SMIS server entry in the SMIS Server tab of the Infrastructure > Asset Sources window will indicate Failed.

8. Select the checkbox next to the entry and click Discover to initiate discovery of the assets, or storage groups, in the VMAX.

Note: Asset discovery is also initiated by default after registration of the host to PowerProtect Data Manager, and at daily intervals. Discovery time is based on networking bandwidth. Note that each time that you initiate a discovery process, the resources that are discovered and those that are handling the discovery impact system performance.

When the discovery completes successfully, the Discovery Status column updates to OK.

After you finish

PowerProtect Data Manager initiates the automatic discovery of the assets (storage groups) within the VMAX. To verify the discovery of storage groups, go to the Infrastructure > Assets window and select the VMAX Storage Groups tab. Upon host registration with the PowerProtect Data Manager server, all of the assets for the host (both those currently protected and unprotected) display in the Assets window along with the host name.

Note: Ensure that you run a Discover of the SMIS server each time that you add a LUN to a storage group.

Adding a Kubernetes cluster asset source Adding a Kubernetes cluster as an asset source in PowerProtect Data Manager enables you to protect namespaces and Persistent Volume Claims (PVCs) within the cluster. You can use the Asset Sources window in the PowerProtect Data Manager UI to add a Kubernetes cluster asset source to the PowerProtect Data Manager environment.

Docker Hub images required for successful Kubernetes cluster discovery After discovery of the Kubernetes cluster asset source, PowerProtect Data Manager deploys the following images on the Kubernetes cluster:

l dellemc/powerprotect-k8s-controller l dellemc/powerprotect-cproxy, which is pulled during the first backup

Managing Assets

PowerProtect Data Manager Administration and User Guide 109

l dellemc/powerprotect-velero-dd l velero/velero By default, these images are pulled from Docker Hub at https://hub.docker.com/. However, if a Kubernetes cluster cannot access Docker Hub due to firewall or other restrictions, you can pull images to a local registry that the cluster can access. Ensure that you keep the image names and version tags the same in the local registry as they appear in Docker Hub.

After pulling the images to a local registry, perform the following steps to configure PowerProtect Data Manager to use the local registry when creating deployment resources:

1. Create an application.properties file /usr/local/brs/lib/cndm/config/ application.properties on the PowerProtect Data Manager appliance with the following contents:

l k8s.docker.registry=registry fqdn:port. For example, artifacts.example.com:8446

l k8s.image.pullsecrets=secret resource name. Specify this entry only if you require an image pull secret.

2. Run cndm restart to apply the properties.

You can now add the Kubernetes asset source in the PowerProtect Data Manager UI. If you already added the Kubernetes cluster as an asset source, perform these steps and then initiate a manual discovery of the Kubernetes cluster asset source to update the cluster. The configmap and deployment resources in the powerprotect namespace, and the deployment resource in the velero-ppdm namespace, automatically update to use the new images upon successful discovery.

Add a Kubernetes cluster You can use the PowerProtect Data Manager UI to add a Kubernetes cluster as an asset source. When added, PowerProtect Data Manager automatically deploys resources on the cluster that enable the backup and recovery of namespaces.

Before you begin

l You must have Administrator privileges.

l If your environment has firewall or other restrictions that might prevent pulling of the required images from Docker Hub, review the procedure in the section Docker Hub images required for successful Kubernetes cluster discovery on page 109.

About this task

Note: Discovery of a Kubernetes cluster discovers namespaces that contain volumes from both container storage interface (CSI) and non-CSI based storage. However, backup and recovery are supported only from CSI-based storage. Also, only Persistent Volumes with the VolumeMode Filesystem are supported.

Procedure

1. Select Infrastructure > Asset Sources.

2. In the Asset Sources window, select the Kubernetes cluster tab.

3. Click Add.

4. In the Add Kubernetes cluster dialog box, specify the source attributes:

a. Namethe cluster name

b. Addressthe fully qualified domain name (FQDN) or the IP address.

Managing Assets

110 PowerProtect Data Manager Administration and User Guide

Note: It is recommended that you use the FQDN instead of the IP address.

c. Port specify the port to use for communication when not using the default port, 443.

Note: The use of any port other than 443 or 6443 requires you to open the port on PowerProtect Data Manager first to enable outgoing communication. The procedure that is described in Recommendations and considerations when using a Kubernetes cluster on page 112 provides more information.

5. Under Host Credentials, click Add to add the service account token for the Kubernetes cluster, and then click Save.

The service account must have the following privileges:

l Get/Create/Update/List CustomResourceDefinitions l Get/Create/Update ClusterRoleBinding for 'cluster-admin' role l Create/Update 'powerprotect' namespace l Get/List/Create/Update/Delete all kinds of resources inside

'powerprotect' namespace l Get/List/Watch all namespaces in the cluster as well as PV, PVC and pods

in all these namespaces Note: The admin-user service account in the kube-system namespace contains all these privileges. You can provide the token of this account, or an existing similar service account. Alternatively, create a service account that is bound to a cluster role that contains these privileges, and then provide the token of this service account.

6. Click Verify to review the certificate and token information, and then click Accept.

Upon successful validation, the status for the new credentials updates to indicate Accepted.

7. Click Save.

The Kubernetes cluster information that you entered now appears as an entry on the Asset Sources window, with a Discovery status of Unknown.

Note: Although PowerProtect Data Manager automatically synchronizes with the Kubernetes cluster to perform the initial discovery under most circumstances, certain conditions might require you to initiate a manual discovery.

8. (Optional) If you want to initiate a manual discovery, select the Kubernetes cluster, and then click Discover.

Incremental discovery for a Kubernetes cluster in PowerProtect Data Manager is not supported. You can perform an on-demand (ad hoc) discovery at any time or set a scheduled discovery to update with changes in the Kubernetes cluster.

Note: Discovery time is based on networking bandwidth. The resources that are involved in the discovery process impact performance each time you initiate a discovery. It might appear that PowerProtect Data Manager is not updating the Asset Sources data while the discovery is in progress.

9. Verify that the Discovery Status column indicates OK, and then go to the Assets window.

Results

The namespaces in the Kubernetes cluster appear in the Kubernetes tab of the Assets window. To view more details, click the magnifying glass icon next to an entry. Also, if a namespace has

Managing Assets

PowerProtect Data Manager Administration and User Guide 111

associated PVCs that you want to exclude from a policy, you can click the link in the PVCs Exclusion column.

Note: If namespace assets are not discovered after adding a Kubernetes cluster asset source, ensure that the bearer token that is provided for the Kubernetes asset source belongs to a service account that has the privileges as specified in step 5.

After you finish

Create Kubernetes protection policies to back up namespaces and PVCs.

Recommendations and considerations when using a Kubernetes cluster Review the following information that is related to the deployment, configuration, and use of the Kubernetes cluster as an asset source in PowerProtect Data Manager:

NodePort service requires port 30095

PowerProtect Data Manager creates a NodePort service on the Kubernetes cluster to download logs from the powerprotect-k8s-controller pod. The NodePort is opened on port 30095. Ensure that this port is not blocked by any firewalls between the PowerProtect Data Manager appliance and the Kubernetes cluster.

Add line to custom-ports file when not using port 443 or 6443 for Kubernetes API server

If a Kubernetes API server listens on a port other than 443 or 6443, an update is required to the PowerProtect Data Manager firewall to allow outgoing communication on the port being used. Before you add the Kubernetes cluster as an asset source, perform the following steps to ensure that the port is open:

1. Log in to PowerProtect Data Manager, and change the user to root.

2. Add a line to the file /etc/sysconfig/scripts/custom-ports that includes the port number that you want to open.

3. Run the command service SuSEfirewall2 restart.

This procedure should be performed after a PowerProtect Data Manager upgrade, restart, or server disaster recovery.

Log locations for Kubernetes asset backup and restore operations and pod networking

All session logs for Kubernetes asset backup and restore operations are pulled into the /var/log/brs/cndm/k8s folder on the PowerProtect Data Manager host. If you cannot locate the logs in this location, ensure that the PowerProtect Data Manager NodePort service port 30095 is not blocked by firewall and is reachable from all of the Kubernetes worker and master nodes. If using Calico pod networking, ensure that the cluster CIDR block matches the Calico CIDR block.

PVC parallel backup and restore performance considerations

To throttle system performance, PowerProtect Data Manager supports only five parallel namespace backups and two parallel namespace restores per Kubernetes cluster. PVCs within a namespace are backed up sequentially, but restored in parallel.

You can queue up to 50 PVC backups across protection policies in PowerProtect Data Manager.

Overhead of PowerProtect Data Manager components on Kubernetes cluster

Memory and CPU overhead of PowerProtect Data Manager components is only apparent during the backup window, and is due to the invocation of backup data mover processes. For example, powerprotect-cproxy pods are launched and running only during the PVC backup and restore.

The impact of this overhead is less than the Kubernetes services (such as kubelet, kube- proxy, and dockerd) running in the cluster nodes.

Managing Assets

112 PowerProtect Data Manager Administration and User Guide

Only Persistent Volumes with VolumeMode Filesystem supported

Backup and recovery of Kubernetes cluster assets in PowerProtect Data Manager is only supported for Persistent Volumes with the VolumeMode Filesystem.

Pods in pending state due to missing PVC cause namespace backups to fail

If a Kubernetes namespace contains a pod that is in pending state because the pod references a PVC that is not present, the backup of that namespace will fail.

Workaround

To resolve this issue, perform one of the following:

l Create the missing PVC, or

l Delete the pod if it is no longer required.

Troubleshooting Velero or Controller pod failures

The PowerProtect Data Manager Velero or Controller pod might fail to start, for example, due to a deployment failure or a bad image URI. If one of these pods fails to start, an alert appears indicating that the pod is not running on the cluster.

Workaround

If the PowerProtect Data Manager Controller pod is not running, run the following command:

kubectl describe pod -n powerprotect If the PowerProtect Data Manager Velero pod is not running, run the following command:

kubectl describe pod -n velero-ppdm Errors or events in the command output enable you to determine why the failure occurred.

Removing PowerProtect Data Manager components from a Kubernetes cluster Review the following sections if you need to remove PowerProtect Data Manager components from the Kubernetes cluster:

Remove PowerProtect Data Manager components

Run the following commands to remove the PowerProtect Data Manager components:

l kubectl delete crd -l app.kubernetes.io/part-of=powerprotect.dell.com l kubectl delete clusterrolebinding powerprotect:cluster-role-binding l kubectl delete namespace powerprotect Remove Velero components

Run the following commands to remove the Velero components:

l kubectl delete crd -l component=velero l kubectl delete clusterrolebinding velero l kubectl delete namespace velero-ppdm Remove images from cluster nodes

Run the following commands to remove the Docker Hub images from the cluster nodes:

l On the worker nodes, run sudo docker image ls

Managing Assets

PowerProtect Data Manager Administration and User Guide 113

l To remove any images that return powerprotect-cproxy, powerprotect-k8s- controller, powerprotect-velero-dd, or velero, run sudo docker image remove IMAGEID

Managing Assets

114 PowerProtect Data Manager Administration and User Guide

CHAPTER 8

Managing Protection Policies

This section includes the following topics:

l Protection policies................................................................................................................116 l Before you create a protection policy................................................................................... 117 l Add a protection policy for a virtual machine........................................................................ 118 l Add a protection policy for File System protection.............................................................. 122 l Add a Self-service Protection Policy for Storage Direct...................................................... 130 l Add a Centralized Protection Policy for Storage Direct....................................................... 134 l Add a protection policy for Kubernetes namespace protection............................................ 138 l Add a Cloud Tier schedule to a protection policy.................................................................. 141 l Manual backups of protected assets.................................................................................... 142 l On-demand cloud tiering of protected assets...................................................................... 142 l Edit a protection policy........................................................................................................ 143 l Change the DD Boost storage unit password....................................................................... 144 l Removing expired backup copies......................................................................................... 145 l Export protection ................................................................................................................146 l Delete a protection policy.....................................................................................................147 l Add a Service Level Agreement............................................................................................147 l Export Asset Compliance..................................................................................................... 150 l Dynamic filters .....................................................................................................................151

PowerProtect Data Manager Administration and User Guide 115

Protection policies Protection policies define sets of objectives that apply to specific periods of time. These objectives drive configuration, active protection, and copy-data-management operations that satisfy the business requirements for the specified data. Each plan type has its own set of user objectives.

Users with the System Admin role can create protection policies.

You can create the following types of protection policies:

l VMware Virtual Machines

l SQL Databases

l Oracle Databases

l SAP HANA Databases

l File Systems

l Kubernetes clusters

l VMAX storage groups

PowerProtect DD protection considerations PowerProtect DD protection policies in PowerProtect Data Manager have certain restrictions and best practices.

Be aware of the following considerations:

l The Storage Units that were created in PowerProtect Data Manager must not be changed by the DD administrator to set up Storage Units replication.

l The Storage Units that were created in PowerProtect Data Manager must not be configured for cloud tiering.

l When you create a protection policy, PowerProtect Data Manager creates a DD Boost storage unit and assigns a DD Boost user to it. The following limitations apply to the number of supported PowerProtect Data Manager protection policies on the supported DD model to the number of active DD Storage Units.

Table 24 Supported PowerProtect Data Manager protection policies and Storage Units for DD OS versions

PowerProtect DD System

DD OS Version Storage Units Supported

Supported configurable concurrently active Storage Units /supported number of PowerProtect Data Manager protection policies

DD9800 6.0 and later 256 256

DD9500 5.7 and later 256 256

DD6800, DD9300 6.0 and later 128 128

DD6300 6.0 and later 100 32

DD990, DD4200, DD4500, DD7200

5.7 and later 128 128

All other DD systems 5.7 and later 100 Up to 32 based on the model

DD9500 5.6 100 64

Managing Protection Policies

116 PowerProtect Data Manager Administration and User Guide

Table 24 Supported PowerProtect Data Manager protection policies and Storage Units for DD OS versions (continued)

PowerProtect DD System

DD OS Version Storage Units Supported

Supported configurable concurrently active Storage Units /supported number of PowerProtect Data Manager protection policies

DD990, DD890 5.3 and later 100 Up to 32 based on the model

DD7200, DD4500, DD4200

5.4 and later 100 Up to 32 based on the model

All other DD systems 5.2 and later 100 Up to 14 based on the model

Table 25 Supported Storage Units in DDVE by TB

Number TBs in DDVE Maximum Number of Storage Units

Supported configurable concurrently active Storage Units / supported number of PowerProtect Data Manager protection policies

4 6

8

100 6

32 48

100 14

64 96

100 32

Before you create a protection policy Consider the following best practices before creating a protection policy.

l An asset can be protected by only one policy at a time. To move assets to a different protection policy, ensure that you remove the assets from the current policy before adding them to the new policy.

Note: If a SQL Server is hosted on a virtual machine, you can protect the SQL database with an application-consistent backup without interfering with the SQL agent-based backup.

l When creating a policy, limit the number of database assets within the policy to under 500 and stagger the start time of replication policies to avoid potential replication failures.

l Before adding replication to a protection policy, ensure that you add a remote DD system as the replication location. Add Protection Storage provides detailed instructions about adding a remote DD system.

Managing backup frequency

To avoid high CPU usage that can lead to failure issues, do not schedule backups more often than recommended in the following table:

Backup type Minimum frequency recommendation

Archive Log 30 minutes

Differential 6 hours

Managing Protection Policies

PowerProtect Data Manager Administration and User Guide 117

Backup type Minimum frequency recommendation

Incremental Cumulative 12 hours

Full Daily

Add a protection policy for a virtual machine A protection policy enables you to select a specific group of assets that you want to back up. Use the PowerProtect Data Manager UI to create a virtual machine protection policy.

Before you begin

It is recommended that you distribute virtual machine asset protection workloads over multiple ESXi hosts so that you do not exceed the ESXi NBD session limit. If the limit is reached, you can manage the workload by deploying an external VM Direct Engine on the host/cluster using Hot Add transport mode.

To create Application Aware protection policies for virtual machines, ensure that:

l You manually update the vmx configuration parameter disk.EnableUUID to True by using the vSphere Web Client.

l The vSphere version that you are running uses a supported version of VMware Tools. Software compatibility information for the PowerProtect Data Manager software is provided in the eLab Navigator, available at https://elabnavigator.emc.com/eln/modernHomeDataProtection.

l The virtual machine has direct access to the DD client.

l The virtual machine uses SCSI disks only, and the number of available SCSI slots matches at least the number of disks.

l The Windows account that is used for the protection policy is limited to the local system Administrator or the domain Administrator. This user requires both Microsoft Windows administrative rights and Microsoft SQL Server login and sysadmin rights.

l SQL configuration support is limited to Microsoft SQL Server stand-alone instances and a Microsoft SQL Server Always On availability group (AAG) configured with file share witness. Unsupported configurations include Microsoft SQL Server failover cluster instances that are configured with shared drives, and Microsoft SQL Server cluster-less AAG configurations.

l For Microsoft SQL Server AAG configurations, the database administrator specifies the AAG backup preferences for backup in the Microsoft SQL Server Management Studio (SSMS). These preferences control which AAG node is selected as the preferred node when you perform a transaction log backup of AAG databases.

Procedure

1. Select Protection > Protection Policies.

2. In the Protection Policies window, click Add.

The Add Policy wizard appears.

3. On the Type page, specify the following fields, and then click Next:

l NameType a descriptive name for the protection policy.

l DescriptionType a description for the policy.

l TypeSelect Virtual Machine, which includes protection for SQL application-aware virtual machines.

4. On the Purpose page, select from the following options to indicate the purpose of the new protection policy group, and then click Next:

Managing Protection Policies

118 PowerProtect Data Manager Administration and User Guide

l Crash ConsistentSelect this type for point-in-time backup of virtual machines. By default, quiescing is automatically performed for the guest file system on the virtual machine. Quiescing ensures that the data within the guest file system is in a state that is suitable for backups. If the file system cannot be quiesced on the first attempt, then the snapshot and backup are performed without quiescing.

VMware Tools is used to quiesce the file system in the guest operating system. The VMware documentation provides more information.

n Enable indexing for file search and restoreSelect this option to enable indexing.

n Disable guest file system quiescingSelect this option to perform crash consistent backups without quiescing.

l Application AwareFor virtual machines with a SQL application installed, select this type to quiesce the application to perform the SQL database and transaction log backup. When you select this type, you must provide Windows account credentials for the virtual machine. You can provide the credentials at the protection policy level and/or the virtual machine asset level. When you provide the credentials at both levels, the virtual machine asset credentials override the policy credentials.

l ExclusionSelect this type if there are virtual machine assets within the protection policy that you plan to exclude from data protection operations.

5. On the Assets page, select the unprotected assets that you want to back up as part of this protection policy.

Note: When you select a virtual machine asset, a dialog displays indicating that you can exclude virtual disks (VMDKs) from protection of this asset. To dismiss the dialog for other selections, select the check box and click OK.

If the virtual machines that you want to protect are not listed, do one of the following:

l Click Find More Assets to perform an updated asset discovery of the vCenter.

l Use the Search box to search by asset name.

l Select vCenter Hierarchy or All Virtual Machines from the filter on the right side of the window to display a different view.

Note: When you configure a virtual machine application-aware protection policy to protect a Microsoft SQL Server Always On availability group (AAG), you must add all the virtual machines for that AAG to the same policy, to ensure proper protection. Failure to do so might result in missed transaction log backups.

For the virtual machine application-aware case, the Assets page displays a warning about the AAG policy configuration requirement.

6. Optionally, if you want to exclude non-production VMDKs such as network shares or test disks from a protection policy:

a. Select the virtual machine asset from the list, and then click Manage Exclusions in the Disk Excluded column.

The Exclude Disks dialog box appears. By default, the slider next to each VMDK is set to Included.

b. For each disk that you want to exclude, move the slider to the right. The status updates to Excluded.

Note: For PowerProtect Data Manager version 19.3, a virtual machine with disk exclusion and Cloud Disaster Recovery (DR) cannot coexist in the same protection

Managing Protection Policies

PowerProtect Data Manager Administration and User Guide 119

policy. If you exclude disks from a virtual machine protection policy, Cloud DR is not supported.

c. Click Save. The Assets page updates to indicate the number of disks for that particular asset that will be excluded from the protection policy.

Note: If you remove an asset from a protection policy, any VMDKs that you set to Excluded for the asset are reset to Included.

7. Click Next.

8. On the Schedule page, click + Backup to create a schedule.

9. On the Add Primary Backup page, specify the backup schedule fields, and then click OK:

l RecurrenceSpecify how often backups occur.

l Create CopySpecify how often to create an incremental backup.

l Transaction Log EveryFor application-aware protection policies, specify the interval in minutes for log generation.

Note: For SQL Server AAG configurations, the database administrator can specify the AAG backup preferences for a transaction log backup in the Microsoft SQL Server Management Studio.

l Keep ForSpecify the retention period for the backup. Note: You can extend the retention period for specific backups. For example, you can keep the daily scheduled backups for 30 days, but keep the ones taken on Sundays for 90 days. To change the retention period for specific backup copies:

a. Select the checkbox next to the added schedule and click + Backup.

b. Complete the schedule details in the Add Promotion Backup dialog box, and then click OK.

For database backups, PowerProtect Data Manager chains the dependent backups together. For example, the incremental or transaction log backups are chained to their base full backup. The backups do not expire until the last backup in the chain expires. This ensures that all incremental and transaction log backups are recoverable until they have all expired.

l Start TimeSpecify the time of day to start initiating backups.

l End TimeSpecify the time of day to stop initiating backups. Note: Any backups started before the End Time occurs continue until completion.

l Create FullSelect this option if you want to periodically force a full (level 0) backup, and then specify how often to create these backups. When you select this option, the backup chain is reset.

The Schedule page updates with the added backup schedule. Note: After completing a backup schedule, you can change any schedule details by selecting the check box next to the added schedule and clicking Edit.

10. To extend the latest primary backup copy to long-term retention:

a. Select the checkbox next to the added schedule and click + Backup.

b. Complete the schedule details in the Add Promotion Backup dialog box, and then click OK.

11. To replicate these backups to a remote DD system:

Managing Protection Policies

120 PowerProtect Data Manager Administration and User Guide

a. Select the checkbox next to the primary backup schedule and click Replicate.

b. Complete the schedule details in the Add Primary Replication dialog box, and then click OK.

Note: To enable replication, ensure that you add a remote DD system as the replication location.

12. From the SLA list, select an existing service level agreement that you want to apply to this schedule, or select Add to create an SLA within the Add Backup Service Level Agreement window.

Add a new SLA provides instructions.

13. From the Storage Name list:

l Select the backup destination from the list of existing DD systems.

l To add a system, select Add, and complete the details in the Storage Target window.

When you select the destination storage, the Space field updates with the available capacity on the system.

14. Click Set Storage Quotas to set storage space restrictions for a DD MTree or Storage Unit to prevent the consumption of excess space. There are two kinds of quota limitshard limits and soft limits. You can set either a soft or hard limit or both a soft and hard limit. Both values must be integers, and the soft value must be less than the hard value.

Note: When you set a soft limit and the limit is reached, an alert is generated but data can still be written to the DD system. When you set a hard limit and the limit is reached, data cannot be written to the MTree. All data protection operations fail until data is deleted from the MTree. The DD Operating System Administration Guide provides more information about MTree quota configuration.

a. Capacity QuotaControls the total size of precompression data that is written to the DD system.

b. Stream QuotaThe number of concurrent streams allowed on the system during data protection operations. Setting a Stream Quota limit can help ensure that system performance is not impacted negatively when a data protection operation is consuming too many system resources.

15. Select the Retention Lock check box to enable retention locking for these backups on the selected system.

Note: Primary backups are assigned a default retention lock period of 14 days. Replicated backups, however, are not assigned a default retention lock period. If you select this check box for a replicated backup, ensure that you set the Keep For field in the Add Primary Replicate backup schedule dialog to a minimum number of 14 days so that the replicated backup does not expire before the primary backup.

16. From the Network interface list, select a network adapter, if applicable.

17. Click Next.

The Summary page appears.

18. Review the protection policy group configuration details. Except for the protection policy type, you can click Edit next to any details to change the protection policy information. When satisfied with the details, click Finish.

An informational message appears to confirm that PowerProtect Data Manager has saved the protection policy. When the new protection policy group is created, PowerProtect Data

Managing Protection Policies

PowerProtect Data Manager Administration and User Guide 121

Manager automatically performs a full backup. For virtual machines, if you have not yet added a VM Direct Engine, the backup is performed using the embedded VM Direct Engine. Subsequent backups are performed according to the schedule specified.

19. Click OK to exit the window, or click Go to Jobs to open the Jobs window to monitor the backup of the new protection policy group.

More options for managing virtual machine backups After you create a virtual machine protection policy, additional options become available for virtual machine assets that are backed up as part of the policy.

To access these options:

1. Select Infrastructure > Assets.

2. From the Assets window, select the Virtual Machines tab. If a policy has been assigned, the table lists the virtual machine assets that have been discovered in the vCenter, along with the associated protection policy.

Note: You can click the link in the Disk Excluded column next to a virtual machine asset to view VMDKs that have been excluded from the protection policy. You cannot, however, edit disk inclusion or exclusion from this window. To change the disks that are excluded for a protected asset, select the policy from the Protection Policies window and click Edit.

3. Select a protected asset from the table, and then click View Copies. The Copy Locations pane identifies where the backups are stored.

4. In the left pane, click the storage icon to the right of the VM icon, for example, DD. The table in the right pane lists the backup copies.

Depending on whether the asset is retention locked, you can perform the following functions from this window:

l Edit the retention period for a backup copySelect a backup copy from the table and click Edit Retention.

l Delete a backup copyIf you no longer require a copy and the retention lock is not enabled, select the copy from the table and click Delete.

Add a protection policy for File System protection Use the PowerProtect Data Manager UI to add a protection policy to protect File System data.

Before you begin

Review the prerequisites in the section File System agent prerequisites on page 56 Procedure

1. Select Protection > Protection Policies.

The Protection Policy window appears.

2. Click Add.

The Add Policy window appears.

3. In the Type page, specify the new protection policies group fields. For example, if you are creating a protection policy for daily backups in the Windows 2012 Server:

a. In the Name field, specify the name of the protection policy. For example, File System Prod.

Note: The name that you specify here becomes part of the DD MTree entry.

Managing Protection Policies

122 PowerProtect Data Manager Administration and User Guide

b. In the Description field, specify a short description of the protection policy. For example, File System Prod Daily Backups

c. In theType field, select File System.

d. Click Next.

The Purpose page appears.

4. In the Purpose page, specify the following fields to indicate the purpose of the new protection policy:

a. The type of protection policies group.

For File System, you can select from three types:

l To use PowerProtect Data Manager to manage all protection centrally, click Centralized Protection.

l To use the File System to create local backup protection, click Self-Service Protection. PowerProtect Data Manager creates a protection policy and manages extra stages.

l If there are assets within the protection policy that you plan to exclude from data protection operations, click Exclusion.

b. Click Next.

The Assets page appears.

5. Select the unprotected assets that you want to add to the backup of this protection policy group. The window enables you to filter by asset name to locate the required assets.

Also, you can change the assets view to display all assets discovered by PowerProtect Data Manager, or a hierarchical view to display the assets in a tree structure underneath the application host. A hierarchical view might be helpful, for example, if you have added multiple File Systems, so that you can more easily identify which assets belong to which host.

Note: PowerProtect Data Manager does not support including CSV and non-CSV volumes in the same protection policy.

6. Click Next.

l If you selected Exclusion in the Purpose page, the Summary page appears. Skip to step 18 on page 125.

l If you selected Centralized Protection or Self-Service Protection, the File Exclusions page appears. To enable exclusions, click Enable.

a. Select one or more filters to apply, provide the parameters, and click Add Filter. Click Add a saved filter to use an existing filter or group of filters as a template.

Note: Add an exclusion filter on page 126 provides more details about exclusion filters.

b. Enter a name and description for the filter and click Save.

7. Click + Backup.

The Add Primary Backup dialog box appears.

8. Specify the backup schedule fields:

l For Centralized Protection:

a. In the Recurrence field, select the interval at which the backup job runs within the window that you specify.

Managing Protection Policies

PowerProtect Data Manager Administration and User Guide 123

Recurrence relates to Start Time and End Time fields.

When you select Hourly, Daily,Weekly, and Monthly recurrence, you are selecting the interval at which the backup job runs within the window that you specify.

b. Create CopySpecify how often to create an incremental backup.

c. To create a log, click Log, and then specify the interval in minutes.

d. In the Keep For field, specify the retention time.

e. In the Start Time field, specify the time when new backups will be initiated in this policy.

f. In the End Time field, specify the time after which no new backup will be initiated in this policy. It does not mean that any policy that is running is stopped at this time.

g. Create FullSelect this option if you want to periodically force a full (level 0) backup, and then specify how often to create these backups. By default, if you do not select this option, all subsequent backups are incremental backups.

Note: It is not mandatory to create periodic full backups. When you select this option, the File System agent forces the next backup to be a Full Backup. A full backup ensures protection from potential corruption that can be carried over from previous backups. However, these backups require more time and resources.

If you do not select this option, the File System agent identifies changes since the last full backup and uses the previous backup copy to create a new full backup.

h. Click OK. The Schedule page updates with the newly added backup schedule.

l For Self-Service Protection:

a. In the Keep For field, specify the retention time.

b. Click OK.

After completing a backup schedule, you can change any schedule details by selecting the checkbox next to the added schedule and clicking Edit.

9. To reduce the number of backups when daily, weekly, and/or monthly backups coincide, turn on auto promotion:

a. Select the check box next to the added schedule and click + Backup.

b. Complete the schedule details in the Add Promotion Backup dialog box, and then click OK.

10. To replicate these backups to a remote DD system:

a. Select the checkbox next to the added schedule and click Replicate.

b. Complete the schedule details in the Add Primary Replication dialog box, and then click OK.

Note: To enable replication, ensure that you add a remote DD system as the replication location.

11. Select the check box next to the added schedule.

When you select the check box, the SLA, Storage Name, and Network interface lists are enabled for selection.

12. From the SLA list, select an existing service level agreement that you want to apply to this schedule, or select Add to create a SLA within the Add Backup Service Level Agreement window.

Managing Protection Policies

124 PowerProtect Data Manager Administration and User Guide

13. From the Storage Name list:

l Select the backup destination from the list of existing DD systems.

l To add a system, select Add, and complete the details in the Storage Target window.

When you select the destination storage, the Space field updates with the available capacity on the system.

14. From the Network interface list, select a network interface card (NIC), if applicable.

15. Click Set Storage Quotas to set storage space restrictions for a DD MTree or Storage Unit to prevent the consumption of excess space. There are two kinds of quota limitshard limits and soft limits. You can set either a soft or hard limit or both a soft and hard limit. Both values must be integers, and the soft value must be less than the hard value.

Note: When you set a soft limit and the limit is reached, an alert is generated but data can still be written to the DD system. When you set a hard limit and the limit is reached, data cannot be written to the MTree. All data protection operations fail until data is deleted from the MTree. The DD Operating System Administration Guide provides more information about MTree quota configuration.

a. Capacity Quota Controls the total size of precompression data that is written to the DD system.

b. Stream Quota The number of concurrent streams allowed on the system during data protection operations. Setting a Stream Quota limit can help ensure that system performance is not impacted negatively if a data protection operation is consuming too many system resources.

16. Select the Retention Lock check box to enable retention locking for these backups on the selected system.

Note: Primary backups are assigned a default retention lock period of 14 days. Replicated backups, however, are not assigned a default retention lock period. If you select this check box for a replicated backup, ensure that you set the Keep For field in the Add Primary Replicate backup schedule dialog box to a minimum number of 14 days so that the replicated backup does not expire before the primary backup.

17. Click Next.

The Summary page appears.

18. Review the protection policy group configuration details. You can click Edit next to any completed window's details to change any information. When completed, click Finish.

