Contents

Dell PowerProtect 19.6 Data Manager Administration And User Guide PDF

1 of 203
1 of 203

Summary of Content for Dell PowerProtect 19.6 Data Manager Administration And User Guide PDF

PowerProtect Data Manager Administration and User Guide

Version 19.6

October 2020 Rev. 01

Notes, cautions, and warnings

NOTE: A NOTE indicates important information that helps you make better use of your product.

CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid

the problem.

WARNING: A WARNING indicates a potential for property damage, personal injury, or death.

2016 - 2020 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be trademarks of their respective owners.

Preface....................................................................................................................................................................................... 10

Chapter 1: Getting Started...........................................................................................................14 Introducing the PowerProtect Data Manager software...........................................................................................14 References...........................................................................................................................................................................15 Terminology......................................................................................................................................................................... 15 Accessing the PowerProtect Data Manager UI..........................................................................................................16

Getting Started window............................................................................................................................................. 16 UI tools and options .................................................................................................................................................... 17

Chapter 2: Managing Users......................................................................................................... 20 Managing user roles and privileges ..............................................................................................................................20

Managing users............................................................................................................................................................20 Default admin user...................................................................................................................................................... 22 Roles............................................................................................................................................................................... 22 Privileges....................................................................................................................................................................... 24

Chapter 3: Managing Storage...................................................................................................... 29 Add protection storage ...................................................................................................................................................29 Overview of PowerProtect Data Manager cloud tier...............................................................................................30

Chapter 4: Using the PowerProtect Search Engine...................................................................... 31 Introducing the PowerProtect Search Engine............................................................................................................ 31 Setting up and managing indexing................................................................................................................................. 31 Performing a search......................................................................................................................................................... 32 Restoring from search......................................................................................................................................................33 Troubleshooting Search Engine issues.........................................................................................................................33

Chapter 5: Managing Assets........................................................................................................38 About asset sources, assets, and storage...................................................................................................................38

About vCenter Server asset sources and virtual assets....................................................................................38 About Kubernetes cluster asset sources and namespace assets....................................................................38 About application agent asset sources and assets............................................................................................. 40

Prerequisites for discovering asset sources............................................................................................................... 40 Enable an asset source..................................................................................................................................................... 41

Disable an asset source.............................................................................................................................................. 41 Adding a vCenter Server asset source........................................................................................................................ 42

Add a VMware vCenter Server................................................................................................................................ 42 Creating a dedicated vCenter user account......................................................................................................... 43

VM Direct protection engine overview........................................................................................................................ 46 Requirements for an external VM Direct engine................................................................................................. 46 Add a VM Direct Engine.............................................................................................................................................46 Additional VM Direct actions.................................................................................................................................... 48

Adding a Kubernetes cluster asset source..................................................................................................................49 Prerequisites to Kubernetes cluster discovery.................................................................................................... 49

Contents

Contents 3

Add a Kubernetes cluster.......................................................................................................................................... 50

Chapter 6: Managing Protection Policies.....................................................................................52 Protection policies.............................................................................................................................................................52

PowerProtect DD protection considerations........................................................................................................52 Before you create a protection policy..........................................................................................................................53 Add a protection policy for a virtual machine.............................................................................................................56

More options for managing virtual machine backups.........................................................................................60 Add a protection policy for Kubernetes namespace protection............................................................................. 61 Add a Cloud Tier schedule to a protection policy......................................................................................................63

Managing Cloud Tier asset copies...........................................................................................................................64 Manual backups of protected assets........................................................................................................................... 65 On-demand cloud tiering of protected assets........................................................................................................... 65 Editing a protection policy.............................................................................................................................................. 66

Modify a policy name and description, schedule, or options............................................................................ 66 Changing storage targets..........................................................................................................................................67 Add or remove assets in a protection policy.........................................................................................................67

Edit the retention period for backup copies............................................................................................................... 68 Delete backup copies....................................................................................................................................................... 69

Retry a failed backup copy deletion........................................................................................................................ 70 Export data for deleted backup copies.................................................................................................................. 70 Remove backup copies from the PowerProtect Data Manager database..................................................... 71

Removing expired backup copies................................................................................................................................... 71 Export protection ..............................................................................................................................................................71 Delete a protection policy................................................................................................................................................72 Add a Service Level Agreement.....................................................................................................................................72 Export Asset Compliance.................................................................................................................................................74 Protection Rules ............................................................................................................................................................... 75

Creating virtual machine tags in the vSphere Client.......................................................................................... 75 Add a Protection Rule.................................................................................................................................................76 Run a Protection Rule on demand........................................................................................................................... 77 Edit or delete a Protection Rule ..............................................................................................................................77 Change the priority of an existing Protection Rule ............................................................................................ 77 Configure the behavior of Protection Rules......................................................................................................... 78

Chapter 7: Restoring Data and Assets..........................................................................................79 View backup copies available for restore.................................................................................................................... 79 Restore a virtual machine or VMDK............................................................................................................................. 80

Restoring a virtual machine backup with the storage policy association...................................................... 80 Prerequisites to restore a virtual machine............................................................................................................. 81 Restore and Overwrite original virtual machine....................................................................................................81 Restore individual virtual disks................................................................................................................................. 82 Restore to new virtual machine............................................................................................................................... 83 Instant access virtual machine restore.................................................................................................................. 85 File level restore to original virtual machine..........................................................................................................88 File level restore to alternate virtual machine...................................................................................................... 89 Direct restore to ESXi................................................................................................................................................ 90

Restore an application-aware virtual machine backup............................................................................................. 91 Restoring a Kubernetes namespace..............................................................................................................................91

4 Contents

Restore to the original namespace..........................................................................................................................92 Restore to a new namespace................................................................................................................................... 93 Restore to an existing namespace.......................................................................................................................... 94

Self-service restore of Kubernetes namespaces...................................................................................................... 95 Restore the PowerProtect Data Manager server ....................................................................................................95 Restore Cloud Tier backups to the DD system..........................................................................................................96

Recall and restore from Cloud tier.......................................................................................................................... 97

Chapter 8: Preparing for and Recovering From a Disaster........................................................... 98 Managing system backups..............................................................................................................................................98 Manage PowerProtect Data Manager backups for disaster recovery.................................................................98 Overview of PowerProtect Data Manager Cloud Disaster Recovery.................................................................. 99 Prepare the DD system recovery target..................................................................................................................... 99 Configure backups for disaster recovery...................................................................................................................100 Configure PowerProtect Data Manager server disaster recovery backups..................................................... 100 Record settings for disaster recovery.........................................................................................................................101 Restore PowerProtect Data Manager from an external DD system................................................................... 101 Recovering a Search cluster from a DR backup...................................................................................................... 102 Troubleshooting backup configuration issues...........................................................................................................103 Troubleshoot recovery of PowerProtect Data Manager....................................................................................... 103 Quick recovery................................................................................................................................................................. 104

Quick recovery prerequisites.................................................................................................................................. 106 Add a remote system for quick recovery............................................................................................................. 107 Edit a remote system................................................................................................................................................ 107 Quick recovery remote view................................................................................................................................... 108

Recover a failed PowerProtect Data Manager backup.......................................................................................... 108

Chapter 9: Managing Alerts, Jobs, and Tasks.............................................................................109 Configure Alert Notifications........................................................................................................................................ 109 View and manage alerts................................................................................................................................................. 109 View and manage Audit Logs........................................................................................................................................ 110 Monitor and view jobs..................................................................................................................................................... 110 Monitor and view tasks....................................................................................................................................................111 Restart a job or task manually....................................................................................................................................... 112 Restart a job or task automatically...............................................................................................................................112 Resume misfire jobs after a PowerProtect Data Manager upgrade.................................................................... 113 Cancel a job or task......................................................................................................................................................... 115 Export logs for a job or task.......................................................................................................................................... 115

Chapter 10: Modifying the System Settings................................................................................117 System settings.................................................................................................................................................................117

Modify the network settings....................................................................................................................................117 Synchronize time on PowerProtect Data Manager and other systems........................................................ 117 Modify the appliance time zone.............................................................................................................................. 118 Change the system root user password............................................................................................................... 118 Enable replication encryption...................................................................................................................................118 License types............................................................................................................................................................... 119 PowerProtect Data Manager licenses................................................................................................................... 119

System Support............................................................................................................................................................... 120

Contents 5

Register the Secure Remote Services gateway.................................................................................................120 Callhome ...................................................................................................................................................................... 121 Configure PowerProtect Central reporting......................................................................................................... 122 Set up the email server.............................................................................................................................................122 Add Auto Support...................................................................................................................................................... 123 Enable automatic upgrade package downloads..................................................................................................123 Add a log bundle.........................................................................................................................................................123 Monitor system state and system health.............................................................................................................124 Access the open source software package information.................................................................................. 124

Modifying the PowerProtect Data Manager virtual machine disk settings.......................................................125 Modify the virtual machine memory configuration............................................................................................ 125 Modify the data disk size......................................................................................................................................... 125 Modify the system disk size.................................................................................................................................... 126

Configure the DD system...............................................................................................................................................127 Virtual networks (VLANs)..............................................................................................................................................127

Supported scenarios..................................................................................................................................................128 Virtual network prerequisites.................................................................................................................................. 128 Configuring virtual networks...................................................................................................................................129 Virtual network asset assignment...........................................................................................................................131

Chapter 11: PowerProtect Functionality Within the vSphere Client............................................ 134 PowerProtect functionality within the vSphere Client...........................................................................................134 Overview of the PowerProtect plug-in for the vSphere Client........................................................................... 134

Prerequisites for enabling the vSphere Client PowerProtect plug-in...........................................................135 Monitor PowerProtect Data Manager virtual machine protection copies................................................... 136 On-demand PowerProtect policy backup in the vSphere Client....................................................................137 Image-level restore of a PowerProtect backup in the vSphere Client......................................................... 137 File-level restore of a PowerProtect backup in the vSphere Client..............................................................138

Overview of VASA and VMware Storage Policy Based Management .............................................................. 140 Register the VASA provider for policy association............................................................................................ 140 Add an SPBM policy and associate with a PowerProtect Data Manager virtual machine policy........... 141 Monitor virtual machine protection policy compliance..................................................................................... 142

Chapter 12: Configuring VMware Cloud on Amazon Web Services.............................................. 143 PowerProtect Data Manager image backup and recovery for VMware Cloud on AWS................................ 143 Configure the VMware Cloud on AWS web portal console...................................................................................143 Amazon AWS web portal requirements......................................................................................................................144 Interoperability with VMware Cloud on AWS product features........................................................................... 144 vCenter server inventory requirements..................................................................................................................... 145 VMware Cloud on AWS configuration best practices............................................................................................ 145 Add a VM Direct Engine.................................................................................................................................................145 Protection and recovery operations............................................................................................................................147 Interoperability with VMware Cloud on AWS product features........................................................................... 147 Unsupported operations in VMware Cloud on AWS .............................................................................................. 147 Troubleshooting VMware Cloud on AWS ..................................................................................................................147

Chapter 13: Upgrading the PowerProtect software.................................................................... 148 Upgrading the PowerProtect software......................................................................................................................148 Upgrade PowerProtect Data Manager from 19.2 and later versions to version 19.6..................................... 148

6 Contents

Run a manual precheck............................................................................................................................................ 150 Roadmap for upgrading PowerProtect Data Manager to the latest version.....................................................151

Upgrade the software from PowerProtect Data Manager version 19.1........................................................151

Chapter 14: Configuring and Managing the PowerProtect Agent Service ...................................154 About the PowerProtect agent service..................................................................................................................... 154 Start, stop, or obtain the status of the PowerProtect agent service................................................................ 155 Register the PowerProtect agent service to a different server address.......................................................... 155 Recovering the PowerProtect agent service from a disaster.............................................................................. 156

Restore the PowerProtect Data Manager agent service datastore............................................................. 156

Chapter 15: Backup and Recovery of the vCenter Server............................................................158 Backup and recovery of the vCenter server.............................................................................................................158 vCenter deployments overview................................................................................................................................... 158 Protecting an embedded PSC...................................................................................................................................... 158

Direct restore to ESXi...............................................................................................................................................159 Protecting external deployment models.................................................................................................................... 160

vCenter server appliance(s) with one external PSC where PSC fails..........................................................160 vCenter server appliance is lost but the PSC remains...................................................................................... 161 vCenter server appliance with multiple PSCs where one PSC is lost, one remains...................................161 vCenter server appliance remains but all PSCs fail............................................................................................161 vCenter server appliance remains but multiple PSCs fail................................................................................. 161 vCenter server appliance fails................................................................................................................................ 162

vCenter server restore workflow.................................................................................................................................163 Platform Services Controller restore workfow.........................................................................................................164 Additional considerations............................................................................................................................................... 164 Command reference....................................................................................................................................................... 165

Chapter 16: Best Practices and Troubleshooting........................................................................ 166 Scalability limits for vCenter Server, VM Direct engine and DD system............................................................166 Best practices and additional considerations for the VM Direct engine............................................................ 167

Software and hardware requirements.................................................................................................................. 167 PowerProtect Data Manager resource requirements in a VMware environment......................................168 VM Direct Engine performance and scalability...................................................................................................168 Virtual machine data change rate.......................................................................................................................... 169 VM Direct engine data ingestion rate................................................................................................................... 169 Transport mode considerations..............................................................................................................................169 Virtual disk types supported....................................................................................................................................170 Changing the limit of instant access sessions..................................................................................................... 171 Configure a backup to support vSAN datastores............................................................................................... 171 Disable vCenter SSL certificate validation........................................................................................................... 171 Configuration checklist for common issues.........................................................................................................172 VM Direct Engine selection with virtual networks (VLANs)........................................................................... 172

Recommendations and considerations when using a Kubernetes cluster......................................................... 172 Best practices for vCenter Server backup and restore......................................................................................... 174 Viewing the DD Boost storage unit password.......................................................................................................... 174 Change the DD Boost storage unit password...........................................................................................................174 Replacing expired or changed certificate on an external server.......................................................................... 175 Base 10 standard used for size calculations in the PowerProtect Data Manager UI...................................... 177

Contents 7

Monitoring storage capacity thresholds.....................................................................................................................178 Troubleshooting network setup issues....................................................................................................................... 178 Troubleshooting virtual machine backup issues....................................................................................................... 178

VM Direct Engine limitations and unsupported features..................................................................................178 Deleting vCenter asset sources or moving ESXi to another vCenter............................................................181 Managing command execution for VM Direct Agent operations on Linux.................................................. 182 SQL Server application-consistent backups fail with error "Unable to find VSS metadata files in

directory"................................................................................................................................................................. 182 SQL Server application-aware backup displays an error about disk.EnableUUID variable.......................183 Failed to lock Virtual Machine for backup: Another EMC VM Direct operation 'Backup' is active

on VM ...................................................................................................................................................................... 183 Backup fails when names include special characters .......................................................................................183 Lock placed on virtual machine during backup and recovery operations continues for 24 hours if

VM Direct appliance fails..................................................................................................................................... 183 Trailing spaces not supported in SQL database names.................................................................................... 184 SQL databases skipped during virtual machine transaction log backup.......................................................184 Accessing Knowledge Base Articles...................................................................................................................... 184

Support for backup and restore of encrypted virtual machines.......................................................................... 185 Troubleshooting virtual machine restore issues....................................................................................................... 185

Troubleshooting instant access restore failures................................................................................................ 186 FLR Agent for virtual machine file-level restore................................................................................................ 187 Supported platform and OS versions for virtual machine file-level restore................................................ 188 File-level restore and SQL restore limitations.....................................................................................................189

Troubleshooting protection policy for DD storage unit.......................................................................................... 190 Troubleshoot the PowerProtect agent service installation...................................................................................190 Troubleshoot the PowerProtect agent service operations................................................................................... 190 Troubleshooting Kubernetes cluster issues............................................................................................................... 191

Data protection operations for high availability Kubernetes cluster might fail when API server not configured to send ROOT certificate............................................................................................................... 193

Kubernetes cluster on Amazon Elastic Kubernetes Service certificate considerations........................... 193 Removing PowerProtect Data Manager components from a Kubernetes cluster.................................... 194

Troubleshooting a PowerProtect Data Manager software upgrade................................................................... 194 Managing certificates after upgrading from versions earlier than PowerProtect Data Manager

version 19.1.............................................................................................................................................................. 194

Appendix A: Application-Consistent Database Backups in Kubernetes........................................ 196 About application-consistent database backups in Kubernetes...........................................................................196

Supported database applications...........................................................................................................................196 Prerequisites................................................................................................................................................................197

Obtain and deploy the CLI package.............................................................................................................................197 About application templates..........................................................................................................................................197

YAML configuration files..........................................................................................................................................199 Application actions.................................................................................................................................................... 199 Pod actions..................................................................................................................................................................199 Selectors..................................................................................................................................................................... 200

Deploy application templates........................................................................................................................................ 201 Perform application-consistent backups................................................................................................................... 201 Verify application-consistent backups.......................................................................................................................202 Disaster recovery considerations................................................................................................................................203 Granular-level recovery considerations..................................................................................................................... 203

8 Contents

Log truncation considerations..................................................................................................................................... 203

Contents 9

Preface As part of an effort to improve product lines, periodic revisions of software and hardware are released. Therefore, all versions of the software or hardware currently in use might not support some functions that are described in this document. The product release notes provide the most up-to-date information on product features.

If a product does not function correctly or does not function as described in this document, contact a technical support professional.

NOTE: This document was accurate at publication time. To ensure that you are using the latest version of this document,

go to the Support website https://www.dell.com/support.

Data Domain (DD) is now PowerProtect DD. References to Data Domain or Data Domain systems in this documentation, in

the user interface, and elsewhere in the product include PowerProtect DD systems and older Data Domain systems. In many

cases the user interface has not yet been updated to reflect this change.

Purpose This document describes how to configure and administer the PowerProtect Data Manager software.

Audience This document is intended for the host system administrator who is involved in managing, protecting, and reusing data across the enterprise by deploying PowerProtect Data Manager software.

Revision history The following table presents the revision history of this document.

Table 1. Revision history

Revision Date Description

01 October 27, 2020 Initial release of this document for PowerProtect Data Manager version 19.6.

Compatibility information Software compatibility information for the PowerProtect Data Manager software is provided in the eLab Navigator, available at https://elabnavigator.emc.com/eln/modernHomeDataProtection.

Related documentation The following publications are available on Dell EMC Online Support and provide additional information:

PowerProtect Data Manager Administration and User GuideDescribes how to configure the software. PowerProtect Data Manager Deployment GuideDescribes how to deploy the software. PowerProtect Data Manager Release NotesContains information on new features, known limitations, environment, and

system requirements for the software. PowerProtect Data Manager Security Configuration GuideContains security information. PowerProtect Data Manager AWS Deployment GuideDescribes how to deploy the software to Amazon Web Services

(AWS). PowerProtect Data Manager Azure Deployment GuideDescribes how to deploy the software to Microsoft Azure.

10 Preface

PowerProtect Data Manager Cloud Disaster Recovery Administration and User GuideDescribes how to deploy Cloud DR, protect VMs in the AWS or Azure cloud, and run recovery operations.

PowerProtect Data Manager for Cyber Recovery User GuideDescribes how to install, upgrade, patch, and uninstall the Dell EMC PowerProtect Cyber Recovery software.

PowerProtect Data Manager for File System Agent User GuideDescribes how to configure and use the software with the File System agent for file system data protection.

PowerProtect Data Manager for Microsoft Application Agent Exchange Server User GuideDescribes how to configure and use the software in a Microsoft Exchange Server environment.

PowerProtect Data Manager for Microsoft Application Agent SQL Server User GuideDescribes how to configure and use the software in a Microsoft SQL Server environment.

PowerProtect Data Manager for Oracle RMAN Agent User GuideDescribes how to configure and use the software in an Oracle Server environment.

PowerProtect Data Manager for SAP HANA Agent User GuideDescribes how to configure and use the software in an SAP HANA Server environment.

PowerProtect Data Manager for Storage Direct Agent User GuideDescribes how to configure and use the software with the Storage Direct agent to protect data on VMAX storage arrays through snapshot backup technology.

PowerProtect Data Manager API documentation: https://developer.dellemc.comContains the PowerProtect Data Manager APIs and includes tutorials to guide to you in their use.

Typographical conventions The following type style conventions are used in this document:

Table 2. Style conventions

Formatting Description

Bold Used for interface elements that a user specifically selects or clicks, for example, names of buttons, fields, tab names, and menu paths. Also used for the name of a dialog box, page, pane, screen area with title, table label, and window.

Italic Used for full titles of publications that are referenced in text.

Monospace Used for:

System code System output, such as an error message or script Pathnames, file names, file name extensions, prompts, and syntax Commands and options

Monospace italic Used for variables.

Monospace bold Used for user input.

[ ] Square brackets enclose optional values.

| Vertical line indicates alternate selections. The vertical line means or for the alternate selections.

{ } Braces enclose content that the user must specify, such as x, y, or z.

... Ellipses indicate non-essential information that is omitted from the example.

You can use the following resources to find more information about this product, obtain support, and provide feedback.

Where to find product documentation https://www.dell.com/support https://www.dell.com/community

Preface 11

Where to get support The Support website https://www.dell.com/support provides access to product licensing, documentation, advisories, downloads, and how-to and troubleshooting information. The information can enable you to resolve a product issue before you contact Support.

To access a product-specific page:

1. Go to https://www.dell.com/support. 2. In the search box, type a product name, and then from the list that appears, select the product.

Knowledgebase The Knowledgebase contains applicable solutions that you can search for either by solution number (for example, KB000xxxxxx) or by keyword.

To search the Knowledgebase:

1. Go to https://www.dell.com/support. 2. On the Support tab, click Knowledge Base. 3. In the search box, type either the solution number or keywords. Optionally, you can limit the search to specific products by

typing a product name in the search box, and then selecting the product from the list that appears.

Live chat To participate in a live interactive chat with a support agent:

1. Go to https://www.dell.com/support. 2. On the Support tab, click Contact Support. 3. On the Contact Information page, click the relevant support, and then proceed.

Service requests To obtain in-depth help from Licensing, submit a service request. To submit a service request:

1. Go to https://www.dell.com/support. 2. On the Support tab, click Service Requests.

NOTE: To create a service request, you must have a valid support agreement. For details about either an account or

obtaining a valid support agreement, contact a sales representative. To find the details of a service request, in the

Service Request Number field, type the service request number, and then click the right arrow.

To review an open service request:

1. Go to https://www.dell.com/support. 2. On the Support tab, click Service Requests. 3. On the Service Requests page, under Manage Your Service Requests, click View All Dell Service Requests.

Online communities For peer contacts, conversations, and content on product support and solutions, go to the Community Network https:// www.dell.com/community. Interactively engage with customers, partners, and certified professionals online.

12 Preface

How to provide feedback Feedback helps to improve the accuracy, organization, and overall quality of publications. You can send feedback to DPAD.Doc.Feedback@emc.com.

Preface 13

Getting Started

Topics:

Introducing the PowerProtect Data Manager software References Terminology Accessing the PowerProtect Data Manager UI

Introducing the PowerProtect Data Manager software PowerProtect Data Manager software is an enterprise solution that provides software-defined data protection, deduplication, operational agility, self-service, and IT governance.

PowerProtect Data Manager enables the transformation from traditional centralized protection to an IT-as-a-service model based on a self-service design. This design ensures that you can enforce compliance and other business rules, even when backup responsibilities are decentralized to individual database administrators and application administrators.

PowerProtect Data Manager key features include:

Software-defined data protection with integrated deduplication, replication, and reuse Data backup and recovery self-service operations from native applications that are combined with central IT governance Multicloud optimization with integrated cloud tiering SaaS-based monitoring and reporting Modern services-based architecture for ease of deployment, scaling, and upgrading

PowerProtect Data Manager integrates multiple data protection products within the Dell EMC Data Protection portfolio to enable data protection as a service, providing the following benefits:

Enables the data protection team to create data paths with provisioning, automation, and scheduling to embed protection engines into the infrastructure for high-performance backup and recovery.