An informational message appears to confirm that PowerProtect Data Manager has saved the protection policy. When the new protection policy is created, PowerProtect Data Manager automatically performs a full backup.

19. Click OK to exit the window, or click Go to Jobs to open the Jobs window to monitor the backup of the new protection policy group.

Exclusion filters Exclusion filters enable you to exclude certain files and folders from protection, based on the filter's conditions (conditions for exclusion).

Use the PowerProtect Data Manager UI to add, edit, and delete exclusion filters for file system files and folders.

When you create or edit a protection policy, you can apply exclusion filters to the protection policy.

Managing Protection Policies

PowerProtect Data Manager Administration and User Guide 125

When an exclusion filter is applied to a protection policy, the File System Agent performs file- based backups of the protected assets. File-based backups traverse through the entire directory structure of the file system to back up all the files in each directory of the file system. While file- based backups can provide additional capabilities such as exclusion, these backups take longer to complete when compared to block-based backups.

Note: Exclusion filters cannot be applied to self-service protection policies and to backups taken through self-service CLI.

Add an exclusion filter Use the PowerProtect Data Manager UI to add filters that exclude specific files and folders based on certain conditions, such as file type, file size, modification time, and file path. When a file or folder meets the conditions, the filter excludes the data from the backup for the protection policy.

About this task

Use this procedure to add up to four filters for a file.

Procedure

1. Select Protection > File Exclusion.

The File Exclusion window appears, which displays the following information:

l Name

l Description

l Conditions

l Logical Operator

2. Click ADD.

The Filter Information window appears.

3. In the Filter Name field, type a name for the filter.

4. In the Description field, describe the purpose of the filter.

5. Select a filtering condition. You can add multiple filters.

The filter excludes all files and folders that match these criteria from the backup for the protection policy. When you add multiple conditions, a file is excluded only if it meets all filter conditions. Within a filter, you can add a condition only once.

Available filtering conditions:

File Size

Exclude files and folders that are larger or smaller than a specified size. Specify a value in either the Greater than or Less than field.

File type

Exclude files or folders based on file type. Specify a file name extension or multiple file name extensions that are separated by commas.

Modified time

Exclude files or folders that were modified before or after a certain date. Specify a date in either the After or Before field.

Folder Path

Exclude files and folders in a specific path. Specify the file path, and then enclose the file path in quotations.

You can specify an absolute or relative path.

Managing Protection Policies

126 PowerProtect Data Manager Administration and User Guide

6. When you are finished building the filter, click Add Filters.

The new filter appears in the table.

7. You can add up to four filters using the previous steps. When you are finished, click Next.

8. In the Summary confirmation page, verify the filter information and click Finish.

Guidelines for exclusion filters Review the following guidelines for exclusion filters.

Using wildcards

Supported wildcards include an asterisk (*) to represent zero or more characters and a question mark (?) to represent zero or one character.

Note: Be careful when using the wildcard *. Depending on the wildcard location, you can match folders whose name matches the filter pattern and their contents, even when the names of those files do not match the filter. For example, *\\log*.txt also excludes files with the .txt extension in a folder whose name starts with log, even if the names of the files do not start with log

Excluding by file type

The File Type filter enables you to exclude files and folders based on file extension.

You can specify a single extension or multiple file extensions. Separate multiple entries with a comma and do not add a space between entries. You can also specify related extensions by using wildcards. For example, *.doc? matches both .doc files and .docx files.

Excluding by type and path

You can combine extension and path to exclude all files of a particular type without respect to the file location.

For example *\\log*.txt matches all text files (.txt) where the file name starts with log, at any path.

You can also exclude all files of a particular type from a specific path. For example, C:\\abc\ \*.txt matches all text files in the folder C:\abc. All matching files under subfolders of that specific path are recursively excluded.

You can combine these guidelines to exclude all files that match a specific name pattern under a particular path. For example, C:\\folder\\log*.txt.

Excluding by file path

The Path filter enables you to exclude files and folders in a specific path.

You can specify an absolute or relative path.

The following table provides examples for excluding files and folders using absolute and relative paths.

Table 26 Absolute and relative path examples

Type of path Folder File

Absolute F:\\folder1\ \folder2\\*

F:\\folder1\\folder2\ \sample.txt

In this example, the filter excludes all files and

In this example, the filter excludes the sample.txt file under

F:\folder1\folder2.

Managing Protection Policies

PowerProtect Data Manager Administration and User Guide 127

Table 26 Absolute and relative path examples (continued)

Type of path Folder File

folders under F:\folder1\folder2.

Relative *\\folder1\ \folder2\\*

*\\folder1\\folder2\ \sample.log

In this example, the filter excludes all files and folders under any volume with the hierarchy folder1\folder2.

In this example, the filter excludes all sample.log files under any

volume with the hierarchy folder1\folder2.

D:\\*\ \folder1\folder2\\*

D:\\*\\folder1\folder2\ \sample.log

In this example, the filter excludes all files and folders under any folder in D: with the hierarchy

folder1\folder2.

In this example, the filter excludes all sample.log files under any

folder in D: with the hierarchy

folder1\folder2.

Edit or delete an exclusion filter Use the PowerProtect Data Manager to edit or delete an exclusion filter. You can change the filter name, description, logical operator, and the filtering conditions.

Procedure

1. Select Protection > Filters.

The Exclusion Filters window appears, which displays the following information:

l Name

l Description

l Conditions

l Logical Operator

2. To edit a filter, complete the following tasks:

a. Select a filter, and click Edit.

The Edit Exclusion Filter wizard appears.

b. Modify the desired fields, and then click Next.

The Summary page appears.

c. Click Finish to save your changes.

3. To delete a filter, select the filter that you want to delete, and then click Delete.

Managing Protection Policies

128 PowerProtect Data Manager Administration and User Guide

Apply an exclusion filter to a protection policy When adding or editing a protection policy, you can apply a predefined exclusion filter to the protection policy. The File Exclusions page of the Add Policy or Edit Policy wizard enables you to select an exclusion filter and apply it to a protection policy.

Before you begin

An exclusion filter must already exist.

About this task

To create a protection policy for file system protection and apply an exclusion filter to it, follow the steps in Add a protection policy for File System protection on page 122.

To apply an exclusion filter to an existing protection policy, complete the following steps:

Procedure

1. Select Protection > Protection Policies.

The Protection Policy window appears.

2. Select a protection policy from the list, and then click Edit.

The Summary page appears.

3. Click File Exclusions > Edit.

The File Exculsions page appears.

4. Toggle the Disabled switch to enable exclusion.

5. Add a saved filter or build a new filter according to the steps provided in Add an exclusion filter on page 126.

6. Click Next twice, review the details on the Summary page, and click Finish.

PowerProtect Data Manager applies the exclusion filter to the protection policy.

Results

After the backup starts, you can view details about the files that are excluded from the protection policy. To view the excluded files:

l Open the Jobs window, and then click Running.

l Click the Details icon to the left of the job name.

l In the Task Summary section, click the link that indicates the total number of tasks.

l Click the Details icon to the left of the task, and then review the protection policy details and excluded files.

Remove an exclusion filter from a protection policy The File Exclusions page of the Edit Policy wizard enables you to remove an exclusion filter from a protection policy.

Procedure

1. Select Protection > Protection Policies.

The Protection Policy window appears.

2. Select a protection policy from the list, and then click Edit.

The Summary page appears.

3. Select File Exclusions > Edit.

Managing Protection Policies

PowerProtect Data Manager Administration and User Guide 129

4. Clear the check box next to the filter that you want to remove from the protection policy.

5. Click Next.

The Summary page appears.

6. Review the details, and click Finish.

Add a Self-service Protection Policy for Storage Direct Select a self-service protection policy if you want your backup application to manage the local protection stage, and PowerProtect Data Manager to handle the additional stage by backing up selected assets within a policy. You can use the PowerProtect Data Manager UI to add a self- service protection policy for Storage Direct data protection.

Before you begin

l Review the prerequisites.

l If you have added a LUN to a storage group since the last SMIS server discovery, run a Discover of the SMIS server.

l Ensure that there is no lock on the VMAX.

Procedure

1. Select Protection > Protection Policies.

The Protection Policy window appears.

2. Click Add.

The Add Policy window appears.

3. In the Type page, specify the new protection policy fields.

a. In the Name field, specify the name of the protection policy. For example, Storage Direct VMAX Policy

Note: The name that you specify here becomes part of the DD MTree entry.

b. In the Description field, specify a short description of the protection policy. For example, Storage Direct VMAX Policy Daily Backups.

c. In the Type field, select Storage Group.

d. Click Next.

The Purpose page appears.

4. In the Purpose page:

a. Select Self-service Protection. PowerProtect Data Manager.

b. Select one of the following options:

l If this is a new Storage Direct environment, select PowerProtect Data Manager will automatically provision and manage all storage required to meet this objective. When selected, PowerProtect Data Manager will perform the provisioning of the Storage Direct environment and create the required configuration on both the VMAX storage and the DD system. For example, a backup device group and restore device group are created on the DD system, and a backup storage group that is linked with the source storage group, and a restore storage group, are created on the VMAX.

l If this is an existing Storage Direct environment, select PowerProtect Data Manager will not provision and manage my storage. When selected, no additional configuration is performed since this configuration was already completed during setup of the standalone Storage Direct environment. The

Managing Protection Policies

130 PowerProtect Data Manager Administration and User Guide

configuration will be read from the configuration file and stored in the PowerProtect Data Manager database.

c. Click Next.

The Assets page appears.

5. Select the unprotected storage groups that you want to add to the backup of this protection policy group. Within this page, you can filter by host or asset name to locate the required assets. Ensure that any assets you add to the policy have a hostname entry in the Host column.

The Assets page displays the storage groups that are attached to the host that are unprotected (storage groups that have not been assigned to a protection policy).

Note: If the assets that you want to protect do not display, cancel the policy creation and run the Storage Direct host discovery again:

a. Go to Infrastructure > Asset Sources.

b. Select the App/File System Host tab.

c. Select the Storage Direct agent host, and then click Discover.

d. Go back to Protection > Protection Policies to re-create the protection policy.

6. Click Next.

The Schedule page appears.

7. Click + Backup.

The Add Primary Backup dialog box appears.

8. On the Add Primary Backup dialog box, specify the following:

a. Keep ForSpecify the retention period for the backup.

b. If you want to create an application-consistent policy, specify a Pre Snapshot Script and a Post Snapshot Script. For example, specify preSnap.sh and postSnap.sh, which are the names of the provided files.

Application consistency ensures that before the snapshot is taken on the VMAX and the data is moved to DD system, the database is quiesced and there is no current activity on the database that would result in the snapshot being in an inconsistent state. The preSnap.sh script is executed before the snapshot is taken, and the postSnap.sh script is executed after the snapshot completes. If the pre-snapshot script fails, then the backup fails immediately. If the pre-snapshot script executes successfully but the post-snapshot script fails, the backup continues unless you have specified a return code of -1, which forces the backup to fail if the post- snapshot script fails.

Note: The provided pre-snapshot and post-snapshot script files should be located under scripts folder of the Storage Direct standalone agent installer on the host. If the files are not currently in the scripts folder, ensure that you manually copy the files to this folder, otherwise the backup will fail.

c. Click OK to exit the dialog and return to the Schedule page.

The Schedule page updates with the new details. You can change this information by selecting the check box next to the added schedule and clicking Edit.

9. In the Keep For field, specify the retention time, and then click OK to exit the dialog.

The Schedule page updates with the new details. You can change this information by selecting the check box next to the added schedule and clicking Edit.

Managing Protection Policies

PowerProtect Data Manager Administration and User Guide 131

10. Select the check box next to the added schedule for the primary backup.

If you are a new Storage Direct user, the Storage Name and Network interface lists and the Retention Lock check box are enabled for selection. If you are an existing Storage Direct user, the DD system destination is selected automatically and you cannot modify the selection. Also, the Retention Lock check box is not selected.

11. From the Storage Name list:

l For the primary backup, select a destination from the list of existing DD systems.

l For the replicated backup, select a second destination from the list of existing DD systems.

When you select the destination storage, the Space field updates with the available capacity on the system.

12. From the Network interface list, select a network interface card (NIC), if applicable.

13. Select the Retention Lock check box to enable retention locking for these backups on the selected system.

Primary backups are assigned a default retention lock period of 14 days, so the backup is locked for 14 days or until expiry of the retention period specified in the Keep For field, whichever is less.

14. Click Set Storage Quotas to set storage space restrictions for a DD MTree or Storage Unit to prevent the consumption of excess space. There are two kinds of quota limitshard limits and soft limits. You can set either a soft or hard limit or both a soft and hard limit. Both values must be integers, and the soft value must be less than the hard value.

Note: When you set a soft limit and the limit is reached, an alert is generated but data can still be written to the DD system. When you set a hard limit and the limit is reached, data cannot be written to the MTree. All data protection operations fail until data is deleted from the MTree. The DD Operating System Administration Guide provides more information about MTree quota configuration.

a. Capacity QuotaControls the total size of precompression data that is written to the DD system.

b. Stream QuotaThe number of concurrent streams allowed on the system during data protection operations. Setting a Stream Quota limit can help ensure that system performance is not impacted negatively when a data protection operation consumes too many system resources.

15. To reduce the number of backups when daily, weekly, or monthly backups coincide, turn on auto promotion:

a. Select the checkbox next to the added schedule and click + Backup.

b. Complete the schedule details in the Add Promotion Backup dialog box, and then click OK.

16. To replicate the primary backup to a secondary DD system:

a. Select the checkbox next to the added schedule and click Replicate. The Add Primary Replication dialog box appears, indicating that MTree replication will be added for replication of the backup to a secondary DD system.

Note: The retention period that is used will be the same Keep For value that you specified for the backup schedule.

b. Click OK.

Managing Protection Policies

132 PowerProtect Data Manager Administration and User Guide

Note: To enable replication, ensure that you add a second DD system for use as the replication location. Add Protection Storage provides detailed instructions about adding a secondary or remote DD system.

17. Click Next.

The Summary page appears.

18. Review the protection policy configuration details. You can click Edit next to any details to make changes. When completed, click Finish.

An informational message appears to confirm that PowerProtect Data Manager has saved the protection policy.

19. Click OK to exit the window, or click Go to Jobs to open the Jobs window to monitor the backup of the new protection policy group.

The Jobs window breaks down the Storage Group protection by VMAX storage group. Click the link next to the storage group to open the Details pane, where you can view more specific information about the job tasks, such as:

l Creation of vDisks in the DD system and creation of backup and recovery storage groups.

l Encapsulation, which involves creating backup and restore FTS devices on the VMAX and linking the DD vDisk with FTS.

l Creation of the initial snapshot backup, and linking of the snapshot to the protection storage group.

l Notification that a new configuration file has been pushed to the host.

l If replication was selected, notification that a job for MTree replication was also initiated.

Job tasks vary depending on whether you are a new user or an existing Storage Direct user.

After you finish

Run the protectpoint snapbackup create command to perform the self-service backup. This command uses the configuration file that is created automatically upon the addition of storage groups to a Storage Group protection policy. The configuration file provides information about the VMAX and DD system attributes and the storage groups protected by this policy.

You can access the configuration file, for example, VMAXPolicy1.config, by going to the C:\Program Files\DPSAPPS\ppfsagent\config directory. The file name contains the name that you provided for the Storage Group policy.

Note: Do not modify this configuration file.

Before running the backup command, run the following command for the host to verify that snapshots will be created for each storage group in the protection policy, and to ensure that a successful relationship has been established between the source device and the backup FTS device for movement of data from the VMAX to DD system.

symsnapvx - sid xxx -sg storage group name list An X in the Flags section of this output, as shown in the following, indicates that the relationship has been established without any issues.

Managing Protection Policies

PowerProtect Data Manager Administration and User Guide 133

Figure 5 Storage group list command output

Once the snapshots and relationship are verified, you can run the following command to perform the self-service backup. This command example is from a Windows system.

C:\Program Files\DPSAPPS\ppfsagent\config>protectpoint snapbackup create description "Backup using sdm configuration" VMAX policy name.config Upon successful completion of the backup, output similar to the following displays: Figure 6 Snapbackup command output

Add a Centralized Protection Policy for Storage Direct Select the centralized protection policy for Storage Direct if you want PowerProtect Data Manager to centrally manage all stages of the protection policy. You can use the PowerProtect Data Manager UI to add a centralized protection policy for Storage Direct data protection.

Before you begin

l Review the prerequisites.

l If you have added a LUN to a storage group since the last SMIS server discovery, run a Discover of the SMIS server.

l Ensure that there is no lock on the VMAX.

Procedure

1. Select Protection > Protection Policies.

The Protection Policy window appears.

2. Click Add.

The Add Policy window appears.

3. In the Type page, specify the new protection policy fields.

a. In the Name field, specify the name of the protection policy. For example, Storage Direct VMAX Policy

Note: The name that you specify here becomes part of the DD MTree entry.

Managing Protection Policies

134 PowerProtect Data Manager Administration and User Guide

b. In the Description field, specify a short description of the protection policy. For example, Storage Direct VMAX Policy Daily Backups.

c. In the Type field, select Storage Group.

d. Click Next.

The Purpose page appears.

4. In the Purpose page:

a. Select Centralized Protection.

b. Select one of the following options:

l If this is a new Storage Direct environment, select PowerProtect Data Manager will automatically provision and manage all storage required to meet this objective. When selected, PowerProtect Data Manager will perform the provisioning of the Storage Direct environment and create the required configuration on both the VMAX storage and the DD system. For example, a backup device group and restore device group are created on the DD system, and a backup storage group that is linked with the source storage group, and a restore storage group, are created on the VMAX.

l If this is an existing Storage Direct environment, select PowerProtect Data Manager will not provision and manage my storage. When selected, no additional configuration is performed since this configuration was already completed during setup of the standalone Storage Direct environment. The configuration will be read from the configuration file and stored in the PowerProtect Data Manager database.

l Keep ForSpecify the retention period for the backup.

l Start TimeSpecify the time of day to start initiating backups.

l End TimeSpecify the time of day to stop initiating backups. Note: Any backups started before the End Time occurs continue until completion.

c. Click Next.

The Assets page appears.

5. Select the unprotected storage groups that you want to add to the backup of this protection policy group. Within this page, you can filter by host or asset name to locate the required assets. Ensure that any assets you add to the policy have a hostname entry in the Host column.

The Assets page displays the storage groups that are attached to the host that are unprotected (storage groups that have not been assigned to a protection policy).

Note: If the assets that you want to protect do not display, cancel the policy creation and run the Storage Direct host discovery again:

a. Go to Infrastructure > Asset Sources.

b. Select the App/File System Host tab.

c. Select the Storage Direct agent host, and then click Discover.

d. Go back to Protection > Protection Policies to re-create the protection policy.

6. Click Next.

The Schedule page appears.

7. Click + Backup.

The Add Primary Backup dialog box appears.

Managing Protection Policies

PowerProtect Data Manager Administration and User Guide 135

8. On the Add Primary Backup dialog box, specify the following:

a. Create CopySpecify how often to create a backup.

b. Keep ForSpecify the retention period for the backup.

c. Start TimeSpecify the time of day to start initiating backups.

d. End TimeSpecify the time of day to stop initiating backups.

Note: Any backups started before the End Time occurs continue until completion.

e. If you want to create an application-consistent policy, specify a Pre Snapshot Script and a Post Snapshot Script. For example, specify preSnap.sh and postSnap.sh, which are the names of the provided files. The preSnap.sh script is executed before the snapshot is taken, and the postSnap.sh script is executed after the snapshot completes.

Application consistency ensures that before the snapshot is taken on the VMAX and the data is moved to the DD system, the database is quiesced and there is no current activity on the database that would result in the snapshot being in an inconsistent state. If the pre-snapshot script fails, then the backup fails immediately. If the pre-snapshot script executes successfully but the post-snapshot script fails, the backup continues unless you have specified a return code of -1 which forces the backup to fail if the post- snapshot script fails.

Note: The provided pre-snapshot and post-snapshot script files should be located under scripts folder of the Storage Direct standalone agent installer on the host. If the files are not currently in the scripts folder, ensure that you manually copy the files to this folder, otherwise the backup will fail.

f. Click OK to exit the dialog and return to the Schedule page.

The Schedule page updates with the new details. You can change this information by selecting the check box next to the added schedule and clicking Edit.

9. Select the check box next to the added schedule for the primary backup.

If you are a new Storage Direct user, the Storage Name and Network interface lists and the Retention Lock check box are enabled for selection. If you are an existing Storage Direct user, the DD system destination is selected automatically and you cannot modify the selection. Also, the Retention Lock check box is not selected.

10. From the Storage Name list:

l For the primary backup, select a destination from the list of existing DD systems.

l For the replicated backup, select a second destination from the list of existing DD systems.

When you select the destination storage, the Space field updates with the available capacity on the system.

11. From the Network interface list, select a network interface card (NIC), if applicable.

12. Select the Retention Lock check box to enable retention locking for these backups on the selected system.

Primary backups are assigned a default retention lock period of 14 days, so the backup is locked for 14 days or until expiry of the retention period specified in the Keep For field, whichever is less.

13. Click Set Storage Quotas to set storage space restrictions for a DD MTree or Storage Unit to prevent the consumption of excess space. There are two kinds of quota limitshard

Managing Protection Policies

136 PowerProtect Data Manager Administration and User Guide

limits and soft limits. You can set either a soft or hard limit or both a soft and hard limit. Both values must be integers, and the soft value must be less than the hard value.

Note: When you set a soft limit and the limit is reached, an alert is generated but data can still be written to the DD system. When you set a hard limit and the limit is reached, data cannot be written to the MTree. All data protection operations fail until data is deleted from the MTree. The DD Operating System Administration Guide provides more information about MTree quota configuration.

a. Capacity QuotaControls the total size of precompression data that is written to the DD system.

b. Stream QuotaThe number of concurrent streams allowed on the system during data protection operations. Setting a Stream Quota limit can help ensure that system performance is not impacted negatively when a data protection operation consumes too many system resources.

14. To reduce the number of backups when daily, weekly, or monthly backups coincide, turn on auto promotion:

a. Select the checkbox next to the added schedule and click + Backup.

b. Complete the schedule details in the Add Promotion Backup dialog box, and then click OK.

15. To replicate the primary backup to a secondary DD system:

a. Select the checkbox next to the added schedule and click Replicate. The Add Primary Replication dialog box appears, indicating that MTree replication will be added for replication of the backup to a secondary DD system.

Note: The retention period that is used will be the same Keep For value that you specified for the backup schedule.

b. Click OK.

Note: To enable replication, ensure that you add a second DD system for use as the replication location. Add Protection Storage provides detailed instructions about adding a secondary or remote DD system.

16. Click Next.

The Summary page appears.

17. Review the protection policy configuration details. You can click Edit next to any details to make changes. When completed, click Finish.

An informational message appears to confirm that PowerProtect Data Manager has saved the protection policy.

18. Click OK to exit the window, or click Go to Jobs to open the Jobs window to monitor the configuration of the new protection policy group.

When configuration is in progress, the job entry indicates Configuring Storage Groups - storage group name. Any job that specifies Auto Full, for example, Protecting Storage Groups - storage group name - Auto Full, indicates that a scheduled centralized Storage Direct policy backup has been started.

The Jobs window breaks down the Storage Group protection by VMAX storage group. Click the link next to the storage group to open the Details pane, where you can view more specific information about the job tasks, such as:

Managing Protection Policies

PowerProtect Data Manager Administration and User Guide 137

l Creation of vDisks in the DD system and creation of backup and recovery storage groups.

l Encapsulation, which involves creating backup and restore FTS devices on the VMAX and linking the DD vDisk with FTS.

l Creation of the initial snapshot backup, and linking of the snapshot to the protection storage group.

l Notification that a new configuration file has been pushed to the host.

l If replication was selected, notification that a job for MTree replication was also initiated.

Job tasks vary depending on whether you are a new user or an existing Storage Direct user.

Add a protection policy for Kubernetes namespace protection A Kubernetes protection policy enables you to select a namespace that you want to back up. Use the PowerProtect Data Manager UI to create a Kubernetes namespace protection policy.

Before you begin

In the PowerProtect Data Manager UI, you can only perform protection policy backups of namespaces from CSI-based storage.

Procedure

1. Select Protection > Protection Policies.

2. In the Protection Policies window, click Add.

The Add Policy wizard appears.

3. On the Type page, specify the following fields, and then click Next:

l NameType a descriptive name for the protection policy.

l DescriptionType a description for the policy.

l TypeFor the policy type, select Kubernetes.

4. On the Purpose page, select from the following options to indicate the purpose of the new protection policy group, and then click Next:

l Crash ConsistentSelect this type for point-in-time backup of namespaces.

l ExclusionSelect this type if there are assets within the protection policy that you plan to exclude from data protection operations.

5. In the Assets page, select one or more unprotected namespaces that you want to back up as part of this protection policy.

Note: Discovery of a Kubernetes cluster discovers namespaces that contain volumes from both container storage interface (CSI) and non-CSI based storage. However, backup and recovery are supported only from CSI-based storage. If you select a namespace from non-CSI storage, the backup fails. Optionally, if you want to protect a namespace that contains non-CSI storage, you can exclude the non-CSI PVC from the backup. If excluding the PVC, ensure that such a policy still meets your protection requirements.

If the namespace that you want to protect is not listed, perform one of the following:

l Click Find More Assets to perform an updated discovery of the Kubernetes cluster.

l Use the Search box to search by asset name.

Managing Protection Policies

138 PowerProtect Data Manager Administration and User Guide

6. (Optional) For the selected namespaces, click the link in the PVCs Excluded column, if available, to clear any PVCs that you want to exclude from the backup. By default, all PVCs are selected for inclusion.

7. Click Next.

The Schedule page appears.

8. On the Schedule page, click + Backup to create a schedule.

9. On the Add Primary Backup page, specify the backup schedule fields, and then click OK:

l RecurrenceSpecify how often backups occur.

l Create EverySpecify how often to create an incremental backup.

l Keep ForSpecify the retention period for the backup.

l Start TimeSpecify the time of day to start initiating backups.

l End TimeSpecify the time of day to stop initiating backups.

The Schedule page updates with the added backup schedule. Note: After completing a backup schedule, you can change any schedule details by selecting the check box next to the added schedule and clicking Edit.

10. To extend the latest primary backup copy to long-term retention:

a. Select the checkbox next to the added schedule and click + Backup.

b. Complete the schedule details in the Add Promotion Backup dialog box, and then click OK.

11. To replicate these backups to a remote DD system:

a. Select the checkbox next to the primary backup schedule and click Replicate.

b. Complete the schedule details in the Add Primary Replication dialog box, and then click OK.

Note: To enable replication, ensure that you add a remote DD system as the replication location. Add Protection Storage provides detailed instructions about adding a remote DD system.

12. Optionally, if you want to add a Cloud stage for the purpose of moving backups from DD storage to Cloud Tier, select the check box next to the primary or replication schedule, and then select Cloud Tier. Add a Cloud Tier schedule to a protection policy on page 141 provides more information.

Note: In order to move a backup or replica to Cloud Tier, schedules must have a minimum weekly recurrence and a retention time of 14 days or greater. Also, discovery of a DD system configured with a Cloud unit is required.

13. From the SLA list, select an existing service level agreement that you want to apply to this schedule, or select Add to create an SLA within the Add Backup Service Level Agreement window.

Add a new SLA provides instructions. Note: The Promotion SLA type is not supported for Kubernetes protection policies.

14. From the Storage Name list in the schedule entry:

l Select the backup destination from the list of existing DD systems.

l To add a system, select Add, and complete the details in the Storage Target window.

Managing Protection Policies

PowerProtect Data Manager Administration and User Guide 139

When you select the destination storage, the Space field updates with the available capacity on the system.

15. Click Set Storage Quotas to set storage space restrictions for a DD MTree or Storage Unit to prevent the consumption of excess space. There are two kinds of quota limitshard limits and soft limits. You can set either a soft or hard limit or both a soft and hard limit. Both values must be integers, and the soft value must be less than the hard value.

Note: When you set a soft limit and the limit is reached, an alert is generated but data can still be written to the DD system. When you set a hard limit and the limit is reached, data cannot be written to the MTree. All data protection operations fail until data is deleted from the MTree. The DD Operating System Administration Guide provides more information about MTree quota configuration.

a. Capacity QuotaControls the total size of pre-compression data that is written to the DD system.

b. Stream QuotaThe number of concurrent streams allowed on the system during data protection operations. Setting a Stream Quota limit can help ensure that system performance is not impacted negatively when a data protection operation is consuming too many system resources.

16. Select the Retention Lock check box to enable retention locking for these backups on the selected system.

Note: Primary backups are assigned a default retention lock period of 14 days. Replicated backups, however, are not assigned a default retention lock period. If you select this check box for a replicated backup, ensure that you set the Keep For field in the Add Primary Replicate backup schedule dialog to a minimum number of 14 days so that the replicated backup does not expire before the primary backup.

Note: Retention lock is not supported for the Cloud Tier schedule.

17. From the Network interface list, select a network interface card, if applicable.

18. Click Next.

The Summary page appears.

19. Review the protection policy group configuration details, and then click Finish. Except for the protection policy type, you can click Edit next to any details to change the policy information.

An informational message appears to confirm that PowerProtect Data Manager has saved the protection policy. When the new protection policy group is created, PowerProtect Data Manager automatically performs a full backup. Subsequent backups are performed according to the schedule specified.

20. Click OK to exit the window, or click Go to Jobs to open the Jobs window.

From the Jobs window, you can monitor the progress of the new Kubernetes cluster protection policy backup and associated tasks. You can also cancel any in-progress or queued job or task.

Note: If a Kubernetes cluster is running on vSphere and using vSphere CSI storage, the job details will indicate that the optimized data path is being used for the backup.

After you finish

If the backup fails with the error Failed to create Proxy Pods. Creating Pod exceeds safeguard limit of 10 minutes, verify that the CSI driver is functioning

Managing Protection Policies

140 PowerProtect Data Manager Administration and User Guide

properly, such that the driver can create snapshots and a PVC from the VolumeSnapshot datasource. Also, ensure that you clean up any orphan VolumeSnapshot resources that still exist in the namespace.

Add a Cloud Tier schedule to a protection policy For some protection policy types, you can add a cloud tier schedule to a protection policy in order to perform backups to cloud tier.

Before you begin

Ensure that a DD system is set up for cloud tiering.

About this task

You can create the cloud tier schedule from both primary and replication stages. Schedules must have a minimum weekly recurrence and a retention time of 14 days or greater.

Procedure

1. Log in to PowerProtect Data Manager with administrator credentials.

2. Select Protection > Protection Policies > Add.

3. On the Type page, enter a name and description, select the type of system to back up, and click Next.

The following protection policy types support cloud tiering:

l Virtual machine

l SQL

l Oracle

l SAP HANA

l File System

l Kubernetes

4. On the Purpose page, select from the available options to indicate the purpose of the new protection policy, and then click Next.

5. On the Assets page, select the assets that you want to protect with this policy, and then click Next.

6. On the Schedule page, select + Backup.

7. On the Add Primary page, set the following parameters, and then click OK:

l RecurrenceSelect Weekly or Monthly.

l Keep forCloud Tier backup requires a minimum of 2 weeks.

l Optionally, change the Start Time and End Time.

8. Select the protection policy that you created, and then select Cloud Tier.

9. In the Add Cloud Tier dialog box, set the following parameters and then click OK:

l Select the appropriate unit from the Cloud Target list.

l For Tier After, set a time of at least 2 weeks.

The new protection policy is now enabled with cloud tiering.

10. Click Next, verify the information, and then click Finish.

A new job is created, which you can view under the Jobs tab after the job completes.

Managing Protection Policies

PowerProtect Data Manager Administration and User Guide 141

Results

Once an asset is protected with a Cloud Tier stage, you can also perform a manual backup of the asset. On-demand cloud tiering of protected assets on page 142 provides more information.

Managing Cloud Tier asset copies You can manage Cloud Tier copies of assets by changing copy retention time, deleting copies, and recalling copies.

Procedure

1. In the PowerProtect Data Manager dashboard, go to Infrastructure > Assets.

2. Select an asset and click View Copies.

3. Click an asset copy icon.

Cloud Tier backups are listed by cloud storage in the Location column.

4. Select a Cloud Tier backup and click Edit Retention to change how long copies remain in cloud storage.

5. Select a Cloud Tier backup and click Delete to delete the copy in cloud storage.

6. Select a Cloud Tier backup and click Recall to return the cloud backup to your local DD system for recovery or backup.

Note: If you use Amazon's network to copy data from AWS storage, Amazon charges you for the data transfer.

Manual backups of protected assets Once assets have been added to a protection policy, you can perform manual backups by using the Backup Now functionality in the PowerProtect Data Manager UI.

When a virtual machine is part of an application-aware protection policy, the manual backup is a full application-aware backup.

To perform a manual backup:

1. Select Infrastructure > Assets.

2. Select the tab for the asset type you want to back up. A list of assets appears.

3. Select an asset from the table that has an associated protection policy. Note: You can only select one asset at a time for manual backup. Also, the protection policy that is associated with the asset cannot be an exclusion policy.

4. Click Backup Now. A notification appears indicating whether the request was processed successfully.

On-demand cloud tiering of protected assets Once you add assets to a protection policy that contains a cloud tier stage, you can perform on- demand tiering of these assets by using the PowerProtect Data Manager UI.

Note: On-demand cloud tiering of a copy set requires the related protection policy to have a cloud tier stage.

To perform on-demand cloud tiering:

1. Select Infrastructure > Assets.

Managing Protection Policies

142 PowerProtect Data Manager Administration and User Guide

2. On the Assets window, select the tab for the asset type you want to back up. A list of assets appears.

3. Select an asset from the table that has an associated protection policy, and then click View Copies.

Note: You can only select one asset at a time, and the protection policy that is associated with the asset cannot be an exclusion policy.

4. Click the DD icon to display the available backup copies in the right pane.

5. Select a backup copy, and then click Tier. A notification appears indicating whether the request was processed successfully.

Go to the Jobs window to monitor the progress of the tiering operation.

Edit a protection policy Use the PowerProtect Data Manager UI to edit a protection policy name, description, or schedule.

About this task

You can also edit a protection policy to add or remove assets, and to modify the settings for the network interface card, storage quotas, and retention lock. You cannot modify a protection policy type or purpose. Add or remove assets in a protection policy on page 143 provides instructions.

Note: You cannot remove assets from a VMAX Storage Group policy.

Note: We recommend that you do not edit the network interface for App Agent assets such as File System, SQL, ORACLE, and SAP HANA, because it will cause subsequent backup failure. The workaround is to set the lockbox, which will trigger a new asset configuration.

Procedure

1. Select Protection > Protection Policy.

The Protection Policy window opens.

2. Select the protection policy that you want to modify, and click Edit.

The Edit Policy window opens on the Summary page.

3. In the Name, Description, or Schedule rows, click Edit.

The Edit Policy window displays the appropriate page according to your selection. For example, if you click Edit next to the Name or Description rows, the Type page opens.

4. After making your changes, click Next to save the changes and go to the Summary page.

5. On the Summary page, click Finish

An informational dialog displays.

6. Click OK to exit the dialog, or click Go to Jobs to open the Jobs window to monitor the backup of the new protection policy.

Add or remove assets in a protection policy Use the PowerProtect Data Manager UI to add or remove an asset in a protection policy.

About this task

When a protection policy is edited and new assets are added, backups for the new assets start from the next scheduled FULL backup job for the protection policy.

Managing Protection Policies

PowerProtect Data Manager Administration and User Guide 143

Procedure

1. Select Protection > Protection Policy.

The Protection Policy window appears.

2. Select the protection policy that you want to modify, and click Edit.

The Edit Policy window opens on the Summary page.

3. In the Assets row, click Edit.

The Assets page appears.

4. To add an asset to the protection policy, click + Add.

The Add Unprotected Assets dialog displays any assets that are unprotected.

5. Select the unprotected assets that you want to add to the policy, and click Add.

The added assets now appear in the table on the Assets page.

6. To remove assets, select the assets that you want to remove from the backup of this protection policy, and click Delete.

The window enables you to filter by asset name to locate the required assets. You can change the assets view to display all assets that are discovered by PowerProtect Data Manager.

7. Click Next to save the changes and go to the Summary page.

8. In the Summary page, click Finish

An informational dialog box appears.

9. Click OK to exit the dialog box, or click Go to Jobs to open the Jobs window to monitor the backup of the new protection policy.

Change the DD Boost storage unit password When a storage unit is created on a DD system for a PowerProtect Data Manager protection policy backup, PowerProtect Data Manager automatically generates a DD Boost username and password for the new storage unit. You can change this password from PowerProtect Data Manager by using the REST API. The change synchronizes automatically with the DD system. To change the password, perform the following steps:

Before you begin

Before making a password change, verify that recent backup operations completed successfully by checking the backup status history in the Jobs window or performing a new backup of the protection policy.

Note: This procedure requires you to obtain the name of the DD MTree where the DD Boost storage unit resides. The instruction for obtaining the MTree name is included below.

About this task

It is recommended that you change passwords periodically for security purposes. The PowerProtect Data Manager API documentation at https://developer.dellemc.com provides more information about using the REST API.

Procedure

1. Call the API to obtain the DD MTree of the target policy:

GET /api/v2/protection-policies For example, GET https://{{ip}}:8443/api/v2/protection-policies?filter=name eq policy name.

Managing Protection Policies

144 PowerProtect Data Manager Administration and User Guide

In the resulting output, the storageSystemId is the ID of the storage system, and the dataTargetId is the ID of the storage unit.

Note: You can skip this step if you have already obtained the ID or the name of the target MTree.

2. Call the API to obtain the DD MTree credentials ID:

GET /api/v2/datadomain-mtrees?filter=name eq policy name Where policy name is the name of the protection policy being backed up to the DD system.

Note: The policy name is also used as the DDBoost username for the new storage unit credentials.

3. Search the response for the MTree credentials ID, and specify this ID in the following API call to update the password:

PUT /api/v2/credentials/MTree Credentials ID

The output displays the following information, where you can then specify the new password. For example:

{ "id": "MTree Credentials ID", "name": "policy name", "username": "policy name", "password": "new password", "type": "DATADOMAIN" }

4. If any application aware virtual machine protection policy uses this DD MTree:

a. In the PowerProtect Data Manager UI, select this policy within the Protection > Protection Policies window, and click Edit.

b. Click Edit next to the Schedule row to open the Edit Primary Backup dialog, and then change the value in the Transaction Log Every field to a different value. Make note of the original value.

c. Click Finish to save the changes.

d. Re-edit the policy to restore the Transaction Log Every field in the Edit Primary Backup dialog to the original value, and then click Finish to save the new changes.

Editing the policy settings forces the password change to be passed to the agents, and avoids transaction log backup failures.

5. Perform another backup of the protection policy and verify that the backup completes successfully.

Removing expired backup copies PowerProtect Data Manager deletes the backup copies of an asset automatically when the retention period of the copy expires.

Information about specifying retention periods for a protection policy schedule is provided within the topic for each policy type.

In order for an expired copy to be deleted, the asset must be managed by PowerProtect Data Manager and in one of the following states:

l Protected The asset is currently assigned to a protection policy.

l Previously Protected The asset has been unassigned from a protection policy and has not yet been re-assigned to another policy.

Managing Protection Policies

PowerProtect Data Manager Administration and User Guide 145

Expired copy cleanup occurs at 00:00 AM UTC each day. If a copy deletion fails, a warning alert appears in the audit log under Alerts > System.

Note: For virtual machine assets, you can also manually delete a backup copy at any time from the Assets window if you no longer require the copy and the retention lock is not enabled. More options for managing virtual machine backups on page 122provides more information.

Export protection This option enables you to export protection jobs and compliance records to a .CSV file so that you can download an Excel file of protection results data.

Procedure

1. Select Protection > Protection Policy.

The Protection Policy window appears, which displays the following information:

l Asset type

l Purpose

l Group Name

l Number of Protected Assets

l Asset Capacity

l Number of Failures

l Number of SLA Violations

2. Select the protection policy for which you would like to export the protection records.

If you do not select a protection policy, PowerProtect Data Manager exports the protection records for all the protection policies.

3. Click Export.

The Export Asset Protection window appears.

4. Specify the following fields for the export:

a. The Time Range.

The default is Last 24 hours.

This refers to the last complete midnight-to-midnight 24-hour period; that is, yesterday. So, any events that have occurred since the most recent midnight are not in the CSV export. For example, if you run the CSV export at 9am, any events that have occurred in the last 9 hours are not in the CSV export. This is to prevent the overlapping of or partial exporting when queried mid-day on a regular or irregular basis.

b. The Job Status.

c. Click Download .CSV.

If applicable, the navigation window appears for you to select the location to save the CSV file.

5. If applicable, save the .CSV file in the desired location and then click Save.

Managing Protection Policies

146 PowerProtect Data Manager Administration and User Guide

Delete a protection policy You can delete a protection policy that is not protecting any assets.

Before you begin

If the policy you want to delete is protecting assets, you must associate those assets with a different protection policy before you can delete the policy.

About this task

Use the PowerProtect Data Manager UI to delete a protection policy.

Procedure

1. Select Protection > Protection Policy.

2. Select the policy you want to delete and click Delete.

Add a Service Level Agreement The SLA Compliance window in the PowerProtect Data Manager UI enables you to add a service level agreement (SLA) that identifies your Service Level Objectives (SLOs). You use the SLOs to verify that your protected assets are meeting the Service Level Agreements (SLAs).

About this task

Note: When you create an SLA for Cloud Tier, you can include only full backups in the SLA.

Procedure

1. Select Protection > SLA Compliance.

The SLA Compliance window displays with the following information:

l SLA Name

l Stage Type

l Policies At Risk

l Objectives Out of Compliance

l Impacted Assets

2. Select the type of asset for which you want to add the SLA, and click Add.

The Add Service Level Agreement Type window appears.

3. Select the type of SLA that you want to add, and then click Next.

l Policy. If you choose this type, go to step 4

l Backup. If you choose this type, go to step 5.

l Promotion. If you choose this type, go to step 6.

l Replication. If you choose this type, go to step 7.

l Cloud Tier. If you choose this type, go to step 8.

You can select only one type of Service Level Agreement.

4. If you selected Policy, specify the following fields regarding the purpose of the new Policy SLA:

a. The SLA Name.

Managing Protection Policies

PowerProtect Data Manager Administration and User Guide 147

b. If applicable, select Minimum Copies, and specify the number of Backup and Replication.

c. If applicable, select Maximum Copies, and specify the number of Backup and Replication.

d. If applicable, select Available Location and select the applicable locations. To add a location, click Add Location.

Options are:

l InInclude locations of all copies in the SLO locations. Does not require every SLO location to have a copy.

l Must InInclude locations of all copies in the SLO locations. Requires every SLO location to have at least one copy.

l ExcludeLocations of all copies must be other than SLO locations.

e. Click Finish and go to step 9.

5. If you selected Backup, specify the following fields regarding the purpose of the new Backup SLA:

a. The SLA Name.

b. If applicable, select Recovery Point Objective (RPO), and then set the duration. The purpose of an RPO is business continuity planning, and refers to the maximum targeted period in which data (transactions) might be lost from an IT service due to a major incident.

Note: You can select only Recovery Point Objective to configure as an independent objective in the SLA, or select both Recovery Point Objective and Compliance Window. If you select both, the RPO setting must be one of the following:

l Greater than 24 hours or more than the Compliance window duration, in which case RPO validation will occur independent of the Compliance Window.

l Less than or equal to the Compliance Window duration, in which case RPO validation will occur within the Compliance Window.

c. If applicable, select Compliance Window, and then set the duration, which refers to the time it takes to create the backup copy. Ensure that the Start Time and End Time of backup copy creation falls within the Compliance Window duration specified.

These are the times in which you can expect the specified activity to take place. Any specified activity that occurs outside of this Start Time and End Time triggers an alert.

d. If applicable, select the Verify expired copies are deleted option.

Verify expired copies are deleted is a compliance check to see if PowerProtect Data Manager is deleting expired copies. This option is disabled by default.

e. If applicable, set the Retention Time Objective, and specify the number of Days, Months, Weeks or Years.

f. If applicable, select the Verify Retention Lock is enabled for all copies option. This option is disabled by default.

g. Click Finish, and go to step 9.

The SLA Compliance window appears with the newly added SLA.

6. If you selected Promotion, specify the following fields regarding the purpose of the new Promotion SLA:

Managing Protection Policies

148 PowerProtect Data Manager Administration and User Guide

a. The SLA Name.

b. If applicable, specify the Recovery Point Objective.

c. If applicable, select the Verify expired copies are deleted option.

Verify expired copies are deleted is a compliance check to see if PowerProtect Data Manager is deleting expired copies. This option is disabled by default.

d. If applicable, set the Retention Time Objective, and specify the number of Days, Months, Weeks, or Years.

e. If applicable, select the Verify Retention Lock is enabled for all copies option. This option is disabled by default.

f. Click Finish, and go to step 9.

The SLA Compliance window appears with the newly added SLA.

7. If you selected Replication, specify the following fields regarding the purpose of the new Replication SLA:

a. The SLA Name.

b. If applicable, select the Compliance Window, and specify the Start Time and End Time.

These are the times which are permissible and in which you can expect the specified activity to take place. Any specified activity that occurs outside of this start time and end time triggers an alert.

c. If applicable, select the Verify expired copies are deleted option.

Verify expired copies are deleted is a compliance check to see if PowerProtect Data Manager is deleting expired copies. This option is disabled by default.

d. If applicable, set the Retention Time Objective, and specify the number of Days, Months, Weeks, or Years.

e. If applicable, select the Verify Retention Lock is enabled for all copies option. This option is disabled by default.

f. Click Finish, and go to step 9.

The SLA Compliance window appears with the newly added SLA.

8. If you selected Cloud Tier type SLA, specify the following fields regarding the purpose of the new Cloud Tier SLA:

a. The SLA Name.

b. If applicable, select the Verify expired copies are deleted option.

This option is a compliance check to see if PowerProtect Data Manager is deleting expired copies. This option is disabled by default.

c. If applicable, set the Retention Time Objective and specify the number of Days, Months, Weeks, or Years.

d. If applicable, select the Verify Retention Lock is enabled for all copies option. This option is disabled by default.

e. Click Finish.

9. Add the newly added SLA to the protection policy. Select Protection > Protection Policy.

10. In the Schedule section of the Summary window, click Edit.

11. Do one of the following, and then click Next:

Managing Protection Policies

PowerProtect Data Manager Administration and User Guide 149

l Select the added Policy SLA from the Set Policy Level SLA list.

l Create and add the new SLA policy from theSet Policy Level SLA list.

The Summary window appears.

12. Click Finish.

An informational message appears to confirm that PowerProtect Data Manager has saved the protection policy.

13. Click Go to Jobs to open the Jobs window to monitor the backup and compliance results, or click OK to exit.

Note: Compliance checks occur automatically every day at 2 am Coordinated Universal Time (UTC).

14. In the Jobs window, click next to an entry to view details on the SLA Compliance result.

Export Asset Compliance This option enables you to export compliance records to a CSV file so that you can download an Excel file of compliance results data.

Procedure

1. Select Protection > SLA Compliance.

The SLA Compliance window appears. The PowerProtect Data Manager SLA Compliance window displays the following information:

l SLA Name

l Stage Type

l Policies At Risk

l Objectives Out of Compliance

l Impacted Assets

2. Select the SLA for which you would like to export the compliance records.

3. Click Export Asset Compliance.

The Export Asset Compliancewindow appears.

4. Specify the following fields for the export:

a. The Time Range.

The default is Last 24 hours.

This refers to the last complete midnight-to-midnight 24 hour period; that is, yesterday. So, any events that have occurred since the most recent midnight are not included in the CSV export. For example, if you run the CSV export at 9am, any events that have occurred in the last 9 hours are not included in the CSV export. This is to prevent the overlapping of or partial exporting when queried mid-day on a regular or irregular basis.

b. The Job Status.

c. Click Download .CSV .

If applicable, the navigation window appears for you to select the location to save the CSV file.

5. If applicable, save the CSV file in the desired location and click Save.

Managing Protection Policies

150 PowerProtect Data Manager Administration and User Guide

Dynamic filters Dynamic filters enable you to automatically determine which assets are assigned to protection policies when the assets are discovered, based on the filter's rule definitions (rules for inclusion).

When you define a dynamic filter for a protection policy, note the following requirements:

l A protection policy must exist prior to creating the dynamic filter.

l An asset can only belong to one protection policy.

l Virtual machine tags created in the vSphere Client can only be applied to a dynamic filter.

l To ensure the protection of homogeneous assets, the dynamic filter must specify a storage asset type.

l A virtual machine application-aware protection policy that protects a Microsoft SQL Server Always On availability group (AAG) must include all the virtual machines of the AAG in the same protection group. Failure to meet this requirement might result in Microsoft SQL Server transaction log backups being skipped. Ensure that the dynamic filters are designed to include all the AAG virtual machines.

Note: With PowerProtect Data Manager 19.4 or later, ensure that Oracle dynamic filters do not use the DB ID and Oracle SID Name field settings that were supported with earlier versions.

Creating virtual machine tags in the vSphere Client Creating virtual machine tags in the vSphere Client is supported by PowerProtect Data Manager with vSphere versions 6.5 and later. Tags enable you to attach metadata to the virtual assets in the vSphere inventory, which makes assets easier to sort and search for when creating a protection policy.

Asset inclusion in a PowerProtect Data Manager protection policy is based on the filtering criteria applied to user-defined rules that you specify when creating a dynamic filter.

When you create a tag in the vSphere Client, the tag must be assigned to a category in order to group related tags together. When defining a category, you can specify the object types to which the tags will be applied and whether more than one tag in the category can be applied to an object. Within a single rule, you can apply up to 50 rule definitions to tags and categories, as shown in the following example where Category is the category name and Bronze is the tag name:

l Category:Category1,Tag:Bronze1

l Category:Category2,Tag:Bronze2

l Category:Category3,Tag:Bronze3

l ... Category:Category50,Tag:Bronze50

In the above example, category names and tag names that exceed 9 or 7 characters respectively, reduce the limit for rule definitions in a single rule to less than 50. When rule definitions exceed the maximum limit, no virtual machines are backed up as part of the group, because no members are associated with the group. As a best practice, keep the number of rule definitions within a single rule to 10 or fewer and, in cases where there are a large number of rule definitions within a single rule, keep the number of characters in category or tag names to 10 or fewer.

To view existing tags for vCenter in the vSphere Client, select Menu > Tags & Custom Attributes, and then select the Tags tab. Click a tag link in the table to view the objects associated with this particular tag.

For PowerProtect Data Manager to include tagged assets in a dynamic filter based on the tags created for the vCenter, you must assign at least one tag to at least one virtual machine. Note that

Managing Protection Policies

PowerProtect Data Manager Administration and User Guide 151

tags associated with containers of virtual machines (for example, a virtual machine folder) are not currently supported for tag associations to assets.

Note: Once virtual machines are associated with tags, the association is not reflected in the PowerProtect Data Manager UI until the timeout period has completed. The default timeout to fetch the latest inventory from vCenter is 15 minutes. When adding a dynamic filter and using tags as the asset filter, you must select VM Tags.

Add a dynamic filter Use the PowerProtect Data Manager UI to add dynamic filters. When an asset meets the filter conditions, the asset is automatically assigned to the protection policy that you define for the dynamic filter.

Before you begin

Procedure

1. Select Protection > Dynamic Filter.

The Dynamic Filter window appears, which displays the following information:

l Dynamic Filter Name

l Priority

l Asset Filter

l Assigned Protection Policy

2. Click the Virtual Machines, SQL Databases, Oracle Databases, SAP HANA Databases, File System, or Kubernetes tab to select the type of host for which you would like to add the dynamic filter, and then click Add .

The Add Dynamic Filter wizard opens on the Protection Policy page.

3. Select the target protection policy for the dynamic filter and click Next.

The Asset Filter page appears.

4. Specify the following fields to indicate the purpose of the new Dynamic Filter:

a. Name For example, SQL Rules Prod Finance

b. Description For example, SQL Rules Prod Servers Finance.

Field: Using the three fields, build an asset filter that matches your purpose.

l From the list in the first field, select an asset name (such as Datacenter Name or namespace name), characteristic (such as asset size), or a tag (VM Tags or namespace label) to use as the rule criteria when searching for assets. The options available depend upon the host type selected in step 2.

l From the list in the second field, select the matching criteria. For an asset name, you can select from several options including Begins with, Ends with, Contains, or Equals. For an asset characteristic such as size, you can select Greater than or Less than. For a virtual machine tag or namespace label, you can only select Includes or Does not include.

l In the third field, type a search phrase to apply to the rule criteria to determine a match.

For example, a rule with the filters SQL Server Instance Name, Contains, and Finance helps you create a rule to match the assets in your finance department to the selected protection policy.

Managing Protection Policies

152 PowerProtect Data Manager Administration and User Guide

c. Click Apply.

Any asset that matches the rule and is not currently included in a PowerProtect Data Manager protection policy displays in the Unprotected Assets matching filter table.

d. Verify that the assets that display in the Unprotected Assets matching filter table are the assets that you want to include in the protection policy. If not, clear the filter to view all unprotected assets and build your filter again.

e. When satisfied with the rule matches, click Next.

The Summary page appears.

5. Click Finish.

Results

The dynamic filter is run automatically upon creation.

Manually run a dynamic filter PowerProtect Data Manager automatically runs dynamic filters when new assets are detected or when existing assets are modified. You can also run dynamic filters on demand.

Before you begin

Note: For SQL, Oracle, SAP HANA, and File system asset types, the dynamic filter runs only upon scheduled discovery in PowerProtect Data Manager. Ensure that you schedule discovery for these asset types.

To schedule discovery in the PowerProtect Data Manager UI, complete the following steps:

1. Select Infrastructure > Asset Sources.

2. Select the App/File System Host tab.

3. Select the application host, and then click Discover.

4. From the Discovery Schedule list, select the time of day to initiate the discovery.

Procedure

1. Select Protection > Dynamic Filter.

The Dynamic Filter window appears, which displays the following information:

l Dynamic Filter Name

l Priority

l Asset Filter

l Assigned Protection Policy

2. Select the required dynamic filters, and click Run.

PowerProtect Data Manager runs all the selected dynamic filters of the current asset type.

Edit or delete a dynamic filter Use the PowerProtect Data Manager UI to edit a dynamic filter. You can change the filter name, description, the filter itself, and the associated protection policy.

Procedure

1. Select Protection > Dynamic Filter.

The Dynamic Filter window appears, which displays the following information:

Managing Protection Policies

PowerProtect Data Manager Administration and User Guide 153

l Dynamic Filter Name

l Priority

l Asset Filter

l Assigned Protection Policy

2. Select a dynamic filter and click Edit .

The Summary window appears.

3. To edit the name or description of the dynamic filter, modify the desired fields and click Finish.

4. To delete a dynamic filter, select the dynamic filter and click Delete.

When you click Delete, PowerProtect Data Manager will remove the assets that you added by dynamic filters. PowerProtect Data Manager will add those assets again if you do not update related dynamic filters.

Change the priority of the existing dynamic filter Use the PowerProtect Data Manager UI to change the priority of a dynamic filter.

About this task

When multiple dynamic filters exist, you can define the priority of the dynamic filter. Priority determines which dynamic filter PowerProtect Data Manager applies for an asset if an asset matches multiple dynamic filters, and if the matching dynamic filters have conflicting actions. For example, if an asset protection policy assignment matches several dynamic filters and each dynamic filter specifies a different protection policy assignment, the protection policy is determined by the dynamic filter with the highest priority.

An integer is used to represent the priority of the dynamic filter. The smaller value has the higher priority.

Procedure

1. Select Protection > Dynamic Filter.

The Dynamic Filter window appears, which displays the following information:

l Dynamic Filter Name

l Priority

l Asset Filter

l Assigned Protection Policy

2. To change a dynamic filter's priority, select the dynamic filter and click Up or Down.

The smaller value has the higher priority.

Enable dynamic filters to move virtual assets across policies By default, dynamic filters move unprotected assets (assets that have yet to be added to a protection policy) into protection policies. For VMware assets, however, you can enable an option for dynamic filters to move protected virtual assets across protection policies. This option might be useful when you want to move assets from an old protection policy to a new policy, or unprotect assets that no longer require protection. When enabled, if the asset properties or the dynamic filters are changed, PowerProtect Data Manager recalculates the asset policy assignments according to the changed status. To enable this option, perform the following steps:

Managing Protection Policies

154 PowerProtect Data Manager Administration and User Guide

Before you begin

Note: This option is only available for dynamic filters that are applied to VMware virtual assets.

Procedure

1. Log in to the PowerProtect Data Manager server as an admin.

2. Open the /usr/local/brs/lib/cbs/config/application.properties file, or create this file if it does not exist.

3. Add the following line to the file:

"cbs.dynamicFilter.moveVmAssetsAcrossProtectionPoliciesEnabled=true"

4. Run cbs restart to restart the CBS server with the new configuration.

Configure system setting for dynamic filters You can change the system setting for dynamic filters to determine the behavior that results when a filter changes.

Procedure

1. Update the configuration file usr/local/brs/lib/cbs/config/ application.properties as follows to change the behavior of the filters.

Option Description

Set cbs.dynamicFilter.moveVmAssetsAcrossProtectionPoliciesEnabled =false (default)

When the dynamic filter changes, if the filtering rule matches, unprotected assets are assigned to the policy. If the filtering rule becomes unmatched, the protected assets are NOT unassigned. When a vCenter incremental message is received, VMware assets are not assigned or unassigned.

Managing Protection Policies

PowerProtect Data Manager Administration and User Guide 155

Option Description

Set cbs.dynamicFilter.moveVmAssetsAcrossProtectionPoliciesEnabled =true

When the dynamic filter changes, both protected and unprotected assets are assigned or unassigned to address the filtering rule matching. When a vCenter incremental message is received, both protected and unprotected VMware assets are assigned or unassigned to address assets character changes for existing dynamic filters.

Managing Protection Policies

156 PowerProtect Data Manager Administration and User Guide

CHAPTER 9

Restoring Data and Assets

This section includes the following topics:

l Viewing copies..................................................................................................................... 158 l Restore a virtual machine or VMDK..................................................................................... 158 l Restore an application-aware virtual machine backup...........................................................171 l Centralized and file-level restore of a File System host........................................................172 l Restoring a Storage Direct VMAX storage group................................................................. 175 l Restoring a Kubernetes namespace..................................................................................... 178 l Restore the PowerProtect Data Manager server ................................................................ 182 l Restore Cloud Tier backups to the DD system..................................................................... 182 l Troubleshooting virtual machine restore issues....................................................................183

PowerProtect Data Manager Administration and User Guide 157

Viewing copies You can view summaries of protected copy sets in the system. PowerProtect Data Manager displays details such as the name of the storage system containing the copy set, location, the creation and expiry date of the copy set, and size.

Procedure

1. From the PowerProtect Data Manager UI, select Infrastructure > Assets. Alternatively, select Recovery > Assets.

Assets that have copies are listed.

2. Select an asset, or select one of the following tabs to view assets by type:

l Virtual Machines

l Oracle Databases

l SQL Databases

l File System

l Kubernetes

l SAP HANA Databases

The entire list of assets that are associated with this type are listed. Note: You can also search for assets by name. For virtual machines, you can also click the File Search button to search on specific criteria.

3. To view more details, select an asset and click View copies.

The copy map consists of the root node and its child nodes. The root node in the left pane represents an asset, and information about copy locations appears in the right pane. The child nodes represent storage systems.

When you click a child node, the right pane displays the following information:

l Storage system where the copy is stored.

l The number of copies

l Details of each copy, including the time that each copy was created, the size of the copy, the backup type, and the retention time.

l For virtual machine backups, a Disk Excluded column enables you to view any virtual disks (VMDKs) that were excluded from the backup.

Restore a virtual machine or VMDK After virtual assets are backed up as part of a virtual machine protection policy in the PowerProtect Data Manager UI, you can perform image-level and file-level recoveries from individual or multiple virtual machine backups, and also restore individual virtual machine disks (VMDKs) to their original location.

All types of recoveries are performed from the Recovery > Assets window. Recovery options include the following:

l Restore and Overwrite Original VM: Restore to the original virtual machine.

l Restore Individual Virtual Disks: Restore select virtual disks to the original location.

Restoring Data and Assets

158 PowerProtect Data Manager Administration and User Guide

l Create and Restore to New VM: Restore to a new virtual machine.

l Instant Access VM: Instant access to the virtual machine backup for browse and restore.

l File Level Restore: Restore individual files/folders the original or a new virtual machine

l Direct Restore to ESXi: Recover the virtual machine directly to an ESXi host without a vCenter server.

The Restore button, which launches the Restore wizard, is disabled until you select one or more virtual assets in the Recovery > Assets window. Selecting multiple assets disables the View Copies button, since this functionality is available within the first page of the Restore wizard.

To access the Restore and Overwrite Original VM, Create and Restore to New VM, and Instant Access VM recovery types, or the Restore Individual Virtual Disks option, select one or more virtual assets and then click Restore to launch the Restore wizard.

To access the File Level Restore and Direct Restore to ESXi recovery options, select a virtual asset and then click View Copies.

In both instances, you must select a backup copy in the first page of the Restore wizard before you can go to the Options page, which displays the available recovery options.

Note: For all options, recovery in the PowerProtect Data Manager UI can only be performed if the backup or replica is on a DD system. If a replica backup does not exist on such storage, you must manually replicate this backup to DD storage before performing the restore.

The following sections describe each recovery option and provide instructions to perform the recovery.

Note: SQL virtual machine full database and transaction log restore from application-aware virtual machine protection policies must be performed using Microsoft application agent tools. The section Restore an application-aware virtual machine backup provides more information.

Prerequisites to restore a virtual machine Review the following requirements before you restore a virtual machine in PowerProtect Data Manager:

l Users who want to perform a virtual machine restore must have Admin or Export and Recovery Admin privileges. Go to Administration > Roles and review the user profile to ensure that the user has the appropriate privileges. A user with the role "User" cannot perform a restore.

l Ensure that you have added the DD system, the DD Management Center (DDMC) or DD Virtual Edition (DDVE), and the vCenter server, and that the protection of virtual machine copies has completed successfully. To check, go to Infrastructure > Assets and Infrastructure > Asset Sources.

l Ensure that protection of the virtual machines completed successfully. If the virtual machines have been backed up by a protection policy, the assets appear in the Recovery > Assets window.

l If performing a restore to a new location, ensure that sufficient space is available on the target datastore.

l Verify that the virtual machine copy that is selected for restore has not expired.

Restore and Overwrite original virtual machine A Restore and Overwrite Original VM recovers a virtual machine backup to its original location on the vCenter. This operation rolls the virtual machines that you backed up with the protection

Restoring Data and Assets

PowerProtect Data Manager Administration and User Guide 159

policy in PowerProtect Data Manager to an earlier point in time. Use this process for restoring the production system.

Before you begin

Review Prerequisites to virtual machine restore before performing the restore.

About this task

Note: If the original virtual machine was deleted, a Restore and Overwrite Original VM recovery attempts to re-create the virtual machine. However, if the original virtual machine resources such as the datastore and cluster are no longer available, the restore fails and a Restore to New is required.

Procedure

1. In the PowerProtect Data Manager UI, select Recovery > Assets and select the Virtual Machines tab.

The Recovery window displays all virtual machines available for recovery.

2. Select the checkbox next to the appropriate virtual machines and click Restore.

You can also use the filter in the Name column to search for the asset name of the specific virtual machine or use the File Search button to search on specific criteria for files within backed-up virtual machines.