Enables backup administrators of large-scale environments to schedule backups for the following asset types from a central location on the PowerProtect Data Manager server:

VMware virtual machines File systems VMAX storage groups Kubernetes clusters Microsoft Exchange and SQL databases Oracle databases SAP HANA databases

Uses an agent-based approach to discover the protected and unprotected databases on an application server. Enables governed self-service and centralized protection by:

Monitoring and enforcing Service Level Objectives (SLOs) Identifying violations of Recovery Point Objectives (RPO) Applying retention locks on backups for all asset types.

Supports deploying an external VM Direct appliance to move data with the VM Direct Engine. The PowerProtect Data Manager software comes prebundled with an embedded VM Direct engine, which is automatically used as a fallback proxy for performing backup and restore operations when the added external proxies fail or are disabled. Dell EMC recommends that you always deploy external proxies, because the embedded proxy has limited capacity for performing parallel backups.

Supports the vRealize Automation DP extension, which enables provisioning of virtual machines with PowerProtect Data Manager protection, on-demand backup, and restore to the original or a new location. The vRealize Automation Data Protection Extension for PowerProtect Data Manager Installation and Administration Guide provides more information.

Supports integration of Cloud Disaster Recovery (Cloud DR), including workflows for Cloud DR deployment, protection, and recovery operations in the AWS or Azure cloud.

1

14 Getting Started

Supports PowerProtect Search, which enables backup administrators to quickly search for and restore VM file copies. The Search Service can be enabled by adding a search node to the configurable Search Engine that is autodeployed during the PowerProtect Data Manager installation.

Provides a RESTful interface that allows the user to monitor, configure, and orchestrate PowerProtect Data Manager. Customers can use the APIs to integrate their own automation framework or quickly write new scripts with the help of easy- to-follow tutorials.

References Some procedures in this document reference other publications for further details. Additionally, updates to documentation after initial publication are provided in the release notes.

The following publications, available on Dell EMC Online Support, provide additional product information:

PowerProtect Data Manager Deployment Guide PowerProtect Data Manager Security Configuration Guide PowerProtect Data Manager Release Notes PowerProtect Database Application Agent Installation and Administration Guide PowerProtect Microsoft Application Agent Exchange Server User Guide PowerProtect Microsoft Application Agent Installation Guide PowerProtect Microsoft Application Agent SQL Server User Guide PowerProtect Oracle RMAN Agent Administration Guide PowerProtect Storage Direct Agent Installation and Administration Guide PowerProtect Storage Direct Primary and Protection Storage Configuration Guide PowerProtect Storage Direct Solutions Guide

Terminology Familiarize yourself with the terminology that is used in the PowerProtect Data Manager user interface and documentation.

The following table provides more information about names and terms you should know to use PowerProtect Data Manager:

Table 3. Term list

Term Description

Application Agent Application Agents are installed on application or database host servers to manage protection using PowerProtect Data Manager. These Agents are commonly known as DDBoost Enterprise Agents (DDBEA) for databases and applications.

Application Aware Virtual machine protection policy that includes additional application-aware data protection for Microsoft SQL Servers. An application-aware virtual machine protection policy provides the ability to quiesce the application during virtual machine image backup to perform a full backup of SQL databases. You can also schedule SQL server log backups for the virtual machines in the policy.

Asset Assets are objects in PowerProtect Data Manager for which you want to manage protection, including VMs, databases, and file systems.

Asset Source Assets that PowerProtect Data Manager protects reside within Asset Sources, which include vCenter Servers, application or database hosts, and file servers.

Cloud Tier Storage Cloud Tier storage can be added to an external DD system to expand the DD deduplication storage capacity onto less expensive object storage in public or private object storage clouds, including Dell EMC secure Elastic Cloud Storage appliances.

Copy A PowerProtect Data Manager copy is a point-in-time backup copy of an Asset.

Copy Map The PowerProtect Data Manager Copy Map is a visual representation of backup copy locations on your Protection Storage and is available for all protected Assets that have copies.

Discovery Discovery is an internal process that scans Asset Sources to find new assets to protect and scans infrastructure components to monitor their health and status.

Getting Started 15

Table 3. Term list (continued)

Term Description

Instant Access PowerProtect Data Manager VM backup copies can be accessed, mounted, and booted directly from the Protection Storage targets as running VMs. Copies can also be moved to a production VMware datastore using vMotion. PowerProtect Data Manager VM application-aware backup copies can be mounted directly from the Protection Storage targets as running SQL databases, which includes the ability to roll forward log backups. These SQL database disks can also be moved to a production VMware datastore using vMotion.

Power Protect Data Manager Agent

An agent that is included in PowerProtect Data Manager and installed on each application agent host server so that you can monitor and manage the application agent through PowerProtect Data Manager.

Protection Policy Protection Policies configure and manage the entire life cycle of backup data, which includes backup type, assets, backup start/stop time, backup device, and backup retention.

Service Level Agreement (SLA)

An optional policy that you can layer on top of a Protection Policy. An SLA performs additional checks on protection activities to ensure that protection goals meet the standards that your organization requires. SLAs are made up of one or more Service Level Objectives.

Service Level Objectives (SLOs)

Definable rules that set the criteria for Recovery Point Objectives (RPOs), encryption, and locations of backups according to your company requirements.

Accessing the PowerProtect Data Manager UI PowerProtect Data Manager provides a web-based UI that you can use to manage and monitor system features and settings from any location over a network.

Steps

1. From a host that has network access to the virtual appliance, use Google Chrome to connect to the appliance:

https://<appliance_hostname> NOTE: You can specify the hostname or the IP address of the appliance.

2. Log in with your user name and password.

If this is the first time you are accessing the PowerProtect Data Manager UI, an unsigned certificate warning might appear in the web browser.

If you are logging in as an external authentication authority such as LDAP or AD, use the format username@domain. For example:

administrator@idd-ad.iddlab.com The security certificate that encrypts communication between the PowerProtect Data Manager UI and the web browser is self-signed. A self-signed certificate has been signed by the web server that hosts the secure web page being viewed by a web browser. There is nothing wrong with this certificate. This certificate is sufficient to establish an encrypted channel between the web browser and the server. However, it has not been signed by a trusted authority.

The Getting Started page appears.

The left pane provides links to the available menu items. Expand a menu item for more options. The icons in the PowerProtect Data Manager banner provide additional options.

Getting Started window

The Getting Started window provides configuration options that are required when the system is first deployed.

This window appears upon first deployment of PowerProtect Data Manager and opens to this page by default until you click Skip This.

You can access the Getting Started page at any time by selecting System Settings > Getting Started.

16 Getting Started

Table 4. PowerProtect Data Manager Getting Started menu items

Options Description

Support View and configure Secure Remote Services (SRS), Email Setup, Auto Support, Logs, System Health.

Disaster Recovery Backup Configure and manage backups for disaster recovery.

VMware vCenter Opens the Infrastructure > Asset Sources page where you can add a vCenter instance as an asset source so that it can be added to a protection policy.

Protect Assets Opens the Protection Policies page where you can manage Protection Life Cycle workflows for all asset types.

UI tools and options

Learn about the available tools in the UI.

PowerProtect Data Manager UI tools

Table 5. PowerProtect Data Manager tools

Menu item Description

Dashboard

Provides a high-level view of the overall state the PowerProtect Data Manager system and includes the following information:

AlertsSystem alerts ProtectionDetails about protection policies JobsStatus of all Jobs that are filtered by a selected time period or status type. Select

the status in the Jobs pane to open the Jobs window, where you can manage jobs, search, and view details.

PolicyDetails include number of successes, failures, and excluded assets for each asset type

Protection StorageProtection storage usage statistics RecoveryRecovery statistics HealthDetails about the health of the system, including services, licenses, support,

protection engines, server backups, and uptime

PowerProtect Data Manager refreshes the data hourly unless you run an ad hoc discovery.

Infrastructure

Click Infrastructure to:

View and manage all assets:

VMware virtual machines File systems VMAX storage Groups Kubernetes clusters Microsoft Exchange and SQL databases Oracle databases SAP HANA databases

Add vCenter and application and File System host asset sources. View and manage Integrated Storage. Add a VM Direct appliance with the VM Direct protection engine for virtual machine data

protection. Manage registration of Oracle RMAN agent, Microsoft application agent, SAP HANA agent,

and File System agent. View and manage Cloud Disaster Recovery. Create and manage a Search Cluster.

Getting Started 17

Table 5. PowerProtect Data Manager tools (continued)

Menu item Description

Protection

Click Protection to:

Add protection policies to back up assets. Manage Service Level Agreements (SLAs). Add, edit, and delete protection rules for asset inclusion in policies.

Recovery

Click Recovery to:

View asset copy location details and initiate a Restore operation. Manage Instant Access Sessions. Use the File Search feature to find and restore virtual machine file copies.

Alerts

Click Alerts to:

View and acknowledge alerts and events. View and examine Audit logs. Export audit logs to CSV files. Set audit log boundaries.

Administration

Click Administration to:

Configure users and roles. Set password credentials and manage key chains. View certificates. Configure alert notifications. Add LDAP Identity Sources.

Jobs

Click Jobs to manage jobs, view by protection or system, filter, and view details.

Reporting

Click Reporting to log in to PowerProtect Central.

Banner UI options

The following table describes the icons that are located in the PowerProtect Data Manager banner.

Table 6. Banner UI options

Option Description

Click to enter search criteria to find assets, jobs, logs, and alerts.

Click to see recent alerts.

Click to restore assets from replicated copies through quick recovery. This icon only appears when this system receives replicated metadata from a source system.

Click to configure and manage PowerProtect Data Manager system network, time zone, and NTP settings, DR backups, security, licenses, upgrades, authentication, agent downloads, and support, and to access the Getting Started page.

Click to log out, and log in as a different user.

Click to see PowerProtect Data Manager version information.

18 Getting Started

Table 6. Banner UI options (continued)

Option Description

Click to obtain more information about PowerProtect Data Manager, access Dell EMC Support, or view the REST API documentation.

Click to launch Cloud Snapshot Manager.

Getting Started 19

Managing Users

Topics:

Managing user roles and privileges

Managing user roles and privileges Users can be defined as either local or LDAP/Active Directory. Users and LDAP groups can access all protection policies and assets within the PowerProtect Data Manager environment.

The role that is assigned to a user defines the privileges that are associated with the user and determines the tasks that the user can perform.

Managing users

Only the Admin role can manage users.

The following roles can view users, roles, identity sources, and user groups:

Admin User Export and Recovery Admin

NOTE: User authorization grants or denies users access to PowerProtect Data Manager resources. Authorization is the

same for locally authorized users and Microsoft Windows Active Directory/LDAP users.

You can create local users to perform management tasks. When you create a local user account, you must assign a role to the user.

To add and manage LDAP or AD users, refer to the PowerProtect Data Manager Security Configuration Guide.

Add a user

Only the Admin role can add a user.

Steps

1. Select Administration > Users.

The Users window appears.

2. Click Add.

3. In the New User window, provide the following information:

User first name User last name Username Email Address Password Retype to confirm password Force Password ChangeEnabled by default. Requires the user to update the password at first login. Role

4. Click Save.

2

20 Managing Users

Results

The newly added user appears in the Users window.

Edit or delete a user

Only the Admin role can edit or delete a user.

Steps

1. Select Administration > Users.

The Users window displays the following information:

Username User first name User last name User email address User role Date the user was created

2. Select the user you want to edit or delete.

3. Do one of the following:

To delete the user, click Delete. To edit the user, click Edit, modify the user fields, and then click Save.

Results

The changes appear in the Users window.

Reset a password

Local users can reset a forgotten password using this procedure.

Prerequisites

The user must be a local user. A mail server must be configured on PowerProtect Data Manager. LDAP and Windows Active Directory users cannot reset their password using this procedure. Contact the system

administrator to reset your password.

About this task

Local users can receive an email with a link to reset their password. The reset password link in the email expires in 20 minutes, after which time they must request another link.

Steps

1. In the PowerProtect Data Manager login page, click Forgot Password.

2. In the Forgot Password dialog box, type your user name, click Send Link, and click OK to dismiss the informational dialog box. The system sends a message to the email address associated with your user name.

3. Open the email and click the link.

4. In the Reset Password dialog box, type a new password in the New Password and Confirm New Password fields, and click Save. The PowerProtect Data Manager login page appears.

5. Log in with your user name and new password.

Managing Users 21

Default admin user

The default admin user is preassigned the Admin role during PowerProtect Data Manager installation.

The default admin user has super user control over PowerProtect Data Manager and cannot be deleted. However, you can modify the attributes of the default admin user.

Roles

A role defines the privileges and permissions that a user has to perform a group of tasks. When a user is assigned a role, you grant the user all of the privileges that are defined by the role. Only one role can be associated to a user account.

Admin role

Admin

The Admin role is responsible for setup, configuration, and all PowerProtect Data Manager management functions. The Admin role provides systemwide access to all functionality across all organizations. One default Admin role is assigned at PowerProtect Data Manager deployment and installation. You can add and assign additional Admin roles to users in your organization who require full access to the system.

This table outlines the privileges and tasks that are associated with the Admin role.

Table 7. Admin role privileges and tasks

Privileges Tasks

Activity Management Manage Discovery Jobs Manage Tasks Workflow Execution

Asset Management View Data Source Assets Manage Data Source Assets View Protection Storage Targets Manage Protection Storage Targets

Monitoring Monitor Events Manage Events View Historical Data View Tasks and Activities

Recovery and Reuse Management View Host Manage Host Rollback to Production Recovery to New Location Export for Reuse

Service Plan Management View Plans Manage Plans Assign Data Source to Plan

Security and System Audit Monitor Security/System Audit Manage Security/System Audit

Storage Management View Storage Array Manage Storage Array View Inventory Sources Manage Inventory Sources

22 Managing Users

Table 7. Admin role privileges and tasks (continued)

Privileges Tasks

Support Assistance and Log Management

View Diagnostic Logs Manage Diagnostic Logs

System Management View System Settings Manage System Settings

User/Security Management Manage User Security View User Security

User role

User

The User role is responsible for monitoring the PowerProtect Data Manager Dashboard, Activity Monitor, and Notifications. The User role provides read-only access to monitor activities and operations. Assign the User role to users in your organization who monitor Dashboard activities, Activity Monitor, and Notifications but do not require the ability to configure the system.

This table outlines the privileges and tasks that are associated with the User role.

Table 8. User role privileges and tasks

Privileges Tasks

Activity Management Workflow Execution

Asset Management View Data Source Assets View Protection Storage Targets

Monitoring Monitor Events View Historical Data View Tasks and Activities

Recovery and Reuse Management View Host

Service Plan Management View Plans

Security and System Audit Monitor Security/System Audit

Storage Management View Storage Array View Inventory Sources

Support Assistance and Log Management

View Diagnostic Logs

System Management View System Settings

User/Security Management View User Security

Managing Users 23

Export and Recovery Admin role

Export and Recovery Admin

The Export and Recovery Admin role is defined for a dedicated set of users who are solely responsible for PowerProtect Data Manager setup, configuration, and execution of data management tasks such as copy export and recovery operations. The Export and Recovery Admin role provides access only to those functions required for data export and recovery operations. This role and its operations are intended for a limited set of users whose actions are solely focused on data management, export, and recovery; and whose actions are audited routinely for security purposes. Assign the Export and Recovery Admin role to a user in your organization who requires access to data only to make it available to others in the organization and thereby maintain a chain of custody record.

This table outlines the privileges and tasks that are associated with the Export and Recovery Admin role.

Table 9. Export and Recovery Admin role privileges and tasks

Privileges Tasks

Activity Management None

Asset Management View Data Source Assets View Protection Storage Targets

Monitoring Monitor Events View Historical Data View Tasks and Activities

Recovery and Reuse Management View Host Manage Host Rollback to Production Recovery to New Location Export for Reuse

Service Plan Management None

Security and System Audit None

Storage Management View Storage Array

Support Assistance and Log Management

View Diagnostic Logs Add Logs Export Logs

System Management View System Settings

User/Security Management View User Security

Privileges

PowerProtect Data Manager privileges define the tasks that a user can perform and these privileges are assigned to roles.

Activity management privileges

This table defines the activity management privileges.

Table 10. Activity management privileges

Privilege Task

Manage Discovery Jobs Create discovery jobs.

24 Managing Users

Table 10. Activity management privileges (continued)

Privilege Task

View discovery jobs. Edit discovery jobs. Delete discovery jobs.

Manage Task Create task resources. View task resources. Edit task resources.

Workflow Execution Start workflow execution. Cancel workflow execution. View the status of workflow execution.

Asset management privileges

This table defines the asset management privileges.

Table 11. Asset management privileges

Privilege Task

Manage Data Source Assets Create, read, edit, and delete a data source. Create, view, edit, and delete the policy in the protection group resource. Create, view, edit, and delete asset group resources. Create, view, edit, patch, and delete tag category resources.

Manage Protection Storage Targets

Create, view, edit, and delete a data target. Create, view, edit, and delete asset group resources of protection storage targets.

View Data Source Assets View a data source. View asset group resources. View the policy of the protection group resource. View tag category resources.

View Protection Storage Targets

View a data target.

Monitoring privileges

This table defines the monitoring privileges.

Table 12. Monitoring privileges

Privilege Task

View Tasks or Activities View task resources.

View Historical Data View historical data that relates to plans, arrays, data targets, data sources, and capacity data.

Monitor Events View alerts. View external notifications.

Manage Events Acknowledge alerts and add notes. Create, modify, and delete external notifications.

Managing Users 25

Service policy management privileges

This table defines the policy management privileges.

Table 13. Policy management privileges

Privilege Task

Assign Data Source to Policy Assign a data source to a protection policy resource.

Manage Policies Create, view, edit, and delete the policy for a protection policy resource. Create, view, edit, and delete a policy definition resource. Create, view, edit, and delete schedule resources. Create, view, edit, and delete an objective definition resource. Create, read, edit, and delete an action definition.

View Policies View the policy for a protection policy resource. View schedule. View a protection policy definition. View objective definition. View services. View service resources. View assets that are assigned to a protection policy. View action definitions. View asset group resources.

Recovery and reuse management privileges

This table defines the recovery and reuse management privileges.

Table 14. Recovery and reuse management privileges

Privilege Task

Export for Reuse Create, view, edit, and start export and reuse operations.

Roll back to Production Create, view, edit, and start rollback to production operations.

Recovery to Alternate Location

Create, view, edit, and start recovery to alternate location operations.

Manage Host Create, view, edit and delete a host.

View Host View a host.

Storage management privileges

This table defines the storage management privileges.

Table 15. Storage management privileges

Privilege Task

View Inventory Sources View a management interface. Read storage manager resources such as exported, deleted, and restored copies.

View Storage Array View a storage array.

Manage Storage Array Create, view, edit, and delete a storage array.

26 Managing Users

Table 15. Storage management privileges (continued)

Privilege Task

Manage Inventory Sources Create storage manager resources and run creation-related storage array operations. Create exported and restored copies and run restore-related storage array operations. Create expunged copies and run deletion-related storage array operations. Create, view, edit, and delete a management interface.

Security management privileges

This table defines the security management privileges.

Table 16. Security management privileges

Privilege Task

Manage User Security Create, view, edit, and delete users View roles Create, view, edit, and delete identity sources Create, view, edit, and delete user groups Create, view, edit, and delete white lists

View User Security View users and roles View identity sources and user groups View white lists

System management privileges

This table defines the system management privileges.

Table 17. System management privileges

Privilege Task

View System Settings View SRS information View Server Disaster Recovery artifacts View Maintenance Mode View License information View Server Disaster Recovery Status View node, Configuration EULA, OS User, Upgrade Package, Component, Configuration

Status, Configuration Logs, Time Zone, and State resources View NTP information

Manage System Settings Manage Server Disaster Recovery activities Manage SRS Gateway connection and other Telemetry communications View and edit Node State resource Update the license for the appliance View Component, Configuration Status, Configuration Logs, Time Zone, and State

resources View and edit node, Configuration EULA, OS User, and Lockbox resources Create, view, edit, and delete the Upgrade Package resource Update time zone Update NTP information

Support assistance and log management privileges

This table defines the support assistance and log management privileges.

Managing Users 27

Table 18. Support assistance and log management privileges

Privilege Task

View Diagnostic Logs View Log bundle resources. View Log information resources. View the LogSource resource. View logs.

Manage Diagnostic Logs Manage Log bundle resources. Retrieve Log information resources. Retrieve or edit the LogSource resource. Export logs.

Security and system audit privileges

This table defines the security and system audit privileges.

Table 19. Security and system audit privileges

Privilege Task

Monitor Security/System Audit

View Security Auditrelated events and activities.

Manage Security/System Audit

Acknowledge Security Auditrelated events and activities. Export Audit/Change Log of events and activities.

28 Managing Users

Managing Storage

Topics:

Add protection storage Overview of PowerProtect Data Manager cloud tier

Add protection storage

About this task

The PowerProtect Data Manager UI enables users with administrator credentials to add the following storage types:

DD Management Center (DDMC) External DD system

NOTE:

Adding the DDMC is not required for the Storage Direct agent.

The most up-to-date software compatibility information for PowerProtect Data Manager is provided in the eLab

Navigator.

PowerProtect Data Manager does not support DD systems with the High Availability (HA) feature enabled.

When a DD Management Center is added, PowerProtect Data Manager discovers all the supported DD systems that are managed by the DD Management Center. The PowerProtect Data Manager UI displays the discovered DD systems on the Protection Storage tab of the Infrastructure > Storage window. The DD systems that are managed by the DD Management Center are not displayed until discovery is complete. It might take a few minutes for the DD systems to appear in the Storage window.

For each DD system, the DD Management Center that manages the DD system is indicated in the Managed By column in the table.

If a DD system is added directly to PowerProtect Data Manager, the name that was provided for the DD system when it was added to the PowerProtect Data Manager system is displayed in the Managed By column.

NOTE: Data Domain is now PowerProtect DD. References to Data Domain or DD systems in this documentation, in the UI,

and elsewhere in the product include PowerProtect DD systems and older Data Domain systems. In many cases the UI has

not yet been updated to reflect this change.

Steps

1. Select Infrastructure > Storage.

The Storage window appears.

2. In the Protection Storage tab, click Add.

3. In the Add Storage dialog box, select a storage system (DD System, DD Management Center).

NOTE: If using the Storage Direct agent to move snapshot backups from a VMAX storage array to a DD system, you do

not need to add a DD Management Center.

4. Specify the storage system attributes:

a. In the Name field, specify a storage name. b. In the Address field, specify the hostname, fully qualified domain name (FQDN), or the IP address. c. In the Port field, specify the port for SSL communication. Default is 3009.

5. Under Host Credentials click Add, if you have already configured DD credentials that are common across DD systems, select an existing password. Alternatively, you can add new credentials, and then click Save .

3

Managing Storage 29

6. If a trusted certificate does not exist on the storage system, a dialog box appears requesting certificate approval. Click Verify to review the certificate, and then click Accept.

7. Click Save to exit the Add Storage dialog and initiate the discovery of the storage system.

A dialog box appears to indicate that the request to add storage has been initiated.

8. In the Storage window, click Discover to refresh the window with any newly discovered storage systems. When a discovery completes successfully, the Status column updates to OK.

9. To modify a storage system location, complete the following steps:

A storage system location is a label that is applied to a storage system. If you want to store your copies in a specific location, the label helps you select the correct storage system during policy creation.

a. In the Storage window, select the storage system from the table. b. Click Set Location.

The Set Location window appears. c. Click Add in the Location list.

The Add Location window appears. d. In the Name field, type a location name for the asset, and click Save.

10. To manage MTrees in the Storage window, select the storage system from the table and click View storage units.

NOTE: For information about MTrees, see the DD Operating System Administration Guide.

Results

PowerProtect Data Manager displays External DD systems only in the Storage window Name column. PowerProtect Data Manager displays DD Management Center storage types in the Managed By column.

Overview of PowerProtect Data Manager cloud tier The PowerProtect Data Manager cloud tier feature works in tandem with the Cloud Tier feature of DD systems to move PowerProtect Data Manager backups to the cloud. This provides long-term storage of PowerProtect Data Manager backups by seamlessly and securely tiering data to the cloud.