The Recovery wizard appears.

3. On the Select Copy page, for each virtual machine that is listed in the table, select the radio button next to the virtual machine and click Choose Copy.

The Choose Copy dialog box appears. Note: If you click Next without choosing a copy, the most recent backup copy is used.

4. If the backup is on a DD system, click DD, and then select from one of the available copies that display in the table.

5. Click OK to save the selection and exit the dialog, and then click Next.

6. On the Purpose page, select Restore Entire VMs to restore the image-level virtual machine backup to the original location, and then click Next.

Note: If you specified any disk exclusions in the virtual machine protection policy, a message appears indicating that disks were excluded from this backup. If one of the excluded disks was a boot disk, the restore might not complete successfully.

The Restore Type page displays.

7. On the Restore Type page, select Restore and Overwrite Original VM, and then click Next.

The Options page appears, displaying the current configuration of the virtual machine along with any disks that have been added since the last backup.

8. On the Options page, if there are any hard disks in the current virtual machine configuration that were not part of the original backup:

l Select Delete disks that will be detached to remove these disks upon restore.

l Clear Delete disks that will be detached to keep these disks in their original folders on the virtual machine after the restore. These disks will not be in the virtual machine configuration, but after the restore you can then use the vSphere Client to manually reattach or download these disks as appropriate.

9. Click Next.

Restoring Data and Assets

160 PowerProtect Data Manager Administration and User Guide

The Summary page appears with a confirmation message indicating that the virtual machine will be powered off and that the virtual machine in the datastore will revert to the point in time of the selected backup copy before being powered back on.

10. On the Summary page, click Restore.

An informational dialog box appears indicating that the restore has started.

11. Go to the Jobs window to monitor the restore.

A restore job appears with a progress bar and start time.

Restore individual virtual disks A virtual disk (VMDK) restore recovers individual VMDKs to their original location on the vCenter, rolling the VMDKs that you backed up with the protection policy in PowerProtect Data Manager to an earlier point in time.

Before you begin

Review Prerequisites to virtual machine restore before you perform the following procedure.

About this task

Note: When you restore individual VMDKs, only the selected disks are restored. The virtual machine configuration does not change.

Procedure

1. In the PowerProtect Data Manager UI, select Recovery > Assets and select the Virtual Machines tab.

The Recovery window displays all virtual machines available for recovery.

2. Select the checkbox next to the appropriate virtual machines and click Restore.

You can also use the filter in the Name column to search for the name of the specific virtual machine or click the File Search button to search on specific criteria.

The Recovery wizard appears.

3. On the Select Copy page, for each virtual machine that is listed in the table, select the radio button next to the virtual machine and click Choose Copy.

The Choose Copy dialog box appears. Note: If you click Next without choosing a copy, the most recent backup copy is used.

4. If the backup is on a DD system, click DD, and then select from one of the available copies that display in the table.

5. Click OK to save the selection and exit the dialog, and then click Next.

6. On the Purpose page, select Restore Individual Virtual Disks to restore specific VMDKs, and then click Next.

The Select Disks page displays.

7. From the Backup Properties pane, select the VMDKs that you want to restore, and then click Next. Note that individual VMDKs can only be restored to the original location.

The Summary page appears with a confirmation message indicating that the selected disk(s) will be overwritten in the current configuration with the copy from the backup.

8. On the Summary page, click Restore.

An informational dialog box appears indicating that the restore has started.

9. Go to the Jobs window to monitor the restore.

Restoring Data and Assets

PowerProtect Data Manager Administration and User Guide 161

A restore job appears with a progress bar and start time.

Restore to a new virtual machine A Create and Restore to New VM enables you to create a new virtual machine using a copy of the original virtual machine backup. Other than having a new name or location and a new vSphere VM Instance UUID, this copy is an exact replica of the virtual machine that you backed up with the protection policy in PowerProtect Data Manager.

Before you begin

Review Prerequisites to virtual machine restore before you perform this procedure.

Procedure

1. Select the checkbox next to the appropriate virtual machines and click Restore.

You can also use the filter in the Name column to search for the name of the specific virtual machine or click the File Search button to run file level restore workflows on specific files within VMs.

The Recovery wizard appears.

2. On the Select Copy page, for each virtual machine that is listed in the table, select the radio button next to the virtual machine and click Choose Copy.

The Choose Copy dialog box appears. Note: If you click Next without choosing a copy, the most recent backup copy is used.

3. If the backup is on a DD system, click DD, and then select from one of the available copies that display in the table.

4. Click OK to save the selection and exit the dialog, and then click Next.

5. On the Purpose page:

l Select Restore Entire VMs if you want to restore an image-level virtual machine backup. Note: If you specified any disk exclusions in the virtual machine protection policy, a message appears indicating that disks were excluded from this backup. If one of the excluded disks was a boot disk, the restore might not complete successfully.

l Select Restore Individual Virtual Disks if you want to restore only specific VMDKs. Note: Individual disks can only be restored to the original location.

6. Click Next.

7. On the Restore Type page, select Create and Restore to New VM, and then click Next.

8. On the VM Information page:

a. Select whether you want to use the original virtual machine name or rename the new virtual machine by appending a suffix to the original name. If the location for the new virtual machine restore will be a different folder than the original location, you can use the original name.

b. From the Restore to vCenter list, select the vCenter server for the new virtual machine restore. This list displays any vCenter server that has been added from the Assets window.

When you select a vCenter server, available data centers appear.

c. Select the destination data center.

d. Click Next.

9. On the Restore Location page:

Restoring Data and Assets

162 PowerProtect Data Manager Administration and User Guide

a. Select the location within this data center that you want to restore the virtual machine by expanding the hierarchical view. For example, select a specific cluster, and then select a host within the cluster.

b. If you select an ESXi host within this page, the next page is unnecessary.

c. Click Next.

10. On the ESX Host page:

l If you did not select a specific host in the previous step, select a host that is connected with the cluster, and then click Next.

l If you selected a host in the previous step, this page indicates that a host is already selected and you can click Next to proceed.

11. On the Disk Files Datastore page, select the datastore where you want to restore the virtual machine disks, and then click Next.

l To restore all disks to the same location, keep the Configure per disk slider to the left, and then select the datastore from the Storage list.

l To restore disks to different locations, move the Configure per disk slider to the right, and then:

a. Select a datastore for each disk from the Storage list.

b. Select the type of provisioning you want to apply to the disk from the Disk Format list.

12. On the Options page:

a. For Select Access Level, keep the slider set to Yes if you want to enable instant access for this restore.

When you select this option, the virtual machine is created and turned on while temporarily accessing the VMDKs from DD storage. Storage vMotion is initiated to the target datastore. The virtual machine becomes available for use when it is turned on.

b. (Optional) For the recovery options, select Power on the virtual machine when the recovery completes and Reconnect the virtual machine's NIC when the recovery completes. Power on the virtual machine when the recovery completes is selected by default when instant access is enabled.

c. Click Next.

13. On the Summary page, verify that the information you specified in the previous steps is correct, and then click Restore.

14. Go to the Jobs window to monitor the restore.

A restore job appears with a progress bar and start time. You can also click next to the job to verify what steps have been performed, for example, when the instant access session has been created.

Instant access virtual machine restore An instant access virtual machine restore enables you to create a new virtual machine directly from the original virtual machine backup on the DD system for the purposes of instant backup validation and recovery of individual files. The instant access virtual machine is initially available for 7 days. This process does not copy or move any data from the DD system to the production datastore. An instant access virtual machine restore also provides the option to move the virtual machine to a production datastore when you want to retain access to the virtual machine for a longer time.

Restoring Data and Assets

PowerProtect Data Manager Administration and User Guide 163

Procedure

1. Select the check box next to the appropriate virtual machines and click Restore.

You can also use the filter in the Name column to search for the name of the specific virtual machine, or click the File Search button to search on specific criteria.

The Recovery wizard appears.

2. On the Select Copy page, for each virtual machine that is listed in the table, select the radio button next to the virtual machine and click Choose Copy.

The Choose Copy dialog box appears. Note: If you click Next without choosing a copy, the most recent backup copy is used.

3. If the backup is on a DD system, click DD, and then select from one of the available copies that display in the table.

4. Click OK to save the selection and exit the dialog, and then click Next.

5. On the Purpose page:

l Select Restore Entire VMs if you want to restore an image-level virtual machine backup. Note: If you specified any disk exclusions in the virtual machine protection policy, a message appears indicating that disks were excluded from this backup. If one of the excluded disks was a boot disk, the restore might not complete successfully.

l Select Restore Individual Virtual Disks if you want to restore only specific VMDKs. Note: Individual disks can only be restored to the original location.

6. On the Restore Type page, select Instant Access VM, and then click Next.

7. On the VM Information page:

a. Select whether you want to use the original virtual machine name for the instant access virtual machine restore, or rename the instant access virtual machine by appending a suffix to the original name.

b. From the Restore to vCenter list, select the vCenter server for the instant access virtual machine restore. You can select the vCenter of the original virtual machine backup, or another vCenter. This list displays any vCenter server that has been added from the Assets window.

When you select a vCenter server, available data centers appear.

c. Select the destination data center.

d. Click Next.

8. On the Restore Location page, select the location within this data center that you want to restore the virtual machine by expanding the hierarchical view. For example, select a specific cluster, and then select a host within the cluster. If you select an ESXi host within this page, the next page is unnecessary. Click Next.

9. On the ESX Host page:

l If you did not select a specific host in the previous step, select a host that is connected with the cluster, and then click Next.

l If you selected a host in the previous step, this page indicates that a host is already selected and you can click Next to proceed.

10. On the Options page:

a. Specify a name for the Instant Access virtual machine.

b. Optionally, select Power on the virtual machine when the recovery completes and Reconnect the virtual machine's NIC when the recovery completes. Power on the

Restoring Data and Assets

164 PowerProtect Data Manager Administration and User Guide

virtual machine when the recovery completes is selected by default for instant access virtual machine restores.

c. Click Next.

11. On the Summary page, verify that the information you specified in the previous steps is correct, and then click Restore.

A confirmation message displays indicating that the restore has been initiated and providing the option to go to the Jobs window to monitor the restore progress.

12. Go to the Jobs window to view the entry for the instant access virtual machine recovery

and verify when the recovery completes successfully. You can also click next to the job to verify what steps have been performed, for example, when the instant access session has been created.

Results

To monitor and manage the instant access virtual machine recovery, select Recovery > Running Activities, and then click the Instant Access Sessions tab. From this window, you can also extend the instant access virtual machine session beyond the default period of 7 days.

Note: On a single-node system such as a DD system, instant access/restore functionality has been enhanced to return a failure message when overwhelmed with traffic. For example, if on the target node or the ESXi host there are Live VM and/or Instant Restore sessions that are in conflict, instant access/restore jobs will fail with a message indicating a resource contention issue. If this occurs, you need to clear the conflicts and then restart the session in order for the job to execute.

Manage and monitor Instant Access Sessions The Instant Access Sessions tab in the Recovery > Running Sessionswindow enables you to manage the status of a virtual machine restore to new or instant access virtual machine restore (for example, by extending the availability period or deleting an instant access virtual machine) and monitor vMotion events.

Note: The Instant Access Sessions that are used by a SQL application-aware self-service restore are displayed in the PowerProtect Data Manager UI, but management is disabled. Use the SQL application-aware self-service restore UI to manage these sessions.

When the Jobs window indicates that a recovery has completed successfully, go to Recovery > Running Sessions > Instant Access Sessions to access information about the sessions. This window enables you to monitor and manage all exported copies that you have created from the DD system. An active restore session with a state of Mounting indicates that the restore is still in progress. Once the state changes to Mounted, the restore is complete and the instant access virtual machine is ready. When you select the session in the table, you can choose from three options:

l Extend Click to extend the number of days the instant access virtual machine restore is available. The default retention period of an instant access virtual machine restore is 7 days.

l Migrate Click to open the Migrate Storage vMotion wizard, which enables you to move the instant access virtual machine to a protection datastore. Migrate an instant access session provides instructions.

l Delete Click if you no longer require the active restore session. Note that you can also vMotion from inside the vCenter server, and PowerProtect Data Manager removes the Instant Access Session upon detection.

For instant access virtual machine restores, availability of the instant access virtual machine session is also indicated in the vSphere Client. The session appears in the Recent Tasks pane, and you can expand the cluster and select the instant access virtual machine to view summary information, as shown in the following figure.

Restoring Data and Assets

PowerProtect Data Manager Administration and User Guide 165

Figure 7 instant access virtual machine restore in the vSphere Client

Migrate an Instant Access session Once you validate that the instant access virtual machine is the virtual machine that you require for production, click Migrate to open the Migrate Storage vMotion wizard, which enables you select the session and move the virtual machine to a production datastore.

Procedure

1. Go to Recovery > Running Sessions, and click the Instant Access Sessions tab.

2. Select a session from the table that is in Mounted state, and click Migrate.

The Migrate Storage vMotion wizard displays.

3. On the Disk Files Datastore page, select the datastore where you want to relocate the instant access virtual machine, and then click Next.

l To migrate all VMDKs to the same datastore, keep the Configure per disk slider to the left, and then select the datastore from the Storage list.

l To migrate VMDKs to separate datastores, move the Configure per disk slider to the right, and then:

a. Select a datastore for each disk from the Storage list.

b. Select the type of provisioning you want to apply to the disk from the Disk Format list.

4. On the Summary page, review the information to ensure that the details are correct, and then click Migrate.

5. Go to the Jobs window or the Instant Access Sessions window to view the progress of the migration.

In the Jobs window, the migration job appears with a progress bar and start time. You can

also click next to the job to verify what steps have been performed. In the Instant Access Sessions window, you can monitor the vMotion status of the migration. When a vMotion is in progress, the status indicates VMotioning. Once the storage vMotion for the session is complete, the status of the session changes to Deleting as the session is being removed from the Instant Access Sessions window.

Restoring Data and Assets

166 PowerProtect Data Manager Administration and User Guide

File level restore to original virtual machine A file level restore to original virtual machine enables you to recover individual files from backups of virtual machines or VMDKs performed in PowerProtect Data Manager to the same or a new location on the original vCenter Server.

Before you begin

l Review the section Supported platform versions for file-level restore for supported platform and operating system versions.

l Review the section File-level restore and SQL restore limitations on page 188.

l Ensure that the FLR Agent is installed on the target virtual machine by logging into the virtual machine and verifying that the agent package is installed and the agent process is running. If the FLR Agent is not installed, the installation is initiated automatically when you start the mount. When installing the FLR Agent on Windows virtual machines, the user must be an administrator account. When installing the FLR Agent on Linux virtual machines, the user must be the root user account. The section FLR Agent for virtual machine file-level restore on page 185 provides more information.

Note: For file-level restores, you can only restore files:

l From a Windows backup to a Windows machine, or from a Linux backup to a Linux machine.

l To virtual machines within the same vCenter.

About this task

Note: File level restore in the PowerProtect Data Manager UI can only be performed by an administrator.

Procedure

1. In the PowerProtect Data Manager UI, go to Recovery > Assets and select the Virtual Machines tab.

The Recovery window displays all the virtual machines available for recovery.

2. Select the checkbox next to the virtual machine that you want to recover from, and then click View Copies.

You can also use the filter in the Name column to search for a specific virtual machine name, or click the File Search button to search on specific criteria.

The Recovery > Assets window provides a map view in the left pane and copy details in the right pane. When a virtual machine is selected in the map view, the virtual machine name displays in the right pane with the copy locations underneath. When you select a location in the left pane, for example, a DD system, the copies on that system display in the right pane.

3. If the backup is on a DD system, click DD, and then select from one of the available copies that display in the table.

4. In the right pane, select the checkbox next to the virtual machine backup you want to restore, and then click File Level Restore.

The File Level Recover wizard appears.

5. On the Restore Type page, select Restore to Original Virtual Machine, and then click Next.

6. On the Mount Copy page:

Restoring Data and Assets

PowerProtect Data Manager Administration and User Guide 167

a. To initiate the disk mount, type the guest operating system user credentials:

l If there are administrator-level credentials associated with the virtual assets or protection policy being restored, specify end-user credentials.

l If there are no administrator-level credentials associated with the virtual assets or protection policy being restored, specify administrator credentials. These credentials will be handled as end-user credentials.

b. (Optional) Leave Keep FLR Agent Installed selected when you want the FLR Agent to remain on the destination virtual machine after the restore completes.

c. Click Start Mount to initiate the disk mount.

If not already installed, the FLR Agent is installed on the target virtual machine. A progress bar indicates when the mount completes.

Note: You cannot browse the contents of the virtual machine backup until the mounting of the destination virtual machine completes successfully.

d. Upon successful mount, click Next.

7. On the Select Files to Recover page:

a. Expand individual folders to browse the original virtual machine backup, and select the objects that you want to restore to the destination virtual machine.

b. Click Next.

Note: When you browse for objects to recover on this page, each directory or hard drive appears twice. As a result, when you select an object from one location, the object is selected in the duplicate location as well.

8. On the Options page, select from one of the following options, and then click Next.

l Restore to Original Folder and Overwrite Original FilesSelect this option to restore all selected files to their original location on the original virtual machine.

l Restore to an Alternate FolderSelect this option if you want to restore to a new folder in a new location on the original virtual machine.

9. On the Summary page:

a. Review the information to ensure that the restore details are correct. You can click Edit next to any row to change the information.

b. Click Restore.

10. Go to the Jobs window to monitor the restore.

A restore job appears with a progress bar and start time.

File level restore to alternate virtual machine A file level restore to alternate virtual machine enables you to recover individual files from backups of virtual machines or VMDKs performed in PowerProtect Data Manager to a new location on a new virtual machine. This restore can be performed to a primary or secondary vCenter Server.

Before you begin

l Review the section Supported platform versions for file-level restore for supported platform and operating system versions.

l Review the section File-level restore and SQL restore limitations on page 188.

l Ensure that the FLR Agent is installed on the target virtual machine by logging into the virtual machine and verifying that the agent package is installed and the agent process is running. If

Restoring Data and Assets

168 PowerProtect Data Manager Administration and User Guide

the FLR Agent is not installed, the installation is initiated automatically when you start the mount. When installing the FLR Agent on Windows virtual machines, the user must be an administrator account. When installing the FLR Agent on Linux virtual machines, the user must be the root user account. The section FLR Agent for virtual machine file-level restore on page 185 provides more information.

Note: For file-level restores, you can only restore files:

l From a Windows backup to a Windows machine, or from a Linux backup to a Linux machine.

l To virtual machines within the same vCenter.

Procedure

1. In the PowerProtect Data Manager UI, go to Recovery > Assets and select the Virtual Machines tab.

The Recovery window displays all the virtual machines available for recovery.

2. Select the checkbox next to the virtual machine that you want to recover from, and then click View Copies.

You can also use the filter in the Name column to search for a specific virtual machine name, or click the File Search button to search on specific criteria.

The Recovery > Assets window provides a map view in the left pane and copy details in the right pane. When a virtual machine is selected in the map view, the virtual machine name displays in the right pane with the copy locations underneath. When you select a location in the left pane, for example, a DD system, the copies on that system display in the right pane.

3. If the backup is on a DD system, click DD, and then select from one of the available copies that display in the table.

4. In the right pane, select the checkbox next to the virtual machine backup you want to restore, and then click File Level Restore.

The File Level Recover wizard appears.

5. On the Restore Type page, select Restore to Alternate Virtual Machine, and then click Next.

6. On the Select Target VM page, choose from one of the following options:

l Search for a target virtual machine by typing the name.

l Browse from the available vCenter Servers to locate the destination virtual machine.

7. On the Mount Copy page:

a. To initiate the disk mount, type the guest operating system user credentials:

l If there are administrator-level credentials associated with the virtual assets or protection policy being restored, specify end-user credentials.

l If there are no administrator-level credentials associated with the virtual assets or protection policy being restored, specify administrator credentials. These credentials will be handled as end-user credentials.

b. (Optional) Leave Keep FLR Agent Installed selected when you want the FLR Agent to remain on the destination virtual machine after the restore completes.

c. Click Start Mount to initiate the disk mount.

If not already installed, the FLR Agent is installed on the target virtual machine. A progress bar indicates when the mount completes.

Restoring Data and Assets

PowerProtect Data Manager Administration and User Guide 169

Note: You cannot browse the contents of the virtual machine backup until the mounting of the destination virtual machine completes successfully.

d. Upon successful mount, click Next.

8. On the Select Files to Recover page:

a. Expand individual folders to browse the original virtual machine backup, and select the objects that you want to restore to the destination virtual machine.

b. Click Next.

Note: When you browse for objects to recover on this page, each directory or hard drive appears twice. As a result, when you select an object from one location, the object is selected in the duplicate location as well.

9. On the Restore Location page:

a. Browse the folder structure of the destination virtual machine to select the folder where you want to restore the objects.

b. Click Next.

10. On the Summary page:

a. Review the information to ensure that the restore details are correct. You can click Edit next to any row to change the information. If you are not restoring to the original virtual machine, an additional field appears for the Target VM.

b. Click Restore.

11. Go to the Jobs window to monitor the restore.

A restore job appears with a progress bar and start time.

Direct restore to ESXi If the virtual machine you protected with PowerProtect Data Manager was a vCenter virtual machine, but this virtual machine and vCenter is now lost or no longer available, direct restore to ESXi enables you to recover the virtual machine directly to an ESXi host without a vCenter server.

Before you begin

Direct Restore to ESXi restore requires either the embedded or an added VM Direct appliance that is registered to PowerProtect Data Manager.

Additionally, ensure that you disconnect the ESXi host from the vCenter server.

Procedure

1. In the PowerProtect Data Manager UI, go to Recovery > Assets and select the Virtual Machines tab.

The Recovery window displays all of the virtual machines available for recovery.

2. Select the checkbox next to the desired virtual machine and click View Copies.

Note: If you cannot locate the virtual machine, you can also use the filter in the Name column to search for the name of the specific virtual machine or click the File Search button to search on specific criteria.

The Recovery > Asset window provides a map view in the left pane and copy details in the right pane. When a virtual machine is selected in the map view, the virtual machine name displays in the right pane with the copy locations underneath. When you select a specific location in the

Restoring Data and Assets

170 PowerProtect Data Manager Administration and User Guide

left pane to view the copies, for example, on a DD system, the copies on that system display in the right pane.

3. If the backup is on a DD system, click DD, and then select from one of the available copies that display in the table.

4. In the right pane, select the checkbox next to the virtual machine backup you want to restore, and then click Direct Restore to ESXi.

The Direct Restore to ESXi wizard appears.

5. On the Options page:

a. (Optional) Select Reconnect the virtual machine's NIC when the recovery completes, if desired. Power on the virtual machine when the recovery completes is selected by default.

b. Click Next.

6. On the ESX Host Credentials page:

a. In the ESX Host field, type the IP of the ESXi server where you want to restore the virtual machine backup.

b. Specify the root Username and Password for the ESXi Server.

c. Click Next.

7. On the Datastore page, select the datastore where you want to restore the virtual machine disks, and then click Next.

l To restore all of the disks to the same location, keep the Configure per disk slider to the left, and then select the datastore from the Storage list.

l To restore disks to different locations, move the Configure per disk slider to the right, and then:

a. For each available disk that you want to recover, select a datastore from the Storage list.

b. Select the type of provisioning you want to apply to the disk from the Disk Format list.

8. On the Summary page:

a. Review the information to ensure that the details are correct.

b. Click Restore.

9. Go to the Jobs window to monitor the restore.

A restore job appears with a progress bar and start time.

Restore an application-aware virtual machine backup When virtual machine applications are protected within a protection policy in PowerProtect Data Manager, you can recover the application data using the Microsoft application agent.

The PowerProtect Microsoft Application Agent SQL Server User Guide provides instructions on how to restore an application-aware virtual machine using the VM Direct SQL Server Management Studio (SSMS) plug-in.

Restoring Data and Assets

PowerProtect Data Manager Administration and User Guide 171

Centralized and file-level restore of a File System host When File Systems are protected within a protection policy in PowerProtect Data Manager, you can recover the File System data using the centralized restore and file-level restore functionality in the PowerProtect Data Manager UI.

Prerequisites for File System restores

Before performing centralized and file-level restores of File Systems:

l Ensure that the target or destination volume is not a system volume.

l Ensure that the File System agent is not installed and running on the target volume.

l Ensure that there is sufficient space on the target volume for the restore.

l Review the section Supported platform and OS versions for File System file-level restore on page 174.

Increasing the restore timeout

By default, the mount operation times out after 30 minutes and the backup copy is unmounted. When restoring large files, you can increase the restore timeout. Perform this task if restores for large files timeout before completing.

1. Create a file with the name browsersvc.cmd in one of the following locations:

l On Windows, C:\Program Files\DPSFSAGENT\settings l On Linux, /opt/dpsfsagent/settings

2. Add the following line to the file, and specify the timeout value. For example: { "-resexpiry":"timeout" } Where timeout represents 2 minutes.

Centralized restore of File Systems A File System host image-level restore enables you to recover data from backups of file systems performed in the PowerProtect Data Manager UI.

Before you begin

Ensure the following for Linux File System hosts:

l You have disabled Security-Enhanced Linux (SELinux) by running one of the following relevant commands:

n RHEL 7.x or CentOS7.x: setsebool -P nis_enabled 1 n RHEL 6.x or CentOS 6.x: setsebool -P allow_ypbind 1

l You have installed the iscsiadm utility by installing one of the following relevant packages on the Linux client:

n RHEL or CentOS: iscsi-initiator-utils .rpm

n SLES: open-iscsi .rpm

l On SLES, if you want to start the iscsiadm utility for the first time, restart the iSCSI services by running the following command: service open-iscsi restart

Procedure

1. In the PowerProtect Data Manager UI, select Recovery > Assets and select the File System tab.

The Recovery window displays all of the file systems available for recovery.

Restoring Data and Assets

172 PowerProtect Data Manager Administration and User Guide

2. Select the checkbox next to the desired file system and click View Copies.

You can also use the Search field, the filter in the Name column to search on specific criteria to locate a specific file system.

The Recovery > Assets window provides a map view in the left pane and copy details in the right pane. When a file system is selected in the map view, the file system name displays in the right pane with the copy locations underneath. When you select a specific location in the left pane to view the copies, for example, on a DD system, the copies on that system display in the right pane.

3. Click DD, and then select from one of the available copies that display in the table.

4. In the right pane, select the checkbox next to the file system backup you want to restore, and then click Restore.

The Restore wizard appears.

5. On the Select Target Location page, choose from one of the following options, and then click Next.

l Restore to original Restore the file system to the original location.

l Restore to a new location on the original host Select the destination file system asset (volume) from the list of available assets on the host.

l Restore to a new host Browse from the available hosts to locate and select a destination host and file system.

Note: If the destination file system asset already contains some data, this data will be overwritten.

6. On the Summary page:

a. Review the information to ensure that the restore details are correct.

b. Click Restore.

7. Go to the Jobs window to monitor the restore.

A restore job appears with a progress bar and start time.

File level restore from File System backups A file level restore enables the administrator to recover individual files from backups of File Systems that were created in PowerProtect Data Manager.

Before you begin

Review the section Supported platform and OS versions for File System file-level restore on page 174 for supported platform and operating system versions.

PowerProtect Data Manager supports file-level restore only if the backup or replica is on a DD system device.

Procedure

1. In the PowerProtect Data Manager UI, go to Recovery > Assets and select the File Systems tab.

The Recovery window displays the file systems that are available for recovery.

2. Select the check box next to the file system and click View Copies.

You can also use the filter in the Name column to search for the name of the specific file system or click the File Search button to search on specific criteria.

Restoring Data and Assets

PowerProtect Data Manager Administration and User Guide 173

The Recovery > Assets window provides a map view in the left pane and copy details in the right pane. When a file system is selected in the map view, the file system name appears in the right pane with the copy locations underneath. When you select a specific location in the left pane to view the copies, for example, on a DD system, the copies on that system appear in the right pane.

3. If the backup is on a DD system, click DD, and then select from one of the available copies that display in the table.

4. In the right pane, select the check box next to the file system backup you want to restore, and then click File Level Restore.

The File level restore wizard appears.

5. On the Select target host and mount page, choose from one of the following options, and then click Mount.

l Restore to same or original machine.

l Restore to alternate host.

6. When the mount is complete, click Next.

The Select folder and files to recover page appears.

7. On the Select folder and files to recover page:

a. Expand individual folders to browse the original file system backup, and select the objects that you want to restore to the destination file system.

You can also use the filter in the Name column to search for the name of the specific object.

b. Click Next.

The Select restore location page appears.

8. On the Select restore location page:

a. Select the destination drive.

b. Browse the folder structure of the destination file system to select the folder where you want to restore the objects.

c. Click Next.

9. On the Summary page:

a. Review the information to ensure that the restore details are correct.

b. Click Finish.

10. Go to the Jobs window to monitor the restore.

A restore job appears with a progress bar and start time.

Supported platform and OS versions for File System file-level restore File system file-level restore is only supported for the following platforms and operating system versions.

Note: Platforms/operating systems are qualified for file-level restore support using the default File System for these platforms:

l RedHat Enterprise Linux version 6.x, 7.x, 8.x

l SuSE Linux Enterprise Server versions 11 SP1, 11 SP 2, 11 SP3, 11 SP4, 12, 12 SP1, 12 SP2, and 12 SP3

Restoring Data and Assets

174 PowerProtect Data Manager Administration and User Guide

l CentOS versions 6.x, 7.x up to 7.6

l Windows 2012, 2012 R2, 2016, and 2019 for NTFS and ReFS

Linux platforms require an ext3, ext4, or XFS file system type.

Note: The most up-to-date software compatibility information for PowerProtect Data Manager is provided in the E-Lab Navigator, available at https://elabnavigator.emc.com/eln/ modernHomeDataProtection.

PowerProtect Data Manager only supports centralized file-level restore from image-level backups that are created using block-based backups (BBB).

When exclusion filters are applied to a protection policy, PowerProtect Data Manager performs backups using file-based backup technology. To perform file-level restore of a file-based backup, you must use the self-service file-level restore feature. Self-service file-level restore of File Systems on page 195 provides more information.

Restoring a Storage Direct VMAX storage group After VMAX storage group assets are backed up as part of a Storage Direct agent protection policy in the PowerProtect Data Manager UI, you can perform recoveries from one or all of the storage groups in the backup.

All types of restores are performed from the Recovery > Assets window. Restore options include the following:

l Restore to Original: Restore to the original storage group in the original VMAX and overwrite the existing contents.

l Restore to Alternate: Restore to an alternate location on the original VMAX, or to a different VMAX.

l Export: Instant access restore of a VMAX storage group backup.

The Restore button, which launches the Restore wizard, does not appear until you select a storage group in the Recovery > Assets window and click View Copies.

Restore a VMAX storage group backup to the original location A Storage Direct host restore to the original location enables you to rollback data from primary or replicated storage group snapshot backups to the same location on the original host by using the PowerProtect Data Manager UI.

Before you begin

Unmount all of the production LUNs in the original storage group.

Procedure

1. In the PowerProtect Data Manager UI, go to Recovery > Assets and select the VMAX Storage Groups tab.

The Recovery window displays all of the storage groups.

2. Select the checkbox next to the storage group that contains the backup, and click View Copies.

You can also use the Search field, the filter in the Name column to locate a specific storage group.

The Recovery > Assets window provides a map view in the left pane and copy details in the right pane. When you select a specific location in the left pane to view the copies, for example, on a DD system, the copies on that system display in the right pane.

Restoring Data and Assets

PowerProtect Data Manager Administration and User Guide 175

3. In the left pane, click the first DD icon to display the copies on the primary DD system, or the second DD to display the replica copies on the secondary DD system.

4. In the right pane, select the checkbox next to the storage group snapshot backup or replica that you want to restore, and then click Restore.

The Recovery wizard opens on the Select Copy page.

5. On the Select Copy page, select Restore all the copies linked with Backup Operation if you want to restore all Storage Groups that are part of this backup, and then click Next.

Note: If you leave the check box unselected, the backup of only the storage group that you selected in the Recovery > Assets window will be restored.

6. On the Restore Type page, select Restore to Original and Overwrite Original Storage Group, and then click Next.

Note: The files at the original location will be overwritten. If you saved any additional files to this location after the backup, these files will be lost upon rollback.

7. On the Summary page, click Finish to start the restore.

Once the restore completes successfully, you can mount LUNs in the destination storage group to any host.

8. Go to the Jobs window to monitor the restore.

A restore job appears with a progress bar and start time.

Restore a VMAX storage group backup to an alternate location A Storage Direct host restore to an alternate location enables you to recover data from primary or replicated storage group snapshot backups to a different location on the original host, or to a different host, by using the PowerProtect Data Manager UI.

Before you begin

Unmount all of the LUNs in the destination storage group.

Procedure

1. In the PowerProtect Data Manager UI, go to Recovery > Assets and select the VMAX Storage Groups tab.

The Recovery window displays all of the storage groups.

2. Select the checkbox next to the storage group that contains the backup, and click View Copies.

You can also use the Search field, the filter in the Name column to locate a specific storage group.

The Recovery > Assets window provides a map view in the left pane and copy details in the right pane. When you select a specific location in the left pane to view the copies, for example, on a DD system, the copies on that system display in the right pane.

3. In the left pane, click the first DD icon to display the copies on the primary DD system, or the second DD to display the replica copies on the secondary DD system.

4. In the right pane, select the checkbox next to the storage group snapshot backup or replica that you want to restore, and then click Restore.

The Recovery wizard opens on the Select Copy page.

5. On the Select Copy page, select Restore all the copies linked with Backup Operation if you want to restore all Storage Groups that are part of this backup, and then click Next.

Restoring Data and Assets

176 PowerProtect Data Manager Administration and User Guide

Note: If you leave the check box unselected, the backup of only the storage group that you selected in the Recovery > Assets window will be restored.

6. On the Restore Type page, select Restore to Alternate Storage Group, and then click Next.

7. On the Select Storage System page, select an option for the storage system to which the data from the source storage group will be restored, and then click Next:

l Select Original Storage System if you want to restore data to a different storage group on the original VMAX.

l Select Alternate Storage System if you want to restore data to a storage group on a different VMAX, and then select the destination storage system from the table.

8. On the Restore Location page, select the source storage group, select the target storage group, and then click Add in order to create the mapping. The target storage group indicates the destination storage group for the restore, and will either be the original storage system, or a different storage system, depending on the option you selected in the previous step.

The Mapping Results pane updates with the selected storage groups. Note: The target storage group should have the same size LUN and geometry as the source storage group.

9. If restoring to an alternate storage system, the Options page displays. On this page, select a staging storage group to use for temporarily mounting static images during the restore, and then click Next.

Note: Ensure that this storage group has sufficient space for mounting these images.

10. On the Summary page, click Finish.

Once the restore completes successfully, you can mount LUNs in the destination storage group to any host.

11. Go to the Jobs window to monitor the restore.

A restore job appears with a progress bar and start time.

Instant Access Restore of a VMAX storage group backup A Storage Direct host instant access restore enables you to mount the primary or replicated storage group snapshot backup, which is on a DD system, to the FTS devices which are the resource storage groups, in order to mask to the host to view and recover from the backup. This restore type, also known as Export, is primarily useful for granular level restore. You can access the Instant Access restore option in the PowerProtect Data Manager UI.

Before you begin

l For a virtual environment, ensure that you add and discover the vCenter server in the PowerProtect Data Manager server.

l When you select Export, you must specify on which host (virtual or physical) you want to mask the backup. Therefore, the WWPN for this host must be discovered. Otherwise, the host will not appear for selection.

l Ensure that you unmount all of the LUNs in the destination storage group.

Procedure

1. In the PowerProtect Data Manager UI, go to Recovery > Assets and select the VMAX Storage Groups tab.

The Recovery window displays all of the storage groups.

Restoring Data and Assets

PowerProtect Data Manager Administration and User Guide 177

2. Select the checkbox next to the storage group that contains the backup, and click View Copies.

You can also use the Search field, the filter in the Name column to locate a specific storage group.

The Recovery > Assets window provides a map view in the left pane and copy details in the right pane. When you select a specific location in the left pane to view the copies, for example, on a DD system, the copies on that system display in the right pane.

3. In the left pane, click the first DD icon to display the copies on the primary DD system, or the second DD to display the replica copies on the secondary DD system.

4. In the right pane, select the checkbox next to the storage group snapshot backup or replica that you want to restore, and then click Restore.

The Recovery wizard opens on the Select Copy page.

5. On the Select Copy page, select Restore all the copies linked with Backup Operation if you want to restore all Storage Groups that are part of this backup, and then click Next.

Note: If you leave the check box unselected, the backup of only the storage group that you selected in the Recovery > Assets window will be restored.

6. On the Restore Type page, select Export, and then click Next.

7. On the Export Host page, select the physical or virtual host that you want to mask the backup to, and then click Next.

8. On the Summary page, click Finish.

9. Go to the Jobs window to view the entry for the instant access storage group restore and verify when the mount completes successfully. An instant access job will indicate Instant access for backup ID storage group ID. You can also click next to the job to verify what steps have been performed, for example, when the instant access session has been created.

Results

To monitor and manage the instant access storage group restores, select Recovery > Running Activities, and then click the Instant Access Sessions tab. When finished with the session, select the session and click Delete in order to unmount the backup from the host.

Note: You cannot extend or migrate an instant access storage group session. Also, there is no default retention period. The session remains mounted until deleted.

Restoring a Kubernetes namespace After namespace contents are backed up as part of a Kubernetes cluster protection policy in the PowerProtect Data Manager UI, you can perform restores from individual namespace backups.

All types of restore are performed from the Recovery > Assets window. Recovery options include the following:

l Restore to Original: Restore to the original namespace.

l Restore to New: Create a namespace, and restore to this location.

l Restore to Existing: Restore to an existing namespace in the cluster.

The Restore button, which launches the Restore wizard, is disabled until you select a namespace in the Recovery > Assets window.

Select a namespace and then click Restore to launch the Restore wizard. Alternatively, you can select a namespace and then click View Copies.

Restoring Data and Assets

178 PowerProtect Data Manager Administration and User Guide

In both instances, you must select a backup in the first page of the Restore wizard before proceeding to the Purpose page, which displays the available recovery options.

Note: Manually replicating backups to DD storage will not create PCS records in PowerProtect Data Manager. It is recommended to perform these backups on the local tier, as a cloud tier backup will require a recall operation.

Recommendations and considerations

Review the following information when performing a Kubernetes namespace restore:

l When restoring a PVC to the original namespace or an existing namespace, if PowerProtect Data Manager detects that the PVC is being used by a Pod, Deployment, StatefulSet, DaemonSet, ReplicaSet or Replication Controller, it scales down any objects using the PVC, and deletes the daemonSet and any Pods using PVCs before performing the restore. Upon completion of the PVC restore, any objects that were scaled down are scaled back up, and any objects that were deleted are recreated. Ensure that you shut down any Kubernetes jobs that are actively using a PVC before running a restore.

Note: If PowerProtect Data Manager is unable to reset the configuration changes due to a controller crash, it is recommended to delete the Pod, Deployment, StatefulSet, DaemonSet, ReplicaSet, or Replication Controller from the namespace, and then perform a Restore to Original again on the same namespace.

l If the restore fails with the error Failed to create Proxy Pods. Creating Pod exceeds safeguard limit of 10 minutes, verify that the CSI driver is functioning properly and is able to dynamically provision volumes.

Restore to the original namespace Perform the following to restore to the original namespace within a Kubernetes cluster:

About this task

Procedure

1. In the PowerProtect Data Manager UI, select Recovery > Assets and select the Kubernetes tab.

The Recovery window displays all protected and unprotected namespaces.

2. Select the checkbox next to a protected namespace and click Restore.

You can also use the filter in the Name column to search for a specific namespace, or use the Search field to search on specific criteria.

The Recovery wizard appears.

3. On the Select Copy page, select the radio button next to a backup copy and click Next.

Note: If you click Next without choosing a copy, the most recent backup copy is used.

4. On the Purpose page, select from one of the following options:

l Restore Namespace and Select PVCs to restore namespace resources and selected persistent volume claims (PVCs).

l Restore Only PVCs to restore PVCs without namespace resources.

5. Click Next.

The Restore Type page displays.

6. On the Restore Type page, select Restore to Original Namespace, and then click Next.

The PVCs page appears, displaying the PVCs in the namespace that you plan to restore, along with the PVC configuration in the original target namespace.

Restoring Data and Assets

PowerProtect Data Manager Administration and User Guide 179

7. On the PVCs page, if the configuration of the namespace you want to restore is different from the configuration in the target namespace:

l Select Overwrite content of existing PVCs to restore selected PVCs and overwrite existing PVCs in the target location if they have the same name.

l Select Skip restore of existing PVCs to restore selected PVCs without overwriting existing PVCs in the target location if they have the same name.

8. Click Next.

The Summary page appears with a confirmation message indicating that namespace resources, including pods, services, secrets, and deployments, will not be overwritten during the restore, and that all resources that do not currently exist in the namespace will be restored.

9. On the Summary page, click Restore.

An informational dialog box appears indicating that the restore has started.

10. Go to the Jobs window to monitor the restore.

A restore job appears with a progress bar and start time.

Restore to a new namespace Perform the following to restore to a new namespace within a Kubernetes cluster:

About this task

Procedure

1. In the PowerProtect Data Manager UI, select Recovery > Assets and select the Kubernetes tab.

The Recovery window displays all protected and unprotected namespaces.

2. Select the checkbox next to a protected namespace and click Restore.

You can also use the filter in the Name column to search for a specific namespace, or use the Search field to search on specific criteria.

The Recovery wizard appears.

3. On the Select Copy page, select the radio button next to a backup copy and click Next.

Note: If you click Next without choosing a copy, the most recent backup copy is used.

4. On the Purpose page, select Restore Namespace and Select PVCs to restore namespace resources and selected persistent volume claims (PVCs), and then click Next.

The Restore Type page displays.

5. On the Restore Type page, select Restore to New Namespace, and then type a name for the new namespace. Click Next.

The PVCs page appears, displaying the PVCs in the namespace that you plan to restore.

6. On the PVCs page, clear the checkbox any PVCs that you do not want to restore, and then click Next.

The Summary page appears with a confirmation message indicating that namespace resources, including pods, services, secrets, and deployments, will not be overwritten during the restore, and that all resources that do not currently exist in the namespace will be restored.

7. On the Summary page, click Restore.

An informational dialog box appears indicating that the restore has started.

Restoring Data and Assets

180 PowerProtect Data Manager Administration and User Guide

8. Go to the Jobs window to monitor the restore.

A restore job appears with a progress bar and start time.

After you finish

To view the new namespace as an asset within the PowerProtect Data Manager UI, initiate a full discovery of the Kubernetes cluster from the Asset Sources window.

Restore to an existing namespace Perform the following to restore to an existing namespace within a Kubernetes cluster:

About this task

Procedure

1. In the PowerProtect Data Manager UI, select Recovery > Assets and select the Kubernetes tab.

The Recovery window displays all protected and unprotected namespaces.

2. Select the checkbox next to a protected namespace and click Restore.

You can also use the filter in the Name column to search for a specific namespace, or use the Search field to search on specific criteria.

The Recovery wizard appears.

3. On the Select Copy page, select the radio button next to a backup copy and click Next.

Note: If you click Next without choosing a copy, the most recent backup copy is used.

4. On the Purpose page, select from one of the following options:

l Restore Namespace and Select PVCs to restore namespace resources and selected persistent volume claims (PVCs).

l Restore Only PVCs to restore PVCs without namespace resources.

5. Click Next.

The Restore Type page displays.

6. On the Restore Type page, select Restore to Existing Namespace, and then select a namespace from the Select Namespace list. Click Next.

The PVCs page appears, displaying the PVCS in the namespace that you plan to restore, along with the PVC configuration in the original target namespace.

7. On the PVCs page, if the configuration of the namespace you want to restore is different from the configuration in the target namespace:

l Select Overwrite content of existing PVCs to restore selected PVCs and overwrite existing PVCs in the target location if they have the same name.

l Select Skip restore of existing PVCs to restore selected PVCs without overwriting existing PVCs in the target location if they have the same name.

8. Click Next.

The Summary page appears with a confirmation message indicating that namespace resources, including pods, services, secrets, and deployments, will not be overwritten during the restore, and that all resources that do not currently exist in the namespace will be restored.

9. On the Summary page, click Restore.

An informational dialog box appears indicating that the restore has started.

Restoring Data and Assets

PowerProtect Data Manager Administration and User Guide 181

10. Go to the Jobs window to monitor the restore.

A restore job appears with a progress bar and start time.

Restore the PowerProtect Data Manager server You can restore PowerProtect Data Manager server persisted data as a new instance using any of the backups. A System Administrator can carry out the restore.

Before you begin

Ensure that:

l The PowerProtect Data Manager version that is deployed on your system and the backups you are using for the restore match.

l The network configuration is the same on the newly deployed PowerProtect Data Manager system as on the failed instance that you are restoring.

Procedure

1. Deploy the PowerProtect Data Manager OVA and power it on.

2. Select Restore Backup.

3. Specify the following storage information:

a. DD system IP where the recovery backups are stored.

b. DD NSF Export Path where the recovery backups are stored.

c. Click Connect.

4. Select the PowerProtect Data Manager instance that you would like to restore, and then click OK.

5. Select the backup file that you would like to use for recovery, and then click Recover.

6. Specify the lockbox passphrase associated with the backup, and start the recovery.

This step initiates the recovery and display the progress status. The recovery process can take approximately eight minutes before the URI is redirected to the PowerProtect Data Manager login.

After you finish

After a successful recovery:

l The time zone of the PowerProtect Data Manager instance is set to the same as that of the backup.

l The operating system user passwords and PowerProtect Data Manager login are set to the lockbox phrase previously provided in step 6.

Restore Cloud Tier backups to the DD system Once a Cloud tier backup is recalled, restore operations of these backups are identical to normal restore operations.

The PowerProtect Data Manager software recalls a copy of the backup from the Cloud unit to the local (active) tier of the DD system, which then allows you to perform a restore of the backup from the active tier to the client. The status appears as Cloud, and changes to Local Recalled after cloud recall completes. After the restore, the backup copy is removed from Cloud tier, and is stored on the active tier of the DD system for a minimum of 14 days, after which the backup may be returned to the cloud depending on your protection policy.

Restoring Data and Assets

182 PowerProtect Data Manager Administration and User Guide

Recall and restore from Cloud tier To recall a backup on Cloud tier to the active tier on a DD system and restore this backup, perform the following:

Before you begin

Note: When a backup is recalled from Cloud tier to the active tier, the copy is removed from Cloud tier.

Procedure

1. In the PowerProtect Data Manager UI, select Infrastructure > Assets.

2. On the Assets window, select the tab that contains the asset you want to recall from Cloud Tier, and then click View Copies.

3. Click DD, and then select from one of the available copies that appear in the table.

4. Click Recall.

The Recall from Cloud dialog box appears.

5. In the Retain until box, specify how long you want to keep the copy on the active tier, and then click OK.

6. Go to the Jobs window to monitor the recall operation.

When the copy has been moved successfully, the Location changes from Cloud to Local.

7. Select Recovery > Assets, and then select the tab that contains the recalled asset.

8. Select the recalled asset, and then click Restore.

Note: If you are unsure whether the asset has been recalled, click View Copies and select DD to view the available backup copies. If the asset backup is a recalled copy, the Status column indicates Local Recalled.

9. Select the recalled copy to re-tier the copy to the active tier.

Troubleshooting virtual machine restore issues The following topics provide information on troubleshooting virtual machine restore failures.

Virtual machine protection copy does not display under available copies

If a virtual machine protection copy does not display under the available copies in PowerProtect Data Manager, verify the following:

l Ensure that protection of the virtual machine completed successfully.

l Check that the desired copy has not expired according to the PowerProtect Data Manager protection policy.

l Run a discovery of the DD Management Center (DDMC) and ensure that discovery completed successfully for virtual machine copies.

l Check the discovery logs for any exceptions or errors that might have occurred during discovery.

Restoring Data and Assets

PowerProtect Data Manager Administration and User Guide 183

Virtual machine restore fails with name resolution error

A virtual machine restore might fail with the following error due to network issues between the DD system and PowerProtect Data Manager or the vCenter/ESXi:

com.emc.brs.vmdm.http.HttpsConnector - null: Temporary failure in name resolution java.net.UnknownHostException : null: Temporary failure in name resolution

Ensure that you have proper name resolution between the DD system and PowerProtect Data Manager /vCenter/ESX.

DD NFS share not removed after restore to original

The DD NFS share might not be removed after a successful virtual machine restore to original. When this occurs, the restore hangs and the following DD NFS clients appear enabled in the DD system. Figure 8 DD NFS clients still enabled after restore

If you encounter this issue, you can wait 24 hours for PowerProtect Data Manager to clean up the DD NFS shares, or you can stop the restore and clean up the DD NFS clients manually by performing the following steps:

1. Restart the VMDM service by typing /usr/local/brs/lib/vmdm/bin/vmdm restart.

2. Clean up DD NFS clients by typing nfs del .

3. In the vSphere Client's Configuration tab, manually unmount the EMC-vProxy-vm-qa- xxxxx DDNFS datastore that is mounted on the ESXi host.

Virtual machine restore fails with error due to VM Direct corruption

A virtual machine restore might fail with the following error due to corruption of the VM Direct Engine that is running in PowerProtect Data Manager:

com.emc.dpsg.vproxy.client.VProxyManager - Error(createSession): javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection

Ensure that the vproxyd service is running in PowerProtect Data Manager by typing the following command.

ps xa | grep vproxy Ensure that the vproxy rpm is installed as expected in PowerProtect Data Manager by typing the following command.

rpm -qa | grep vProxy When logged in as the root user, restart the vproxyd service on PowerProtect Data Manager by typing the following command.

systemctl restart vproxyd Virtual machine restore fails with error "Unable to create NAS Datastore"

A virtual machine restore might fail with the following error when a change is made to the DD restore user role in the DD system:

Unable to create NAS Datastore: Unable to create NFS export at 'irv-dd9500- skyline1.asl.lab.emc.com:/data/col1/eCDM-SU-1497653922167/vProxy-vm- qa-1084.asl.lab.emc.com-abfd110d-cdfa-4517-9485-27767ef75d35':

Restoring Data and Assets

184 PowerProtect Data Manager Administration and User Guide

Ensure that the DD user performing the restore has the admin role. You can change the user's status in DD by identifying the DD user that starts with ecdmsu-admin and using the following commands:

To check the user's status, type user show list To change the role of the user, type user change role < ecdmsu-admin-xxxxxxxxxxxxx> admin Virtual machine restore fails with error "User UserEARA does not have proper privileges"

A virtual machine restore fails with the error "User UserEARA does not have proper privileges" when the user does not have adequate privileges to perform the restore operation.

Ensure that the PowerProtect Data Manager user performing the restore belongs to System Tenant and has the Export and Recovery Admin role.

Virtual machine restore fails when the previous restore of this virtual machine is in progress or did not complete

A virtual machine restore fails with the following error if the previous restore operation for the same virtual machine is still in progress or did not complete successfully:

Error : There is another running restore operation that conflicts with this request.

If the previous restore operation for this virtual machine is still in progress, monitor the progress in PowerProtect Data Manager until the restore completes. If the virtual machine restore is complete but the task stops responding, then you must manually cancel the restore in PowerProtect Data Manager by restarting the VMDM service. You can restart the VMDM service by typing /usr/ local/brs/lib/vmdm/bin/vmdm restart.

Troubleshooting instant access restore failures An instant access restore consists of two stages. First, a virtual machine is made available in the UI as an instant access virtual machine without moving the virtual machine to permanent storage. Second, storage vMotion is initiated to migrate the virtual machine to permanent storage.

If at any point during the migration a restore failure occurs, the instant access session is not automatically removed until after the expiration period for an instant access virtual machine restore, which is 7 days by default. This behavior is intentional for the following reasons:

l To avoid data loss, since changes might have been made to the virtual machine during that time

l To provide you with the opportunity to fix the issue (for example, to free up space on the restore destination or choose a different datastore) and then take the appropriate action

When the cause of the failure is determined and/or fixed, you can use the Instant Access Sessions window of the UI to retry the migration, or save the data and delete the instant access virtual machine, as required. The section Manage and monitor Instant Access Sessions provides detailed information about these actions.

FLR Agent for virtual machine file-level restore The VM Direct FLR Agent is required for file-level restore operations and is installed automatically on the target virtual machine when you initiate a file-level restore and provide the virtual machine credentials.

The FLR Agent installation on Linux virtual machines requires that you use the root account. If non-root credentials are provided for the target virtual machine, the FLR Agent installation fails, even if this user has privileges similar to a root user. Once the FLR Agent installation is completed by a root user, you can perform file-level restore operations as a non-root user.

Restoring Data and Assets

PowerProtect Data Manager Administration and User Guide 185

FLR Agent installation on Windows virtual machines requires that you use administrative privileges. If the provided credentials for the target virtual machine do not have administrative privileges, the FLR Agent installation fails.

On Windows, to perform a file-level restore using a non-administrator user, ensure that the FLR Agent is already installed on the target machine using administrative privileges. Otherwise, ensure that an administrative user is specified, and click OK.

On Linux, to perform a file-level restore using a non-root user, ensure that the FLR Agent has already been installed on the target virtual machine using the root user account. Otherwise, ensure that you are using a supported platform and the root user is specified, and click OK. For Linux, file- level restore is only supported on Red Hat Enterprise Linux versions 6.x, 7.x and 8.x, and SuSE Linux Enterprise Server versions 11 and 12.

Note: The most up-to-date software compatibility information for PowerProtect Data Manager is provided in the E-Lab Navigator, available at https://elabnavigator.emc.com/eln/ modernHomeDataProtection.

FLR Agent installation on Windows virtual machines with User Account Control enabled

Performing the FLR Agent installation on User Account Control (UAC) enabled Windows virtual machine requires you to either provide the credentials of the administrator user, or to disable UAC during the FLR Agent installation and then re-enable upon completion.

On Windows versions 7, 8, and 10, the administrator account is disabled by default. To enable the account, complete the following steps:

1. To activate the account, open a command prompt in administrative mode, and then type net user administrator /active: yes.

2. To set a password for the administrator account, go to Control Panel > User Accounts and select the Advanced tab. Initially, the account password is blank.

3. In the User Accounts pane, right-click the user and select Properties, and then clear the Account is disabled option.

To disable UAC during the FLR Agent installation and then re-enable on completion of the installation, complete the following steps:

1. Initiate a file-level restore to launch the FLR Agent installation window. The FLR Agent installation is automatically started during a mount operation if it is not already installed on the destination virtual machine.

2. In the FLR Agent installation window, select the Keep VM Direct FLR on target virtual machine option.

3. Open regedit and change the EnableLUA registry key value at HKLM\SOFTWARE\Microsoft \Windows\CurrentVersion\Policies\System to 0x00000000. By default, this is set to 1.

4. Proceed with the FLR Agent installation.

5. Open regedit and reset the EnableLUA registry key to the previous value to re-enable UAC.

Updating the Microsoft Application Agent and FLR Agent software The Microsoft Application Agent and FLR Agent software required to perform SQL application- aware data protection and file-level restore operations will be automatically updated on the target virtual machine by the VM Direct appliance during the file-level restore operation. The VM Direct appliance detects the available software on the client and updates the Agent software with the new version of software from its repository. If the update does not occur automatically, contact a Dell EMC technical support professional for a procedure to update the VM Direct software repository with the latest version of the Agent software packages.

Restoring Data and Assets

186 PowerProtect Data Manager Administration and User Guide

Supported platform and OS versions for virtual machine file-level restore File-level restore is only supported for the following platforms and operating system versions.

Platforms/operating systems are qualified for file-level restore support using the default file system for these platforms:

Note: The most up-to-date software compatibility information for PowerProtect Data Manager is provided in the E-Lab Navigator, available at https://elabnavigator.emc.com/eln/ modernHomeDataProtection.

l RedHat Enterprise Linux versions 6.x, 7.x, and 8.x

l SuSE Linux Enterprise Server versions 11.x and 12.x

l Debian version 9.1

l Ubuntu version 17.10

l CentOS version 7.2

l Oracle Enterprise Linux version 7.2

l Windows 7, 8, 10, Server 2008, 2012, 2016 (all 64-bit platforms and R2, where applicable) for FAT, and NTFS.

Support for Debian or Ubuntu operating system VM Direct file-level restore is supported on the Debian/Ubuntu operating system. To configure the Debian or Ubuntu guest operating system for file-level restore, perform the following steps.

About this task

Note: File-level restore is not supported on Debian/Ubuntu ext4 file systems.

Procedure

1. Log in to the system console as a non-root user.

2. Run the sudo passwd root command.

Enter the new password twice to set a password for the root account.

3. Run the sudo passwd -u root command to unlock the root account.

4. Specify the root user credentials in the Dell EMC Data Protection Restore Client and proceed to complete the file-level restore operation at least once.

While performing the file-level restore operation for the first time, remember to select Keep FLR agent.

5. After performing the above steps at least once, you can revert the root account to the locked state and use non-root account for future file-level restore requests. Non-root user can lock the root account with the sudo passwd -l root command.

Operating system utilities required for file-level restore On Linux and Windows, the installed operating system must include several standard utilities in order to use file-level restore. Depending on the target operating system for restore and the types of disks or file systems in use, some of these standard utilities, however, may not be included.

The following utilities and programs may be required for performing file-level restore.

On Windows:

l msiexec.exe

Restoring Data and Assets

PowerProtect Data Manager Administration and User Guide 187

l diskpart.exe

l cmd.exe

On Linux:

l blkid

l udevadm

l readlink

l rpm

l bash

Note: On Linux LVM, LVM2 rpm version 2.02.117 or later is required. Also, additional binaries required on Linux LVM include dmsetup, lvm, and vgimportclone.

File-level restore and SQL restore limitations This section provides a list of limitations that apply to file-level restore and individual SQL database and instance restore.

Consider the following:

l The VM Direct FLR Agent is installed automatically on the target virtual machine for file-level restore when a disk mount operation is initiated. However, if the user does not have sufficient administrator privileges, the mount fails and the FLR Agent is not installed. Ensure that the user performing file-level restore is a system administrator. Note that adding a user to the Administrators group does not grant this user sufficient privileges to perform this operation.

l When performing a file-level restore, VMDKs fail to mount with the following error if the FLR Agent service is not running on the target virtual machine: "Cannot connect to vProxy Agent: dial tcp <127.0.0.1: : connectex: No connection could be made because the target machine actively refused it."

l If you no longer require the VM Direct FLR Agent on the target virtual machine, the agent must be properly uninstalled. If you manually delete VM Direct FLR Agent files instead of uninstalling the agent, and at some point reinstall the agent, subsequent mount attempts to perform restores will fail. To uninstall the VM Direct FLR Agent on Linux:

1. Execute the following command: /opt/emc/vproxyra/bin/preremove.sh.

2. Uninstall FLR agent package by running rpm -e emc-vProxy-FLRAgent.

3. If the uninstall fails due to a broken installation or other issue, you can force removal of the package by running rpm -e --force emc-vProxy-FLRAgent.

To uninstall the VM Direct FLR Agent on Windows:

1. Select Control Panel > Programs > Programs and Features.

2. Locate EMC VM Direct FLR.

3. Right-click the program and select Uninstall.

l When a file-level restore or SQL restore operation is in progress on a virtual machine, no other backup or recovery operation can be performed on this virtual machine. Wait until the file-level restore session completes before starting any other operation on the virtual machine.

l Clean up from a suspended or cancelled mount operation requires a restart of the virtual machine before you can initiate a new mount for the file-level restore.

l When you enable Admin Approval Mode (AAM) on the operating system for a virtual machine (for example, by setting Registry/FilterAdministratorToken to 1), the administrator

Restoring Data and Assets

188 PowerProtect Data Manager Administration and User Guide

user cannot perform a file-level restore to the end user's profile, and an error displays indicating "Unable to browse destination." For any user account control (UAC) interactions, the administrator must wait for the mount operation to complete, and then access the backup folders located at C:\Program Files (x86)\EMC\vProxy FLR Agent\flr \mountpoints by logging into the guest virtual machine using Windows Explorer or a command prompt.

l When you perform file-level restore on Windows 2012 R2 virtual machines, the volumes listed under the virtual machine display as "unknown." File-restore operations are not impacted by this issue.

l When you perform file-level restore on Ubuntu/Debian platforms, you must enable the root account in the operating system. By default, the root account will be in locked state.

l You can only restore files and/or folders from a Windows backup to a Windows machine, or from a Linux backup to a Linux machine.

l You must install VMware Tools version 10 or later. For best results, ensure that all virtual machines run the latest available version of VMware Tools. Older versions are known to cause failures when you perform browse actions during file-level restore or SQL retore operations.

l You can perform file-level restore across vCenters as long as the vCenters are configured in PowerProtect Data Manager, and the source and target virtual machine have the same guest operating system. For example, Linux to Linux, or Windows to Windows.

l File-level restore does not support the following virtual disk configurations:

n NVM Express (NVMe) disk controller virtual machines

n LVM thin provisioning

n Unformatted disks

n FAT16 file systems

n FAT32 file systems

n Extended partitions (Types: 05h, 0Fh, 85h, C5h, D5h)

n Two or more virtual disks mapped to single partition

n Encrypted partitions

n Compressed partitions

l File-level restore of virtual machines with Windows dynamic disks is supported with the following limitations:

n The restore can only be performed when recovering to a virtual machine different from the original. Also, this virtual machine cannot be a clone of the original.

n The restore can only be performed by virtual machine administrator users.

n If Windows virtual machines were created by cloning or deploying the same template, then all of these Windows virtual machines may end up using the same GUID on their dynamic volumes.

l File-level restore does not restore or browse symbolic links.

l File-level restore of Windows 8, Windows Server 2012 and Windows Server 2016 virtual machines is not supported on the following file systems:

n Deduplicated NTFS

n Resilient File System (ReFS)

n EFI bootloader

Restoring Data and Assets

PowerProtect Data Manager Administration and User Guide 189

Restoring Data and Assets

190 PowerProtect Data Manager Administration and User Guide

CHAPTER 10

Performing Self-Service Backup and Restore of Application and File System Agents

This section includes the following topics:

l Performing self-service backups of File Systems.................................................................192 l Self-service restore of Kubernetes namespaces.................................................................. 193 l Performing self-service restore of a File System host..........................................................194

PowerProtect Data Manager Administration and User Guide 191

Performing self-service backups of File Systems A host with the File System Agent installed requires a PowerProtect Data Manager server to back up file systems. However, an administrator can configure a retention policy only instead of a complete backup.

To back up file systems manually and use PowerProtect Data Manager for compliance purposes, register the host to PowerProtect Data Manager, create a self-service protection policy, and configure only the retention policy.

Note: To enable self-service protection, select Self-Service Protection when you create the File Systems protection policy in the PowerProtect Data Manager UI.

After a host is registered with PowerProtect Data Manager and assets are added to a self-service protection policy, use the ddfssv command to run self-service or manual backups on the host file system assets, as in the following example:

ddfssv -LL -l FULL -a DFA_SI_DD_HOST=IPv4 address -a DFA_SI_DD_USER=username (for example, PLC-Protection) -a DFA_SI_DEVICE_PATH=device path (for example, / PLCProtection/LVMs/2)) Where:

-l {full | incr}

Specifies the type of the backup to perform such as full (full), or incremental (incr). The default value is full.

-a "DFA_SI_DD_HOST= "

Specifies the name of the DD server that contains the storage unit where you want to back up the databases.