From the PowerProtect Data Manager UI, you configure cloud tier to move PowerProtect Data Manager backups from DD systems to the cloud, and you can perform seamless recovery of these backups.

DD cloud storage units must be pre-configured on the DD system before they are configured for cloud tier in the PowerProtect Data Manager UI. The DD Operating System Administration Guide provides further information.

30 Managing Storage

Using the PowerProtect Search Engine

Topics:

Introducing the PowerProtect Search Engine Setting up and managing indexing Performing a search Restoring from search Troubleshooting Search Engine issues

Introducing the PowerProtect Search Engine When you install PowerProtect Data Manager version 19.3 or later, the PowerProtect Search Engine is installed by default.

The PowerProtect Search Engine indexes virtual machine file metadata to enable searches based on configurable parameters. To use this feature, add at least one search engine node to the Search Engine to form a search cluster, and then enable the indexing feature.

You can enable the indexing option when creating protection policies so that the assets are indexed while they are backed up. Recovering indexes from a disaster is a manual process. Recovering a Search cluster from a DR backup on page 102 provides instructions. The indexing recovery process will be automated in a future release.

When a DR backup is run, scheduled, or manually triggered, the search cluster backup workflow backs up the cluster index data. A backup task is created, and you can view the individual status of the Search Component backup under Details.

NOTE: Scheduled backups with Search cluster integration appear in the Jobs pane as two identical jobs: an initialization job,

which runs immediately, and the backup job, which runs both ServerDR and Search cluster backups.

Limitations

PowerProtect Search is an optional feature that can be enabled, set up, and configured for virtual machine backups and protection policies. When you enable this feature, a backup of the search Engine is taken as part of the server backup process. As of this release, you cannot disable these backups. Therefore, when Search is enabled, you must white-list the Search Engine virtual machine on the DD system that contains the ServerBackup MTree: Add the search node IP address or hostname to the client list for the NFS export.

Setting up and managing indexing Set up an external search node and configure indexing.

Prerequisites

Ensure that:

A vCenter datastore has been configured. Add a VMware vCenter Server on page 42 provides detailed steps for adding a vCenter Server as an asset source.

PowerProtect Data Manager has discovered the networks for the vCenter Server. The following requirements for the PowerProtect Search Engine are met:

NOTE: Each search engine node must meet the system requirements.

CPU: 4 * 2 GHz (4 virtual sockets, 1 core for each socket) Memory: 8 GB RAM Disks: 3 disks (50 GB each) and 1 disk (1 TB) Internet Protocol: IPv4 only

4

Using the PowerProtect Search Engine 31

NIC: One vmxnet3 NIC with one port

Steps

1. From the PowerProtect Data Manager UI, select Infrastructure > Search Engine and click Add Node.

2. In the Add Search Engine Node dialog box, provide the required parameters.

3. Click Save.

4. Click Yes to confirm that you want to deploy the node. The new search node is deployed, and details are displayed in the lower panel.

5. (Optional) Repeat the previous steps to deploy additional search nodes to the search cluster.

NOTE: Ensure that the previous search node has successfully deployed before you add another search node.

6. In the Configure Search Engine dialog box, enable or disable Search Indexing, accept or change the expiration period, and then click OK.

NOTE:

When the index cluster reaches 70 percent, an alert is generated. When it reaches 90 percent, an alert is generated

and indexing is suspended. Specify a global index expiry interval to periodically clean up indexes, which frees up

space.

To turn off or modify indexing, select Infrastructure > Search Engine, select the cluster, and click Configure

Cluster. From the Configure Search Cluster dialog box, you can enable/disable the service or change the number

of expiration days.

Indexes expire according to the global setting or when the associated copies expire, whichever occurs first.

To stop indexing assets that have been added to a protected protection policy, disable the indexing option during

protection policy configuration.

You can add up to a maximum of 5 search engine nodes.

Performing a search When the PowerProtect Search Engine is installed and configured, you can use the Search Engine to find protected folders and files in the environment using key parameters.

Prerequisites

Ensure that:

A Search Engine node is set up. Search Indexing is enabled.

About this task

When asset types are set up for index searching, the File Search button appears in the Infrastructure and Recovery menus for the configured asset types.

Steps

1. From the PowerProtect Data Manager UI, select Infrastructure > Assets and select the file type.

2. Click File Search.

3. In the File Search Criteria dialog box, enter any information that you know about the file, and then click Search. The files matching your criteria appear in the results window. You can filter further using the Search Criteria fields.

32 Using the PowerProtect Search Engine

Restoring from search You can use the search engine to find backup copies and restore them to the original or alternate virtual machine at the same or a different location on the virtual machine.

About this task

You can search across all indexed data, but you can restore only from a single asset and single copy at a time.

You can restore virtual machine files in this release. More restore options will be available in future releases, including file systems, VMAX storage groups, and Kubernetes.

Steps

1. From the PPDM UI, select Recovery > Assets, select the type of file you want to search for, and then click File Search.

2. In the File Search Criteria dialog box, enter as much information as you know to narrow down the search results, and then click Search.

3. In the File Search results, you can further filter the results using the Search Criteria fields and you can view details by clicking the Details icon to the left of the file/folder name.

4. Select the files that you want to recover, and click Recover.

The rest of the steps are the same as for recovery of the file type you want to recover. See Restoring Data and Assets on page 79 for details.

Troubleshooting Search Engine issues This section lists troubleshooting and Search Engine issues.

Node failed

Not able to deploy search-node.com. Another session " " is already configured with the same hostname. Would you like to redeploy search node or delete the node? Delete the node, and try again. If you choose to edit, delete the node and the new mode modal appears with your previous input. The input that caused the error is marked as critical.

Certificate issues

Issues with indexing backups and/or performing search queries might result when certificates that were deployed on the search node were corrupted.

Perform one of the following tests to determine certificate issues:

Use the log bundle download utility in PowerProtect Data Manager to examine the Backup VM logs in VM Direct, and look for a log entry like the following:

ERROR: Failed to Upload File: /opt/emc/vproxy/runtime/tmp/vproxyd/ plugin/search/e6c356a1-fbaf-4231-9f6f-a0166b74909a/ -e081fdea-3599-4a6c-abc4-1b5487cb9a32-e523a94c-2d01-5234-ab3c- 7771cfab3c58-7f16bcbb72d7b49ea073356f0d7388ac08461827.db.zip to https:// :14251/upload, Error sending data chunk. Post https:// :14251/upload: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "PPDM Root CA ID-d5ec56b8-69ec-4183-9c94-7c0230408765"

Examine the rest-engine logs in the search node (/opt/emc/search/logs/rest-engine/*.log), and look for certificate verification errors.

Run a search either through the UI or through the API /api/v2/file-instances and look for a certification verification error.

Examine the certificate files in the node(s) to investigate further. If necessary, regenerate the certificate files.

Using the PowerProtect Search Engine 33

Accessing the Search Node

Use the following steps to discover the admin and root passwords for all deployed search nodes:

1. SSH into PowerProtect Data Manager: Log in with UI admin credentials, and then su to become root. 2. Change directory to /opt/emc/vmdirect.

3. Source unit/vmdirect.env.

4. Run bin/infranodemgmt get -secret.

Verifying certificates

Use this procedure to verify that certificates are valid and uncorrupted:

1. Verify that the rootca.pem file is the same in all the relevant nodes (search node, PowerProtect Data Manager, and VM Direct node).

NOTE: The rootca.pem file name is different on each node:

PowerProtect Data Manager /etc/ssl/certificates/rootca/rootca.pem Search node /var/lib/dellemc/vmboot/trust/thumbprint VM Direct /var/lib/dellemc/vmboot/trust/thumbprint

2. Run the following openssl command to find out whether the root certificate file is corrupt or invalid: openssl verify

Response:

/var/lib/dellemc/vmboot/trust/thumbprint: C = US, O = DELL Corporation, CN = PPDM Root CA ID-4c9de850-24ab-42ec-a9a7-6080849d0d24

error 18 at 0 depth lookup:self signed certificate

OK

Ensure that the CN values match.

Certificate verification fails

If the troubleshooting verification steps described above fail, you must re-create the certificates on the Search Node or VM Direct node:

1. SSH into PowerProtect Data Manager: Log in with UI admin credentials, and then su to become root. 2. Use the Get command in the infranodemgmt utility to determine the search node FQDN.

3. Run /usr/local/brs/puppet/scripts/generate_certificates.sh -n -c -b A properties file is created in the /root directory called .properties.

4. Open this file to determine the location of the generated certificates. They should be located in /etc/ssl/ certificates/ .

5. From a separate terminal, SSH into the search node using the password that was revealed with the infranodemgmt Get call in step 2.

6. Change directory to /var/lib/dellemc/vmboot/trust and move the key, cert, and thumbprint files over.

7. Copy the certificate files that were generated in PowerProtect Data Manager as follows:

otca.pem to thumbprint key.pem to key .pem to cert

8. Paste the files to /var/lib/dellemc/vmboot/trust.

9. Set the permissions for the key, cert, and thumbprint files to 0644, and then set the ownership of these files to root:app

34 Using the PowerProtect Search Engine

10. Restart the rest-engine daemon or the vproxyd daemon) to pick up the new certificates: systemctl restart search- rest-engine.

11. Check the rest-engine log file (/opt/emc/search/logs/rest-engine/rest-engine-daemon- .log) to verify that the service started successfully.

Ensure that the following message appears:

A valid Root CA certificate of backup server was provided during deployment

Result: Backup with indexing executes successfully and search service is functional.

Search cluster is full

If the search cluster is full, you can deploy additional nodes by following the steps in Setting up and managing indexing on page 31.

If the search cluster runs out of space and you do not want to deploy an additional node, you have the following options:

Disable the service Shorten the expiration time to remove indexes sooner Remove indexes manually

To disable the service, complete the following steps:

1. Select Infrastructure > Search Engine. 2. Select the cluster, and then click Configure Cluster. 3. In the Configure Search Cluster dialog box, switch the Search Indexing button to turn it off, and then click Save.

NOTE: This setting applies to all indexes in all protection policies in the Search Cluster.

To shorten the expiration time to remove indexes sooner, complete the following steps:

1. Select Infrastructure > Search Engine. 2. Select the cluster, and then click Configure Cluster. 3. In the Configure Search Cluster dialog box, modify the Search Index Expiration and click Save. A recommended formula

to determine the expiration time is: Delete Index when Today = Backup-Date + Expiration Days + 1 day. That is, one day after the backup expires.

NOTE: This setting applies to all indexes in all protection policies in the Search Cluster.

To remove indexes manually, complete the following steps:

1. Use SSH to log in to the Search virtual machine. 2. Create a snapshot of the Search cluster using the following format:

{ Command: "APP_SNAPSHOT", Title: "Initiate Index/Search Cluster Snapshot Process", AsyncCmd: false, Properties: { "Name": { Description: "Used to uniquely identify a particular snapshot", Type: STRING }, "Action": { Description: "Action to perform, 'Create', 'Delete', 'Restore' or 'Cancel' a Snapshot", Type: STRING }, "NFSHost": { Description: "NFS Host serving snapshot backup area.", Type: STRING }, "NFSExport": { Description: "NFS Export path to mount too.", Type: STRING }, "NFSDirPath": { Description: "NFS directory path to write too.", Type: STRING }

Using the PowerProtect Search Engine 35

} }

For example:

{ "Command": "APP_SNAPSHOT", "Title": "", "AsyncCmd": false, "Properties": { "Action": { "Description": "", "Required": false, "Type": "string", "IsArray": false, "Value": "Create", "Default": null }, "Name": { "Description": "", "Required": false, "Type": "string", "IsArray": false, "Value": "PPDM_Catalog_Cluster_snapshot_2019-10-16-12-57-16", "Default": null }, "NFSHost": { "Value": "10.25.87.88" }, "NFSExport": { "Value": "/mnt/shared" }, "NFSDirPath": { "Value": "" } } }

3. You can delete indexes by protection policy or by asset. If the JSON command is stored at /home/admin/remove- plc.json, run the command, ./searchmgmt -I /home/admin/remove-plc.json.

Use the following format to delete indexes by protection policy:

{ "Command": "APP_REMOVE_ITEMS", "AsyncCmd": false, "Properties": { "Action": { "Description": "Action to perform, 'AssetDelete', 'PLCDelete'", "Required": true, "Value": "PLCDelete", } "PLCID": { "Description": "PLC ID of item(s) to delete.", "Required": true, "Value": "7676d753-b57e-a572-6daf-33689933456d", } } }

Use the following format to delete indexes by asset type:

{ "Command": "APP_REMOVE_ITEMS", "AsyncCmd": false, "Properties": { "Action": { "Description": "Action to perform, 'AssetDelete', 'PLCDelete'", "Required": true, "Value": "AssetDelete",

36 Using the PowerProtect Search Engine

}, "AssetID": { "Description": "Optional, Asset ID of item(s) to delete.", "Required": false, "Value": "503dd753-b57e-a572-6daf-44680033755f", }, "PLCID": { "Description": "PLC ID of item(s) to delete.", "Required": true, "Value": "7676d753-b57e-a572-6daf-33689933456d", } } }

NOTE:

The time to complete the execution of these procedures depends on the number of backup copy asset indexes being

deleted.

This procedure does not impact regular operation of the cluster.

Using the PowerProtect Search Engine 37

Managing Assets

Topics:

About asset sources, assets, and storage Prerequisites for discovering asset sources Enable an asset source Adding a vCenter Server asset source VM Direct protection engine overview Adding a Kubernetes cluster asset source

About asset sources, assets, and storage In PowerProtect Data Manager, assets are the basic units that PowerProtect Data Manager protects. Asset sources are the mechanism that PowerProtect Data Manager uses to manage assets and communicate with the storage system where backup copies of the assets are stored.

PowerProtect Data Manager supports DD Management Center (DDMC) as the storage and programmatic interface for controlling the DD systems, and external DD systems.

Asset sources can be a vCenter Server, Kubernetes cluster, application host, or SMIS server. Assets can be virtual machines, Exchange databases, SQL databases, Oracle databases, SAP HANA databases, File systems, Kubernetes namespaces, or storage groups.

Before you can add an asset source, you must enable the source within the PowerProtect Data Manager UI. Enable an asset source on page 41 provides instructions.

About vCenter Server asset sources and virtual assets

After you add a vCenter Server as an asset source in PowerProtect Data Manager, an automatic discovery of VMware entity information from the vCenter Server is initiated.

The virtual assets for the vCenter Server appear in the Assets window of the PowerProtect Data Manager UI under the Virtual Machines tab.

The initial vCenter Server discovery identifies all ESXi clusters, hosts, and virtual machines within the vCenter Server. Subsequent discoveries are performed automatically, according to a fixed interval, to identify any additional or changed VMware entities since the last discovery operation. You can also manually initiate a discovery of VMware entities at any time from the vCenter tab of the Asset Sources window by selecting a vCenter Server and clicking Discover.

Upon vCenter Server and virtual asset discovery, the PowerProtect Data Manager VM Direct protection engine facilitates the management of virtual assets as PowerProtect Data Manager resources for the purposes of backup and recovery. Dell EMC recommends that you also add an external VM Direct Engine in the Protection Engines window. You can protect virtual machine assets by manually adding the assets to a virtual machine protection policy, or by creating and applying protection rules to determine which assets are included in a protection policy based on rule definitions.

About Kubernetes cluster asset sources and namespace assets

Kubernetes clusters and containers play an important role in the speed and efficiency of deploying and developing applications, and also in reducing downtime when a change to application scaling is required. PowerProtect Data Manager enables you to protect the Kubernetes environment by adding a Kubernetes cluster as an asset source, and discovering namespaces as assets for data protection operations.

In a traditional application, an environment might consist of a web server, application server, and database server, with the web server servicing requests in front of a load balancer. Scaling this application, for example, by increasing the web layer by adding servers, requires the involvement of many resources to manually change the configuration. In a Kubernetes cluster, however,

5

38 Managing Assets

once you develop the code and write a YAML file that indicates the required systems and configuration details, Kubernetes deploys these containers and the application can be started quickly. Also, a change to the scale of the application only requires you to change the YAML file and post the updated file to the cluster.

A typical Kubernetes cluster can contain several physical and virtual systems. Once the clusters are running, the applications, binaries, and a framework are bundled into a container, which is then wrapped in a pod. Before you can run the pod in a Kubernetes cluster, the cluster must be divided into namespaces. A namespace is a pool of resources that are divided logically in the cluster. It is these namespaces that are protected as assets within the PowerProtect Data Manager UI for the purposes of backup and recovery.

However, because pods only last for a short time, to persist state information Kubernetes uses Persistent Volumes. You can create Persistent Volumes on external storage and then attach to a particular pod using PersistentVolumeClaims (PVCs). PVCs can then be included along with other namespaces in PowerProtect Data Manager backup and recovery operations.

NOTE: Kubernetes versions 1.13 to 1.16 support alpha CSI volume snapshots. However, only beta CSI volume snapshots are

supported in Kubernetes versions 1.17 and later. The article "Kubernetes 1.17 Feature: Kubernetes Volume Snapshot Moves

to Beta" at https://kubernetes.io/blog/2019/12/09/kubernetes-1-17-feature-cis-volume-snapshot-beta/provides

instructions on how to deploy support for Beta snapshots in a Kubernetes cluster.

Optimized data path and First Class Disks

When the Kubernetes cluster is running on vSphere and using vSphere CNS storage, backup and recovery operations utilize the optimized data path, where persistent volumes on vSphere-managed storage are backed up by VMDKs called improvised virtual disks, or First Class Disks (FCDs). These FCDs are created on the back-end and assigned a globally unique UUID whenever persistent volumes are dynamically provisioned by vSphere CSI in Kubernetes. Since FCDs are not associated with any particular virtual machine, they can be managed independently.

PowerProtect Data Manager detects whether a persistent volume is backed by an FCD when the storageclass of the persistent volume has the provisioner as csi.vsphere.vmware.com. When this occurs, PowerProtect Data Manager switches to using the optimized data path.

Optimized data path differs from CSI management in primarily two ways:

FCD uses the VMware VADP API to take the snapshot instead of using the CSI driver. Supports both incremental and full backups, making use of changed block tracking (CBT).

The following configuration changes are required prior to running the Kubernetes protection policy in order to make use of optimized data path:

FCD CSI support requires a minimum version of vCenter 6.7 U3. Enable CBT on the Kubernetes worker node virtual machines before the pods (application) start using dynamically

provisioned PVCs.

To enable CBT on the nodes, run the command source /opt/emc/vproxy/unit/vproxy.env on the PowerProtect Data Manager host, and then run the following command for each node:

/opt/emc/vproxy/bin/vmconfig -u vCenter user with administrator privileges -p user password -v vCenter host FQDN or IP -l ip -k Kubernetes node IP -c enable-cbt" If your Kubernetes cluster nodes do not have VMWare Tools installed, you might not be able to use the IP address as one of the inputs to the tool. In this case, use the VM Moref as the identifier of the VMs:

/opt/emc/vproxy/bin/vmconfig -u vCenter user with administrator privileges -p user password -v vCenter host FQDN or IP -l moref -k Kubernetes VM node moref -c enable-cbt"

The PowerProtect Data Manager proxy pods use NBD protocol to read the contents of the FCD-based persistent volumes in order to back up these volumes. Ensure that the NBD default port 902 is open on all of the Kubernetes nodes, and that the worker nodes are able to reach the vCenter Server.

You can verify that a Kubernetes protection policy backup or restore is using optimized data path by viewing the details for the operation in the Jobs window. Additionally, the Recent Tasks pane of the vSphere Client displays the message Create a virtual disk object when a new PVC is added.

Managing Assets 39

About application agent asset sources and assets

In addition to vCenter Server and Kubernetes cluster asset sources, PowerProtect Data Manager provides the option to enable the following asset sources to protect application agent assets.

NOTE: This guide does not provide instructions for each application agent. Refer to the individual application agent user

guides for more information.

File System agent

After the File System agent is approved and registered in the PowerProtect Data Manager UI, PowerProtect Data Manager integrates with the agent to enable an application administrator to protect and recover data on the File System host, and to check and monitor backup compliance against protection policies.

Microsoft Exchange agent

After the Microsoft Exchange agent is approved and registered in the PowerProtect Data Manager UI, PowerProtect Data Manager integrates with the agent to enable an application administrator to protect and recover the Exchange application data on the application host, and to check and monitor backup compliance against protection policies.

Microsoft SQL agent

After the Microsoft SQL agent is approved and registered in the PowerProtect Data Manager UI, PowerProtect Data Manager integrates with the agent to enable an application administrator to protect and recover the SQL application data on the application host, and to check and monitor backup compliance against protection policies.

Oracle RMAN agent

After the Oracle RMAN agent is approved and registered in the PowerProtect Data Manager UI, PowerProtect Data Manager integrates with the agent to enable an application administrator to protect and recover the Oracle application data on the application host, and to check and monitor backup compliance against protection policies.

SAP HANA agent

After the SAP HANA agent is approved and registered in the PowerProtect Data Manager UI, PowerProtect Data Manager integrates with the agent to enable an application administrator to protect and recover the SAP HANA application data on the application host, and to check and monitor backup compliance against protection policies.

Storage Direct agent for Storage Data Management

Storage Data Management uses snapshot backup technology to protect data on VMAX and PowerMax storage arrays by moving storage group data from the array to a DD system. After the Storage Direct agent is approved and registered in the PowerProtect Data Manager UI, and the DD system and the SMIS server are added and discovered, the Storage Direct agent enables you to discover the storage groups in the storage arrays, and assign unprotected storage groups to a protection policy for backup and recovery operations.

Prerequisites for discovering asset sources Perform these tasks before you discover the asset sources.

Ensure that the PowerProtect Data Manager is deployed and configured in the environment. The PowerProtect Data Manager Deployment Guide provides information.

Log in with administrative rights. For a new system, enable one or more asset sources for the types of assets that you want to protect. Enable an asset

source on page 41 provides more information. Configure all asset sources with an NTP server.

40 Managing Assets

Before you register an SQL application, ensure that the DD system has been discovered successfully. For discovery of Application Agent and File System asset sources:

Ensure that all clocks on both the App/File System host and PowerProtect Data Manager are time-synced to the local NTP server to ensure discovery of the backups.

Ensure that the App/File System host and the PowerProtect Data Manager network can see/resolve each other. Ensure that port 7000 is open on the App/File System host.

Enable an asset source An asset source, such as a vCenter Server, must be enabled in PowerProtect Data Manager before you can add and register the asset source for the protection of assets.

About this task

There are some circumstances where enabling an asset source is not required, such as the following:

For application agents and other agents such as File System and Storage Direct, an asset source is enabled automatically when you register and approve the agent host. For example, if you have not enabled an Oracle asset source but have registered the application host though the API or the PowerProtect Data Manager UI, PowerProtect Data Manager automatically enables the Oracle asset source.

When you upgrade to PowerProtect Data Manager 19.6 from an earlier release, any asset sources that were previously enabled appear in the PowerProtect Data Manager UI. On a new installation, however, no asset sources are enabled by default.

Steps

1. In the PowerProtect Data Manager UI, select Infrastructure > Asset Sources, and then click + to reveal the New Asset Source tab.

2. In the pane for the asset source that you want to add, click Enable Source. The Asset Sources window updates to display a tab for the new asset source.

Results

You can now add or approve the asset source for use in PowerProtect Data Manager. For a vCenter Server, Kubernetes cluster, or SMIS Server, select the appropriate tab in this window and click Add. For an application agent, go to Infrastructure > Application Agents and click Add or Approve as required.

Disable an asset source

If you enabled an asset source that you no longer require, and the host has not been registered in PowerProtect Data Manager, perform the following steps to disable the asset source.

About this task

NOTE: An asset source cannot be disabled when one or more sources are still registered or there are backup copies of the

source assets. For example, if you registered a vCenter Server and created policy backups for the vCenter virtual machines,

then you cannot disable the vCenter asset source. But if you register a vCenter Server and then delete the vCenter without

creating any backups, you can disable the asset source.