-a "DFA_SI_DEVICE_PATH= "

Specifies the name and the path of the storage unit where you want to direct the backup.

-a "DFA_SI_DD_USER= "

Specifies the protection storage username. You must register the hostname and the protection storage username in the lockbox to enable the Microsoft application agent to retrieve the password for the registered user.

These details are provided in the .app.settings file on both Linux and Windows hosts. If the default installation path was used, the .app.settings file is at /opt/dpsfsagent/ settings/.app.settings on a Linux host and C:\Program Files\DPSFSAGENT \settings\.app.settings on a Windows host. More information about how to use the admin utility to query the list of backups for an asset, see Using the ddfsadmin utility for File Systems.

Note: This command uses only the retention period that was specified when the self-service protection policy was created.

To perform a self-service backup, use the storage unit and username that was created on the DD system when the policy was created. PowerProtect Data Manager discovers these backups and enables centralized restore operations. You can also perform a manual restore operation.

Performing Self-Service Backup and Restore of Application and File System Agents

192 PowerProtect Data Manager Administration and User Guide

Self-service restore of Kubernetes namespaces PowerProtect Data Manager supports the self-service restore of namespaces from within the Kubernetes cluster. The following procedure describes how to perform a self-service restore:

Before you begin

Note: A Kubernetes administrator can list all PowerProtect Data Manager backups that have taken place on the cluster in the last 30 days. After 30 days, you can only perform the restore from the PowerProtect Data Manager UI.

Procedure

1. Run the following command to list PowerProtect Data Manager backups performed within the last 30 days on the cluster:

kubectl get backupjob -n powerprotect The command output lists all available BackupJob custom resources of PowerProtect Data Manager, in the form . For example:

admin@method:~> ~/k8s/kubectl get backupjob -n powerprotect NAME AGE testapp1-2019-11-16-14-15-47 3d9h testapp1-2019-11-16-17-00-49 3d7h

2. Select the backup that you want to restore from the list, and then create a RestoreJob yaml file in the following format:

apiVersion: "powerprotect.dell.com/v1beta1" kind: RestoreJob metadata: name: namespace: powerprotect spec:

recoverType: RestoreToNew #Default is RestoreToOriginal backupJobName: # For e.g. testapp1-2019-11-16-14-15-47 namespaces: - name: alternateNamespace: # Name for the recovered namespace. Needed only for RestoreToNew. Should not be specified for RestoreToOriginal persistentVolumeClaims: - "*" #volumes to be recovered. By default all volumes backed up will be recovered

3. Run the following command to apply the yaml:

kubectl apply -f -n powerprotect

4. Run the following command to track the restore progress:

kubectl get restorejob -n powerprotect -o yaml -w

5. Upon successful completion of the restore, run the following command to delete the RestoreJob:

kubectl delete restorejob -n powerprotect

Performing Self-Service Backup and Restore of Application and File System Agents

PowerProtect Data Manager Administration and User Guide 193

Performing self-service restore of a File System host When File Systems are protected within a protection policy in PowerProtect Data Manager, you can recover the File System data using the centralized PowerProtect Data Manager restore functionality, or directly using the self-service restore feature. The following section describes the procedure for self-service restore of File Systems.

Prerequisites for File System restores

Before performing centralized or self-service File System restores:

l Ensure that the target or destination volume is not a system volume.

l Ensure that the File System agent is not installed and running on the target volume.

l Ensure that there is sufficient space on the target volume for the restore.

Using the ddfsadmin utility for File Systems The ddfsadmin utility provides the following command line options for File System recovery.

ddfsadmin backup query

Before running the ddfsrc command to perform a self-service image-level restore of File Systems, you can use the ddfsadmin backup command to query a list of all the local and remote backups taken for a particular host, as shown in the following:

ddfsadmin backup query -local -v=volume name -t=time value [h = hour,d = days,w = weeks,m = months] queries the local record file for listing backups.

ddfsadmin backup query -remote -d=Protection storage system -s=storage unit - u=username -p=DD password -c=hostname -v=volume name -t=time value [h = hour,d = days,w = weeks,m = months] queries the record file on the protection storage system for listing backups.

Example 3 Example usage

ddfsadmin backup query -local -v="C:\\" -t=5 will display a list of local backups in C:\ taken within the last five days.

ddfsadmin sync

The following is the usage for the ddfsadmin sync command:

sync -local options: Sync local record file with record file on DD sync -remote options: Sync remote record file with file in the local options: -d=

: Protection storage system host IP -u=
: Protection storage system username -s=
: Protection storage system device path -p=
: Protection storage system password.[Optional]

Example 4 Example usage

ddfsadmin sync -local -d x.x.x.x -u username -s /dev_path

Performing Self-Service Backup and Restore of Application and File System Agents

194 PowerProtect Data Manager Administration and User Guide

Self-service image-level restore of File Systems You can perform self-service image-level restores of file systems to the original location by using the ddfsrc command. Note that this restore is not supported in the following scenarios:

l When the restore destination is the C:\ volume, which can result in the operating system becoming unavailable.

l When the restore destination is a volume with the File System agent installed.

Note: To perform File System restore to an alternate location, use the centralized restore method in the PowerProtect Data Manager UI, as described in the section Centralized restore of File Systems on page 172

Before running ddfsrc, use the ddfsadmin backup command to list the local backups for a particular host and obtain the ID of the save set you want to restore. Using the ddfsadmin utility for File Systems provides more information about the ddfsadmin backup command.

To restore from a particular backup, specify the ID of the save set as an input to the ddfsrc command, as in the following example:

ddfsrc -h DFA_SI_DEVICE_PATH=device path (for example, /fsa2) -h DFA_SI_DD_HOST=Protection storage system IPv4 address -c BackupClientHostName (for alternate host restore) -h DFA_SI_DD_USER=Protection storage system username (for example, sysadmin) -h DFA_SI_DD_PASSWORD=Protection storage system password -S 1551407738 -r file path (for example, /volume1_ext3) -i y.

Where:

-h "DFA_SI_DEVICE_PATH= "

Specifies the name and the path of the storage unit that contains the backup.

-h "DFA_SI_DD_HOST= "

Specifies the name of the protection storage system server that contains the backup. When you have a remote (secondary) protection storage system server that has replicated databases to restore, type the name of the secondary server. A user on the secondary protection storage system server must be in the same group as the primary protection storage system server.

-h "DFA_SI_DD_USER= "

Specifies the protection storage system username. You must register the hostname and the DD Boost username in the lockbox to enable Microsoft application agent to retrieve the password for the registered user.

-h "DFA_SI_DD_PASSWORD= "

Specifies the password of the protection storage system user. A password is only required in this command if restoring to a new host. If you are a file system administrator and need the password to use for a particular storage system, storage unit and user, contact the backup administrator. If restoring to the original host, the password will be picked up from the lockbox.

Self-service file-level restore of File Systems You can perform self-service file-level restores of File Systems using the ddfsrc command with the -I option.

Before starting the command, create a file that contains the list of files to be restored. Provide the location of this file as an input to the -I option, as shown in the following example.

Performing Self-Service Backup and Restore of Application and File System Agents

PowerProtect Data Manager Administration and User Guide 195

Example 5 ddfsrc command with input file specified

ddfsrc -h DFA_SI_DEVICE_PATH=Protection storage unit -h DFA_SI_DD_HOST=Protection storage system IP address -c BackupClientHostName (for alternate host restore) -h DFA_SI_DD_USER=Protection storage system username -h DFA_SI_DD_PASSWORD=Protection storage system password -S savetime- value -I path-of-file-containing-list-of-files-for-restore -i R -d destination-path-for-restoring-files

The following steps provide more detail:

1. Use the ddfsadmin command to list all the available backups. If you know the save set ID of the backup from which you want to restore, skip this step.

For example, the following command lists all backups taken in the last 55 days.

[root@XXXX ~]# ddfsadmin backup query -local -t=55d 2. Create an input file that contains the list of files to restore.

For example:

[root@XXXX ~]# cat flr.txt /new_ext3/file.txt The flr.txt file specifies a single file to restore (file.txt).

3. Run the ddfsrc command. Ensure that you provide the complete path to the input file that you created.

Note: Do not provide a relative path. If you provide a relative path, the command fails.

For example:

ddfsrc -h DFA_SI_DEVICE_PATH=Protection storage unit -h DFA_SI_DD_HOST=Protection storage system IP address -c BackupClientHostName (for alternate host restore) -h DFA_SI_DD_USER=Protection storage system username -h DFA_SI_DD_PASSWORD=Protection storage system password -S savetime- value -I /root/flr.txt -d destination-path-for-restoring-files Where savetime-value is the save set ID identified in step 1.

Performing Self-Service Backup and Restore of Application and File System Agents

196 PowerProtect Data Manager Administration and User Guide

CHAPTER 11

Preparing for and Recovering from a Disaster

This section includes the following topics:

l Managing system backups................................................................................................... 198 l Manage PowerProtect Data Manager backups for disaster recovery...................................198 l Prepare the DD system recovery target...............................................................................199 l Configure backups for disaster recovery..............................................................................199 l Configure PowerProtect Data Manager server disaster recovery backups..........................200 l Record settings for disaster recovery................................................................................. 200 l Restore PowerProtect Data Manager from an external DD system......................................201 l Recovering a Search cluster from a DR backup................................................................... 201 l Troubleshooting backup configuration issues...................................................................... 203 l Troubleshoot recovery of PowerProtect Data Manager...................................................... 203 l Recover a failed PowerProtect Data Manager backup........................................................ 204

PowerProtect Data Manager Administration and User Guide 197

Managing system backups The PowerProtect Data Manager system protection service enables you to protect the persistent data of a PowerProtect Data Manager system from catastrophic loss by creating a series of system backups.

Each backup is considered a full backup although it is created in an incremental manner. The persistent data that is saved in a backup includes the Lockbox and Elasticsearch databases. The backup operation creates a point-in-time snapshot of the database while the system is in a quiesced state. While the system is quiesced, user functionality is limited. After the snapshot completes and while PowerProtect Data Manager copies the snapshots to the DD storage unit, full user functionality is restored. If the system fails to quiesce, PowerProtect Data Manager still takes a backup, which is marked as crash consistent instead of application consistent.

To store system backups, you must configure and assign a private DD storage unit for the PowerProtect Data Manager system. The system protection service enables you to manage the frequency and start time of an automated system backup, perform on-demand backups, and define the length of time that the system backups are available for recovery.

File Search indexes are backed up for DR recovery along with other component DR backups. For this release, recovery requires manual steps. Contact Customer Support.

Manage PowerProtect Data Manager backups for disaster recovery

View PowerProtect Data Manager backups and perform manual backups.

About this task

You can view the last 5 PowerProtect Data Manager backups.

Procedure

1. From the PowerProtect Data Manager UI, select System Settings > DR Backups > Manage Backups.

2. To perform a manual backup:

You can back up to only one DD host at a time. When you enter new DD information for backup, you overwrite the existing DD host for backup. If there are more than one external DD systems, you can change which DD system has the backup.

a. Click Backup Now.

The Enter a name for your backup dialog appears.

b. [Optional] Type a name for your backup.

You can leave the backup name blank, and PowerProtect Data Manager provides a name for the backup using the naming convention UserDR-. If you provide a name with the convention that PowerProtect Data Manager uses for scheduled backups, which is SystemDR, PowerProtect Data Manager displays an error.

c. Click Start.

3. To delete a backup:

a. Select a backup from the list.

b. Click Delete.

Preparing for and Recovering from a Disaster

198 PowerProtect Data Manager Administration and User Guide

The system displays a warning to confirm you want to delete the backup. Click Yes to proceed.

4. Click Close.

Prepare the DD system recovery target Before you can configure PowerProtect Data Manager for backup and recovery, you must configure the NFS export on the DD target system.

Procedure

1. Use a Web browser to log in to the DD System Manager as the system administrator user.

2. In the Summary tab in the Protocols pane, select NFS Exports > Create Export.

3. In the Create NFS Export window, provide the following information, and then click OK.

l Export Namethe name of the DD MTree

l Directory Paththe full directory path for DD MTree that you created. Ensure that you use the same name for the directory.

Note: For an external DD system, specify a path similar to the following, /data/ col1/ . Where is the MTree used to store the DR backups.

4. When the progress message indicates that the save operation is complete, click Close.

5. In the Summary tab in the Protocols pane, click NFS Exports.

6. Under NFS Protocols > Exports, select the DD MTree from the list of exports and click Add Clients.

7. In the Add Clients window, provide the following information, and then click OK.

l ClientIP address or host name of the PowerProtect Data Manager. Note: To configure DR protection for an existing Search cluster, add the IP address or host name of the Search cluster to the NFS Client list.

l Accept the default settings for the rest of the fields.

l Current SelectionEnsure that the list includes no_root_squash, which is required for permission for your system to change the directory structure on the NFS share.

Configure backups for disaster recovery Configure your system to automatically create backups in the event of a disaster or catastrophic outage.

Before you begin

Ensure that you have configured a DD system as a replication location. See Prepare the DD system recovery target on page 199.

Procedure

1. Log in to PowerProtect Data Manager as administrator.

2. Select System Settings > DR Backups > Configuration.

3. Enter the following information, and then click Save.

l Select Enable backup.

l DD SystemIP address or host name of the DD system where you created the MTree with NFS Export

Preparing for and Recovering from a Disaster

PowerProtect Data Manager Administration and User Guide 199

l NFS Export Paththe path of the NFS Export

Results

The initial backup runs, and then backups are automatically triggered every hour.

Configure PowerProtect Data Manager server disaster recovery backups

Configure disaster recovery protection for the PowerProtect Data Manager system and the system metadata.

Before you begin

For external DD system backups, ensure that you carry out the procedure described in Configure the DD system on page 223.

Procedure

1. From the PowerProtect Data Manager UI, select System Settings > DR Backups > Configuration.

2. Configure the backup with the following attributes:

a. In the DD System field, type the DD system to back up.

b. In the NFS Export Path field, type the path where backups are stored on the target DD system.

3. Click Save.

Record settings for disaster recovery Plan for disaster recovery by recording vital information.

About this task

In the event of a major outage, you will need certain information to recover your systems.

Procedure

l Ensure that you record the following information on a local drive outside PowerProtect Data Manager:

n PowerProtect Data Manager build numberCustomer Support can provide this information. It is not mandatory.

n Port GroupsLog in to the vSphere Client, right-click the appliance name and select Edit Settings. Record the port group settings that are assigned to PowerProtect Data Manager.

n NFS export detailsClick the System Settings icon and select DR Backups > Configuration. Under Backup, record the host IP address and the NFS Export Path.

n Run the GET /Configurations API (api/v2/configurations) from PowerProtect Data Manager and save the details for network information.

To get the PowerProtect Data Manager token:

curl --request POST 'https:// :8443/api/v2/login' --header 'Content-Type: application/json' --data '{"username": ,"password": }' -k

Preparing for and Recovering from a Disaster

200 PowerProtect Data Manager Administration and User Guide

You can use this bearer token to get the configuration from PowerProtect Data Manager:

curl --request GET 'https:// :8443/api/v2/configurations' --header 'Content-Type: application/json' --header 'Authorization: Bearer ' -k

Restore PowerProtect Data Manager from an external DD system

You can restore PowerProtect Data Manager from an external DD system where the data is replicated.

Before you begin

l Ensure that all the information listed in Record settings for disaster recovery on page 200 is available.

l Ensure that the FQDN of the PowerProtect Data Manager is the same as the host name.

l Ensure that the VM for PowerProtect Data Manager is powered on.

l Ensure that you have set up the recovery target system. See Prepare the DD system recovery target on page 199.

About this task

When your primary PowerProtect Data Manager system fails because of a major event, deploy a new PowerProtect Data Manager system and recover the backup from the external DD system.

Note: If your recovery system is on a different FQDN, see Troubleshoot recovery of PowerProtect Data Manager on page 203.

Procedure

1. Use the .ova file to deploy a new PowerProtect Data Manager system.

2. On the Install window under Welcome, select Restore Backup and click Next.

3. Under Select File, enter the DD System and NFS Export Path where the backup is located, and then click Connect.

A list of the available recovery backups on the DD system appears.

4. Select the backup from which to recover the system, and click OK.

5. Provide the Lockbox Passphrase and click Start.

When the Passphrase is verified, the recovery starts. Recovery can take a few minutes.

Results

When recovery is complete, the PowerProtect Data Manager login page appears.

Recovering a Search cluster from a DR backup Recovery of a Search cluster is a manual process to be completed by the administrator.

Before you begin

l Complete the steps to perform disaster recovery of PowerProtect Data Manager. On the Restore PPDM page:

Preparing for and Recovering from a Disaster

PowerProtect Data Manager Administration and User Guide 201

n Record the Selected Host information ( and ) PowerProtect Data Manager.

n Record the of the selected backup.

About this task

Use this procedure to set the cluster to the selected point in time.

Procedure

1. Login to PowerProtect Data Manager with the same administrator credentials you used before the PowerProtect Data Manager was restored.

2. Complete the steps to deploy a Search Cluster.

3. Locate the backup manifest file:

a. Use SSH to log in to PowerProtect Data Manager with administrator credentials.

b. Navigate to the directory path /data01/server_backups/ Hostname>_ .

c. Run grep -Rnwa -e ' ' --include=*.manifest 4. Open the backup Manifest file.

5. Locate the Components section, which contains Search Cluster.

The values for the following fields listed in the Search Cluster section are needed for the POST Call in the next step.

l Name=id l BackupPath, which contains :/data/col1/ /

/SearchCluster For example:

"Components": [ { "name": "SearchCluster", {{ "id": "c25290d9-a88c-4a15-9e7c-656f186209ae", }} {{ "version": "v2", }} {{ "backupPath": "10.25.12.74:/data/col1/serverdr_backup/vm- qa-0091_6ce36793-3379-45d2-84bd-d8bde69e52d4/SearchCluster", }} {{ "backupStatus": "SUCCESSFUL", }} {{ "backupsEnabled": true }} {

{ } }} {{ ]}}

where:

n NFSHost = "10.25.12.74" n NFSExport = "/data/col1/serverdr_backup" n NFSDirPath = "vm-qa-0091_6ce36793-3379-45d2-84bd-d8bde69e52d4/

SearchCluster" n Name = "c25290d9-a88c-4a15-9e7c-656f186209ae"

6. Run the following POST call:

https:// :8443/api/v2/search-clusters/component-backups/ /restore

Preparing for and Recovering from a Disaster

202 PowerProtect Data Manager Administration and User Guide

{

"ddDirectoryPath" : " ",

"ddHost" : " ",

"ddNfsExportName" : " "

}

7. To monitor the status of the restore process, in the PowerProtect Data Manager UI, select Jobs > Running and look for a job with the description, Restoring backup Search Node.

Troubleshooting backup configuration issues The following section provides a list of error messages that might appear when you configure an appliance backup configuration.

DD storage unit mount command failed with error: 'Cannot mount full path: Access is denied'

This error message appears when an NFS export does not exist on the DD system for the full path to the DD Boost Storage Unit.

To resolve this issue, ensure that you have configured an NFS export for the full path of the DD Boost storage unit and that the appliance is an Export client.

DD storage unit mount command failed with error: 'Cannot resolve FQDN: The name or service not known'

This error message appears when the appliance cannot contact the DD system by using the specified FQDN. To resolve this issue, ensure that you can resolve the FQDN and IP address of the DD system.

Troubleshoot recovery of PowerProtect Data Manager When the FQDN of the recovery site is different from the FQDN of the primary site, a mount error might occur and the recovery process requires a few extra steps.

About this task

If a mount error occurs during recovery, follow this work-around procedure.

Procedure

1. On the DD system where the backup is located, delete the replication pair and mount it for PowerProtect Data Manager.

2. When recovery is complete, on PowerProtect Data Manager, regenerate the certificates using the following command.

sudo -H -u admin /usr/local/brs/puppet/scripts/ generate_certificates.sh -c

3. Restart the system and select the URL of the primary PowerProtect Data Manager system.

The https://PPDM IP/#/progress page appears and recovery resumes.

4. Log in to the primary PowerProtect Data Manager.

The PowerProtect Data Manager VM vCenter console shows an error, which you can ignore.

Preparing for and Recovering from a Disaster

PowerProtect Data Manager Administration and User Guide 203

5. Open the primary PowerProtect Data Manager using the original IP address and log in.

Results

Recovery is complete.

Recover a failed PowerProtect Data Manager backup Procedure

1. Redeploy the PowerProtect Data Manager OVA.

2. Call Dell EMC Technical support.

Preparing for and Recovering from a Disaster

204 PowerProtect Data Manager Administration and User Guide

CHAPTER 12

Managing Alerts, Jobs, and Tasks

This section includes the following topics:

l Configure Alert Notifications...............................................................................................206 l View and manage System Alerts......................................................................................... 206 l View and manage Audit Logs............................................................................................... 207 l Monitor and view jobs..........................................................................................................207 l Monitor and view tasks....................................................................................................... 208 l Restart a job or task............................................................................................................ 208 l Cancel a job or task............................................................................................................. 209 l Export logs for a job or task................................................................................................. 210

PowerProtect Data Manager Administration and User Guide 205

Configure Alert Notifications The Alert Notifications window of the UI enables you to configure email notifications for PowerProtect Data Manager alerts.

Procedure

1. Select Administration > Alert Notifications

The Alert Notifications window appears with a table that displays the details for existing notifications.

2. Click Add.

The Add Alert Notification dialog appears.

3. In the Name field, type name of the individual or group who will receive the notification email.

4. In the Email field:

a. Specify the email address or alias to receive notifications. This field is required in order to create an alert notification. Separate multiple entries with a comma.

b. Click Test Email to ensure that a valid SMTP configuration exists.

5. From the Category list, select the notification category.

6. From the Severity list, select the notification severity.

7. In the Duration field, specify the amount of time that the notification will display.

8. In the Subject field, optionally type the subject that you would like to attach to the notification email.

9. Click Save to save your changes and exit the dialog.

Results

The Alert Notifications window updates with the new alert notification. At any time, you can Edit, Delete, or Disable the notification by selecting the entry in the table and using the buttons in this window.

View and manage System Alerts Alerts enable you to track the performance of data protection operations in PowerProtect Data Manager so that you can determine whether there is compliance to service level objectives. You can access the system alerts from the Alerts window.

Procedure

1. In the PowerProtect Data Manager UI left navigation pane, select Alerts.

The Alerts window displays alert information in a table. You can filter the alerts by Severity, Date, Category, or Acknowledge.

2. Select the System tab.

3. To view more details about a specific entry, click next to the entry in the table.

4. For the following steps, connect to the PowerProtect Data Manager console with an account that has the Admin role.

5. To acknowledge the system alert, select the alerts and then click Acknowledge.

Managing Alerts, Jobs, and Tasks

206 PowerProtect Data Manager Administration and User Guide

6. To add or edit a note for the system alert, click Add/Edit Note, and when finished, click Save.

View and manage Audit Logs Audit logs enable you to view specific information about jobs that are initiated in PowerProtect Data Manager so that you can determine compliance to service level objectives. You can access the audit logs from the Alerts window.

Procedure

1. In the PowerProtect Data Manager UI left navigation pane, select Alerts.

The Alerts window displays alert information in a table. You can filter the alerts by Severity, Date, Category, or Acknowledge.

2. Select the Audit Logs tab.

3. To view more details about a specific entry, click next to the entry in the table.

4. To export an audit log report to a .csv file which you can download as an Excel file, select an entry in the table and click Export.

Note: If you apply any filters in the table, exported audit logs include only those logs that satisfy the filter conditions.

5. To change the retention period for audit logs, click Set Boundaries, select the number of days from the Days of Retention menu, and then click Save.

Monitor and view jobs The Jobs window in the PowerProtect Data Manager UI enables you to monitor the status of certain data protection, system, and maintenance jobs and to view details. To perform analysis or troubleshooting, you can view a detailed log of a failed job.

To access the Jobs window, open the PowerProtect Data Manager UI left navigation pane, and select Jobs. The Jobs window appears, displaying successfully completed jobs by default.

The Jobs window provides you with options to filter and sort the information that appears:

l Filter jobs by Completed or RunningBy default, the Jobs window opens on the Completed tab. To display only jobs in progress, select the Running tab at the top of the window.

l Filter jobs by time rangeBy default, the Jobs window displays all jobs regardless of time range. To display jobs for a set time range, select from one of the available options.

l Filter jobs by Description, Policy Name, Job Type, Asset Type, Start Time, Status, or

Events, by clicking in their respective column.

l Sort jobs by Description, Policy Name, Job Type, Asset Type, and Start Time by clicking the column heading.

You can use the Search field to filter jobs based on a search string. When you type a keyword in the Search field, the PowerProtect Data Manager UI filters the results as you type. To clear the search filter, remove all keywords from the Search field.

To view details for a job, click the magnifying glass icon in the Details column next to the job name.

You can also monitor the status of individual tasks, view task details, and perform certain operations on tasks.

Managing Alerts, Jobs, and Tasks

PowerProtect Data Manager Administration and User Guide 207

Note: Job duration includes the sum of all tasks plus the job processing time.

Monitor and view tasks Within a job, you can view the status of specific tasks. This information can be helpful when troubleshooting to determine whether one or more tasks caused a job to fail.

Procedure

1. In the PowerProtect Data Manager UI left navigation pane, select Jobs.

The Jobs window appears.

2. Click the magnifying glass icon in the Details column next to the job name.

The Details pane appears on the right, with a Task Summary at the bottom.

3. Next to Task Summary, click the link that indicates the total number of tasks.

A new window opens to display a list of all tasks for the job and details for each task. The success or failure of individual tasks is indicated in the Status column. If a failed task requires action, a status of Critical appears.

4. (Optional) Sort and filter the information that appears:

l To sort tasks by Task Name, Status, or Asset Name, click a column heading.

l To filter tasks by Task Name, Status, or Asset Name, click in their respective column.

l To filter tasks based on a search string, type the string in the Search field.

5. To view task details and summary information, click the magnifying glass icon in the Details column next to the individual task, and then complete the following steps:

a. On the Steps tab, review the summary information, which describes the task activity.

Click to expand the step and view additional information, such as a description, summary, and recommended actions if applicable.

b. On the Details tab, review the details for the task.

Restart a job or task You can restart a failed virtual machine backup in the Jobs window of the PowerProtect Data Manager UI.

About this task

When you click Restart, the job or task restarts immediately, regardless of the scheduled activity window.

Note: If a policy with both protection and Cloud Data Recovery (CDR) stages fails, the CDR job is canceled and cannot be restarted.

Procedure

1. In the PowerProtect Data Manager UI left navigation pane, select Jobs.

The Jobs window appears, displaying only completed jobs by default. You can filter the information that appears in the window. Monitor and view jobs on page 207 provides more information.

Managing Alerts, Jobs, and Tasks

208 PowerProtect Data Manager Administration and User Guide

2. Select the Running tab.

3. To restart a failed job, select the failed job from the list, and then click Restart.

4. To restart a failed task:

a. Click the magnifying glass icon in the Details column next to the job name

The Details pane appears on the right, with a Task Summary at the bottom.

b. Next to Task Summary, click the link that indicates the total number of tasks.

c. Select a failed task, and then click Restart.

d. Click Close.

Results

To view the status of the restarted job or task, select the Running tab at the top of the Jobs window. The status indicates Running or Queued.

Cancel a job or task From the PowerProtect Data Manager UI, you can cancel a backup that is still in progress, or any asset protection and replication activities when the tasks are queued.

About this task

Note: The Cancel operation is only available for supported jobs and tasks.

Procedure

1. In the PowerProtect Data Manager UI left navigation pane, select Jobs.

The Jobs window appears, displaying only completed jobs by default. You can filter the information that appears in the Jobs window. Monitor and view jobs on page 207 provides more information.

2. To cancel a job, select Running, select a job that is in-progress, and then click Cancel.

Note: If a job is almost complete, the cancellation might fail. If the cancellation fails, a message displays indicating that the job cannot be canceled.

3. To cancel an individual task:

a. Click the magnifying glass icon next to the job name.

The Details pane appears on the right, with a Task Summary at the bottom.

b. Next to Task Summary, click the link that indicates the total number of tasks.

c. Select a task that is in-progress or queued, and then click Cancel.

Note: If a task is almost complete, the cancellation might fail. If the cancellation fails, a message displays indicating that the task cannot be canceled.

d. Click Close.

Results

The Jobs window displays the status of the canceled job or task. If the cancellation is successful, then the status eventually changes to Canceled. If the cancellation is not successful, then the status might indicate either Success or Critical.

Managing Alerts, Jobs, and Tasks

PowerProtect Data Manager Administration and User Guide 209

Export logs for a job or task The PowerProtect Data Manager UI enables you to export and view a detailed log of a job or task. You can view logs to perform analysis or troubleshooting.

About this task

Note: You can only export logs for failed jobs and tasks that have a log available to download. If a log is available to download, the Export Log button is enabled.

Procedure

1. In the PowerProtect Data Manager UI left navigation pane, select Jobs.

The Jobs window appears, displaying only completed jobs by default. You can filter the information that appears in the Jobs window. Monitor and view jobs on page 207 provides more information.

2. To export a log for a completed job, select a job from the list, and then click Export Log.

3. To export a log for a completed task:

a. Click the magnifying glass icon next to the job name.

The Details pane appears on the right.

b. In the Task Summary section, click the link that indicates the total number of tasks.

c. Select a completed task, and then click Export Log.

Managing Alerts, Jobs, and Tasks

210 PowerProtect Data Manager Administration and User Guide

CHAPTER 13

Modifying the System Settings

This section includes the following topics:

l System settings................................................................................................................... 212 l System Support................................................................................................................... 215 l Modifying the PowerProtect Data Manager virtual machine disk settings...........................220 l Configure the DD system.................................................................................................... 223

PowerProtect Data Manager Administration and User Guide 211

System settings You can use the PowerProtect Data Manager UI to modify system settings that are typically configured during PowerProtect Data Manager installation.

To access System Settings, click the icon in the top-right.

Modify the network settings You can modify the IP address, subnet mask, gateway, and DNS servers that are defined for the appliance.

Procedure

1. Select System Settings > System > Network.

2. Update the fields as necessary:

l Domain Name

l IP Address Note: When you change the domain name or IP address, the system becomes unavailable until all components are restarted.

l Subnet Mask

l Gateway

l Primary DNS

l Secondary DNS

3. Click Save.

Synchronize time on PowerProtect Data Manager and other systems The PowerProtect Data Manager system time is synchronized with the ESXi host system.

The PowerProtect Data Manager system time must match the systems with which it interfaces or compliance check will fail. Dell EMC recommends that all systems be configured to use an NTP server.

Note: Times in the UI are always displayed as local to the users time zone based on their browser or system settings. The PowerProtect Data Manager system might be in a different time zone but when viewing the UI it will always show the times local to the user.

Modify the appliance time zone Use this procedure to modify the time zone for the PowerProtect Data Manager appliance.

Procedure

1. Select System Settings > System > Timezone.

2. From the Timezone list, select the applicable time zone.

3. Click Save.

Modifying the System Settings

212 PowerProtect Data Manager Administration and User Guide

Change the system root user password Perform the following steps if you want to change the password for the root user.

Before you begin

Note: Changing the password only changes the password for the UI login, not for the appliance. Make note of your original appliance password in case you require this password for appliance operations.

Procedure

1. Select System Settings > Authentication.

The System Users window appears.

2. Select the User name for the password to edit and click Edit.

The Change the password for the root user dialog box appears.

3. In the Old Password box, enter the existing password.

4. In the New Password and Confirm Password boxes, enter the new password.

5. Click Save.

Enable replication encryption You can ensure that replicated content is encrypted while in-flight to the destination storage, and then decrypted before it is saved on the destination storage.

About this task

The encryption settings on both the source and destination systems must match to ensure successful replication.

For example, if you enable in-flight encryption in PowerProtect Data Manager, the setting must be enabled on each source and destination server before defining the PowerProtect Data Manager replication objective. If encryption is enabled after the initial definition of replication objectives, any replication jobs that were initiated during the period when the source and destination server encryption settings did not match will fail.

Procedure

1. Select System Settings > Security.

The Security dialog box appears.

2. Click the Replication Encryption switch so it is enabled, and then click Save.

After you finish

The Infrastructure > Storage window of the PowerProtect Data Manager UI displays the status of the in-flight encryption setting for all attached storage systems.

Note: For systems with DD OS version 6.2 and earlier installed, the status might display as Unknown. DD OS version 6.3 and later supports authentication mode. DD OS versions earlier than version 6.3 support only anonymous authentication mode. PowerProtect Data Manager supports only anonymous and two-way authentication modes. Ensure that both source and destination system servers use the same authentication mode.

You can take additional steps on your PowerProtect Data Manager server to enable in-flight encryption on connected DD systems by using DD System Manager, as described in the DD Operating System Administration Guide.

Modifying the System Settings

PowerProtect Data Manager Administration and User Guide 213

License types

The available license types are:

l TrialApplied automatically on installation of PowerProtect Data Manager and enables full use of the product without applying a license key for up to 90 days. When the trial period ends, PowerProtect Data Manager continues to operate with full functionality so that you can apply a permanent license.

l Front-end protected capacity by terabyte (FETB)The primary model of eLicensing, which is based on the capacity that you want to protect. For example, you can purchase a 100-TB license, which enables you to protect up to 100 TB of data.

l Socket-basedLicensed per CPU socket on virtual machine hosts that are being backed up or replicated.

Note: When you upgrade from a previous release, for example, eCDM 3.0.0-18, to PowerProtect Data Manager, any existing license and its associated Secure Remote Services connection are removed from the system and replaced with the 90-day trial license. If you have a valid FETB or socket license for PowerProtect Data Manager, upload this license and set up the associated Secure Remote Services connection.

Perpetual and term-based (subscription) licensing

Licensed software is offered in perpetual and term-based licenses. Your quote identifies whether your license rights are perpetual or term-based.

A perpetual license enables you to use the software for as long as you are in compliance with the terms of the license agreement.

A term-based license enables you to use the software for a specified time, as long as you are in compliance with the terms of the license agreement. At the end of the license term, you must either stop using the software, extend the license term, or purchase new licenses through an agreement with Dell EMC.

PowerProtect Data Manager licenses You can add a license file to PowerProtect Data Manager and view license details, such as capacity usage and software ID number.

Before you begin

To obtain the XML license file from the Dell EMC license management website, you must have the License Authorization Code (LAC), which is emailed from Dell EMC. If you have not received the LAC, contact your technical support professional.

About this task

To review existing license information, go to Settings > License.

To add a license, perform the following steps:

Procedure

1. Click the System Settings icon along the top-right: .

2. Go to Settings > License > Upload file.

3. Do one of the following:

l Copy and paste license file text into the License window.

l Browse to the location where a license file is located, select the license file and click Open.

Modifying the System Settings

214 PowerProtect Data Manager Administration and User Guide

The license file content appears in the License window.

4. Click Save.

Results

A message appears in the License window to confirm that the license is successfully added.

System Support You can use the PowerProtect Data Manager UI to manage and modify support settings, such as the mail server setup and Secure Remote Services registration, that are typically configured during installation.

To access the Support window, click the icon in the top-right, and then select System Settings > Support.

Register the Secure Remote Services gateway Secure Remote Services (SRS) enables you to register PowerProtect Data Manager with a gateway host IP address for remote access. You can register only one SRS gateway for PowerProtect Data Manager. After PowerProtect Data Manager is registered, Technical Support Engineers can remotely connect to PowerProtect Data Manager to troubleshoot issues, and you can receive critical updates PowerProtect Data Manager by using SRS version 3.36.20.10 or later.

Before you begin

l You must apply a valid PowerProtect Data Manager license.

l You must have an SRS gateway ServiceLink account open and deployed. Your Dell EMC Sales representative can assist you.

About this task

If you update a license file with a different SWID, the SRS gateway requires the new SWID. Reregister the license file with the SRS gateway to ensure the SRS gateway has the new SWID.

Procedure

1. From the PowerProtect Data Manager UI, select System Settings > Support > Secure Remote Services

2. Enter the following information:

l The hostname or IP address of the virtual machine that is deployed for SRS.

l The username and password for the SRS gateway account. The SRS gateway account credentials are provided by the ServiceLink team.

3. Click Save to complete registration of the SRS gateway.

Note: Currently, you can use only an IPv4 address for the gateway. IPv6 is not supported.

Remove the Secure Remote Services gateway

Before you begin

You must disable Auto Support to delete Secure Remote Services. If you have Auto Support enabled, you will receive an error message when you attempt to delete Secure Remote Services.

About this task

Use the following procedure to remove the Secure Remote Services gateway.

Modifying the System Settings

PowerProtect Data Manager Administration and User Guide 215

Procedure

1. From the PowerProtect Data Manager UI, select System Settings > Support > Auto Support.

2. Move the Enable Auto Support slider to Disabled, and then click Save.

3. Select System Settings > Support > Secure Remote Services

The Secure Remote Services Configuration dialog box appears.

4. Click Delete to remove the Secure Remote Services gateway.

Callhome When you register an Secure Remote Services gateway, you also enable the Callhome feature, which allows Technical Support Engineers to collect data that is related to troubleshooting device and PowerProtect Data Manager software issues. Callhome does not collect any personal information.

Callhome populates three reportsa telemetry report, an alert summary report, and a PowerProtect Central report. The following table lists the information that Callhome collects for the telemetry report.

Table 27 Telemetry report information

Category Type of information collected

Asset Sources l DDMC instances

l vCenter instances

l SMIS instances

l SQL groups instances

l Kubernetes cluster

Hosts information l ESXi hosts

l ESXi cluster hosts

l Application hosts

DD inventory l Number of DD systems

l DD operating system version and system ID

l MTree inventory

l Asset source ID

l Serial number

l Model

l DD system capacity

PowerProtect Data Manager operational inventory

l Asset information (number of assets, asset groups, assets protected, unprotected)

l Protection policies (number of policies)

l Tags (number of tags and tag categories)

l Active protection policy details (assets and their types, objectives for each stage)

Modifying the System Settings

216 PowerProtect Data Manager Administration and User Guide

Table 27 Telemetry report information (continued)

Category Type of information collected

l Failed jobs

l Application agents

l SLA violations

l External proxies

Usage l Amount of data that is protected

Licensing l Status of the applied license

Compliance in last 24 hours

l FETB in compliance

l FETB out of compliance

Traffic Metrics l API Gateway call metrics

Callhome collects details about the following objects for the PowerProtect Central report:

l Protection Policies

l Alerts

l Cloud Disaster Recovery metrics

l Service Level Agreement

l Assets

l Storage Systems

l Data targets

l Protection Details

l Compliance Details

l Audit logs

Configure PowerProtect Central reporting You can enable or disable PowerProtect Central data collection for Dell EMC storage systems.

Before you begin

l Add a valid license in System Settings > License.

l Set up SRS in System Settings > Support > SRS.

About this task

PowerProtect Central is a no-cost SaaS/cloud-based management application that proactively monitors and measures the overall health of Dell EMC systems through intelligent, comprehensive, and predictive analytics. The data reported to PowerProtect Central includes configuration data, historical metrics and health score data.

Procedure

1. Select System Settings > Support > Auto Support.

2. Click Enable Auto Support or Disable Auto Support.

3. Scroll to the end and click Accept to accept the Telemetry software terms.

Modifying the System Settings

PowerProtect Data Manager Administration and User Guide 217

4. Select Secure Remote Services and click Save.

Results

When Auto Support is enabled, PowerProtect Central reports are sent automatically. To log in to PowerProtect Central, click the Reporting menu item, or go to https:// powerprotectcentral.emc.com

For more information on PowerProtect Central, refer to the PowerProtect Central Online Support site.

Set up the email server The Email Setup area on the PowerProtect Data Manager System Settings area enables you to set SMTP email server information to send emails for resetting local user passwords and customized alert notifications.

Procedure

1. Select System Settings > Support > Email Setup.

2. Populate the following fields:

a. Mail Server

The SMTP mail server.

b. Email from:

The email address at which you would like to receive the PowerProtect Data Manager autosupport email.

c. [Optional] Recipient for Test Email:

The email address to which you would like to send the PowerProtect Data Manager test email.

d. [Optional] Port:

The default port is 25. PowerProtect Data Manager supports using nondefault ports.

If the email setup is deleted, you must manually choose any nondefault port that is not in use anywhere else.

e. User Name:

The user name associated with the PowerProtect Data Manager SMTP email server.

f. Password:

The password associated with the PowerProtect Data Manager SMTP email server.

3. Click Send Test Email.

PowerProtect Data Manager sends a test email.

4. Click Save.

Add Auto Support When auto support is enabled, auto support information, telemetry reports, alert summary, and PowerProtect Central reports will be sent.

About this task

If Secure Remote Services and SMTP are both configured, this information will be sent via Secure Remote Services.

Modifying the System Settings

218 PowerProtect Data Manager Administration and User Guide

Procedure

1. Select System Settings > Support > Auto Support.

The Auto Support window appears.

2. Change the Enable Auto Support option to Disabled or Enabled, and click Save.

When you enable Auto Support, select whether to receive the Auto Support communications via SRS or email server.

When you enable Auto Support, the Telemetry Software Terms page displays. Review and scroll down to the bottom of the page to accept the terms, and then click Save to save your changes.

When you disable Auto Support, PowerProtect Data Manager stops sending error and telemetry data to SRS or the SMTP server. PowerProtect Data Manager continues to send information for upgrades and other information.

Note: You must disable Auto Support to delete SRS.

Enable automatic upgrade package downloads Enable upgrade packages to be downloaded automatically through SRS.

About this task

If this feature is disabled, the system alerts you when a new package is available through SRS. When the feature is enabled, the system automatically downloads available packages, and then alerts you when the package is downloaded.

Procedure

1. Select System Settings > Support > Secure Remote Services.

2. Select Automatically download upgrade packages, and then click Save.

Add a log bundle Use the following procedure to add a log bundle.

About this task

Note: You can add a maximum of 10 log bundles.

Procedure

1. Select System Settings > Support > Logs.

2. Click Add to add a log bundle.

The Add Log Bundle window appears.

3. Select the systems for the log bundle (Data Manager, VM Direct Engines, or, if Cloud DR is deployed, CDRS), set the log bundle duration, and click Save.

The Jobs window displays the progress of the log bundle creation. Also, a green banner in the UI indicates that the log bundle has successfully been created. If you want to dismiss the banner, click X.

4. To delete the log bundle, select the box to the left of log bundle and click Delete.

The Log Capacity indicates how much space (in GB) remains on the disk for logs and the percentage of the disk in use for log storage.

5. To download the log bundle, click the bundle name in the Bundle Name column.

Modifying the System Settings

PowerProtect Data Manager Administration and User Guide 219

Monitor system state and system health In addition to the summary system health view provided in the PowerProtect Data Manager UI's Dashboard window, the System Settings > Support window provides a further breakdown of PowerProtect Data Manager system health information.

Monitor system component health Through the Settings window, you can monitor the state of the appliance and the health of each system component. .

To view the health of system components, click the icon in the top-right, select System Settings > Support, and then select System Health.

The following table provides a summary of each component state:

Table 28 Component status

Status Description

Running This state appears when the associated service or component is running with full functionality. When all components are in running state, the state of the appliance is operational.

Initializing This state appears when the component is starting. When the component successfully starts, the state changes to Running.

Maintenance This state appears when the associated service is in maintenance. In the maintenance state, components have limited functionality. Infrastructure services do not go into maintenance state. When other components are in maintenance, the appliance state is also maintenance.

Quiesce This state appears when the service that is associated with the component is stopping.

Shut down This state appears when the service has stopped.

No response This state appears when the service that is associated with the component is running, but the service is not responding.

Access the open source software package information All open source software (OSS) package information used by PowerProtect Data Manager is stored in a common directory.

To access this information, SSH login to PowerProtect Data Manager and retrieve the OSS reports from the /usr/local/brs/puppet/licenses directory.

Modifying the PowerProtect Data Manager virtual machine disk settings

Follow the steps in this section, under the guidance and recommendations of Dell EMC Support, to expand the size of the data disk and system disk, and modify the memory configuration.

Modifying the System Settings

220 PowerProtect Data Manager Administration and User Guide

Modify the virtual machine memory configuration Adjust the PowerProtect Data Manager virtual machine memory configuration to support changes in the protection environment.

Before you begin

Shut down PowerProtect Data Manager and the VM Direct appliance.

Procedure

1. Log in to the vSphere Web Client.

2. Right-click the appliance and select Edit Settings.

The Edit Settings window appears with the Virtual Hardware button selected.

3. In the Memory field, specify the new memory value.

Ensure that the value you specify does not exceed 16 times the amount of memory the virtual machine has when powered on and is a multiple of 4 MB.

4. Click OK.

Modify the data disk size Follow these steps to expand the size of a data disk that is single partitioned and has the log partition is on the system disk.

Procedure

1. Perform the following steps from the vSphere Web Client:

a. Right-click the VM Direct appliance and select Shut Down Guest OS.

b. After the power off completes, right-click the appliance and select Edit Settings.

The Edit Settings window appears with the Virtual Hardware button selected.

c. Increase the provisioned size of Hard disk 2 to the desired size, and then click OK.

Note: You cannot decrease the provisioned size of the disk.

d. Right-click the VM Direct appliance and select Power On.

2. Perform the following steps from the appliance console, as the root user.

Note: If you use ssh to connect to the appliance, log in with the admin account, and then use the su command to change to the root account.

a. Reboot the appliance by typing reboot.

b. On the GNU GRUB menu, press Esc to edit the GNU GRUB menu.

c. In the edit screen, search for the line that starts with Linux, and then add word single before the entry splash=0

The following figure provides an example of the edit screen with the updated text.

Modifying the System Settings

PowerProtect Data Manager Administration and User Guide 221

Figure 9 Editing the GNU GRUB menu

d. Press Ctrl-x to reboot into single-user mode.

e. When prompted, type the password for the root account.

f. Unmount the data disk, by typing umount /data01.

g. Start the partition utility, by typing parted, and then perform the following tasks:

a. Type select /dev/sdb.

b. Type print. If you are prompted to fix issues, type fix at each prompt. The output displays the new disk size in the Size field and the current size in the table.

c. Type resize 1 new_size. Where new_size is the value that appears in the Size field in the output of the print command.

For example, to resize the disk to 700 GB, type: resize 1 752GB d. Type quit.

3. Reboot the VM Direct appliance by typing systemctl reboot.

4. Log in to the console as the root user.

Note: If you use ssh protocol to connect to the VM Direct appliance, log in with the admin account, and then use the su command to change to the root account.

5. Grow the xfs file system by typing xfs_growfs -d /data01.

6. Confirm the new partition size by typing df -h.

Modify the system disk size Follow these steps to expand the size of a data disk when the log partition is the last partition on the system disk.

Procedure

1. Perform the following steps from the vSphere Web Client:

a. Right-click the VM Direct appliance and select Shut Down Guest OS.

b. After the power off completes, right-click the appliance and select Edit Settings.

The Edit Settings window appears with the Virtual Hardware button selected.

c. Increase the provisioned size of Hard disk 1 to the desired size, and then click OK.

Modifying the System Settings

222 PowerProtect Data Manager Administration and User Guide

Note: You cannot decrease the provisioned size of the disk.

d. Right-click the VM Direct appliance and select Power On.

2. Boot from a SuSE Linux Enterprise Server (SLES) version 12 CD.

3. Start the partition utility, by typing parted, and then perform the following tasks.

a. Type select /dev/sdx.

b. Type print. If you are prompted to fix issues, type fix at each prompt. The output displays the new disk size in the Size field and the current size in the table.

c. Type quit.

4. Reboot the VM Direct appliance by typing systemctl reboot.

5. Log in to the console as the root user.

Note: If you use ssh protocol to connect to the VM Direct appliance, log in with the admin account, and then use the su command to change to the root account.

6. Grow the xfs file system by typing xfs_growfs -d /data01.

7. Confirm the new partition size by typing df -h.

Configure the DD system Before you begin

Before you can use DD to protect the system, use NFS to export the MTree that PowerProtect Data Manager uses on the DD system. The setup on the DD system requires that you add the PowerProtect Data Manager client with no_root_squash.

Procedure

1. Use a web browser to log in to the DD System Manager as the system administrator.

2. In the Summary tab, Protocols pane, select NFS export > create export.

The Create NFS Exports window appears.

3. In the Create NFS Exports window:

a. In the Export Name field, specify the name of the DD MTree.

b. If you have not yet created the DD MTree, follow the prompts to create the MTree and click Close.

c. In the Directory path field, specify the full directory path for DD MTree that you created. Ensure that you use the same name for the directory.

d. Click OK.

A message appears to indicate that the NFS export configuration save is in progress and then complete.

e. Click Close.

Modifying the System Settings

PowerProtect Data Manager Administration and User Guide 223

Modifying the System Settings

224 PowerProtect Data Manager Administration and User Guide

CHAPTER 14

Configuring the vSphere Client PowerProtect plug-in

This chapter includes the following topics:

l Introducing the PowerProtect plug-in for the vSphere Client............................................. 226 l Prerequisites for the vSphere Client PowerProtect plug-in................................................. 227 l Monitor PowerProtect Data Manager virtual machine protection copies.............................228 l On-demand PowerProtect policy backup in the vSphere Client.......................................... 228 l Image-level restore of a PowerProtect backup in the vSphere Client..................................229 l File-level restore of a PowerProtect backup in the vSphere Client......................................230

PowerProtect Data Manager Administration and User Guide 225

Introducing the PowerProtect plug-in for the vSphere Client When adding a vCenter Server in the PowerProtect Data Manager UI, if you enable the vSphere Plugin option, a subset of the UI functionality becomes available within the vSphere Client.

The PowerProtect Data Manager portlet appears when you select Hosts and Clusters or VMs and Templates in the left pane of the vSphere Client home page, and then select a virtual machine within the datacenter. Figure 10 PowerProtect portlet in the vSphere Client

Note: If you were already logged into the vSphere Client when the vCenter discovery was started in PowerProtect Data Manager, you must log out and log back in to see the PowerProtect Data Manager UI.

If the virtual assets in the vCenter have not yet been assigned to a PowerProtect Data Manager protection policy, only the PowerProtect name displays in the portlet. Adding the virtual machine to a protection policy provides additional information, as shown in the following figure. Figure 11 PowerProtect portlet with protected virtual machine

After you set up a virtual machine protection policy, you can perform the following PowerProtect Data Manager functionality within the vSphere Client:

Configuring the vSphere Client PowerProtect plug-in

226 PowerProtect Data Manager Administration and User Guide

l View information about protection policies and information about available protection copies. l Monitor in-progress backup and restore operations for the virtual machine protection policy.

You can also view information for successfully completed protection copies that are available for restore.

l Perform a manual backup. l Perform an image-level restore (Restore to Original, Restore to New, or Instant Access). l Perform a file-level restore.

Prerequisites for the vSphere Client PowerProtect plug-in To use the vSphere Client PowerProtect plug-in for backup and restore operations, complete the following tasks in the vSphere Client and the PowerProtect Data Manager UI.

l Add and discover the vCenter ServerIn the PowerProtect Data Manager UI, select Infrastructure > Asset Sources, and move the vSphere Plugin slider to the right to enable the plug-in. Add a VMware vCenter Server on page 88 provides information.

l Verify that the virtual machine assets for the vCenter have been discoveredIn the PowerProtect Data Manager UI, go to the Infrastructure > Assets window and select the Virtual Machines tab. About vCenter Server asset sources and virtual assets on page 87 provides more information.

l Add privileges for the Virtual machine power user groupIn the vSphere Client, go to Administration > Users and Groups to open the Edit Role window , select PowerProtect Restore, and then add the following PowerProtect Data Manager privileges:

n All PowerProtect restore privileges n File Level Restore to Original n Instant Access n Restore to New n Restore to Original

Figure 12 PowerProtect privileges added for the Virtual machine power user

Note: If you edit the vCenter Server in the PowerProtect Data Manager UI to unregister the vSphere Plugin for PowerProtect Data Manager, these PowerProtect Data Manager privileges are not removed from the user group.

l For the virtual asset (virtual machine, cluster, host) and all its child elements, add permissions to the Virtual machine power user group that you enabled with PowerProtect Data Manager

Configuring the vSphere Client PowerProtect plug-in

PowerProtect Data Manager Administration and User Guide 227

privileges. To add these permissions, select the asset in the left pane of the vSphere Client, and then click the Permissions tab.

l Add a virtual machine protection policy in the PowerProtect Data Manager UI Protection > Protection Policies window to schedule a backup of the virtual machines. Add a protection policy for a virtual machine on page 118 provides information.

Monitor PowerProtect Data Manager virtual machine protection copies

You can use the Monitor window in the vSphere Client to view PowerProtect Data Manager protection copies that are available for restore, and monitor in-progress backup and restore operations for the PowerProtect Data Manager virtual machine protection policy.

In the Monitor window's navigation pane, select PowerProtect > Protection Copies to view information about completed PowerProtect Data Manager protection policy backups. This view is the same as the view in the PowerProtect Data Manager UI Infrastructure window. A copy map enables you to view the available protection copies when you click on the storage icon, as described in More options for managing virtual machine backups on page 122.

To view the status of active backup and restore operations initiated from the PowerProtect Data Manager UI or the vSphere Client, click the arrows icon in the lower right corner of the window to expand the Recent Tasks pane. You can also view this pane from the Summary window.

On-demand PowerProtect policy backup in the vSphere Client You can back up one or more PowerProtect Data Manager virtual machine protection policies at any time by performing a manual (on-demand) backup in the vSphere Client.

Before you begin

l Ensure that you are logged in to the vSphere Client as an administrator.

l Add the Backup privilege to the Administrator group in the vSphere Client. To add the Backup privilege, complete the following steps:

1. Select Administration > Roles.

2. Select Administrator, and then click Privileges in the right pane.

3. In the PowerProtect Backup section, select Backup.

l Ensure that virtual machine assets have been added to a virtual machine protection policy. You cannot perform manual backups of unprotected virtual machines.

Procedure

1. Select Hosts and Clusters or VMs and Templates in the left pane of the vSphere Client home page, and then select a virtual machine within the datacenter.

The Summary window displays.

2. Perform a manual backup of a virtual machine protection policy by using one of the following methods:

l In the left pane, right-click the virtual machine, and then select PowerProtect > Backup.

l Within the PowerProtect portlet, click Backup Now.

The vSphere Client starts the backup operation. A message appears indicating whether the request was processed successfully.

Configuring the vSphere Client PowerProtect plug-in

228 PowerProtect Data Manager Administration and User Guide

Results

An entry for the backup job appears in the Jobs > Running window of the PowerProtect Data Manager UI. To view the status of operations, you can also click the arrows icon in the lower right corner of the window to expand the Recent Tasks pane.

Image-level restore of a PowerProtect backup in the vSphere Client

You can use the vSphere Client PowerProtect plug-in to perform an image-level restore of a PowerProtect Data Manager virtual machine protection policy backup.

About this task

Available image-level restore options in the vSphere Client include:

l Restore to OriginalRestore the virtual machine to the original location on the same vCenter.

l Restore Individual Virtual DisksRestore selected VMDKs to the original location on the same vCenter.

l Restore to NewRestore the virtual machine to a new location on the original vCenter or a different vCenter.

l Instant AccessRestore the backup as a live virtual machine to view the backup and then determine whether you want to do a full restore. Instant Access sessions are made available for a default period of 7 days, which can be extended.

Procedure

1. Select Hosts and Clusters or VMs and Templates in the left pane of the vSphere Client home page, and then select a virtual machine within the datacenter.

The Summary window displays.

2. Access the backup copy by using one of the following methods:

l In the left pane, right-click the virtual machine, and then select PowerProtect > Restore.

l Within the PowerProtect portlet, click Restore.

3. On the Select Copy page, for each virtual machine that is listed in the table, select the radio button next to the virtual machine and click Choose Copy.

The Choose Copy dialog appears. Note: If you click Next without choosing a copy, the most recent backup copy is used.

4. In the Choose Copy dialog:

a. Select the storage icon to access the backup copies.

b. Choose from one of the available copies that appears in the table.

c. Click OK to close the dialog and return to the Select Copy page.

d. Click Next.

5. On the Purpose page, select from one of the following options:

l Restore Entire VMsSelect this option if you want to restore the entire virtual machine.

l Restore Individual Virtual DIsksSelect this option if you want to restore only specific virtual machine disks (VMDKs).

Configuring the vSphere Client PowerProtect plug-in

PowerProtect Data Manager Administration and User Guide 229

Note: Individual VMDKs can only be restored to the original location.

6. Click Next.

If restoring entire virtual machines, the Restore Type page displays. If restoring individual VMDKs, the Select Disks page displays.

7. On the Restore Type page, select from one of the available restore options. The wizard updates to display the options specific to the restore type that you selected.

Note: Options such as vCenter, resource pool, and datastore are limited to the logged-in vSphere user's permissions, and are not necessarily the same as a PowerProtect Data Manager administrator.

l For Instant Access restore, review the section Instant access virtual machine restore on page 163.

l For Restore to New, review the section Restore to a new virtual machine on page 162.

l For Restore to Original, review the section Restore and Overwrite original virtual machine on page 159.

l For Restore Individual Virtual Disks, review the section Restore individual virtual disks on page 161.

8. On the Summary page, review your selections and then click Restore.

Results

An entry for the restore job appears in the Recent Tasks pane of the vSphere Client and in the Recovery > Running Activities window of the PowerProtect Data Manager UI.

After you finish

For Instant Access restores, when the virtual machine is powered on and you select the virtual machine in the left pane of the Summary window, the session information appears within the PowerProtect portlet. If you need extra time for this session, you can click Extend Session and increase session availability by up to 7 days.

File-level restore of a PowerProtect backup in the vSphere Client

You can use the vSphere Client PowerProtect plug-in to perform a file-level restore of a PowerProtect Data Manager virtual machine protection policy backup.

Before you begin

l Review the section Supported platform versions for file-level restore for supported platform and operating system versions.

l Review the section File-level restore and SQL restore limitations on page 188.

l Ensure that the FLR Agent is installed on the target virtual machine by logging into the virtual machine and verifying that the agent package is installed and the agent process is running. If the FLR Agent is not installed, the installation is initiated automatically when you start the mount. When installing the FLR Agent on Windows virtual machines, the user must be an administrator account. When installing the FLR Agent on Linux virtual machines, the user must be the root user account. The section FLR Agent for virtual machine file-level restore on page 185 provides more information.

Configuring the vSphere Client PowerProtect plug-in

230 PowerProtect Data Manager Administration and User Guide

Note: For file-level restores, you can only restore files:

l From a Windows backup to a Windows machine, or from a Linux backup to a Linux machine.

l To virtual machines within the same vCenter.

About this task

Available file-level restore options in the vSphere Client include:

l Restore single or multiple files to the original folder and overwrite the original files within the same virtual machine, or

l Restore single or multiple files to a new folder with a new name within the same virtual machine.

Procedure

1. Select Hosts and Clusters or VMs and Templates in the left pane of the vSphere Client home page, and then select a virtual machine within the datacenter.

The Summary window displays.

2. Access the backup copy by using one of the following methods:

l In the left pane, right-click the virtual machine, and then select PowerProtect > File Level Restore.

l Within the PowerProtect portlet, click File Level Restore.

3. On the Select Copy page, for each virtual machine that is listed in the table, select the radio button next to the virtual machine and click Choose Copy.

The Choose Copy dialog appears. Note: If you click Next without choosing a copy, the most recent backup copy is used.

4. In the Choose Copy dialog:

a. Select the storage icon to access the backup copies.

b. Choose from one of the available copies that appears in the table.

c. Click OK to close the dialog and return to the Select Copy page.

d. Click Next.

5. On the Mount Copy page:

a. To initiate the disk mount, type the guest operating system user credentials:

l If there are administrator-level credentials associated with the virtual assets or protection policy being restored, specify end-user credentials.

l If there are no administrator-level credentials associated with the virtual assets or protection policy being restored, specify administrator credentials. These credentials will be handled as end-user credentials.

b. (Optional) Leave Keep FLR Agent Installed selected when you want the FLR Agent to remain on the destination virtual machine after the restore completes.

c. Click Start Mount to initiate the disk mount.

If not already installed, the FLR Agent is installed on the target virtual machine. A progress bar indicates when the mount completes.

Note: You cannot browse the contents of the virtual machine backup until the mounting of the destination virtual machine completes successfully.

Configuring the vSphere Client PowerProtect plug-in

PowerProtect Data Manager Administration and User Guide 231

d. Upon successful mount, click Next.

6. On the Select Files to Recover page:

a. Expand individual folders to browse the original virtual machine backup, and select the objects that you want to restore to the destination virtual machine.

b. Click Next.

Note: In the browse view, each directory or hard drive appears twice. Selecting an object from one location selects the object in the duplicate location as well.

7. On the Options page, select from one of the following options:

l Restore to Original Folder and Overwrite Original FilesSelect this option to restore all selected files to their original location on the original virtual machine.

l Restore to an Alternate FolderSelect this option if you want to restore to a new folder in a new location on the original virtual machine.

8. Click Next.

If performing the restore to the original virtual machine, the Summary page displays. You can go to the final step. If performing the restore to an alternate location on the original virtual machine, the Restore Location page displays.

9. On the Restore Location page:

a. Browse the folder structure of the virtual machine to select the new folder where you want to restore the objects.

b. Click Next.

10. On the Summary page:

a. Review the information to ensure that the restore details are correct. You can click Edit next to the Restore Location or Files Selected rows to change the information.

b. Click Restore.

Results

An entry for the restore job appears in the Recent Tasks pane of the vSphere Client and in the Recovery > Running Activities window of the PowerProtect Data Manager UI.

Configuring the vSphere Client PowerProtect plug-in

232 PowerProtect Data Manager Administration and User Guide

CHAPTER 15

Configuring VMware Cloud on Amazon Web Services

This chapter includes the following topics:

l PowerProtect Data Manager image backup and recovery for VMware Cloud on AWS........ 234 l Configure the VMware Cloud on AWS web portal console.................................................. 234 l Amazon AWS web portal requirements............................................................................... 235 l Interoperability with VMware Cloud on AWS product features............................................235 l vCenter server inventory requirements............................................................................... 236 l VMware Cloud on AWS configuration best practices.......................................................... 236 l Add a VM Direct Engine...................................................................................................... 236 l Protection and recovery operations.....................................................................................237 l Interoperability with VMware Cloud on AWS product features............................................238 l Unsupported operations in VMware Cloud on AWS ............................................................ 238 l Troubleshooting VMware Cloud on AWS ............................................................................ 238

PowerProtect Data Manager Administration and User Guide 233

PowerProtect Data Manager image backup and recovery for VMware Cloud on AWS

PowerProtect Data Manager provides image backup and restore support for VMware Cloud on Amazon Web Services (AWS).

Using PowerProtect Data Manager to protect virtual machines that are running in VMware Cloud on AWS is similar to how you protect the virtual machines in an on-premises data center. This section provides information on network configuration requirements, PowerProtect Data Manager best practices for VMware Cloud on AWS, and unsupported PowerProtect Data Manager operations for VMware Cloud on AWS.