Steps

1. In the PowerProtect Data Manager UI, select Infrastructure > Asset Sources, and then select the tab of the asset source that you want to disable. If no host registration is detected, a red Disable button appears.

2. Click Disable.

Results

PowerProtect Data Manager removes the tab for this asset source.

Managing Assets 41

Adding a vCenter Server asset source After you register a vCenter Server with PowerProtect Data Manager, you can use the Asset Sources window in the PowerProtect Data Manager UI to add a vCenter Server asset source to the PowerProtect Data Manager environment.

About this task

Adding a vCenter Server asset source is required if you want to schedule a backup through PowerProtect Data Manager.

Add a VMware vCenter Server

Perform the following steps to add a vCenter Server as an asset source in the PowerProtect Data Manager UI:

Prerequisites

Ensure that the asset source is enabled. Enable an asset source on page 41 provides instructions. You must have Administrator privileges. By default, PowerProtect Data Manager enforces SSL certificates during communication with vCenter Server. If a certificate

appears and you trust the certificate, click Verify.

Note, however, that a requirement of SSL certificate enforcement is that the common name (cn) of the x509 certificate on the vCenter Server must match the hostname of the vCenter URL. The common name of the x509 certificate is typically the vCenter server fully qualified domain name (FQDN), but it could be the vCenter server IP address. You can inspect the vCenter server SSL certificate to determine whether the x509 common name is a FQDN or an IP. When creating an asset source resource, in order to pass SSL certificate enforcement, the asset source resource hostname must match the common name of the x509 certificate on the vCenter server.

NOTE: It is highly recommended that you do not disable certificate enforcement. If disabling the certificate is required,

carefully review the instructions in the section Disable vCenter SSL certificate validation on page 171.

Steps

1. Select Infrastructure > Asset Sources.

The Asset Sources window appears.

2. Select the vCenter tab.

3. Click Add. The Add vCenter dialog displays.

4. Specify the source attributes:

a. In the Name field, specify the vCenter Server name. b. In the Address field, specify the fully qualified domain name (FQDN) or the IP address.

NOTE: For a vCenter Server, it is recommended that you use the FQDN instead of the IP address.

c. In the Port field, specify the port for communication if you are not using the default port, 443.

5. Under Host Credentials, choose an existing entry from the list to use for the vCenter user credentials. Alternatively, you can click Add from this list to add new credentials, and then click Save.

NOTE: Ensure that you specify the credentials for a user whose role is defined at the vCenter level, as opposed to being

restricted to a lower-level container object in the vSphere object hierarchy.

6. If you want to make a subset of the PowerProtect Data Manager UI functionality available within the vSphere Client, move the vSphere Plugin slider to the right.

Available functionality includes:

The monitoring of active virtual machine/VMDK protection policies, and Restore options such as Restore to Original, Restore to New, and Instant Access.

NOTE: You can unregister the vSphere plug-in at any time by moving the slider to the left.

42 Managing Assets

7. By default, the vCenter discovery occurs automatically after adding the vCenter, and subsequent discoveries are incremental. If you want to schedule a full discovery at a certain time every day, select the Schedule Discovery check box, and then specify a time.

8. If the vCenter server SSL certificate cannot be trusted automatically, a dialog box appears requesting certificate approval. Review the certificate, and then click Verify.

9. Click Save.

The vCenter Server information that you entered now appears as an entry in a table on the Asset Sources window. You can click the magnifying glass icon next to the entry to view more details, such as the next scheduled discovery, the number of assets within the vCenter, and whether the vSphere Plugin is enabled.

NOTE: Although PowerProtect Data Manager automatically synchronizes with the vCenter server under most

circumstances, certain conditions might require you to initiate a manual discovery.

After discovery, PowerProtect Data Manager starts an incremental discovery in the background periodically to keep updating PowerProtect Data Manager with vCenter changes. You can always do an on-demand discovery.

10. Optionally, you can set warning and failure thresholds for the available space on the datastore. Setting these thresholds enables you to check if enough storage space is available in the datastore to save the snapshot of the virtual machine during the backup process. The backup completes with a warning in the logs if the available free space in the datastore is less than or equal to the percentage indicated in the Datastore Free Space Warning Threshold. The backup fails if the available free space in the datastore is less than or equal to the percentage indicated in the Datastore Free Space Failure Threshold. To add Datastore Free Space Warning and Failure Thresholds:

a. Click the gear icon to open the vCenter Settings dialog. b. Type a percentage value to indicate when a warning message should display due to low datastore free space. c. Type a percentage value to indicate when a virtual machine backup failure should occur due to low datastore free space. d. Click Save.

NOTE: Datastore free space thresholds are disabled by default.

11. Select Infrastructure > Assets.

The Assets window appears.

12. If not already selected, click the Virtual Machines tab. Upon a successful discovery, the virtual machine assets that are discovered in the vCenter appear. Discovery time is based on networking bandwidth. The resources that are discovered and the resources that are performing the discovery impact performance each time that you initiate a discovery process. It might appear that PowerProtect Data Manager is not updating the Asset Sources data while the discovery is in progress.

Next steps

Upon successful discovery of the vCenter virtual machine assets, you can add a VM Direct appliance to facilitate data movement, and then create virtual machine protection policies to back up these assets. The PowerProtect Data Manager software comes bundled with an embedded VM Direct Engine, which is automatically used as a fallback proxy for performing backups and restores when the added external proxies fail or are disabled. It is recommended that external proxies should always be deployed since the embedded proxy has limited capacity for performing parallel backups. To add a VM Direct Engine, go to Infrastructure > Protection Engines.

Creating a dedicated vCenter user account

Dell EMC strongly recommends that you set up a separate vCenter user account at the root level of the vCenter that is strictly dedicated for use with PowerProtect Data Manager and the VM Direct protection engine.

Use of a generic user account such as Administrator could make future troubleshooting efforts difficult as it might not be clear which Administrator actions are actually interfacing or communicating with PowerProtect Data Manager. Using a separate vCenter user account ensures maximum clarity if it becomes necessary to examine vCenter logs.

You can specify the credentials for a vCenter user account when you add the vCenter as an asset source in the UI. When you add the vCenter, ensure that you specify a user whose role is defined at the vCenter level and not restricted to a lower level container object in the vSphere object hierarchy.

Managing Assets 43

Specify the required privileges for a dedicated vCenter user account

You can use the vSphere Client to specify the required privileges for the dedicated vCenter user account, or you can use the PowerCLI, which is an interface for managing vSphere. The following table includes the privileges required for this user.

About this task

Table 20. Minimum required vCenter user account privileges

Setting vCenter 6.0 and later required privileges PowerCLI equivalent required privileges

Alarms Create alarm Modify alarm

$privileges = @( 'System.Anonymous', 'System.View', 'System.Read', 'Global.ManageCustomFields', 'Global.SetCustomField', 'Global.LogEvent', 'Global.CancelTask', 'Global.Licenses', 'Global.Settings', 'Global.DisableMethods', 'Global.EnableMethods', 'Folder.Create', 'Datastore.Rename', 'Datastore.Move', 'Datastore.Delete', 'Datastore.Browse', 'Datastore.DeleteFile', 'Datastore.FileManagement', 'Datastore.AllocateSpace', 'Datastore.Config', 'Network.Config', 'Network.Assign', 'Host.Config.Storage', 'VirtualMachine.Inventory.Create', 'VirtualMachine.Inventory.Register', 'VirtualMachine.Inventory.Delete', 'VirtualMachine.Inventory.Unregister', 'VirtualMachine.Interact.PowerOn', 'VirtualMachine.Interact.PowerOff', 'VirtualMachine.Interact.Reset', 'VirtualMachine.Interact.ConsoleInterac t', 'VirtualMachine.Interact.DeviceConnecti on', 'VirtualMachine.Interact.SetCDMedia', 'VirtualMachine.Interact.ToolsInstall', 'VirtualMachine.Interact.GuestControl', 'VirtualMachine.GuestOperations.Query', 'VirtualMachine.GuestOperations.Modify' , 'VirtualMachine.GuestOperations.Execute ', 'VirtualMachine.Config.Rename', 'VirtualMachine.Config.Annotation', 'VirtualMachine.Config.AddExistingDisk' , 'VirtualMachine.Config.AddNewDisk', 'VirtualMachine.Config.RemoveDisk', 'VirtualMachine.Config.RawDevice', 'VirtualMachine.Config.HostUSBDevice', 'VirtualMachine.Config.CPUCount', 'VirtualMachine.Config.Memory', 'VirtualMachine.Config.AddRemoveDevice' , 'VirtualMachine.Config.EditDevice', 'VirtualMachine.Config.Settings', 'VirtualMachine.Config.Resource', 'VirtualMachine.Config.UpgradeVirtualHa

Datastore Allocate space Browse datastore Configure datastore Low-level file operations Move datastore Remove datastore Remove file Rename datastore

Extension Register extension Unregister extension Update extension

Folder Create folder

Global Cancel task Disable methods Enable methods Licenses Log event Manage custom attributes Settings Set custom attribute

Host Configuration > Storage partition configuration

Network Assign network Configure

Resource Assign virtual machine to resource pool Migrate powered off virtual machine Migrate powered on virtual machine

Sessions Validate session

Tasks Create task Update task

vApp Export Import vApp application configuration

Virtual Machine

Configuration Add existing disk

44 Managing Assets

Table 20. Minimum required vCenter user account privileges (continued)

Setting vCenter 6.0 and later required privileges PowerCLI equivalent required privileges

Add new disk Add or remove device Advanced Change CPU count Change resource Configure managed by Disk change tracking Disk Lease Extend virtual disk Host USB device Memory Modify device settings Raw device Reload from path Remove disk Rename Reset guest information Set annotation Settings Swapfile placement Upgrade virtual machine compatibility

rdware', 'VirtualMachine.Config.ResetGuestInfo', 'VirtualMachine.Config.AdvancedConfig', 'VirtualMachine.Config.DiskLease', 'VirtualMachine.Config.SwapPlacement', 'VirtualMachine.Config.DiskExtend', 'VirtualMachine.Config.ChangeTracking', 'VirtualMachine.Config.ReloadFromPath', 'VirtualMachine.Config.ManagedBy', 'VirtualMachine.State.CreateSnapshot', 'VirtualMachine.State.RevertToSnapshot' , 'VirtualMachine.State.RemoveSnapshot', 'VirtualMachine.Provisioning.MarkAsTemp late', 'VirtualMachine.Provisioning.DiskRandom Access', 'VirtualMachine.Provisioning.DiskRandom Read', 'VirtualMachine.Provisioning.PutVmFiles ', 'Resource.AssignVMToPool', 'Resource.HotMigrate', 'Resource.ColdMigrate', 'Alarm.Create', 'Alarm.Edit', 'Task.Create', 'Task.Update', 'Sessions.ValidateSession', 'Extension.Register', 'Extension.Update', 'Extension.Unregister', 'VApp.ApplicationConfig', 'VApp.Export', 'VApp.Import' )

New-VIRole -Name 'PowerProtect' - Privilege (Get-VIPrivilege -Id $privileges)

Cryptographic Permissions

Add disk Direct access Register VM

Guest Operations Guest operation modifications Guest operation program execution Guest operation queries

Interactions Configure CD media Console interaction Device Connection Guest operating system management by

VIX API Power off Power on Reset VMware Tools install

Inventory Create new Register Remove Unregister

Provisioning Allow disk access Allow read-only disk access Allow virtual machine download Mark as Template

Snapshot Management

Create snapshot Remove Snapshot Revert to snapshot

Managing Assets 45

VM Direct protection engine overview The VM Direct protection engine is the virtual machine data protection solution within PowerProtect Data Manager, enabling you to deploy a VM Direct Engine in the vSphere environment to perform virtual machine snapshot backups, moving the data to a DD system.

The VM Direct protection engine is enabled after you add a vCenter Server in the Asset Sources window, and allows you to collect VMware entity information from the vCenter Server and save VMware virtual machines as PowerProtect Data Manager resources for the purposes of backup and recovery.

To view statistics for the VM Direct engine, manage and monitor VM Direct appliances, and add an external VM Direct appliance to facilitate data movement, go to Infrastructure > Protection Engines. Add a VM Direct Engine on page 46 provides more information.

NOTE: In the VM Direct Engines pane, VMs Protected refers to the number of assets protected by PowerProtect Data

Manager. This count does not indicate that all of the virtual machines have been protected successfully. To determine the

success or failure of asset protection, use the Jobs window.

When you add an external VM Direct appliance, the VM Direct Engines pane provides the following information:

The VM Direct appliance IP address, name, gateway, DNS, network, and build version. This information is useful for troubleshooting network issues.

The vCenter and ESXi hostname. The VM Direct appliance status (green check mark if the VM Direct appliance is ready, red x if the appliance is not fully

operational). The status includes a short explanation to help you troubleshoot the VM Direct Engine if the VM Direct appliance is not in a fully operational state.

The transport mode that you selected when adding the VM Direct appliance (Hot Add, Network Block Device, or the default setting Hot Add, Failback to Network Block Device).

Requirements for an external VM Direct engine

When adding an external VM Direct engine, note the following system requirements:

CPU: 4 * 2 GHz (4 virtual sockets, 1 core for each socket) Memory: 8 GB RAM Disks: 2 disks (59 GB and 98 GB) Internet Protocol: IPv4 only SCSI controller: maximum of 4 NIC: One vmxnet3 NIC with one port

Add a VM Direct Engine

In the Protection Engines window, perform the following steps to deploy an external VM Direct Engine, also referred to as a VM proxy, to facilitate data movement for virtual machine protection policies.

Prerequisites

Review the sections Requirements for an external VM Direct engine on page 46 and Transport mode considerations on page 169.

If applicable, complete all of the virtual network configuration tasks before you assign any virtual networks.

About this task

The PowerProtect Data Manager software comes bundled with an embedded VM Direct Engine, which is automatically used as a fallback proxy for performing backups and restores when the added external proxies fail or are disabled. Dell EMC recommends that you deploy external proxies by adding a VM Direct Engine because the embedded proxy has limited capacity for performing parallel backups. An external VM Direct Engine for VM proxy backup and recovery can also provide improved performance and reduce network bandwidth utilization by using source-side deduplication.

Steps

1. In the VM Direct Engines pane of the Protection Engines window, click Add.

46 Managing Assets

The Add VM Direct Engines wizard displays.

2. On the Add VM Direct Engines page, complete the required fields, which are marked with an asterisk.

Gateway, IP Address, Netmask, and Primary DNSNote that only IPv4 addresses are supported. vCenter to DeployIf you have added multiple vCenter Server instances, select the vCenter on which to deploy the

VM Direct Engine.

NOTE: Ensure that you do not select the internal vCenter Server.

ESX Host/ClusterSelect on which cluster or ESXi host you want to deploy the additional VM Direct Engine. NetworkDisplays all the networks that are available under the selected ESXi Host/Cluster. For virtual networks

(VLANs), this network carries management traffic. Data StoreDisplays all datastores that are accessible to the selected ESXi Host/Cluster based on ranking (whether

the datastores are shared, local, or NFS), and available capacity (the datastore with the most capacity appearing at the top of the list).

You can choose the specific datastore on which the VM Direct Engine will reside, or leave the default selection of to allow PowerProtect Data Manager to determine the best location to host the VM Direct Engine.

Transport ModeSelect from Hot Add or Network Block Device (NBD) transport modes, or select Hot Add, Failback to Network Block Device to default to Hot Add mode and fail back to NBD only if Hot Add cannot be used.

NOTE: When configuring the VM Direct Engine in a VMware Cloud on AWS environment, ensure that you select Hot

Add transport mode. VMware Cloud on AWS does not support NBD transport mode.

3. Click Next. The Networks Configuration page displays.

4. On the Networks Configuration page:

The Networks Configuration page configures the virtual network (VLAN) to use for backup data. To continue without virtual network configuration, leave the Preferred Network Portgroup selection blank and then click Next.

a. From the Preferred Network Portgroup list, select a VST (Virtual Switch Tagging) or VGT (Virtual Guest Tagging) network. If you select a VGT portgroup, the list displays all virtual networks within the trunk range. If you select a VST portgroup, the list displays only the virtual network for the current VLAN ID.

b. Select one or more virtual networks from the list.

A VM Direct Engine requires an IP address from the static IP pool for each selected virtual network. If there are not enough IP addresses in a pool, the wizard prompts you to supply additional addresses for that network.

c. If required, type an available static IP address or IP address range in the Additional IP Addresses column for the indicated virtual network.

For convenience when working with multiple virtual networks, you can also use one of the Auto Expand options:

Expand Last IPThe wizard increments the host portion of the last IP address in the static IP pool. Click Apply. Same Last DigitThe wizard adds the network portion of the IP address to the specified value. Type the host

portion of the IP address and then click Apply.

The wizard updates the value in the Additional IP addresses column for each selected network. Verify the proposed IP addresses.

d. Click Next.

5. On the Summary page, review the information and then click Save. The VM Direct Engine is added to the VM Direct Engines pane. Note that it can take several minutes before the new VM Direct Engine is registered in PowerProtect Data Manager. The VM Direct Engine will also appear in the vSphere Client.

Results

When an external VM Direct Engine is deployed and registered, it is used by PowerProtect Data Manager instead of the embedded VM Direct for any data protection operations involving virtual machine protection policies. If all external VM Direct Engines are unavailable, the embedded VM Direct Engine is used as a fallback to perform limited scale backups and restores. If you do not want to use an external VM Direct Engine that you have added, you can disable this engine. Additional VM Direct actions on page 48 provides more information.

Managing Assets 47

Next steps

If the VM Direct Engine deployment fails, review the network configuration of PowerProtect Data Manager in the System Settings window to correct any inconsistencies in network properties. After successfully completing the network reconfiguration, you must delete the failed VM Direct Engine and then add the VM Direct Engine in the Protection Engines window.

When configuring the VM Direct Engine in a VMware Cloud on AWS environment, if the VM Direct Engine is deployed to the root of the cluster instead of inside the Compute-ResourcePool, you must move the VM Direct Engine inside the Compute- ResourcePool.

Additional VM Direct actions

For additional VM Direct actions, such as enabling, disabling, redeploying, or deleting the VM Direct Engine, or changing the network configuration, use the Protection Engines window.

Disable a VM Direct Engine

You can disable an added VM Direct Engine that you do not currently require for virtual machine backup and recovery. To disable a VM Direct Engine:

1. On the Protection Engines window, select the VM Direct Engine that you want to disable from the table in the VM Direct Engines pane.

2. In the far right of the VM Direct Engines pane, click the three vertical dots. 3. From the menu, select Disable.

NOTE: A disabled VM Direct Engine is not used for any new protection activities, and is not automatically upgraded during a

PowerProtect Data Manager upgrade.

Delete a VM Direct Engine

When you disable a VM Direct Engine, the Delete button is enabled. If you no longer require the VM Direct Engine, perform the following steps to delete the engine:

1. Select the VM Direct Engine that you want to remove from the table in the VM Direct Engines pane. 2. In the far right of the VM Direct Engines pane, click the three vertical dots. 3. From the menu, select Disable. 4. Click Delete.

Enable a disabled VM Direct Engine

When you want to make a disabled VM Direct Engine available again for running new protection activities, perform the following steps to re-enable the VM Direct Engine.

1. Select the VM Direct Engine that you want to re-enable from the table in the VM Direct Engines pane. 2. In the far right of the VM Direct Engines pane, click the three vertical dots. 3. From the menu, select Enable.

NOTE: If a PowerProtect Data Manager version upgrade occurred while the VM Direct Engine was disabled, a manual

redeployment of the VM Direct Engine is also required.

Redeploy a VM Direct Engine

If a PowerProtect Data Manager software update occurred while a VM Direct Engine was disabled, or an automatic upgrade of the VM Direct Engine did not occur due to network inaccessibility or an environment error, the Redeploy option enables you to manually update the VM Direct Engine to the version currently in use with the PowerProtect Data Manager software. Perform the following steps to manually redeploy the VM Direct Engine.

1. Select the VM Direct Engine that you want to redeploy from the table in the VM Direct Engines pane. 2. In the far right of the VM Direct Engines pane, click the three vertical dots.

48 Managing Assets

3. If the VM Direct Engine is not yet enabled, select Enable from the menu. 4. When the VM Direct Engine is enabled, select Redeploy from the menu.

The VM Direct Engine is redeployed with its previous configuration details.

Edit the network configuration for a VM Direct Engine

If VM Direct Engine deployment failed because of a virtual network configuration problem, you can update the configuration to add additional IP addresses to the static IP pool. You can also add the VM Direct Engine to a virtual network in the same VGT port group.

Perform the following steps to change the network configuration:

1. Select the VM Direct Engine from the table in the VM Direct Engines pane. 2. Click Edit. 3. Select the row that corresponds to the virtual network with the configuration error, or the virtual network to which you

want to add the VM Direct Engine. 4. Type an available static IP address or IP address range in the Additional IP Addresses column. 5. Click Next. 6. On the Summary page, verify the network settings, and then click Next.

To change other network configuration settings, delete the VM Direct Engine and then deploy a new VM Direct Engine.

Adding a Kubernetes cluster asset source Adding a Kubernetes cluster as an asset source in PowerProtect Data Manager enables you to protect namespaces and Persistent Volume Claims (PVCs) within the cluster. You can use the Asset Sources window in the PowerProtect Data Manager UI to add a Kubernetes cluster asset source to the PowerProtect Data Manager environment.

Prerequisites to Kubernetes cluster discovery

After a successful discovery of the Kubernetes cluster asset source, PowerProtect Data Manager deploys the following images on the Kubernetes cluster:

dellemc/powerprotect-k8s-controller dellemc/powerprotect-cproxy, which is pulled during the first backup

dellemc/powerprotect-velero-dd velero/velero vsphereveleroplugin/velero-plugin-for-vsphere (for Kubernetes clusters on vSphere that use VMware CSI)

By default, these images are pulled from Docker Hub at https://hub.docker.com/. However, if a Kubernetes cluster cannot access Docker Hub due to firewall or other restrictions, you can pull images to a local registry that the cluster can access. Ensure that you keep the image names and version tags the same in the local registry as they appear in Docker Hub.

After pulling the images to a local registry, perform the following steps before a Kubernetes cluster discovery to configure PowerProtect Data Manager to use the local registry when creating deployment resources:

1. Create an application.properties file /usr/local/brs/lib/cndm/config/application.properties on the PowerProtect Data Manager appliance with the following contents:

k8s.docker.registry=registry fqdn:port. For example, artifacts.example.com:8446 k8s.image.pullsecrets=secret resource name. Specify this entry only if you require an image pull secret.

2. Run cndm restart to apply the properties.

You can now add the Kubernetes asset source in the PowerProtect Data Manager UI. If you already added the Kubernetes cluster as an asset source, perform these steps and then initiate a manual discovery of the Kubernetes cluster asset source to update the cluster. The configmap and deployment resources in the powerprotect namespace, and the deployment resource in the velero-ppdm namespace, automatically update to use the new images upon successful discovery.

Managing Assets 49

Add a Kubernetes cluster

You can use the PowerProtect Data Manager UI to add a Kubernetes cluster as an asset source. When added, PowerProtect Data Manager automatically deploys resources on the cluster that enable the backup and recovery of namespaces.

Prerequisites

You must have Administrator privileges. If your environment has firewall or other restrictions that might prevent pulling of the required images from Docker Hub,

review the procedure in the section Prerequisites to Kubernetes cluster discovery on page 49. If adding a Kubernetes guest cluster for vSphere CSI-based persistent volumes, add a VM Direct protection engine.

About this task

NOTE: Discovery of a Kubernetes cluster discovers namespaces that contain volumes from both container storage

interface (CSI) and non-CSI based storage. However, backup and recovery are supported only from CSI-based storage.

Also, only Persistent Volumes with the VolumeMode Filesystem are supported.

Steps

1. Select Infrastructure > Asset Sources.

2. In the Asset Sources window, select the Kubernetes cluster tab.

3. Click Add.

4. In the Add Kubernetes cluster dialog box, specify the source attributes:

a. Namethe cluster name b. Addressthe fully qualified domain name (FQDN) or the IP address.