To perform data protection and disaster recovery tasks in VMware Cloud on AWS, consider the following recommendations and requirements for the backup infrastructure deployment:

l Deploy PowerProtect Data Manager in a VMware Cloud on AWS environment.

l Deploy the VM Direct Appliance in VMware Cloud on AWS environment. Deploy at least one VM Direct Appliance for each SDDC cluster in the VMware Cloud on AWS.

l Clone backups to another DD system running either in the same AWS geographical location or in a different AWS geographical location. This type of deployment enables backup copies to be stored for longer retention, leveraging the AWS network for transferring data at lower latency and cost when compared to the public Internet.

l Store backups outside of the VMware Cloud on AWS environment. For example, store backups on the Amazon AWS VPC. This type of deployment enables efficient data transfer over the fast ENI connection that is used by VMware to communicate with Amazon AWS.

l Clone your backups to another DD system that is running either in the same AWS geographical location or in a different AWS geographical location. This type of deployment enables backup copies to be stored for longer retention, leveraging the AWS network for transferring data at lower latency and cost when compared to the public Internet.

Configure the VMware Cloud on AWS web portal console Domain Name System (DNS) resolution is critical for deployment and configuration of PowerProtect Data Manager, the PowerProtect Data Manager external proxy, and the DD appliance. All infrastructure components should be resolvable through a Fully Qualified Domain Name (FQDN). Resolvable means that components are accessible through both forward (A) and reverse (PTR) lookups.

In the VMware Cloud on AWS web portal console, ensure that the following requirements are met:

l By default, there is no external access to the vCenter Server system in the Software Defined Data Center (SDDC). You can open access to the vCenter Server system by configuring a firewall rule. To enable communication to the vCenter public IP address from the SDDC logical network, set the firewall rule in the compute gateway of VMware Cloud on AWS. If the firewall rule is not configured in the SDDC, PowerProtect Data Manager does not allow you to add the vCenter Server.

l The default compute gateway firewall rules prevent all virtual machine traffic from reaching the internet. To enable the PowerProtect Data Manager virtual machine to connect to the internet, create a compute gateway firewall rule. This action enables outbound traffic on the logical network to which the PowerProtect Data Manager server virtual machine is connected.

l Configure DNS to allow machines in the SDDC to resolve Fully Qualified Domain Names (FQDNs) to IP addresses belonging to the internet. If the DNS server is not configured in the

Configuring VMware Cloud on Amazon Web Services

234 PowerProtect Data Manager Administration and User Guide

SDDC, the PowerProtect Data Manager server does not allow you to add the vCenter Server by using the server's public FQDN or IP address.

l It is recommended that you deploy the DD system as a virtual appliance in the Amazon Virtual Private Cloud (VPC). During the SDDC creation, connect the SDDC to an AWS account, and then select a VPC and subnet within that account.

l The DD system running in the Amazon VPC must be connected to the VMware SDDC through the VMware Cloud Elastic Network Interfaces (ENIs). This action allows the SDDC, the services in the AWS VPC, and subnet in the AWS account to communicate without having to route traffic through the internet gateway.

l The same ENI channel is recommended for access to DD systems. For more information about configuring ENIs, see https://vmc.vmware.com/console/aws-link.

l If DDVE is running in the Amazon VPC, configure the inbound and outbound firewall rules of the compute gateway for DD connectivity. For detailed information on what incoming on outgoing ports need to be opened for PowerProtect-VM proxy solution, refer to the PowerProtect Data Manager Security Configuration Guide.

l If using NSX-T, configure the DNS to resolve to the internal IP address of the vCenter server. Navigate to SDDC Management > Settings > vCenter FQDN and select the Private vCenter IP address so that you can directly access the management network over the built-in firewall. Additionally, ensure that you open TCP port 443 of the vCenter server in both the management gateway and the compute gateway.

Amazon AWS web portal requirements In the Amazon AWS web portal, ensure that the following requirements are met:

l If a DD system is running in your Amazon VPC, configure the inbound and outbound firewall rules of your Amazon VPC security group to provide connectivity between the VMware SDDC compute gateway and DD connectivity.

l If you are replicating from one DD system to another, configure the inbound rule for the security group in AWS to allow all traffic from the respective private IPs of the DD Virtual Editions running in your Amazon VPC.

l If you have more than one DD instance running in AWS to perform replication, both DD systems must have the ability to ping each other using the FQDNs.

Interoperability with VMware Cloud on AWS product features VMware Cloud on AWS has certain restrictions on workloads and resource pools. To ensure proper operation, select the Workload an Compute sections in AWS.

Do not use the following non-accessible areas:

l vSANdatastore datastore

l Management VMs folder in VMs and Templates view

l Mgmt-ResourcePool resource pool in Hosts and Clusters view

Configuring VMware Cloud on Amazon Web Services

PowerProtect Data Manager Administration and User Guide 235

vCenter server inventory requirements In the vCenter server inventory of your SDDC, ensure that the following requirements are met:

l An internal DNS name lookup server must be running inside the vCenter inventory. This will be referenced by all the workloads running in the VMware SDDC.

l The internal DNS server must have Forwarders enabled to access the internet. This action is required to resolve the vCenter Server's public FQDN. Forwarders are DNS servers that the server can use to resolve DNS queries for records that the server cannot resolve.

VMware Cloud on AWS configuration best practices For VMware Cloud on AWS support, ensure that the following requirements are met:

l When deploying or configuring PowerProtect Data Manager or the VM Direct appliance, ensure that correct DNS server IP points to the internal DNS server that is running in the vCenter inventory.

l Ensure that both forward and reverse lookup entries in the internal DNS server are in place for all of the required components, such as PowerProtect Data Manager, VM Direct appliance, and the DDVE appliance.

l If using NSX-T, add the vCenter server toPowerProtect Data Manager by using the FQDN.

l If using NSX-V, add the vCenter server to PowerProtect Data Manager by using the public FQDN of the vCenter server.

l When adding the vCenter server to PowerProtect Data Manager, specify the login credentials for the cloudadmin@vmc.local user.

l When configuring the VM Direct appliance in a VMware Cloud on AWS environment, ensure that you select the transport mode as Hot Add only. VMware Cloud on AWS does not support the NBD transport mode.

Add a VM Direct Engine In the Protection Engines window, perform the following steps to deploy a VM Direct Engine to facilitate data movement with the VM Direct protection engine.

About this task

The PowerProtect Data Manager software comes bundled with an embedded VM Direct Engine, which is automatically used as a fallback proxy for performing backups and restores when the added external proxies fail or are disabled. Dell EMC recommends that you deploy external proxies because the embedded proxy has limited capacity for performing parallel backups.

Procedure

1. In the VM Direct Engines pane of the Protection Engines window, click Add.

2. In the Add VM Direct Engines dialog box, complete the required fields, which are marked with an asterisk.

Consider the following:

l Only IPv4 addresses are supported for the Gateway, IP Address, Netmask, and Primary DNS.

l If you have added multiple vCenter Server instances, the vCenter to Deploy list enables you to select the vCenter on which to deploy the VM Direct Engine.

Configuring VMware Cloud on Amazon Web Services

236 PowerProtect Data Manager Administration and User Guide

Note: Do NOT select the internal vCenter in this step.

l The ESX Host/Cluster list enables you to select on which cluster or ESXi host you want to deploy the additional VM Direct Engine.

l The Network list shows all the networks that are available under the selected ESXi Host/Cluster.

l The Data Store list shows all datastores that are accessible to the selected ESXi Host/ Cluster based on ranking (whether the datastores are shared, local, or NFS), and available capacity (the datastore with the most capacity appearing at the top of the list).

l You can choose the specific datastore on which the VM Direct Engine will reside or leave the default selection of to enable PowerProtect Data Manager to determine the best location to host the VM Direct Engine.

l The Transport Mode list enables you to select either Hot Add or Network Block Device (NBD) transport mode or to default to Hot Add mode and fail back to NBD only if Hot Add cannot be used.

Note: When configuring the VM Direct Engine in a VMware Cloud on AWS environment, ensure that you select the transport mode as Hot Add. VMware Cloud on AWS does not support the NBD transport mode.

3. Click Save.

The VM Direct Engine is added to the VM Direct Engines pane. Note that it can take several minutes before the new VM Direct Engine is registered in PowerProtect Data Manager. The VM Direct Engine appears in the vSphere Client window.

Results

When an extra VM Direct Engine is deployed and registered, this asset is used by PowerProtect Data Manager instead of the embedded VM Direct for any data protection operations involving virtual machine protection policies, unless all added VM Direct Engines are unavailable. If no added VM Direct Engine is available, the embedded VM Direct Engine is used as a fallback to perform limited scale backups and restores. If you do not want to use an added VM Direct Engine, you can disable that proxy. Additional VM Direct actions on page 95 provides more information.

After you finish

If the VM Direct Engine deployment fails, review the network configuration of PowerProtect Data Manager in the System Settings window to correct any inconsistencies in network properties. After successfully completing the network reconfiguration, you must delete the failed VM Direct Engine and then add the VM Direct Engine in the Protection Engines window.

When configuring the VM Direct Engine in a VMware Cloud on AWS environment, if the VM Direct Engine is deployed to the root of the cluster instead of inside the Compute-ResourcePool, you must move the VM Direct Engine inside the Compute-ResourcePool.

Protection and recovery operations Using PowerProtect Data Manager to protect virtual machines that are running in VMware Cloud on AWS is similar to how you protect the virtual machines in an on-premises data center.

Once you complete the tasks to set up and run a virtual machine protection policy in PowerProtect Data Manager, you can perform the following PowerProtect Data Manager functionality:

l In the Summary window, view information about protection policies and, if policies have been run in PowerProtect Data Manager, information about available protection copies.

Configuring VMware Cloud on Amazon Web Services

PowerProtect Data Manager Administration and User Guide 237

l In the Monitor window, actively monitor in-progress backup and restore operations for the virtual machine protection policy, and view information for successfully completed protection copies that are available for restore.

l Perform a Restore to Original, Restore to New, or Instant Access restore. You can initiate a restore from the Monitor window, or by right-clicking a virtual machine and selecting PowerProtect > Restore.

Interoperability with VMware Cloud on AWS product features VMware Cloud on AWS has certain restrictions on workloads and resource pools. To ensure proper operation, select the Workload an Compute sections in AWS.

Do not use the following non-accessible areas:

l vSANdatastore datastore

l Management VMs folder in VMs and Templates view

l Mgmt-ResourcePool resource pool in Hosts and Clusters view

Unsupported operations in VMware Cloud on AWS PowerProtect Data Manager image backup and restore in VMware Cloud on AWS does not currently support the following operations:

l Application-consistent data protection for MS-SQL with the VM Direct appliance.

l File-level restore from an image-level backup if using NSX-V. Note that this operation is supported if using NSX-T.

l Instant access recovery of an image-level backup.

l Emergency restore (image-level restore directly to an ESXi host, bypassing the vCenter).

l Image-level backups and restores that use NBD or the NBDSSL transport mode.

l VM Direct appliance that is configured with dual-stack or IPv6.

l If a datacenter is placed inside a folder in the SDDC, image backup and restore is not supported.

l VM Backup and Recovery plugin (HTML5) for vSphere is not supported.

Troubleshooting VMware Cloud on AWS When restoring as new VM, the reconnect NIC option might not work correctly.

Workaround

1. Edit the settings of the restored new VM and change the network to "VM Network" and then click Apply.

2. Reopen the Edit Setting Configuration pane of the VM and then change the network to the correct NSX-T network logical switch.

3. Click Connect.

Configuring VMware Cloud on Amazon Web Services

238 PowerProtect Data Manager Administration and User Guide

CHAPTER 16

Upgrading the PowerProtect Data Manager Software

This topic presents the following topics:

l Upgrade PowerProtect Data Manager from version 19.4 and later......................................240 l Upgrade PowerProtect Data Manager from version 19.2 and 19.3....................................... 241 l Upgrade the software from PowerProtect Data Manager version 19.1................................ 243 l Managing certificates after upgrading from versions earlier than PowerProtect Data Manager

version 19.1..........................................................................................................................244

PowerProtect Data Manager Administration and User Guide 239

Upgrade PowerProtect Data Manager from version 19.4 and later

Use this procedure to upgrade PowerProtect Data Manager from version 19.4 or later or to apply critical updates.

Before you begin

l Download the upgrade package from Dell EMC Support Downloads and Drivers.

l Ensure that you have administrator credentials. Only a PowerProtect Data Manager administrator can initiate the upgrade.

l To enable automatic snapshots, ensure that the vCenter hosting PowerProtect Data Manager is added as an asset source.

l Check for running tasks and cancel them or allow them to complete.

l Disable any Protection Policies that are scheduled to run in the next few hours.

About this task

Note: If SRS is configured and a critical update is available in the SRS gateway, a notification appears in the UI. You can also download available critical updates that appear in the Support Site section of the Upgrade page.

An upgrade package can upgrade one or more of the following:

l The PowerProtect Data Manager, including application agent installers stored on the PowerProtect Data Manager virtual machine

l External VM DIrect appliance

l Kubernetes support and PowerProtect Search software.

The upgrade process automatically stops all running jobs, puts the system into maintenance mode, and creates a snapshot of the system. If the upgrade fails or is aborted, the system uses the snapshot to roll back to the previous state. Once the system is rolled back or upgraded successfully, the snapshot is automatically deleted.

Procedure

1. Log in to PowerProtect Data Manager with administrator credentials.

2. Select System Settings > Upgrade.

Click the down arrow next to the package name to view details about the contents.

3. Click Upload Package, browse to the path that contains the upgrade package, select the package, and then click Open.

4. Wait until the package status is Available, and then click OK.

5. Click Upgrade.

The upgrade manager runs a precheck.

l If a critical issue is found, the upgrade is cancelled. Fix any issues and run the precheck to ensure that the issue is fixed.

l If non-critical issues are found, Dell EMC recommends that you fix any issues and run the precheck before proceeding with the upgrade.

6. Click Continue, enter the lockbox passphrase, if required and click Yes to proceed.

Upgrading the PowerProtect Data Manager Software

240 PowerProtect Data Manager Administration and User Guide

The upgrade begins. The browser is redirected to the Upgrade Manager UI on port 14443. This enables you to monitor upgrade progress while the PowerProtect Data Manager components are shutdown for the upgrade.

Note: To monitor the update status if the connection to the appliance closes, connect to https://IP_address_appliance:14443.

The Upgrade Manager status bar enables you to abort the upgrade, if necessary. When the upgrade completes successfully, the browser is redirected back to the main PowerProtect Data Manager UI logon page.

Results

The Upgrade page indicates the status of the upgrade.

l If the upgrade fails, but PowerProtect Data Manager is still running:

1. Wait for the Upgrade Manager to finish processing.

2. Click Return to Dashboard and log in to view the issue.

3. Select System Settings > Upgrade to view the issue that caused the failure.

4. Fix the issue that caused the failure, and then retry the upgrade.

l If the upgrade fails and PowerProtect Data Manager is not running:

1. Click Export Logs to download the log files for troubleshooting.

2. Click Rollback to snapshot to restore the core PowerProtect Data Manager system to its state before the upgrade.

3. On the Upgrade page, click Delete to delete the failed upgrade package.

4. Review the log files to determine the cause of the failure.

n If you can resolve the issues manually, try the upgrade again.

n If you cannot resolve the issues, contact Dell EMC Support.

Upgrade PowerProtect Data Manager from version 19.2 and 19.3

Use this procedure to upgrade PowerProtect Data Manager from version 19.2 or 19.3 or to apply critical updates.

Before you begin

The upgrade process automatically stops all running jobs, puts the system into maintenance mode, and creates a snapshot of the system. If the upgrade fails or is aborted, the system uses the snapshot to roll back to the previous state. Once the system is rolled back or upgraded successfully, the snapshot is automatically deleted.

l Download the upgrade package from Dell EMC Support Downloads and Drivers.

l Ensure that you have administrator credentials. Only a PowerProtect Data Manager administrator can initiate the upgrade.

l To enable automatic snapshots, ensure that the vCenter hosting PowerProtect Data Manager is added as an asset source.

l Check for running tasks and cancel them or allow them to complete.

l Disable any Protection Policies that are scheduled to run in the next few hours.

Upgrading the PowerProtect Data Manager Software

PowerProtect Data Manager Administration and User Guide 241

Note: Before starting an upgrade from version 19.3 to 19.4, ensure that you run an ad hoc DR backup operation to back up the Search Service, which is not included in the automatic DR backup that runs before the upgrade.

About this task

An upgrade package can upgrade one or more of the following:

l The PowerProtect Data Manager, including application agent installers stored on the PowerProtect Data Manager virtual machine

l External VM DIrect appliance

l Kubernetes support and PowerProtect Search software.

Procedure

1. Log in to PowerProtect Data Manager with administrator credentials.

2. Select System Settings > Upgrade.

3. Click Upload Upgrade File, browse to the path that contains the upgrade package, select the package, and then click Open.

The package downloads and appears in the list of packages. Click the down arrow next to the package name to view details about the contents.

4. When the package status is Available, click Upgrade.

5. Enter the Lockbox passphrase, if required, and then click Continue.

A dialog box lists any areas that require attention, such as an indication that the upgrade is disruptive or requires a reboot, and warnings about running tasks or active sessions that should be addressed before the upgrade. Click the links that are provided to go to the management page for the active events, where you can cancel them or allow them to complete before continuing.

Note: Although the upgrade can proceed even if jobs or IA sessions are active, it is not recommended.

The dialog box also lists any required certificates. Continuing indicates acceptance of the certificate.

6. Click Yes to proceed.

The upgrade begins. The browser is redirected to the Upgrade Manager UI on port 14443. This enables you to monitor upgrade progress while the PowerProtect Data Manager components are shutdown for the upgrade.

Note: To monitor the update status if the connection to the Upgrade Manager closes, connect to https://IP_address_upgrade_manager:14443.

The Upgrade Manager status bar enables you to abort the upgrade, if necessary. When the upgrade completes successfully, the browser is redirected back to the main PowerProtect Data Manager UI logon page.

Results

The Upgrade page indicates the status of the upgrade. If the upgrade fails:

1. Click Export Logs to download the log files for troubleshooting.

2. Click Rollback to snapshot to restore the core PowerProtect Data Manager system to its state before the upgrade.

3. On the Upgrade page, click Delete to delete the failed upgrade package.

4. Review the log files to determine the cause of the failure.

Upgrading the PowerProtect Data Manager Software

242 PowerProtect Data Manager Administration and User Guide

l If you can resolve the issues, try the upgrade again.

l If you cannot resolve the issues, contact Dell EMC Support.

Upgrade the software from PowerProtect Data Manager version 19.1

You cannot upgrade PowerProtect Data Manager version 19.1 directly to a version later than 19.3. Use this procedure to upgrade from PowerProtect Data Manager version 19.1 to version 19.2 or 19.3. You can then upgrade to version 19.4 or later.

Before you begin

l Download the upgrade package from Dell EMC Support Downloads and Drivers.

l Ensure that you have administrator credentials. Only an administrator can initiate the upgrade.

l Check for running tasks and cancel them or allow them to complete.

l Disable any Protection Policies that are scheduled to run in the next few hours.

l Take a snapshot of the system: Select the PowerProtect VM in the vSphere Client, right click, and then select Snapshot > Take snapshot.

About this task

An upgrade package can upgrade one or more of the following:

l The PowerProtect Data Manager, including application agent installers stored on the PowerProtect Data Manager virtual machine

l External VM DIrect appliance

Procedure

1. Log in to PowerProtect Data Manager with administrator credentials.

2. Select System Settings > Upgrade.

3. Click Upload Upgrade File, browse to the path that contains the upgrade package, select the package, and then click Open.

4. Wait until the package status is Available, and then click OK.

5. (Optional) Click Perform upgrade.

A dialog box lists any areas that require attention, such as an indication that the upgrade is disruptive or requires a reboot and warnings about running tasks or active sessions that should be addressed before the upgrade. Click the links that are provided to go to the management page for the active events, where you can cancel them or allow them to complete before continuing.

Note: Although the upgrade can proceed even if jobs or IA sessions are active, it is not recommended.

The dialog box also lists any required certificates. Continuing indicates acceptance of the certificate.

6. Enter the Lockbox Passphrase, if required.

The upgrade begins. The browser is redirected to the Upgrade Manager UI on port 14443, which enables you to monitor upgrade progress while the PowerProtect Data Manager components are shut down for the upgrade.

Note: To monitor the update status if the connection to the appliance closes, connect to https://IP_address_appliance:14443.

Upgrading the PowerProtect Data Manager Software

PowerProtect Data Manager Administration and User Guide 243

When the upgrade is successful, the browser is redirected back to the main PowerProtect Data Manager UI login page.

7. Log in toPowerProtect Data Manager and return to the Upgrade page to verify that the state of the upgrade is Installed.

Results

The overall package status covers critical upgrades for the PowerProtect Data Manager. Other subcomponents, such as Agents and vProxies, might still be processing or even fail, but the upgrade continues. You can view the state of each subcomponent by expanding the package that was installed.

Note: If the upgrade fails, you must delete the failed package before uploading a new package (or the same package) to try again.

After you finish

If you created a manual snapshot, use the vSphere Client to delete the snapshot:

1. Right-click the appliance, and then select Manage Snapshots.

2. In the Manage Snapshots window, select the snapshot and click Delete.

Note: If you are planning to use Cloud DR, contact the Dell EMC Support team for assistance to enable Cloud DR failback flow.

Managing certificates after upgrading from versions earlier than PowerProtect Data Manager version 19.1

Use this procedure to ensure that certificates existing on the pre-upgrade system also exist on the post-upgrade system.

Before you begin

Ensure that you update any expired certificates on external systems to valid certificates.

Procedure

1. Log in to the PowerProtect Data Manager operating system with administrator credentials.

2. Run the upgrade command:

/usr/local/brs/lib/secretsmgr/bin/secretsmgr-tls-upgrade

The system displays the external system certificates.

3. Verify each certificate as trusted or untrusted: At the prompt for each certificate, type Y to accept.

Any other character rejects the certificate. Expired certificates are automatically rejected.

Upgrading the PowerProtect Data Manager Software

244 PowerProtect Data Manager Administration and User Guide

CHAPTER 17

Configuring and Managing the PowerProtect Agent Service

This chapter includes the following topics:

l About the PowerProtect agent service............................................................................... 246 l Start, stop, or obtain the status of the PowerProtect agent service................................... 247 l Troubleshoot the PowerProtect agent service operations...................................................248 l Register the PowerProtect agent service to a different server address.............................. 248 l Recovering the PowerProtect agent service from a disaster...............................................249

PowerProtect Data Manager Administration and User Guide 245

About the PowerProtect agent service The PowerProtect agent service is a REST API based service that is installed by the application agent on the application host. The agent service provides services and APIs for discovery, protection, restore, instant access, and other related operations. The PowerProtect Data Manager uses the agent service to provide integrated data protection for the application assets.

This section uses to represent the PowerProtect agent service installation directory. By default, the agent service installation location is C:\Program Files\DPSAPPS\AgentService on Windows and /opt/dpsapps/ agentsvc on Linux. All files that are referenced in this section are the relative paths to the agent service installation location.

The PowerProtect agent service performs the following operations:

l Addon detectionAn addon integrates the application agent into the agent service. The agent service automatically detects the addons on the system for each application asset type and notifies the PowerProtect Data Manager. While multiple addons can operate with different asset types, only one agent service runs on the application host. Specific asset types can coexist on the same application host.

l DiscoveryThe agent service discovers both stand-alone and clustered database servers (application systems), databases and file systems (assets), and their backup copies on the application agent host. After the initial discovery, when the agent service discovers any new application systems, assets, or copies, the agent service notifies the PowerProtect Data Manager.

l Self-service configurationThe agent service can configure the application agent for self- service operations by using information that is provided by the PowerProtect Data Manager. When you add an asset to a protection policy for self-service or centralized protection, or modify the protection policy, including changing the DD Boost credentials, the PowerProtect Data Manager automatically pushes the protection configuration to the agents.

l Centralized backupsThe agent service performs the centralized backups as requested by the PowerProtect Data Manager.

l Centralized restoresThe agent service performs the centralized restores as requested by the PowerProtect Data Manager.

Note: In the current release, the centralized restores are only available for the File System agent and Storage Direct agent.

l Backup deletion and catalog cleanupThe PowerProtect Data Manager deletes the backup files directly from the protection storage when a backup expires or an explicit delete request is received and no dependent (incremental or log) backups exist. The PowerProtect Data Manager goes through the agent service to perform the following operations during deletion:

n Deletion of the catalog entries from the database vendor's catalog and the agent's local datastore.

n Deletion of the older backups that the stand-alone application agent created, before the asset was added to PowerProtect Data Manager.

The agent service is started during the agent installation by the installer. The agent service runs in the background as a service and you do not interact with it directly.

The config.yml file contains the configuration information for the agent service, including several parameter settings that you can change within the file. The config.yml file is located in the directory.

Configuring and Managing the PowerProtect Agent Service

246 PowerProtect Data Manager Administration and User Guide

The agent service periodically starts subprocesses to perform the discovery jobs. You can see the type and frequency of these jobs in the jobs: section of the config.yml file. The job interval unit is minutes.

The agent service maintains a datastore in the /dbs/v1 directory, which contains information about the application system, assets, and backups discovered on the system. The size of the datastore files depends on the number of applications and copies on the host. The agent service periodically creates a backup of its datastore in the /dbs/v1/backups directory, as used to recover the datastore if this datastore is lost.

Note: The size of each datastore backup is the same as the datastore itself. By default, a backup is created every hour. To save space on the file system, you can reduce this datastore backup frequency for large datastores. By default, the datastore backup is retained for one week. You can change the datastore backup frequency, retention period, and backup location in the config.yml file.

Start, stop, or obtain the status of the PowerProtect agent service

The PowerProtect agent service is started during the agent installation by the installer. If needed, you can use the appropriate procedure to start, stop, or obtain the status of the agent service.

On Linux, you can start, stop, or obtain the status of the agent service by running the register.sh script that is found in the directory.

l To start the agent service:

# register.sh --start

Started agent service with PID - 1234

l To stop the agent service:

# register.sh --stop

Successfully stopped agent-service.

l To obtain the status when the agent service is running:

# register.sh --status

Agent-service is running with PID - 1234

l To obtain the status when the agent service is not running:

# register.sh --status

Agent-service is not running.

On Windows, you can start, stop, or obtain the status of the PowerProtect agent service from the Services Manager, similar to other Windows services. The name of the service in Services Manager is PowerProtect Agent Service.

Configuring and Managing the PowerProtect Agent Service

PowerProtect Data Manager Administration and User Guide 247

Troubleshoot the PowerProtect agent service operations To troubleshoot the agent service operations, you can check the agent service log file agentsvc.log, which is created in the agent service home directory. To modify the log level and retention of temporary files, you can modify specific parameter settings in the config.yml file.

About this task

To modify the log level and retention of temporary files, you can perform the following steps.

Procedure

1. Stop the agent service by using the appropriate procedure from the preceding topic.

2. Open the config.yml file in an editor.

3. Modify the log-level settings in the following parameters, as required:

Note: These parameters are listed in order of decreasing number of messages in the debug information output. The default log-level is INFO.

l DEBUG l INFO l WARNING l ERROR l CRITICAL

4. To retain the temporary files, set the keepTempFiles parameter to True in the config.yml file.

Note: The agent service and application agent communicate through the temporary files, which are typically deleted after use but can be useful for troubleshooting purposes. Do not leave the keepTempFiles parameter set to True permanently, or the temporary files can use excessive space on the file system.

5. Start the agent service by using the appropriate procedure from the preceding topic.

Register the PowerProtect agent service to a different server address

The PowerProtect agent service is registered to a particular PowerProtect Data Manager server during the agent installation by the installer. If needed, you can register the agent service to a different PowerProtect Data Manager server address.

The agent service can only be registered to a single PowerProtect Data Manager server. When you register the agent service to a new server, the agent service will automatically unregister from the previous server address.

On Linux, you can register the agent service to a different server address by running the register.sh script that is found in the directory.

Note: The register.sh script stops the currently running agent service.

Configuring and Managing the PowerProtect Agent Service

248 PowerProtect Data Manager Administration and User Guide

l The following command prompts for the new IP address or hostname:

# register.sh

Enter the PowerProtect Data Manager IP address or hostname: 10.0.01

Warning: Changing IP of PowerProtect Server from 192.168.0.1 to 10.0.0.1

Started agent service with PID - 1234

l The following command includes the new IP address on the command line:

# register.sh --ppdmServer=10.0.0.1

Warning: Changing IP of PowerProtect Server from 192.168.0.1 to 10.0.0.1

Started agent service with PID - 1234

On Windows, you can change the PowerProtect Data Manager server address by launching the agent installer and selecting the change option. Change the PowerProtect Data Manager service address from the Configuration Install Options page.

Recovering the PowerProtect agent service from a disaster You can perform self-service restores of application assets by using a file system or application agent, regardless of the state of the agent service or PowerProtect Data Manager. The information in the this section describes how to bring the agent service to an operational state to continue if a disaster occurs and the agent service datastore is lost.

The agent service periodically creates a backup of its datastore in the /dbs/v1/backups repository. If all these backups are lost, the agent service can still start. The agent service discovers all the application systems, assets, and backup copies on the system again, and notifies PowerProtect Data Manager. Depending on when the failure occurred, the agent service might not be able to find older backup copies for some asset types. As a result, the centralized deletion operations might fail when cleaning up the database vendor catalog or removing older backups that are taken before the asset is added to PowerProtect Data Manager.

By default, the agent service backs up consistent copies of its datastore files to the local disk every hour and keeps the copies for 7 days. Each time the agent service backs up the contents of the datastore, it creates a subdirectory under the /dbs/v1/backups repository. The subdirectories are named after the time the operation occurred, in the format YYYY-MM-DD_HH- MM-SS_epochTime.

By default, the datastore repository is on the local disk. To ensure that the agent service datastore and its local backups are not lost, it is recommended that you back up the datastore through file system backups. You can also change the datastore backup location to a different location that is not local to the system. To change the datastore backup location, update the values in the config.yml file.

Restore the PowerProtect Data Manager agent service datastore Before you begin

Note: Ensure that the agent service is powered off. Do not start the agent service until disaster recovery is complete.

Configuring and Managing the PowerProtect Agent Service

PowerProtect Data Manager Administration and User Guide 249

About this task

You can restore the datastore from the datastore backup repository. If the repository is no longer on the local disk, restore the datastore from file system backups first.

To restore the datastore from a backup in the datastore backup repository, complete the following steps:

Procedure

1. Move the files in the /dbs/v1 directory to a location for safe keeping.

Note: Do not move or delete any /dbs/v1 subdirectories.

2. Select the most recent datastore backup.

The directories in the datastore backup repository are named after the time the backup was created.

3. Copy the contents of the datastore backup directory to the /dbs/v1 directory.

After the copy operation is complete, the /dbs/v1

Manualsnet FAQs

If you want to find out how the 19.4 Dell works, you can view and download the Dell PowerProtect 19.4 Data Manager Administration And User Guide on the Manualsnet website.

Yes, we have the Administration And User Guide for Dell 19.4 as well as other Dell manuals. All you need to do is to use our search bar and find the user manual that you are looking for.

The Administration And User Guide should include all the details that are needed to use a Dell 19.4. Full manuals and user guide PDFs can be downloaded from Manualsnet.com.

The best way to navigate the Dell PowerProtect 19.4 Data Manager Administration And User Guide is by checking the Table of Contents at the top of the page where available. This allows you to navigate a manual by jumping to the section you are looking for.

This Dell PowerProtect 19.4 Data Manager Administration And User Guide consists of sections like Table of Contents, to name a few. For easier navigation, use the Table of Contents in the upper left corner.

You can download Dell PowerProtect 19.4 Data Manager Administration And User Guide free of charge simply by clicking the “download” button in the upper right corner of any manuals page. This feature allows you to download any manual in a couple of seconds and is generally in PDF format. You can also save a manual for later by adding it to your saved documents in the user profile.

To be able to print Dell PowerProtect 19.4 Data Manager Administration And User Guide, simply download the document to your computer. Once downloaded, open the PDF file and print the Dell PowerProtect 19.4 Data Manager Administration And User Guide as you would any other document. This can usually be achieved by clicking on “File” and then “Print” from the menu bar.