NOTE: It is recommended that you use the FQDN instead of the IP address.

c. Port specify the port to use for communication when not using the default port, 443.

NOTE: The use of any port other than 443 or 6443 requires you to open the port on PowerProtect Data Manager

first to enable outgoing communication. The procedure that is described in Recommendations and considerations

when using a Kubernetes cluster on page 172 provides more information.

5. Under Host Credentials, click Add to add the service account token for the Kubernetes cluster, and then click Save.

The service account must have the following privileges:

Get/Create/Update/List CustomResourceDefinitions Get/Create/Update ClusterRoleBinding for 'cluster-admin' role Create/Update 'powerprotect' namespace Get/List/Create/Update/Delete all kinds of resources inside 'powerprotect' namespace Get/List/Watch all namespaces in the cluster as well as PV, PVC and pods in all these

namespaces NOTE: The admin-user service account in the kube-system namespace contains all these privileges. You can

provide the token of this account, or an existing similar service account. Alternatively, create a service account that is

bound to a cluster role that contains these privileges, and then provide the token of this service account.

6. Click Verify to review the certificate and token information, and then click Accept. Upon successful validation, the status for the new credentials updates to indicate Accepted.

7. Click Save.

The Kubernetes cluster information that you entered now appears as an entry on the Asset Sources window, with a Discovery status of Unknown.

NOTE: Although PowerProtect Data Manager automatically synchronizes with the Kubernetes cluster to perform the

initial discovery under most circumstances, certain conditions might require you to initiate a manual discovery.

8. (Optional) If you want to initiate a manual discovery, select the Kubernetes cluster, and then click Discover. Incremental discovery for a Kubernetes cluster in PowerProtect Data Manager is not supported. You can perform an on- demand (ad hoc) discovery at any time or set a scheduled discovery to update with changes in the Kubernetes cluster.

50 Managing Assets

NOTE: Discovery time is based on networking bandwidth. The resources that are involved in the discovery process

impact performance each time you initiate a discovery. It might appear that PowerProtect Data Manager is not updating

the Asset Sources data while the discovery is in progress.

9. Verify that the Discovery Status column indicates OK, and then go to the Assets window.

Results

Upon adding the Kubernetes cluser as an asset source, a PowerProtect controller is installed on the cluster, which is also used to install Velero with the Data Domain Object store plug-in. The namespaces in the Kubernetes cluster will appear in the Kubernetes tab of the Assets window. To view more details within this window, click the magnifying glass icon next to an entry. Also, if a namespace has associated PVCs that you want to exclude from a policy, you can click the link in the PVCs Exclusion column.

NOTE: If namespace assets are not discovered after adding a Kubernetes cluster asset source, ensure that the bearer

token that is provided for the Kubernetes asset source belongs to a service account that has the privileges as specified in

step 5.

Next steps

Create Kubernetes protection policies to back up namespaces and PVCs.

Managing Assets 51

Managing Protection Policies

Topics:

Protection policies Before you create a protection policy Add a protection policy for a virtual machine Add a protection policy for Kubernetes namespace protection Add a Cloud Tier schedule to a protection policy Manual backups of protected assets On-demand cloud tiering of protected assets Editing a protection policy Edit the retention period for backup copies Delete backup copies Removing expired backup copies Export protection Delete a protection policy Add a Service Level Agreement Export Asset Compliance Protection Rules

Protection policies Protection policies define sets of objectives that apply to specific periods of time. These objectives drive configuration, active protection, and copy-data-management operations that satisfy the business requirements for the specified data. Each plan type has its own set of user objectives.

Users with the System Admin role can create protection policies.

You can create protection policies for:

VMware virtual machines Microsoft Exchange and SQL databases Oracle databases SAP HANA databases File systems Kubernetes clusters Storage groups

This guide provides steps only for virtual machine and Kubernetes protection policies. For other policy types, refer to the user guide for the specific application agent.

PowerProtect DD protection considerations

PowerProtect DD protection policies in PowerProtect Data Manager have certain restrictions and best practices.

Be aware of the following considerations:

The Storage Units that were created in PowerProtect Data Manager must not be changed by the DD administrator to set up Storage Units replication.

The Storage Units that were created in PowerProtect Data Manager must not be configured for cloud tiering. When you create a protection policy, PowerProtect Data Manager creates a DD Boost storage unit and assigns a DD Boost

user to it. The following limitations apply to the number of supported PowerProtect Data Manager protection policies on the supported DD model to the number of active DD Storage Units.

6

52 Managing Protection Policies

Table 21. Supported PowerProtect Data Manager protection policies and Storage Units for DD OS versions

PowerProtect DD System

DD OS Version Storage Units Supported

Supported configurable concurrently active Storage Units /supported number of PowerProtect Data Manager protection policies

DD9800 6.0 and later 256 256

DD9500 5.7 and later 256 256

DD6800, DD9300 6.0 and later 128 128

DD6300 6.0 and later 100 32

DD990, DD4200, DD4500, DD7200

5.7 and later 128 128

All other DD systems 5.7 and later 100 Up to 32 based on the model

DD9500 5.6 100 64

DD990, DD890 5.3 and later 100 Up to 32 based on the model

DD7200, DD4500, DD4200

5.4 and later 100 Up to 32 based on the model

All other DD systems 5.2 and later 100 Up to 14 based on the model

Table 22. Supported Storage Units in DDVE by TB

Number TBs in DDVE Maximum Number of Storage Units

Supported configurable concurrently active Storage Units / supported number of PowerProtect Data Manager protection policies

4 100 6

6

8

32 100 14

48

64 100 32

96

Before you create a protection policy Consider the following best practices before creating a protection policy.

An asset can be protected by only one policy at a time. Assets can be moved from one policy to another policy based on the priority of protection rules. In cases where protection rules result in assets moving from one policy to another, any assets that were manually selected for inclusion in the policy, however, will not be moved to a different policy.

NOTE: If a SQL Server is hosted on a virtual machine, you can protect the SQL database with an application-consistent

backup without interfering with the SQL agent-based backup.

When creating a policy, limit the number of database assets within the policy to under 500 and stagger the start time of replication policies to avoid potential replication failures.

Before adding replication to a protection policy, ensure that you add a remote DD system as the replication location. Add Protection Storage provides detailed instructions about adding a remote DD system.

Understanding backup terminology and managing backup frequency

When scheduling backups in a protection policy, be aware of the following:

Managing Protection Policies 53

Different backup policy types can use different terminology to describe available backup levels. This terminology can differ not only between policy types, but also from traditional terminology.

To avoid high CPU usage that can lead to failure issues, do not schedule backups more often than recommended.

Refer to the following table to understand the different backup levels provided by each protection policy and to manage backup frequencies.

Table 23. Backup terminology and frequency

Protection-policy backup types

Available backup levels

Description Equivalent traditional terminology

Minimum frequency recommendation

VMware application-aware

Full Backs up all the blocks. Full Weekly

Synthetic Full Backs up only the blocks that have changed since the last synthetic-full or full backup, and then performs an operation to merge those changes with the last synthetic-full or full backup in order to produce a full backup in storage. Only the changed blocks are actually copied over the network, but the result is still a full backup in storage.

A differential backup is performed, followed by a merge operation that produces a full backup in storage.

12 hours

VMware crash- consistent

Full Backs up all the blocks. Full Weekly

Synthetic Full Backs up only the blocks that have changed since the last synthetic-full or full backup, and then performs an operation to merge those changes with the last synthetic-full or full backup in order to produce a full backup in storage. Only the changed blocks are actually copied over the network, but the result is still a full backup in storage.

A differential backup is performed, followed by a merge operation that produces a full backup in storage.

12 hours

Log Backs up the transaction logs. 30 minutes

Kubernetes crash- consistent

Full Backs up the namespace metadata and persistent volumes.

Full Daily

Synthetic Full Backs up the namespace metadata, the blocks that have changed for persistent volumes on VMware first- class disks since the last synthetic-full or full backup, and all other persistent volumes in full. Although not all data has actually been copied over the network, the result is still a full backup in storage.

A combination of full and differential backups are performed, followed by a merge operation that produces a full backup in storage.

12 Hours

File System centralized

Full Backs up all the data. Full Weekly

Synthetic Full Backs up only the data that has changed since the last

A differential backup is performed, followed by

12 hours

54 Managing Protection Policies

Table 23. Backup terminology and frequency (continued)

Protection-policy backup types

Available backup levels

Description Equivalent traditional terminology

Minimum frequency recommendation

synthetic-full or full backup, and then performs an operation to merge those changes with the last synthetic-full or full backup in order to produce a full backup in storage. Only the changed blocks are actually copied over the network, but the result is still a full backup in storage.

a merge operation that produces a full backup in storage.

Exchange centralized

Full Backs up all the data. Full Weekly

Synthetic Full Backs up only the data that has changed since the last synthetic-full or full backup, and then performs an operation to merge those changes with the last synthetic-full or full backup in order to produce a full backup in storage. Only the changed blocks are actually copied over the network, but the result is still a full backup in storage.

A differential backup is performed, followed by a merge operation that produces a full backup in storage.

12 hours

SQL centralized Full Backs up all the data. Full Daily

Differential Backs up only the data that has changed since the last differential backup, or the last full backup if there are no other differential backups.

A differential backup is performed, followed by a merge operation that produces a full backup in storage.

12 hours

Log Backs up the transaction logs. 30 minutes

Oracle centralized Full Backs up all the data. Full Daily

Incremental Cumulative

Backs up only the data that has changed since the last full backup.

Differential 12 hours

Incremental Differential

Backs up only the data that has changed since the last incremental differential backup, or the last full backup if there are no other incremental differential backups.

Incremental 6 hours

Log Backs up the archived logs. 30 minutes

SAP HANA centralized

Full Backs up all the data. Full Daily

Differential Backs up only the data that has changed since the last full backup.

Differential 12 hours

Incremental Backs up only the data that has changed since the last incremental backup, or the

Incremental 6 hours

Managing Protection Policies 55

Table 23. Backup terminology and frequency (continued)

Protection-policy backup types

Available backup levels

Description Equivalent traditional terminology

Minimum frequency recommendation

last full backup if there are no other incremental backups.

VMAX storage group centralized

Full Backs up all the blocks. Full Daily

Synthetic Full Backs up only the blocks that have changed since the last synthetic-full or full backup, and then performs an operation to merge those changes with the last synthetic-full or full backup in order to produce a full backup in storage. Only the changed blocks are actually copied over the network, but the result is still a full backup in storage.

A differential backup is performed, followed by a merge operation that produces a full backup in storage.

12 hours

NOTE: In some situations, a full backup might be performed even though a synthetic-full backup was scheduled. Possible

reasons for this include, but are not limited to, the following:

There is no existing full backup.

The size of a volume has changed.

There has been a file path change.

The asset host has been rebooted.

Add a protection policy for a virtual machine A protection policy enables you to select a specific group of assets that you want to back up. Use the PowerProtect Data Manager UI to create a virtual machine protection policy.

Prerequisites

It is recommended that you distribute virtual machine asset protection workloads over multiple ESXi hosts so that you do not exceed the ESXi NBD session limit. If the limit is reached, you can manage the workload by deploying an external VM Direct Engine on the host/cluster using Hot Add transport mode. Additionally, Dell EMC recommends during policy configuration that you assign virtual machines to a protection policy based on logical grouping to allow for better scheduling of backups. Grouping helps avoid resource contention and creates more organized logs for review.

To create application-aware protection policies for virtual machines, ensure that:

You manually update the vmx configuration parameter disk.EnableUUID to True by using the vSphere Web Client. The vSphere version that you are running uses a supported version of VMware Tools. Software compatibility information for

the PowerProtect Data Manager software is provided in the eLab Navigator, available at https:// elabnavigator.emc.com/eln/modernHomeDataProtection.

The virtual machine has direct access to the DD client. The virtual machine uses SCSI disks only, and the number of available SCSI slots matches at least the number of disks. The Windows account that is used for the protection policy is limited to the local system Administrator or the domain

Administrator. This user requires both Microsoft Windows administrative rights and Microsoft SQL Server login and sysadmin rights.

SQL configuration support is limited to Microsoft SQL Server stand-alone instances and a Microsoft SQL Server Always On availability group (AAG) configured with file share witness. Unsupported configurations include Microsoft SQL Server failover cluster instances that are configured with shared drives, and Microsoft SQL Server cluster-less AAG configurations.

For Microsoft SQL Server AAG configurations, the database administrator specifies the AAG backup preferences for backup in the Microsoft SQL Server Management Studio (SSMS). These preferences control which AAG node is selected as the preferred node when you perform a transaction log backup of AAG databases.

56 Managing Protection Policies

If applicable, complete all of the virtual network configuration tasks before you assign any virtual networks to the protection policy.

Steps

1. Select Protection > Protection Policies.

2. In the Protection Policies window, click Add.

The Add Policy wizard appears.

3. On the Type page, specify the following fields, and then click Next:

NameType a descriptive name for the protection policy. DescriptionType a description for the policy. TypeSelect Virtual Machine, which includes protection for SQL application-aware virtual machines.

4. On the Purpose page, select from the following options to indicate the purpose of the new protection policy group, and then click Next:

Crash ConsistentSelect this type for point-in-time backup of virtual machines.

By default, quiescing is automatically performed for the guest file system on the virtual machine. Quiescing ensures that the data within the guest file system is in a state that is suitable for backups. If the file system cannot be quiesced on the first attempt, then the snapshot and backup are performed without quiescing.

VMware Tools is used to quiesce the file system in the guest operating system. The VMware documentation provides more information.

Application AwareFor virtual machines with a SQL application installed, select this type to quiesce the application to perform the SQL database and transaction log backup. When you select this type, you must provide Windows account credentials for the virtual machine. You can provide the credentials at the protection policy level and/or the virtual machine asset level. When you provide the credentials at both levels, the virtual machine asset credentials override the policy credentials.

ExclusionSelect this type if there are virtual machine assets within the protection policy that you plan to exclude from data protection operations.

5. On the Assets page, select the assets for inclusion in this policy by choosing one of the following options from the list:

View by HostThis option enables you to view all assets within a specific host, and then select individual assets or a group of assets at a host or container level for policy inclusion. For example:

Select a standalone host to include all assets under this host. NOTE: If you select a host in a cluster, no assets will be selected. For a host in a cluster, ensure that you select

the cluster or other containers (for example, a resource pool or vApp) under the cluster host.

Expand the tree and select a container level in the vCenter hierarchy (for example, the datacenter, cluster, host, or resource pool) to include all assets under that level. If assets at any level are already protected by another policy, a label with the name of that policy appears next to the level.

When you select a container level in the View by Host view, a protection rule is automatically created to ensure that these container level selections will be retained, even if changes occur from movements within the vSphere environment or the names of resource pools or folders change. This rule is managed by the PowerProtect Data Manager system, and cannot be modified. The rule will also be updated automatically if you make changes to container selections when editing the policy, or when assets are moved into or out of a selected container.

To view this rule after policy creation, go to Protection > Protection Rules. The name in the Protection Rule Name column for this new rule will match the policy name.

If this new rule results in an overlap of protection with an existing rule, you can resolve these conflicts by changing the policy protection rule priority in the Selection Overlap page. Step 7 on page 58 provides more information.

NOTE: The behavior of automatic rule creation that allows assets to move into or out of policies can only be

modified in the REST API. After upgrading from a previous release, if View by Host is not visible you can enable

this view by manually changing the /api/v2/common-settings/DYNAMIC_FILTER_SETTING. The API

documentation at https://developer.dellemc.com provides instructions.

Expand the tree and select individual assets within containers.

When you select individual assets within this view, these selections are considered static, and no protection rule is automatically created. In cases where protection rules result in assets moving from one policy to another, any assets that are manually selected for inclusion in the policy will not be moved to a different policy.

Managing Protection Policies 57

View Asset TableThis option enables you to view all unprotected assets in the vCenter within a table, and then select individual unprotected assets that you want to back up as part of this protection policy. In cases where protection rules result in assets moving from one policy to another, any assets that are manually selected for inclusion in the policy will not be moved to a different policy.

When you select a virtual machine asset in this view, a dialog displays indicating that you can exclude virtual disks (VMDKs) from protection of these assets. To dismiss the dialog for other selections, select the check box and click OK.

Both views provide additional information about the virtual machines, such as any currently associated tags, protection rules, and whether the virtual machine is already assigned to another policy, to help you identify which assets you want to add. If the virtual machines that you want to protect are not listed, use the Search box to search by asset name.

NOTE: When you configure a virtual machine application-aware protection policy to protect a Microsoft SQL Server

Always On availability group (AAG), you must add all the virtual machines for that AAG to the same policy, to ensure

proper protection. Failure to do so might result in missed transaction log backups.

For the virtual machine application-aware case, the Assets page displays a warning about the AAG policy configuration requirement.

6. Optionally, if you want to exclude non-production VMDKs such as network shares or test disks from a protection policy:

a. Select the virtual machine asset from the list, and then click Manage Exclusions in the Disk Excluded column.

The Exclude Disks dialog box appears. By default, the slider next to each VMDK is set to Included.

b. For each disk that you want to exclude, move the slider to the right. The status updates to Excluded.

NOTE: For PowerProtect Data Manager version 19.3, a virtual machine with disk exclusion and Cloud Disaster

Recovery (DR) cannot coexist in the same protection policy. If you exclude disks from a virtual machine protection

policy, Cloud DR is not supported.

c. Click Save. The Assets page updates to indicate the number of disks for that particular asset that will be excluded from the protection policy.

7. Click Next.

If any virtual objects or assets selected in the previous page overlap with assets that are already protected by another policy, the Selection Overlap page appears. Overlap can occur, for example, when two policies (the new policy and an existing policy) use the View by Host view for asset selection by container level.

a. To switch protection of any virtual objects listed in the Protection Priority Overlap table from an existing policy, update the Policy Priority field to a level equal to or higher than the other policy currently protecting these objects. The lower the value, the higher the priority. For example, 1 is the highest priority. When you change this value, the priority of the rule associated with this policy will also be changed.

b. To switch protection of any assets listed in the Asset Protection Overlap table to this policy, select the checkbox next to the asset(s). Note that selecting these assets for inclusion in this policy will remove the assets from the other policy.

When you make changes to the priority or the selected assets, the protection rule is updated automatically.

8. Click Next. The Schedule page appears.

9. On the Schedule page, click + Backup to create a schedule. The Add Primary Backup dialog appears.

10. On the Add Primary Backup dialog, specify the backup schedule fields, and then click OK:

RecurrenceSpecify how often backups occur. Create CopySpecify how often to create a synthetic full backup. A synthetic full backs up only the changed blocks

since the last backup to create a new full backup. Transaction Log EveryFor application-aware protection policies, specify the interval in minutes for log generation.

NOTE: For SQL Server AAG configurations, the database administrator can specify the AAG backup preferences for

a transaction log backup in the Microsoft SQL Server Management Studio.

Keep ForSpecify the retention period for the backup.

You can extend the retention period for the latest primary backup copy by adding a promotion backup. For example, your regular schedule for daily backups can use a retention period of 30 days, but you can apply promotion backups to keep the full backups taken on Mondays for 10 weeks. Step 11 on page 59 provides instructions.

NOTE: For database backups, PowerProtect Data Manager chains the dependent backups together. For example,

the synthetic full or transaction log backups are chained to their base full backup. The backups do not expire until the

58 Managing Protection Policies

last backup in the chain expires. This ensures that all synthetic full and transaction log backups are recoverable until

they have all expired.

Start TimeSpecify the time of day to start initiating backups. End TimeSpecify the time of day to stop initiating backups.

NOTE: Any backups started before the End Time occurs continue until completion.

Create FullSelect this option if you want to periodically force a full (level 0) backup, and then specify how often to create these backups. When you select this option, the backup chain is reset.

The Schedule page updates with the added backup schedule. NOTE: After completing a backup schedule, you can change any schedule details by selecting the check box next to the

added schedule and clicking Edit.

11. To extend the retention period for the latest primary backup copy, add a promotion backup:

a. Select the checkbox next to the added schedule and click + Backup. b. In the Add Promotion Backup dialog box, specify a weekly or monthly recurrence for the promotion backup schedule, a

retention period for the backup, and then click OK.

12. To replicate these backups to a remote DD system:

a. Select the checkbox next to the primary backup schedule and click Replicate.

NOTE: You cannot replicate a promotion backup. When you select a promotion backup schedule, the Replicate

button is disabled.

b. Complete the schedule details in the Add Primary Replication dialog box, and then click OK.

NOTE: To enable replication, ensure that you add a remote DD system as the replication location.

13. Optionally, to add a Cloud stage for the purpose of moving backups from DD storage to Cloud Tier, select the check box next to the primary, replication, or promotion schedule, and then select Cloud Tier. Add a Cloud Tier schedule to a protection policy on page 63 provides more information.

NOTE: In order to move a backup or replica to Cloud Tier, schedules must have a weekly or monthly recurrence and a

retention time of 14 days or more. Also, discovery of a DD system configured with a Cloud unit is required.

14. From the SLA list, select an existing service level agreement that you want to apply to this schedule, or select Add to create an SLA within the Add Backup Service Level Agreement window.

Add a Service Level Agreement on page 72 provides instructions.

15. From the Storage Name list:

Select the backup destination from the list of existing DD systems. To add a system, select Add, and complete the details in the Storage Target window.

When you select the destination storage, the Space field updates with the available capacity on the system.

16. Click Set Storage Quotas to set storage space restrictions for a DD MTree or Storage Unit to prevent the consumption of excess space. There are two kinds of quota limitshard limits and soft limits. You can set either a soft or hard limit or both a soft and hard limit. Both values must be integers, and the soft value must be less than the hard value.

NOTE: When you set a soft limit and the limit is reached, an alert is generated but data can still be written to the DD

system. When you set a hard limit and the limit is reached, data cannot be written to the MTree. All data protection

operations fail until data is deleted from the MTree. The DD Operating System Administration Guide provides more

information about MTree quota configuration.

a. Capacity QuotaControls the total size of precompression data that is written to the DD system. b. Stream QuotaThe number of concurrent streams allowed on the system during data protection operations. Setting a

Stream Quota limit can help ensure that system performance is not impacted negatively when a data protection operation is consuming too many system resources.

17. Select the Retention Lock check box to enable retention locking for these backups on the selected system. PowerProtect Data Manager uses Governance mode for retention locking, which means that the lock can be reverted at any time if necessary. Toggling the Retention Lock check box on or off applies the current backup copy only, and does not impact the retention lock setting for existing backup copies.

NOTE: Primary backups are assigned a default retention lock period of 14 days. Replicated backups, however, are not

assigned a default retention lock period. If you select this check box for a replicated backup, ensure that you set the

Managing Protection Policies 59

Keep For field in the Add Primary Replicate backup schedule dialog to a minimum number of 14 days so that the

replicated backup does not expire before the primary backup.

18. From the Network interface list, select a network interface, if applicable.

19. Click Next. The Options page appears.

20. On the Options page:

a. Select from one of the following backup optimization modes:

Performance Optimize for backup and replication speed. Selecting this mode will result in more storage consumption. Previous versions of PowerProtect Data Manager used this option by default.

Capacity Optimize for backup size. Selecting this mode will result in less storage consumption, but backups will take longer to complete.

NOTE: Changing the optimization mode after the first backup of the protection policy will force the next backup to

be a full backup, and result in increased storage capacity usage due to differences in how each mode uses data

deduplication. This increase will continue until all backups performed using the previous optimization mode expire and

have been deleted.

b. Exclude swap files from backupSelect to exclude the C:\swapfile.sys, C:\pagefile.sys, and C:\hiberfil.sys swap and memory files of Microsoft Windows virtual machines, in the virtual machine backup. Default is unselected.

NOTE: Including swap and memory files in a backup unnecessarily increases the size of the backup and the time to

RTO during recovery. These files are not required for recovery, as they are rebuilt by the Microsoft Windows

operating system upon restart.

c. Enable indexing for file search and restoreSelect to enable indexing. This option is visible only upon activating the search cluster node.

d. Enable guest file system quiescingSelect to enable VMware Tools to quiesce the file system during crash- consistent virtual machine backups.

21. Click Next. The Summary page appears.

22. Review the protection policy group configuration details. Except for the protection policy type, you can click Edit next to any details to change the protection policy information. When satisfied with the details, click Finish. An informational message appears to confirm that PowerProtect Data Manager has saved the protection policy.

When the new protection policy is created and assets are added to the protection policy, PowerProtect Data Manager performs backups according to the backup schedule.

For virtual machines, if you have not yet added a VM Direct Engine, the backup is performed using the embedded VM Direct Engine. Subsequent backups are performed according to the schedule specified.

NOTE: If the target virtual machine datastore for backup is running low on free space and the datastore free space

threshold is configured in vCenter Settings, a warning message or backup failure will occur. When the Datastore Free

Space Warning Threshold is reached, the backup proceeds with a warning message in the logs. When the Datastore

Free Space Failure Threshold is reached, the backup fails.

To check the warning and failure threshold values, go to Infrastructure > Asset Sources and click the vCenter tab.

Click the gear icon to open the vCenter Settings dialog.

23. Click OK to exit the window, or click Go to Jobs to open the Jobs window to monitor the backup of the new protection policy group.

More options for managing virtual machine backups

After you create a virtual machine protection policy, additional options become available for virtual machine assets that are backed up as part of the policy.

To access these options:

1. Select Infrastructure > Assets. 2. From the Assets window, select the Virtual Machines tab. If a policy has been assigned, the table lists the virtual machine

assets that have been discovered in the vCenter, along with the associated protection policy.

60 Managing Protection Policies

NOTE: You can click the link in the Disk Excluded column next to a virtual machine asset to view VMDKs that have

been excluded from the protection policy. You cannot, however, edit disk inclusion or exclusion from this window. To

change the disks that are excluded for a protected asset, select the policy from the Protection Policies window and

click Edit.

3. Select a protected asset from the table, and then click View Copies. The Copy Locations pane identifies where the backups are stored.

4. In the left pane, click the storage icon to the right of the VM icon, for example, DD. The table in the right pane lists the backup copies.

Depending on whether the asset is retention locked, you can perform the following functions from this window:

Edit the retention period of backup copies to extend or shorten the amount of time that backups are retainedSelect one or more backup copies from the table and click Edit Retention.

To select a calendar date as the expiration date for backups, select Retention Date. To define a fixed retention period in days, weeks, or months after the backup is performed, select Retention Value. For

example, you could specify that backups expire after 6 months. Delete a backup copyIf you no longer require a copy and the retention lock is not enabled, select the copy from the table

and click Delete.

Add a protection policy for Kubernetes namespace protection A Kubernetes protection policy enables you to select a namespace that you want to back up. Use the PowerProtect Data Manager UI to create a Kubernetes namespace protection policy.

Prerequisites

NOTE: Discovery of a Kubernetes cluster discovers namespaces that contain volumes from both container storage

interface (CSI) and non-CSI based storage. However, backup and recovery are supported only from CSI-based storage. If

you select a namespace from non-CSI storage, the backup fails.

Optionally, if you want to protect a namespace that contains non-CSI storage, you can exclude the non-CSI PVC from the

backup. If excluding the PVC, ensure that such a policy still meets your protection requirements.

If applicable, complete all of the virtual network configuration tasks before you assign any virtual networks to the protection policy.

Steps

1. Select Protection > Protection Policies.

2. In the Protection Policies window, click Add.

The Add Policy wizard appears.

3. On the Type page, specify the following fields, and then click Next:

NameType a descriptive name for the protection policy. DescriptionType a description for the policy. TypeFor the policy type, select Kubernetes.

4. On the Purpose page, select from the following options to indicate the purpose of the new protection policy group, and then click Next:

Crash ConsistentSelect this type for point-in-time backup of namespaces. ExclusionSelect this type if there are assets within the protection policy that you plan to exclude from data protection

operations.

5. In the Assets page, select one or more unprotected namespaces that you want to back up as part of this protection policy.

NOTE: Cluster resources, such as cluster roles, cluster role bindings, and custom resource definitions (CRDs) that are

associated with namespace-scoped resources, will be backed up automatically as part of the Kubernetes protection

policy.

Managing Protection Policies 61

If the namespace that you want to protect is not listed, perform one of the following:

Click Find More Assets to perform an updated discovery of the Kubernetes cluster. Use the Search box to search by asset name.

6. (Optional) For the selected namespaces, click the link in the PVCs Excluded column, if available, to clear any PVCs that you want to exclude from the backup. By default, all PVCs are selected for inclusion.

7. Click Next. The Schedule page appears.

8. On the Schedule page, click + Backup to create a schedule.

9. On the Add Primary Backup page, specify the backup schedule fields, and then click OK:

RecurrenceSpecify how often backups occur. Create EverySpecify how often to create a synthetic full backup. For persistent volumes on VMware first class disks

(FCDs), a synthetic full backs up only the changed blocks since last backup to create a new full backup. Also, namespace metadata is backed up in full upon every backup.

Keep ForSpecify the retention period for the backup. NOTE: For database backups, PowerProtect Data Manager chains the dependent backups together. For example,

the synthetic full or transaction log backups are chained to their base full backup. The backups do not expire until the

last backup in the chain expires. This ensures that all synthetic full and transaction log backups are recoverable until

they have all expired.

Start TimeSpecify the time of day to start initiating backups. End TimeSpecify the time of day to stop initiating backups.

The Schedule page updates with the added backup schedule. NOTE: After completing a backup schedule, you can change any schedule details by selecting the check box next to the

added schedule and clicking Edit.

10. To replicate these backups to a remote DD system:

a. Select the checkbox next to the primary backup schedule and click Replicate. b. Complete the schedule details in the Add Primary Replication dialog box, and then click OK.

NOTE: To enable replication, ensure that you add a remote DD system as the replication location. Add Protection

Storage provides detailed instructions about adding a remote DD system.

11. Optionally, to add a Cloud stage for the purpose of moving backups from DD storage to Cloud Tier, select the check box next to the primary or replication schedule, and then select Cloud Tier. Add a Cloud Tier schedule to a protection policy on page 63 provides more information.

NOTE: In order to move a backup or replica to Cloud Tier, schedules must have a weekly or monthly recurrence and a

retention time of 14 days or more. Also, discovery of a DD system configured with a Cloud unit is required.

12. From the SLA list, select an existing service level agreement that you want to apply to this schedule, or select Add to create an SLA within the Add Backup Service Level Agreement window.

Add a new SLA provides instructions.

NOTE: The Promotion SLA type is not supported for Kubernetes protection policies.

13. From the Storage Name list in the schedule entry:

Select the backup destination from the list of existing DD systems. To add a system, select Add, and complete the details in the Storage Target window.

When you select the destination storage, the Space field updates with the available capacity on the system.

14. Click Set Storage Quotas to set storage space restrictions for a DD MTree or Storage Unit to prevent the consumption of excess space. There are two kinds of quota limitshard limits and soft limits. You can set either a soft or hard limit or both a soft and hard limit. Both values must be integers, and the soft value must be less than the hard value.

NOTE: When you set a soft limit and the limit is reached, an alert is generated but data can still be written to the DD

system. When you set a hard limit and the limit is reached, data cannot be written to the MTree. All data protection

operations fail until data is deleted from the MTree. The DD Operating System Administration Guide provides more

information about MTree quota configuration.

a. Capacity QuotaControls the total size of pre-compression data that is written to the DD system.

62 Managing Protection Policies

b. Stream QuotaThe number of concurrent streams allowed on the system during data protection operations. Setting a Stream Quota limit can help ensure that system performance is not impacted negatively when a data protection operation is consuming too many system resources.

15. Select the Retention Lock check box to enable retention locking for these backups on the selected system. PowerProtect Data Manager uses Governance mode for retention locking, which means that the lock can be reverted at any time if necessary. Toggling the Retention Lock check box on or off applies the current backup copy only, and does not impact the retention lock setting for existing backup copies.

NOTE: Primary backups are assigned a default retention lock period of 14 days. Replicated backups, however, are not

assigned a default retention lock period. If you select this check box for a replicated backup, ensure that you set the

Keep For field in the Add Primary Replicate backup schedule dialog to a minimum number of 14 days so that the

replicated backup does not expire before the primary backup.

NOTE: Retention lock is not supported for the Cloud Tier schedule. The cloud copies will remain retention locked if the

associated protection or replication stage supports retention lock.

16. From the Network interface list, select a network interface, if applicable.

17. Click Next. The Summary page appears.

18. Review the protection policy group configuration details, and then click Finish. Except for the protection policy type, you can click Edit next to any details to change the policy information.

An informational message appears to confirm that PowerProtect Data Manager has saved the protection policy.

When the new protection policy is created and assets are added to the protection policy, PowerProtect Data Manager performs backups according to the backup schedule.

19. Click OK to exit the window, or click Go to Jobs to open the Jobs window.

From the Jobs window, you can monitor the progress of the new Kubernetes cluster protection policy backup and associated tasks. You can also cancel any in-progress or queued job or task.

NOTE: If a Kubernetes cluster is running on vSphere and using vSphere CSI storage, the job details will indicate that the

optimized data path is being used for the backup.

Next steps

If the backup fails with the error Failed to create Proxy Pods. Creating Pod exceeds safeguard limit of 10 minutes, verify that the CSI driver is functioning properly, such that the driver can create snapshots and a PVC from the VolumeSnapshot datasource. Also, ensure that you clean up any orphan VolumeSnapshot resources that still exist in the namespace.

Add a Cloud Tier schedule to a protection policy For some protection policy types, you can add a cloud tier schedule to a protection policy in order to perform backups to cloud tier.

Prerequisites

Ensure that a DD system is set up for cloud tiering.

About this task

You can create the cloud tier schedule from primary, replication, and promotion stages. Schedules must have a weekly or monthly recurrence and a retention time of 14 days or more.

Steps

1. Log in to PowerProtect Data Manager with administrator credentials.

2. Select Protection > Protection Policies > Add.

3. On the Type page, enter a name and description, select the type of system to back up, and click Next.

The following protection policy types support cloud tiering:

Managing Protection Policies 63

Virtual machine SQL Exchange Oracle SAP HANA File System Kubernetes

4. On the Purpose page, select from the available options to indicate the purpose of the new protection policy, and then click Next.

5. On the Assets page, select the assets that you want to protect with this policy, and then click Next.

6. On the Schedule page, select + Backup.

7. On the Add Primary page, set the following parameters, and then click OK:

RecurrenceSelect Weekly or Monthly. Keep forCloud Tier backup requires a minimum of 2 weeks.

8. Select the protection policy that you created, and then select Cloud Tier.

9. In the Add Cloud Tier dialog box, set the following parameters and then click OK:

Select the appropriate unit from the Cloud Target list. For Tier After, set a time of at least 2 weeks.

The new protection policy is now enabled with cloud tiering.

10. Click Next, verify the information, and then click Finish. A new job is created, which you can view under the Jobs tab after the job completes.

Results

Once an asset is protected with a Cloud Tier stage, you can also perform a manual backup of the asset. On-demand cloud tiering of protected assets on page 65 provides more information.

Managing Cloud Tier asset copies

You can manage Cloud Tier copies of assets by changing copy retention time, deleting copies, and recalling copies.

Steps

1. In the PowerProtect Data Manager dashboard, go to Infrastructure > Assets.

2. Select an asset and click View Copies.

3. Click an asset copy icon. Cloud Tier backups are listed by cloud storage in the Location column.

4. To change how long copies remain in cloud storage, complete the following steps:

a. Select a Cloud Tier backup and click Edit Retention. b. Choose one of the following options:

To select a calendar date as the expiration date for backups, select Retention Date. To define a fixed retention period in days, weeks, months, or years after the backup is performed, select Retention

Value. For example, you could specify that backups expire after 6 months.

c. When satisfied with the changes, click Save. The asset is displayed in the list with the changes. The Retention column displays both the original and new retention period, and indicates whether the retention period has been extended or shortened.

NOTE: When you edit the retention period for copies that are retention locked, you can only extend the retention

period.

5. To delete the copy in cloud storage, select a Cloud Tier backup and click Delete. To delete the copy records from the PowerProtect Data Manager database while the copy remains in the DD system, select Remove from PowerProtect.

Delete backup copies on page 69 and Remove backup copies from the PowerProtect Data Manager database on page 71 provides more information.

64 Managing Protection Policies

6. Select a Cloud Tier backup and click Recall from Cloud to return the cloud backup to your local DD system for recovery or backup.

NOTE: If you use Amazon's network to copy data from AWS storage, Amazon charges you for the data transfer.

7. To extend the date to retier the copy back to the cloud, select Edit Recall Retention.

8. To manually move a copy back to cloud storage, select Retier.

Manual backups of protected assets Once assets have been added to a protection policy, you can perform manual backups by using the Back Up Now functionality in the PowerProtect Data Manager UI.

You can use a single manual backup from the Protection > Protection Policy window to back up multiple assets that are protected in the designated protection policy. To perform this manual backup:

1. Select Protection > Protection Policy 2. Select the protection policy that protects the assets for which you want to perform the manual backup.

NOTE: The protection policy must be enabled, and its purpose must not be Exclusion or Self-Service Protection.

3. On the Assets Selection page, choose whether you want to back up All assets... or if you will Choose some of the assets... that are defined in the protection policy.

If you want to choose some of the assets for manual backup, choose those assets on the Assets page.

4. On the Configuration page, edit the backup type and retention period if you want to change the default settings.

The default settings are inherited from the primary backup stage of the parent protection policy.

5. Click Back Up Now. A notification appears indicating whether the request was processed successfully.

When you perform a manual backup from the Infrastructure > Assets window, you can back up only one asset at a time. To perform this manual backup:

1. Select Infrastructure > Assets. 2. Select the tab for the asset type you want to back up. A list of assets appears. 3. Select an asset from the table that has an associated protection policy.

NOTE: You can select only one asset at a time for manual backup. The protection policy must be enabled, and its

purpose must not be Exclusion or Self-Service Protection. A full backup is created for the selected asset.

4. Click Back Up Now. A notification appears indicating whether the request was processed successfully.

When a virtual machine is part of an application-aware protection policy, the manual backup is a full application-aware backup.

NOTE: The backup generated by a manual backup is managed by other configured stages (promotion backup, replication,

cloud tier, cloud DR) of the parent protection policy.

On-demand cloud tiering of protected assets Once you add assets to a protection policy that contains a cloud tier stage, you can perform on-demand tiering of these assets by using the PowerProtect Data Manager UI.

NOTE: On-demand cloud tiering of a copy set requires the related protection policy to have a cloud tier stage.

To perform on-demand cloud tiering:

1. Select Infrastructure > Assets. 2. On the Assets window, select the tab for the asset type you want to back up. A list of assets appears. 3. Select an asset from the table that has an associated protection policy, and then click View Copies.

NOTE: You can only select one asset at a time, and the protection policy that is associated with the asset cannot be an

exclusion policy.

4. Click the DD icon to display the available backup copies in the right pane. 5. Select a backup copy, and then click Tier. A notification appears indicating whether the request was processed successfully.

Go to the Jobs window to monitor the progress of the tiering operation.

Managing Protection Policies 65

Editing a protection policy You can use the PowerProtect Data Manager UI to make any of the following changes to an existing policy:

Policy name and description Backup schedule Backup optimization mode Settings for network interface, storage quotas, and retention lock Adding or removing assets from the policy.

NOTE: You cannot modify a protection policy type or purpose.

Modify a policy name and description, schedule, or options

The following procedure describes how to make changes to an existing policy's name and description, backup schedule, or additional backup options in the PowerProtect Data Manager UI.

Prerequisites

If applicable, complete all of the virtual network configuration tasks before you assign any virtual networks to the protection policy.

About this task

NOTE: You can also edit a protection policy to add or remove assets. Detailed instructions for adding assets to a policy or

removing assets from a policy are provided in the section Add or remove assets in a protection policy on page 67.

Steps

1. Select Protection > Protection Policy.

The Protection Policy window opens.

2. Select the protection policy that you want to modify, and click Edit.

The Edit Policy window opens on the Summary page. From this page, you can click edit next to any available row to change specific policy details.

3. In the Name or Description rows, click Edit. The Type page displays.

NOTE: You cannot change the type or purpose of an existing policy.

4. In the Schedule row, click Edit. The Schedule page displays. From this page, you can make changes to the backup schedule, modify the settings for the network interface, enable or disable the retention lock, and change storage quotas.

NOTE: Dell EMC recommends that you do not edit the network interface for Application Agent assets such as File

System, SQL, ORACLE, and SAP HANA, because it will cause subsequent backup failure. The workaround is to set the

lockbox, which will trigger a new asset configuration.

You can also change the storage targets by selecting a new Storage Name in the Primary Backup and Replicate rows. For more information about changing storage targets, see the section Changing storage targets on page 67.

5. In the Options row, click Edit. The Options page displays. From this page, you can change the backup optimization mode (for example, from Performance to Capacity), select whether to include or exclude swap files from the backup, and select whether to quiesce the guest file system during the backup.

6. After making your changes, click Next to save the changes and return to the Summary page.

7. On the Summary page, click Finish. An informational dialog displays.

8. Click OK to exit the dialog, or click Go to Jobs to open the Jobs window to monitor the backup of the new protection policy.

66 Managing Protection Policies

Changing storage targets

PowerProtect Data Manager protection policies can be edited in order to change the storage targets being used.

When editing protection policies and viewing the Schedule page, you can change the selected entries for Storage Name in the Primary Backup and Replicate rows. The current entry of each is selected from a drop-down list of those storage targets that are available for the current protection policy.

When reviewing a currently selected storage target and those that are available to choose from, the following should be considered:

The storage target selected for Storage Name in the Primary Backup row will not appear in the drop-down list for Storage Name in the Replicate row.

The storage target selected for Storage Name in the Replicate row will not appear in the drop-down list for Storage Name in the Primary Backup row.

Only those storage targets that have been licensed and configured for use by the current protection policy will appear in a drop-down list.

If a storage target exists but does not appear in a drop-down list, you can click Add at the bottom of the list to configure it for use with the protection policy.

When a storage target is changed, a new storage unit name is automatically created, and its configuration is passed to any backup agents.

Changing storage targets in Storage Group protection policies is not supported.

NOTE:

If you change the storage target for Primary Backup, it might prevent any scheduled backups from being performed

until after the next full backup. To ensure all scheduled backups are performed on schedule, click Back Up Now from

the Protection > Protection Policy pane. This does not apply to VMware crash-consistent or File System backups for

Primary Backup. For those asset types, the storage target can be changed and all scheduled backups will be performed

without further action. It also does not apply to any backups for Replicate.

When you change a storage target, ensure that any dependencies are appropriately configured. For example, you might

need to configure a cloud provider to use the new storage target.

Add or remove assets in a protection policy

Use the PowerProtect Data Manager UI to add or remove an asset in a protection policy.

About this task

When a protection policy is edited and new assets are added, backups for the new assets start from the next scheduled FULL backup job for the protection policy.

Steps

1. Select Protection > Protection Policy.

The Protection Policy window appears.

2. Select the protection policy that you want to modify, and click Edit.

The Edit Policy window opens on the Summary page.

3. In the Assets row, click Edit. The Assets page appears.

NOTE: For virtual machine protection policies, the view that you selected when creating the policy is retained in this

page, and cannot be changed. For example, if you set up this policy with View Asset Table selected, all assets

protected by this policy will display in a table on this page, and the option to select View by Host will be disabled. Both

views provide additional information about the virtual machines, such as any currently associated tags, protection rules,

and whether the virtual machine is already assigned to another policy, to help you identify which assets you want to add

or remove from this policy.

4. To remove containers or assets from the protection policy, select the object and click Remove.

The Assets page updates with the changes.

5. To add a container or asset to the protection policy:

Managing Protection Policies 67

a. Click + Add.

The Add Unprotected Assets dialog displays any objects that are unprotected.

b. Select the individual unprotected assets that you want to add to the policy, or select a container level within the hierarchy to add all assets within that level, and then click Add.

The Assets page updates with the changes.

6. Optionally, if you want to exclude non-production VMDKs such as network shares or test disks from a protection policy:

a. Select the virtual machine asset from the list, and then click Manage Exclusions in the Disk Excluded column.

The Exclude Disks dialog box appears. By default, the slider next to each VMDK is set to Included.

b. For each disk that you want to exclude, move the slider to the right. The status updates to Excluded.

NOTE: For PowerProtect Data Manager version 19.3, a virtual machine with disk exclusion and Cloud Disaster

Recovery (DR) cannot coexist in the same protection policy. If you exclude disks from a virtual machine protection

policy, Cloud DR is not supported.

c. Click Save. The Assets page updates to indicate the number of disks for that particular asset that will be excluded from the protection policy.

7. Click Next to save the changes and go to the Summary page.

8. In the Summary page, click Finish An informational dialog box appears.

9. Click OK to exit the dialog box, or click Go to Jobs to open the Jobs window to monitor the backup of the new protection policy.

Edit the retention period for backup copies You can edit the retention period of one or more backup copies to extend or shorten the amount of time that backups are retained.

About this task

You can edit retention for all asset types and backup types.

Steps

1. Select Infrastructure > Assets.

2. From the Assets window, select the tab for the asset type for which you want to edit retention. If a policy has been assigned, the table lists the assets that have been discovered, along with the associated protection policy.

NOTE: For virtual machine assets, you can click the link in the Disk Excluded column next to a virtual machine asset to

view VMDKs that have been excluded from the protection policy. You cannot, however, edit disk inclusion or exclusion

from this window. To change the disks that are excluded for a protected asset, select the policy from the Protection

Policies window and click Edit.

3. Select a protected asset from the table, and then click View Copies. The Copy Locations pane identifies where the backups are stored.

4. In the left pane, click the storage icon to the right of the icon for the asset, for example, DD. The table in the right pane lists the backup copies.

5. Select one or more backup copies from the table and click Edit Retention.

6. Choose one of the following options:

To select a calendar date as the expiration date for backups, select Retention Date. To define a fixed retention period in days, weeks, months, or years after the backup is performed, select Retention

Value. For example, you could specify that backups expire after 6 months.

NOTE: When you edit the retention period for copies that are retention locked, you can only extend the retention

period.

7. When satisfied with the changes, click Save. The asset is displayed in the list with the changes. The Retention column displays both the original and new retention period, and indicates whether the retention period has been extended or shortened.

68 Managing Protection Policies

Delete backup copies In addition to deleting backups upon expiration of the retention period, PowerProtect Data Manager enables you to manually delete backup copies from the DD system.

About this task

If you no longer require a backup copy and the retention lock is not enabled, you can delete backup copies prior to their expiration date.

Starting with PowerProtect Data Manager version 19.6, you can perform a backup copy deletion that deletes only a specified part of a backup copy chain, without impacting the ability to restore other backup copies in the chain. When you select a specific backup copy for deletion, only that backup copy and the backup copies that depend on the selected backup copy are deleted. For example, when you select to delete a full backup copy, any other backup copies that depend on the full backup copy are also deleted.

Steps

1. Select Infrastructure > Assets.

2. From the Assets window, select the tab for the asset type for which you want to delete copies. If a policy has been assigned, the table lists the assets that have been discovered, along with the associated protection policy.

3. Select a protected asset from the table, and then click View Copies. The Copy Locations pane identifies where the backups are stored.

4. In the left pane, click the storage icon to the right of the icon for the asset, for example, DD. The table in the right pane lists the backup copies.

5. Select one or more copies from the table that you want to delete from the DD system, and then click Delete.

A preview window opens and displays the selected backup copies.

NOTE: For assets with backup copies that are chained together such as Microsoft SQL databases, Oracle databases,

SAP HANA databases, and application-aware virtual machines, the preview window lists all the backup copies that

depend on the specified backup copy. If you delete a backup copy, PowerProtect Data Manager deletes the specified

backup copy and all backup copies that depend on the specified backup copy.

6. For all asset types, you can choose to keep the latest backup copies or delete them. By default, PowerProtect Data Manager keeps the latest backup copies. To delete the latest backup copies, clear the checkbox next to Include latest copies.

For VMAX storage group backup copies, you can choose to delete copies that are grouped together in the same protection transaction or delete only selected copies. By default, PowerProtect Data Manager deletes copies that are grouped together in the same protection transaction. To delete only selected copies, clear the checkbox next to Include copies in the same protection transaction.

7. To delete the backup copies, in the preview window, click Delete.

NOTE: The delete operation may take a few minutes and cannot be undone.

An informational dialog box opens to confirm the copies are being deleted. To monitor the progress of the operation, click Go to Jobs. To view the list of backup copies and their status, click OK.

When the job completes, the task summary provides details of each deleted backup copy, including the time that each copy was created, the backup level, and the retention time. The time of copy creation and the retention time is shown in UTC.

An audit log is also generated and provides details of each deleted backup copy, including the time that each copy was created, the backup level, and the retention time. The time of copy creation and the retention time is shown in UTC. Go to Alerts > Audit Logs to view the audit log.

8. Verify that the copies are deleted successfully from the DD system. If the deletion is successful, the deleted copies no longer appear in the table.

Managing Protection Policies 69

Retry a failed backup copy deletion

If a backup copy is not deleted successfully, you can manually retry the operation.

Steps

1. From the Assets window, select the tab for the asset type for which you want to delete copies. If a policy has been assigned, the table lists the assets that have been discovered, along with the associated protection policy.

2. Select a protected asset from the table, and then click View Copies. The Copy Locations pane identifies where the backups are stored.

3. In the left pane, click the storage icon to the right of the icon for the asset, for example, DD. The table in the right pane lists the backup copies.

4. Select one or more backup copies with the Deletion Failed status from the table, and then click Delete.

You can also filter and sort the list of backup copies by status in the Copy Status column.

The system displays a warning to confirm you want to delete the selected backup copies.

5. Click OK. An informational dialog box opens to confirm that the copies are being deleted. To monitor the progress of the operation, click Go to Jobs. To view the list of backup copies and their status, click OK.

6. Verify that the copies are successfully deleted from the DD system. If the deletion is successful, the deleted copies no longer appear in the table.

Export data for deleted backup copies

This option enables you to export results of deleted backup copies to a CSV file so that you can download an Excel file of the data.

Steps

1. From the Assets window, select the tab for the asset type for which you want to export results of deleted backup copies. If a policy has been assigned, the table lists the assets that have been discovered, along with the associated protection policy.

2. Select one or more protected assets from the table and click Export Deleted Copies.

If you do not select an asset, PowerProtect Data Manager exports the data for deleted backup copies for all assets for the specific asset type.

3. Specify the following fields for the export:

a. Time Range

The default is Last 24 Hours.

b. Copy Status

In order to export data for deleted backup copies, the backup copies must be in one of the following states:

Deleted Deleting Deletion Failed Deletion Failed (Agent Catalog)

NOTE: You cannot export data for backup copies that are in an Available state.

4. Click Download. If applicable, the navigation window appears for you to select the location to save the CSV file.

5. Save the CSV file in the desired location and click Save.

70 Managing Protection Policies

Remove backup copies from the PowerProtect Data Manager database

This option enables you to delete the backup copy records from the PowerProtect Data Manager database, but keep the backup copies in the DD system.

About this task

For backup copies that could not be deleted from the DD system, you can remove the backup copies from the PowerProtect Data Manager database. Removing the backup copies from PowerProtect Data Manager does not delete the copies in the DD system.

Steps

1. From the Assets window, select the tab for the asset type for which you want to delete copies. If a policy has been assigned, the table lists the assets that have been discovered, along with the associated protection policy.

2. Select a protected asset from the table, and then click View Copies. The Copy Locations pane identifies where the backups are stored.

3. In the left pane, click the storage icon to the right of the icon for the asset, for example, DD. The table in the right pane lists the backup copies.

4. Select one or more backup copies with the Deletion Failed or Deletion Failed (Agent Catalog) status from the table, and then click Remove from PowerProtect.

For backup copies with the Deletion Failed (Agent Catalog) status, click Remove from PowerProtect to remove the information from PowerProtect Data Manager for any backup copies that were successfully deleted from the DD system but for which the agent catalog was not deleted from the agent host.

The system displays a warning to confirm you want to delete the selected backup copies.

5. Click OK. An informational dialog box opens to confirm that the copies are being deleted. To monitor the progress of the operation, click Go to Jobs. To view the list of backup copies and their status, click OK.

6. Verify that the copies are deleted from the PowerProtect Data Manager database. If the deletion is successful, the deleted copies no longer appear in the table. The backup copies remain in the DD system.

Removing expired backup copies PowerProtect Data Manager deletes the backup copies of an asset automatically when the retention period of the copy expires.

Information about specifying retention periods for a protection policy schedule is provided within the topic for each policy type.

In order for an expired copy to be deleted, the asset must be managed by PowerProtect Data Manager and in one of the following states:

Protected The asset is currently assigned to an enabled protection policy. Previously Protected The asset has been unassigned from a protection policy and has not yet been re-assigned to

another policy or assigned to an Exclusion policy.

Expired copy cleanup occurs at 00:00 AM UTC each day. If a copy deletion fails, a warning alert appears in the audit log under Alerts > System.

You can monitor the progress of the expired copy removal job from the Jobs window.

Export protection This option enables you to export protection jobs and compliance records to a .CSV file so that you can download an Excel file of protection results data.

Steps

1. Select Protection > Protection Policy.

The Protection Policy window appears, which displays the following information:

Managing Protection Policies 71

Asset type Purpose Group Name Number of Protected Assets Asset Capacity Number of Failures Number of SLA Violations

2. Select the protection policy for which you would like to export the protection records.

If you do not select a protection policy, PowerProtect Data Manager exports the protection records for all the protection policies.

3. Click Export. The Export Asset Protection window appears.

4. Specify the following fields for the export:

a. The Time Range.

The default is Last 24 hours.

This refers to the last complete midnight-to-midnight 24-hour period; that is, yesterday. So, any events that have occurred since the most recent midnight are not in the CSV export. For example, if you run the CSV export at 9am, any events that have occurred in the last 9 hours are not in the CSV export. This is to prevent the overlapping of or partial exporting when queried mid-day on a regular or irregular basis.

b. The Job Status. c. Click Download.CSV.

If applicable, the navigation window appears for you to select the location to save the CSV file.

5. If applicable, save the .CSV file in the desired location and then click Save.

Delete a protection policy You can delete a protection policy that is not protecting any assets.

Prerequisites

If the policy you want to delete is protecting assets, you must associate those assets with a different protection policy before you can delete the policy.

About this task

Use the PowerProtect Data Manager UI to delete a protection policy.

Steps

1. Select Protection > Protection Policy.

2. Select the policy you want to delete and click Delete.

Results

Upon deleting a policy, clean-up of unnecessary components on the DD system, such as storage-units and the Boost user, occurs automatically according to schedule.

Add a Service Level Agreement The SLA Compliance window in the PowerProtect Data Manager UI enables you to add a service level agreement (SLA) that identifies your Service Level Objectives (SLOs). You use the SLOs to verify that your protected assets are meeting the Service Level Agreements (SLAs).

About this task

NOTE: When you create an SLA for Cloud Tier, you can include only full backups in the SLA.

72 Managing Protection Policies

Steps

1. Select Protection > SLA Compliance.

The SLA Compliance window displays with the following information:

SLA Name Stage Type Policies At Risk Objectives Out of Compliance Impacted Assets

2. Select the type of asset for which you want to add the SLA, and click Add.

The Add Service Level Agreement Type window appears.

3. Select the type of SLA that you want to add, and then click Next.

Policy. If you choose this type, go to step 4 Backup. If you choose this type, go to step 5. Promotion. If you choose this type, go to step 6. Replication. If you choose this type, go to step 7. Cloud Tier. If you choose this type, go to step 8.

You can select only one type of Service Level Agreement.

4. If you selected Policy, specify the following fields regarding the purpose of the new Policy SLA:

a. The SLA Name. b. If applicable, select Minimum Copies, and specify the number of Backup and Replication. c. If applicable, select Maximum Copies, and specify the number of Backup and Replication. d. If applicable, select Available Location and select the applicable locations. To add a location, click Add Location.

Options are:

InInclude locations of all copies in the SLO locations. Does not require every SLO location to have a copy. Must InInclude locations of all copies in the SLO locations. Requires every SLO location to have at least one copy. ExcludeLocations of all copies must be other than SLO locations.

e. Click Finish and go to step 9.

5. If you selected Backup, specify the following fields regarding the purpose of the new Backup SLA:

a. The SLA Name. b. If applicable, select Recovery Point Objective (RPO), and then set the duration. The purpose of an RPO is business

continuity planning, and refers to the maximum targeted period in which data (transactions) might be lost from an IT service due to a major incident.

NOTE: You can select only Recovery Point Objective to configure as an independent objective in the SLA, or

select both Recovery Point Objective and Compliance Window. If you select both, the RPO setting must be one

of the following:

Greater than 24 hours or more than the Compliance window duration, in which case RPO validation will occur

independent of the Compliance Window.

Less than or equal to the Compliance Window duration, in which case RPO validation will occur within the

Compliance Window.

c. If applicable, select Compliance Window, and then set the duration, which refers to the time it takes to create the backup copy. Ensure that the Start Time and End Time of backup copy creation falls within the Compliance Window duration specified.

These are the times in which you can expect the specified activity to take place. Any specified activity that occurs outside of this Start Time and End Time triggers an alert.

d. If applicable, select the Verify expired copies are deleted option.

Verify expired copies are deleted is a compliance check to see if PowerProtect Data Manager is deleting expired copies. This option is disabled by default.

e. If applicable, set the Retention Time Objective, and specify the number of Days, Months, Weeks or Years. f. If applicable, select the Verify Retention Lock is enabled for all copies option. This option is disabled by default. g. Click Finish, and go to step 9.

The SLA Compliance window appears with the newly added SLA.

Managing Protection Policies 73

6. If you selected Promotion, specify the following fields regarding the purpose of the new Promotion SLA:

a. The SLA Name. b. If applicable, specify the Recovery Point Objective. c. If applicable, select the Verify expired copies are deleted option.

Verify expired copies are deleted is a compliance check to see if PowerProtect Data Manager is deleting expired copies. This option is disabled by default.

d. If applicable, set the Retention Time Objective, and specify the number of Days, Months, Weeks, or Years. e. If applicable, select the Verify Retention Lock is enabled for all copies option. This option is disabled by default. f. Click Finish, and go to step 9.

The SLA Compliance window appears with the newly added SLA.

7. If you selected Replication, specify the following fields regarding the purpose of the new Replication SLA:

a. The SLA Name. b. If applicable, select the Compliance Window, and specify the Start Time and End Time.

These are the times which are permissible and in which you can expect the specified activity to take place. Any specified activity that occurs outside of this start time and end time triggers an alert.

c. If applicable, select the Verify expired copies are deleted option.

Verify expired copies are deleted is a compliance check to see if PowerProtect Data Manager is deleting expired copies. This option is disabled by default.

d. If applicable, set the Retention Time Objective, and specify the number of Days, Months, Weeks, or Years. e. If applicable, select the Verify Retention Lock is enabled for all copies option. This option is disabled by default. f. Click Finish, and go to step 9.

The SLA Compliance window appears with the newly added SLA.

8. If you selected Cloud Tier type SLA, specify the following fields regarding the purpose of the new Cloud Tier SLA:

a. The SLA Name. b. If applicable, select the Verify expired copies are deleted option.

This option is a compliance check to see if PowerProtect Data Manager is deleting expired copies. This option is disabled by default.

c. If applicable, set the Retention Time Objective and specify the number of Days, Months, Weeks, or Years. d. If applicable, select the Verify Retention Lock is enabled for all copies option. This option is disabled by default. e. Click Finish.

9. Add the newly added SLA to the protection policy. Select Protection > Protection Policy.

10. In the Schedule section of the Summary window, click Edit.

11. Do one of the following, and then click Next:

Select the added Policy SLA from the Set Policy Level SLA list. Create and add the new SLA policy from theSet Policy Level SLA list.

The Summary window appears.

12. Click Finish. An informational message appears to confirm that PowerProtect Data Manager has saved the protection policy.

13. Click Go to Jobs to open the Jobs window to monitor the backup and compliance results, or click OK to exit.

NOTE: Compliance checks occur automatically every day at 2 am Coordinated Universal Time (UTC).

14. In the Jobs window, click next to an entry to view details on the SLA Compliance result.

Export Asset Compliance This option enables you to export compliance records to a CSV file so that you can download an Excel file of compliance results data.

Steps

1. Select Protection > SLA Compliance.

The SLA Compliance window appears. The PowerProtect Data Manager SLA Compliance window displays the following information:

74 Managing Protection Policies

SLA Name Stage Type Policies At Risk Objectives Out of Compliance Impacted Assets

2. Select the SLA for which you would like to export the compliance records.

3. Click Export Asset Compliance. The Export Asset Compliancewindow appears.

4. Specify the following fields for the export:

a. The Time Range.

The default is Last 24 hours.

This refers to the last complete midnight-to-midnight 24 hour period; that is, yesterday. So, any events that have occurred since the most recent midnight are not included in the CSV export. For example, if you run the CSV export at 9am, any events that have occurred in the last 9 hours are not included in the CSV export. This is to prevent the overlapping of or partial exporting when queried mid-day on a regular or irregular basis.

b. The Job Status. c. Click Download.CSV.

If applicable, the navigation window appears for you to select the location to save the CSV file.

5. If applicable, save the CSV file in the desired location and click Save.

Protection Rules Protection rules enable you to automatically determine which assets are assigned to protection policies when the assets are discovered, based on the rule definitions (rules for inclusion).

When you define a protection rule for a protection policy, note the following requirements:

A protection policy must exist prior to creating the protection rule. An asset can only belong to one protection policy. Starting with PowerProtect Data Manager 19.6, assets can be moved from one policy to another policy based on the

priorities of the protection rule. Virtual machine tags created in the vSphere Client can only be applied to a protection rule. To ensure the protection of homogeneous assets, the protection rule must specify a storage asset type. A virtual machine application-aware protection policy that protects a Microsoft SQL Server Always On availability group

(AAG) must include all the virtual machines of the AAG in the same protection group. Failure to meet this requirement might result in Microsoft SQL Server transaction log backups being skipped. Ensure that the protection rules are designed to include all the AAG virtual machines.

NOTE: With PowerProtect Data Manager 19.6 or later, ensure that Oracle protection rules do not use the DB ID and Oracle

SID Name field settings that were supported with earlier versions.

You can manually move an asset into a protection policy, overriding its automatic placement as defined by protection rules. If you do this, the asset will remain protected by that policy, but protection rules will no longer apply to it. To allow protection rules to apply to the asset again, remove the asset from the protection policy.

Creating virtual machine tags in the vSphere Client

Creating virtual machine tags in the vSphere Client is supported by PowerProtect Data Manager with vSphere versions 6.5 and later. Tags enable you to attach metadata to the virtual assets in the vSphere inventory, which makes assets easier to sort and search for when creating a protection policy.

Asset inclusion in a PowerProtect Data Manager protection policy is based on the filtering criteria that you specify when creating a protection rule.

When you create a tag in the vSphere Client, the tag must be assigned to a category in order to group related tags together. When defining a category, you can specify the object types to which the tags will be applied and whether more than one tag in the category can be applied to an object. Within a single rule, you can apply up to 50 rule definitions to tags and categories, as shown in the following example where Category is the category name and Bronze is the tag name:

Category:Category1,Tag:Bronze1

Managing Protection Policies 75

Category:Category2,Tag:Bronze2 Category:Category3,Tag:Bronze3 ... Category:Category50,Tag:Bronze50

In the above example, category names and tag names that exceed 9 or 7 characters respectively reduce the limit for rule definitions in a single rule to less than 50. When rule definitions exceed the maximum limit, no virtual machines are backed up as part of the group, because no members are associated with the group. As a best practice, keep the number of rule definitions within a single rule to 10 or fewer and, in cases where there are a large number of rule definitions within a single rule, keep the number of characters in category or tag names to 10 or fewer.

To view existing tags for vCenter in the vSphere Client, select Menu > Tags & Custom Attributes, and then select the Tags tab. Click a tag link in the table to view the objects associated with this particular tag.

For PowerProtect Data Manager to include tagged assets in a protection rule based on the tags created for the vCenter, you must assign at least one tag to at least one virtual machine. Note that tags associated with containers of virtual machines (for example, a virtual machine folder) are not currently supported for tag associations to assets.

NOTE: Once virtual machines are associated with tags, the association is not reflected in the PowerProtect Data Manager

UI until the timeout period has completed. The default timeout to fetch the latest inventory from the vCenter server is 15

minutes. When adding a protection rule and using tags as the asset filter, you must select VM Tags.

Add a Protection Rule

Use the PowerProtect Data Manager UI to add protection rules. When an asset meets the filter conditions of the rule, the asset is automatically assigned to the protection policy that you define for the protection rule.

Prerequisites

Steps

1. Select Protection > Protection Rules.

The Protection Rules window appears.

2. Click the tab to select the type of host for which you would like to add the protection rule, for example, Virtual Machines, and then click Add.

The Add Protection Rule wizard opens on the Protection Policy page.

3. Select the target protection policy for the protection rule and click Next. The Asset Filter page appears.

4. Specify the following fields to indicate the purpose of the new protection rule:

a. Name. For example, SQL Rules Prod Finance b. Description. For example, SQL Rules Prod Servers Finance.

c. Field. Using the three fields, build an asset filter that matches your purpose.

From the list in the first field, select an asset name (such as Datacenter Name or namespace name), characteristic (such as asset size), or a tag (VM Tags or namespace label) to use as the rule criteria when searching for assets. The options available depend upon the host type selected in step 2.

From the list in the second field, select the matching criteria. For an asset name, you can select from several options including Begins with, Ends with, Contains, or Equals. For an asset characteristic such as size, you can select Greater than or Less than. For a virtual machine tag or namespace label, you can only select Includes or Does not include.

In the third field, type a search phrase to apply to the rule criteria to determine a match.

For example, a rule with the filters SQL Server Instance Name, Contains, and Finance helps you create a rule to match the assets in your finance department to the selected protection policy.

d. Click Apply. Any asset that matches the rule and is not currently included in a PowerProtect Data Manager protection policy displays in the Unprotected Assets matching filter table.

e. Verify that the assets that display in the Unprotected Assets matching filter table are the assets that you want to include in the protection policy. If not, clear the filter to view all unprotected assets and build your filter again.

f. When satisfied with the rule matches, click Next.

The Summary page appears.

76 Managing Protection Policies

5. Click Finish.

Results

The protection rule is run automatically upon creation.

Run a Protection Rule on demand

PowerProtect Data Manager automatically runs protection rules when new assets are detected or when existing assets are modified. You can also run protection rules on demand.

Prerequisites

NOTE:

For SQL, Oracle, SAP HANA, and File system asset types, the protection rule runs only upon scheduled discovery in

PowerProtect Data Manager. Ensure that you schedule discovery for these asset types.

To schedule discovery in the PowerProtect Data Manager UI, complete the following steps:

1. Select Infrastructure > Asset Sources.

2. Select the App/File System Host tab.

3. Select the application host, and then click Discover.

4. From the Discovery Schedule list, select the time of day to initiate the discovery.

Steps

1. Select Protection > Protection Rules.

The Protection Rules window appears.

2. Select the required protection rules, and then click Run.

PowerProtect Data Manager runs all the selected protection rules of the current asset type.

Edit or delete a Protection Rule

Use the PowerProtect Data Manager UI to edit a protection rule. You can change the name, description, the rule filters, and the associated protection policy.

Steps

1. Select Protection > Protection Rules.

The Protection Rules window appears.

2. Select a protection rule, and then click Edit. The Summary window appears.

3. To edit the name or description of the protection rule, modify the desired fields and click Finish.

4. To delete a protection rule, select the rule and click Delete.

When you click Delete, PowerProtect Data Manager will remove from protection policies any assets that were added because of this protection rule. PowerProtect Data Manager will add those assets again if you do not update related protection rules.

Change the priority of an existing Protection Rule

Use the PowerProtect Data Manager UI to change the priority of a protection rule.

About this task

When multiple protection rules exist, you can define the priority of each rule. Priority determines which protection rule that PowerProtect Data Manager will apply to an asset if the asset matches multiple protection rules, and if the matching rules have conflicting actions. For example, if an asset protection policy assignment matches several protection rules and each rule

Managing Protection Policies 77

specifies a different protection policy assignment, the protection policy is determined by the protection rule with the highest priority.

An integer is used to represent the priority of the protection rule. The smaller value has the higher priority.

Steps

1. Select Protection > Protection Rules.

The Protection Rules window appears.

2. To change a protection rule's priority, select the rule and click Up or Down.

The smaller value has the higher priority.

Configure the behavior of Protection Rules

You can use the REST API to change the system settings for protection rules to determine the behavior that results when a rule changes.

The API documentation at https://developer.dellemc.com provides instructions. NOTE: If upgrading from a previous release of PowerProtect Data Manager, the configured behavior for protection rule

changes continues to be applied to the current release. For example, in PowerProtect Data Manager 19.4 if you did not

enable changes to protection rule behavior in the application.properties configuration file to move assets across

policies, you will not be able to change the behavior using this method in PowerProtect Data Manager 19.5 or later.

However, if you updated this configuration file to enable movement of assets across policies when protection rules change,

then this behavior will continue to be applied to move assets across policies after the upgrade.

78 Managing Protection Policies

Restoring Data and Assets

Topics:

View backup copies available for restore Restore a virtual machine or VMDK Restore an application-aware virtual machine backup Restoring a Kubernetes namespace Self-service restore of Kubernetes namespaces Restore the PowerProtect Data Manager server Restore Cloud Tier backups to the DD system

View backup copies available for restore When a protection policy is successfully backed up, PowerProtect Data Manager displays details such as the name of the storage system containing the asset backup, location, the creation and expiry date, and the size. To view a backup summary:

Steps

1. From the PowerProtect Data Manager UI, select Infrastructure > Assets, or go to Recovery > Assets.

Assets that have copies are listed.

2. Select a tab to view assets by type.

The entire list of assets that are associated with this type are listed. You can also search for assets by name. For virtual machines, you can also click the File Search button to search on specific criteria.

NOTE: In the Recovery > Assets window, only tabs for asset types supported for recovery within PowerProtect Data

Manager display. Supported asset types include the following:

Virtual Machines

File System

Storage Group

Kubernetes

3. To view more details, select an asset and click View copies.

The copy map consists of the root node and its child nodes. The root node in the left pane represents an asset, and information about copy locations appears in the right pane. The child nodes represent storage systems.

When you click a child node, the right pane displays the following information:

Storage system where the copy is stored. The number of copies Details of each copy, including the time that each copy was created, the consistency level, the size of the copy, the

backup type, the copy status, and the retention time. The indexing status of each copy at the time of copy creation:

Success indicates that all files or disks are successfully indexed. Partial Success indicates that only some disks or files are indexed and might return partial results upon file search. Failed indicates that all files or disks are not indexed. In Progress indicates that the indexing job is in progress.

If indexing has not been configured for a backup copy, or if global expiration has been configured and indexed disks or files have been deleted before the backup copy expiration date, the File Indexing column displays N/A.

The indexing status updates periodically which enables you to view the latest status.

7

Restoring Data and Assets 79

For virtual machine backups, a Disk Excluded column enables you to view any virtual disks (VMDKs) that were excluded from the backup.

Restore a virtual machine or VMDK After virtual assets are backed up as part of a virtual machine protection policy in the PowerProtect Data Manager UI, you can perform image-level and file-level recoveries from individual or multiple virtual machine backups, and also restore individual virtual machine disks (VMDKs) to their original location.

All types of recoveries are performed from the Recovery > Assets window. Recovery options include the following:

Restore and Overwrite Original VM: Restore to the original virtual machine. Restore Individual Virtual Disks: Restore select virtual disks to the original location. Create and Restore to New VM: Restore to a new virtual machine. Instant Access VM: Instant access to the virtual machine backup for browse and restore. File Level Restore: Restore individual files/folders the original or a new virtual machine Direct Restore to ESXi: Recover the virtual machine directly to an ESXi host without a vCenter server.

The Restore button, which launches the Restore wizard, is disabled until you select one or more virtual assets in the Recovery > Assets window. Selecting multiple assets disables the View Copies button, since this functionality is available within the first page of the Restore wizard.

To access the Restore and Overwrite Original VM, Create and Restore to New VM, and Instant Access VM recovery types, or the Restore Individual Virtual Disks option, select one or more virtual assets and then click Restore to launch the Restore wizard.

To access the File Level Restore and Direct Restore to ESXi recovery options, select a virtual asset and then click View Copies.

In both instances, you must select a backup copy in the first page of the Restore wizard before you can go to the Options page, which displays the available recovery options.

NOTE: For all options, recovery in the PowerProtect Data Manager UI can only be performed if the backup or replica is on a

DD system. If a replica backup does not exist on such storage, you must manually replicate this backup to DD storage

before performing the restore.

The following sections describe each recovery option and provide instructions to perform the recovery.

NOTE: SQL virtual machine full database and transaction log restore from application-aware virtual machine protection

policies must be performed using Microsoft application agent tools. The section Restore an application-aware virtual

machine backup provides more information.

Restoring a virtual machine backup with the storage policy association

vSphere storage-based policies are used to communicate to the storage system details about how the virtual machine and its contents should be stored. At the time of backup, the existing policy assignments for the virtual machine will be stored in the backup copy.

During a restore to the original virtual machine in the PowerProtect Data Manager UI or the vSphere Client, you can select the Restore Storage Policies option if you want to restore any virtual machine disk-level or non-disk specific storage policy assignments.

This option is only applicable to virtual machine backup copies taken with PowerProtect Data Manager 19.6 and later. If you select this option but the virtual machine backup copy was created with PowerProtect Data Manager version 19.5 and earlier, or the storage policy has been deleted from the vCenter Server, the virtual machine restore will proceed but any storage policy association will not be restored.

NOTE: Enabling this option requires vCenter version 6.7 and later.

80 Restoring Data and Assets

Prerequisites to restore a virtual machine

Review the following requirements before you restore a virtual machine in PowerProtect Data Manager:

Users who want to perform a virtual machine restore must have Admin or Export and Recovery Admin privileges. Go to Administration > Roles and review the user profile to ensure that the user has the appropriate privileges. A user with the role "User" cannot perform a restore.

Ensure that you have added the DD system, the DD Management Center (DDMC) or DD Virtual Edition (DDVE), and the vCenter server, and that the protection of virtual machine copies has completed successfully.

To check, go to Infrastructure > Assets and Infrastructure > Asset Sources.

Ensure that protection of the virtual machines completed successfully. If the virtual machines have been backed up by a protection policy, the assets appear in the Recovery > Assets window.

If performing a restore to the original virtual machine, a minimum vCenter version 6.7 is required if you want to restore the virtual machine protection policy backup's storage policy assignments.

If performing a restore to a new location, ensure that sufficient space is available on the target datastore. Verify that the virtual machine copy that is selected for restore has not expired.

Restore and Overwrite original virtual machine

Recovers a virtual machine backup to its original location on the vCenter. This operation rolls the virtual machines that you backed up with the protection policy in PowerProtect Data Manager to an earlier point in time. Use this process for restoring the production system.

Prerequisites

Review Prerequisites to virtual machine restore before performing the restore.

About this task

NOTE: If the original virtual machine was deleted, a Restore and Overwrite Original VM recovery attempts to re-create

the virtual machine. However, if the original virtual machine resources such as the datastore and cluster are no longer

available, the restore fails and a Restore to New is required.

Steps

1. In the PowerProtect Data Manager UI, select Recovery > Assets and select the Virtual Machines tab.

The Recovery window displays all virtual machines available for recovery.

2. Select the checkbox next to the appropriate virtual machines and click Restore.

You can also use the filter in the Name column to search for the asset name of the specific virtual machine or use the File Search button to search on specific criteria for files within backed-up virtual machines.

The Recovery wizard appears.

3. On the Select Copy page, for each virtual machine that is listed in the table, select the radio button next to the virtual machine and click Choose Copy. The Choose Copy dialog box appears.

NOTE: If you click Next without choosing a copy, the most recent backup copy is used.

4. If the backup is on a DD system, click DD, and then select from one of the available copies that display in the table.

5. Click OK to save the selection and exit the dialog, and then click Next.

6. On the Purpose page, select Restore Entire VMs to restore the image-level virtual machine backup to the original location, and then click Next.

NOTE: If you specified any disk exclusions in the virtual machine protection policy, a message appears indicating that

disks were excluded from this backup. If one of the excluded disks was a boot disk, the restore might not complete

successfully.

The Restore Type page displays.

7. On the Restore Type page:

a. Select Restore to Original Folder and Overwrite Original Files.

Restoring Data and Assets 81

NOTE: If the system determines that the original virtual machine datastore(s) may be insufficient to complete the

restore a warning is displayed. In this case, create more space in the original datastore(s), and then, select Proceed

Anyways.

b. Select the Restore VM Tags checkbox to restore vCenter tags and categories associated with this backup copy. Tags are backed up by default as part of the virtual machine protection policy backup.

NOTE: You can only select this option when restoring entire virtual machines. Any existing tags and categories on

the assets in the restore location will be replaced with the tags and categories from the assets in the restored copy.

If the tags and categories being restored do not exist in the vCenter Server at the time of the restore, or have been

deleted, they will be re-created as part of the restore, along with the tag description and the cardinality settings that

determine the relationship of tags within a category. If tags and categories on the vCenter have been renamed since

the last backup, the renamed tags and categories will not be overwritten upon restore. For example, if a tag's ID is

the same but the tag's name has been changed since the backup, a new tag is created based on the tag name in the

backup copy being restored.

Upon successful restore, the replaced tags and categories will not be deleted in the vSphere Client, and can be

viewed in the Tags & Custom Attributes window, or the Tags pane of the Summary window when the virtual

machine is selected.

c. Select Restore Storage Policies if you also want to restore any virtual machine disk-level or non-disk specific storage policy assignments.

If you select this option but the backup copy was taken with PowerProtect Data Manager 19.5 and earlier, or the storage policy is not available, the virtual machine restore will proceed but any storage policy association will not be restored.

NOTE: Enabling this option requires vCenter version 6.7 and later.

d. Click Next.

If the current virtual machine disk configuration is identical to the copy being restored, the Summary page appears. If there is a mismatch, however, the Options page appears. This page displays the current configuration of the virtual machine along with any disks that have been added since the last backup.

8. On the Options page, for any hard disks in the current virtual machine configuration that were not part of the original backup:

Select Delete disks that will be detached to remove these disks upon restore. Clear Delete disks that will be detached to keep these disks in their original folders on the virtual machine after the

restore. These disks will not be in the virtual machine configuration, but after the restore you can then use the vSphere Client to manually reattach or download these disks as appropriate.

9. Click Next. The Summary page appears with a confirmation message indicating that the virtual machine will be powered off and that the virtual machine in the datastore will revert to the point in time of the selected backup copy before being powered back on.

10. On the Summary page, click Restore. An informational dialog box appears indicating that the restore has started.

11. Go to the Jobs window to monitor the restore. A restore job appears with a progress bar and start time.

Restore individual virtual disks

A virtual disk (VMDK) restore recovers individual VMDKs to their original location on the vCenter, rolling the VMDKs that you backed up with the protection policy in PowerProtect Data Manager to an earlier point in time.

Prerequisites

Review Prerequisites to virtual machine restore before you perform the following procedure.

About this task

NOTE: When you restore individual VMDKs, only the selected disks are restored. The virtual machine configuration does

not change.

82 Restoring Data and Assets

Steps

1. In the PowerProtect Data Manager UI, select Recovery > Assets and select the Virtual Machines tab.

The Recovery window displays all virtual machines available for recovery.

2. Select the checkbox next to the appropriate virtual machines and click Restore.

You can also use the filter in the Name column to search for the name of the specific virtual machine or click the File Search button to search on specific criteria.

The Recovery wizard appears.

3. On the Select Copy page, for each virtual machine that is listed in the table, select the radio button next to the virtual machine and click Choose Copy. The Choose Copy dialog box appears.

NOTE: If you click Next without choosing a copy, the most recent backup copy is used.

4. If the backup is on a DD system, click DD, and then select from one of the available copies that display in the table.

5. Click OK to save the selection and exit the dialog, and then click Next.

6. On the Purpose page, select Restore Individual Virtual Disks to restore specific VMDKs, and then click Next. The Select Disks page displays.

7. From the Backup Properties pane, select the VMDKs that you want to restore, and then click Next. Note that individual VMDKs can only be restored to the original location. The Summary page appears with a confirmation message indicating that the selected disk(s) will be overwritten in the current configuration with the copy from the backup.

8. On the Summary page, click Restore. An informational dialog box appears indicating that the restore has started.

9. Go to the Jobs window to monitor the restore. A restore job appears with a progress bar and start time.

Restore to new virtual machine

A Create and Restore to New VM enables you to create a new virtual machine using a copy of the original virtual machine backup. Other than having a new name or location and a new vSphere VM Instance UUID, this copy is an exact replica of the virtual machine that you backed up with the protection policy in PowerProtect Data Manager.

Prerequisites

Review Prerequisites to virtual machine restore before you perform this procedure.

Steps

1. Select the checkbox next to the appropriate virtual machines and click Restore.

You can also use the filter in the Name column to search for the name of the specific virtual machine or click the File Search button to run file level restore workflows on specific files within VMs.

The Recovery wizard appears.

2. On the Select Copy page, for each virtual machine that is listed in the table, select the radio button next to the virtual machine and click Choose Copy. The Choose Copy dialog box appears.

NOTE: If you click Next without choosing a copy, the most recent backup copy is used.

3. If the backup is on a DD system, click DD, and then select from one of the available copies that display in the table.

4. Click OK to save the selection and exit the dialog, and then click Next.

5. On the Purpose page:

Select Restore Entire VMs if you want to restore an image-level virtual machine backup. NOTE: If you specified any disk exclusions in the virtual machine protection policy, a message appears indicating that

disks were excluded from this backup. If one of the excluded disks was a boot disk, the restore might not complete

successfully.

Select Restore Individual Virtual Disks if you want to restore only specific VMDKs.

NOTE: Individual disks can only be restored to the original location.

6. Click Next.

Restoring Data and Assets 83

7. On the Restore Type page:

a. Select Create and Restore to New VM. b. Select the Restore VM Tags checkbox to restore vCenter tags and categories associated with this backup copy. Tags

are backed up by default as part of the virtual machine protection policy backup.

NOTE: You can only select this option when restoring entire virtual machines. Any existing tags and categories on

the assets in the restore location will be replaced with the tags and categories from the assets in the restored copy.

If the tags and categories being restored do not exist in the vCenter Server at the time of the restore, or have been

deleted, they will be re-created as part of the restore, along with the tag description and the cardinality settings that

determine the relationship of tags within a category. If tags and categories on the vCenter have been renamed since

the last backup, the renamed tags and categories will not be overwritten upon restore. For example, if a tag's ID is

the same but the tag's name has been changed since the backup, a new tag is created based on the tag name in the

backup copy being restored.

Upon successful restore, the replaced tags and categories can be viewed in the vSphere Client Tags & Custom

Attributes window, or the Tags pane of the Summary window when the virtual machine is selected.

c. Click Next.

8. On the VM Information page:

a. From the Restore to vCenter list, select the vCenter server for the new virtual machine restore. This list displays any vCenter server that has been added from the Assets window.

When you select a vCenter server, available data centers appear.

b. Select the destination data center. c. Click Next.

9. On the Restore Location page:

a. Select the location within this data center that you want to restore the virtual machine by expanding the hierarchical view. For example, select a specific cluster, and then select a host within the cluster.

b. If you select an ESXi host within this page, the next page is unnecessary. c. Click Next.

10. On the ESX Host page:

If you did not select a specific host in the previous step, select a host that is connected with the cluster, and then click Next.

If you selected a host in the previous step, this page indicates that a host is already selected and you can click Next to proceed.

11. On the Datastore page, select the datastore where you want to restore the virtual machine disks.

NOTE:

The Total Estimated Space Needed for Recovery is displayed and updated according to the specified disk

provisioning type.

In the datastore list:

The free space in each datastore is displayed.

If a datastore is estimated to be smaller than required for recovery, it is displayed in red alongside an error icon.

Select Browse... to display the total capacity, provisioned capacity, and free capacity of all available datastore(s),

and select a datastore.

a. If you are restoring multiple virtual machines, select the Datastore and Provisioning Type to use for all virtual machines.

b. If you are restoring one virtual machine:

To restore all disks to the same location, keep Configure Per Disk disabled, and select the datastore from the datastore list in the Storage column.

To restore disks to different locations, enable Configure Per Disk, and for each disk, select a datastore from the datastore list in the Storage column. Select how to provision the disk from the provisioning types in the Disk Format column.

NOTE: If you select a datastore whose estimated free space is smaller than required for recovery, a warning is

displayed. In this case, you can select Proceed Anyways to continue, but it is recommended to create more space in

the specified datastore(s) before doing so.

84 Restoring Data and Assets

c. Click Next.

12. On the Options page:

a. For Select Access Level, keep the slider set to Yes if you want to enable instant access for this restore.

When you select this option, the virtual machine is created and turned on while temporarily accessing the VMDKs from DD storage. Storage vMotion is initiated to the target datastore. The virtual machine becomes available for use when it is turned on.

b. (Optional) For the recovery options, select Power on the virtual machine when the recovery completes and Reconnect the virtual machine's NIC when the recovery completes. Power on the virtual machine when the recovery completes is selected by default when instant access is enabled.

c. Click Next.

13. On the Summary page, verify that the information you specified in the previous steps is correct, and then click Restore.

14. Go to the Jobs window to monitor the restore.

A restore job appears with a progress bar and start time. You can also click next to the job to verify what steps have been performed, for example, when the instant access session has been created.

Instant access virtual machine restore

An Instant Access VM restore enables you to create a new virtual machine directly from the original virtual machine backup on the DD system for the purposes of instant backup validation and recovery of individual files. The instant access virtual machine is initially available for 7 days. This process does not copy or move any data from the DD system to the production datastore. An instant access virtual machine restore also provides the option to move the virtual machine to a production datastore when you want to retain access to the virtual machine for a longer time.

Steps

1. Select the check box next to the appropriate virtual machines and click Restore.

You can also use the filter in the Name column to search for the name of the specific virtual machine, or click the File Search button to search on specific criteria.

The Recovery wizard appears.

2. On the Select Copy page, for each virtual machine that is listed in the table, select the radio button next to the virtual machine and click Choose Copy. The Choose Copy dialog box appears.

NOTE: If you click Next without choosing a copy, the most recent backup copy is used.

3. If the backup is on a DD system, click DD, and then select from one of the available copies that display in the table.

4. Click OK to save the selection and exit the dialog, and then click Next.

5. On the Purpose page:

Select Restore Entire VMs if you want to restore an image-level virtual machine backup. NOTE: If you specified any disk exclusions in the virtual machine protection policy, a message appears indicating that

disks were excluded from this backup. If one of the excluded disks was a boot disk, the restore might not complete

successfully.

Select Restore Individual Virtual Disks if you want to restore only specific VMDKs.

NOTE: Individual disks can only be restored to the original location.

6. On the Restore Type page:

a. Select Instant Access VM. b. Select the Restore VM Tags checkbox to restore vCenter tags and categories associated with this backup copy.

NOTE: You can only select this option when restoring entire virtual machines. Any existing tags and categories on

the assets in the restore location will be replaced with the tags and categories from the restored copy. If the tags

and categories being restored do not exist in vCenter at the time of the restore, or have been deleted, they will be

re-created as part of the restore, along with the tag description and the cardinality settings that determine the

relationship of tags within a category. If tags and categories on the vCenter have been renamed since the last

backup, the renamed tags and categories will not be overwritten upon restore. For example, if a tag's ID is the same

but the tag's name has been changed since the backup, a new tag is created based on the tag name in the backup

copy being restored.

Restoring Data and Assets 85

Upon successful restore, the replaced tags and categories can be viewed in the vSphere Client Tags & Custom

Attributes window, or the Tags pane of the Summary window when the virtual machine is selected.

c. Click Next.

7. On the VM Information page:

a. Select whether you want to use the original virtual machine name for the instant access virtual machine restore, or rename the instant access virtual machine by appending a suffix to the original name.

b. From the Restore to vCenter list, select the vCenter server for the instant access virtual machine restore. You can select the vCenter of the original virtual machine backup, or another vCenter. This list displays any vCenter server that has been added from the Assets window.

When you select a vCenter server, available data centers appear.

c. Select the destination data center. d. Click Next.

8. On the Restore Location page, select the location within this data center that you want to restore the virtual machine by expanding the hierarchical view. For example, select a specific cluster, and then select a host within the cluster. If you select an ESXi host within this page, the next page is unnecessary. Click Next.

9. On the ESX Host page:

If you did not select a specific host in the previous step, select a host that is connected with the cluster, and then click Next.

If you selected a host in the previous step, this page indicates that a host is already selected and you can click Next to proceed.

10. On the Options page:

a. Specify a name for the Instant Access virtual machine. b. Optionally, select Power on the virtual machine when the recovery completes and Reconnect the virtual

machine's NIC when the recovery completes. Power on the virtual machine when the recovery completes is selected by default for instant access virtual machine restores.

c. Click Next.

11. On the Summary page, verify that the information you specified in the previous steps is correct, and then click Restore. A confirmation message displays indicating that the restore has been initiated and providing the option to go to the Jobs window to monitor the restore progress.

12. Go to the Jobs window to view the entry for the instant access virtual machine recovery and verify when the recovery

completes successfully. You can also click next to the job to verify what steps have been performed, for example, when the instant access session has been created.

Results

To monitor and manage the instant access virtual machine recovery, select Recovery > Running Activities, and then click the Instant Access Sessions tab. From this window, you can also extend the instant access virtual machine session beyond the default period of 7 days.

NOTE: On a single-node system such as a DD system, instant access/restore functionality has been enhanced to return a

failure message when overwhelmed with traffic. For example, if on the target node or the ESXi host there are Live VM

and/or Instant Restore sessions that are in conflict, instant access/restore jobs will fail with a message indicating a

resource contention issue. If this occurs, you need to clear the conflicts and then restart the session in order for the job to

execute.

Manage and monitor Instant Access Sessions

The Instant Access Sessions tab in the Recovery > Running Sessionswindow enables you to manage the status of a virtual machine restore to new or instant access virtual machine restore (for example, by extending the availability period or deleting an instant access virtual machine) and monitor vMotion events.

NOTE: The Instant Access Sessions that are used by a SQL application-aware self-service restore are displayed in the

PowerProtect Data Manager UI, but management is disabled. Use the SQL application-aware self-service restore UI to

manage these sessions.

When the Jobs window indicates that a recovery has completed successfully, go to Recovery > Running Sessions > Instant Access Sessions to access information about the sessions. This window enables you to monitor and manage all exported copies that you have created from the DD system. An active restore session with a state of Mounting indicates that the

86 Restoring Data and Assets

restore is still in progress. Once the state changes to Mounted, the restore is complete and the instant access virtual machine is ready. When you select the session in the table, you can choose from three options:

Extend Click to extend the number of days the instant access virtual machine restore is available. The default retention period of an instant access virtual machine restore is 7 days.

Migrate Click to open the Migrate Storage vMotion wizard, which enables you to move the instant access virtual machine to a protection datastore. Migrate an instant access session provides instructions.

Delete Click if you no longer require the active restore session. Note that you can also vMotion from inside the vCenter server, and PowerProtect Data Manager removes the Instant Access Session upon detection.

For instant access virtual machine restores, availability of the instant access virtual machine session is also indicated in the vSphere Client. The session appears in the Recent Tasks pane, and you can expand the cluster and select the instant access virtual machine to view summary information, as shown in the following figure.

Figure 1. instant access virtual machine restore in the vSphere Client

Migrate an Instant Access session

Once you validate that the instant access virtual machine is the virtual machine that you require for production, click Migrate to open the Migrate Storage vMotion wizard, which enables you select the session and move the virtual machine to a production datastore.

Steps

1. Go to Recovery > Running Sessions, and click the Instant Access Sessions tab.

2. Select a session from the table that is in Mounted state, and click Migrate. The Migrate Storage vMotion wizard displays.

3. On the Disk Files Datastore page, select the datastore where you want to relocate the instant access virtual machine, and then click Next.

To migrate all VMDKs to the same datastore, keep the Configure per disk slider to the left, and then select the datastore from the Storage list.

To migrate VMDKs to separate datastores, move the Configure per disk slider to the right, and then:

a. Select a datastore for each disk from the Storage list. b. Select the type of provisioning you want to apply to the disk from the Disk Format list.

4. On the Summary page, review the information to ensure that the details are correct, and then click Migrate.

5. Go to the Jobs window or the Instant Access Sessions window to view the progress of the migration.

In the Jobs window, the migration job appears with a progress bar and start time. You can also click next to the job to verify what steps have been performed. In the Instant Access Sessions window, you can monitor the vMotion status of

Restoring Data and Assets 87

the migration. When a vMotion is in progress, the status indicates VMotioning. Once the storage vMotion for the session is complete, the status of the session changes to Deleting as the session is being removed from the Instant Access Sessions window.

File level restore to original virtual machine

A file level restore to original virtual machine enables you to recover individual files from backups of virtual machines or VMDKs performed in PowerProtect Data Manager to the same or a new location on the original vCenter Server.

Prerequisites

Review the section Supported platform versions for file-level restore for supported platform and operating system versions. Review the section File-level restore and SQL restore limitations on page 189. Ensure that the FLR Agent is installed on the target virtual machine by logging into the virtual machine and verifying that

the agent package is installed and the agent process is running. If the FLR Agent is not installed, the installation is initiated automatically when you start the mount.

When installing the FLR Agent on Windows virtual machines, the user must be an administrator account. When installing the FLR Agent on Linux virtual machines, the user must be the root user account. The section FLR Agent for virtual machine file-level restore on page 187 provides more information.

NOTE: For file-level restores, you can only restore files:

From a Windows backup to a Windows machine, or from a Linux backup to a Linux machine.

To virtual machines within the same vCenter.

About this task

NOTE: File level restore in the PowerProtect Data Manager UI can only be performed by an administrator.

Steps

1. In the PowerProtect Data Manager UI, go to Recovery > Assets and select the Virtual Machines tab.

The Recovery window displays all the virtual machines available for recovery.

2. Select the checkbox next to the virtual machine that you want to recover from, and then click View Copies.

You can also use the filter in the Name column to search for a specific virtual machine name, or click the File Search button to search on specific criteria.

The Recovery > Assets window provides a map view in the left pane and copy details in the right pane.

When a virtual machine is selected in the map view, the virtual machine name displays in the right pane with the copy locations underneath. When you select a location in the left pane, for example, a DD system, the copies on that system display in the right pane.

3. If the backup is on a DD system, click DD, and then select from one of the available copies that display in the table.

4. In the right pane, select the checkbox next to the virtual machine backup you want to restore, and then click File Level Restore. The File Level Recover wizard appears.

5. On the Restore Type page, select Restore to Original Virtual Machine, and then click Next.

6. On the Mount Copy page:

a. To initiate the disk mount, type the guest operating system user credentials:

If there are administrator-level credentials associated with the virtual assets or protection policy being restored, specify end-user credentials.

If there are no administrator-level credentials associated with the virtual assets or protection policy being restored, specify administrator credentials. These credentials will be handled as end-user credentials.

b. (Optional) Leave Keep FLR Agent Installed selected when you want the FLR Agent to remain on the destination virtual machine after the restore completes.

c. Click Start Mount to initiate the disk mount. If not already installed, the FLR Agent is installed on the target virtual machine. A progress bar indicates when the mount completes.

88 Restoring Data and Assets

NOTE: You cannot browse the contents of the virtual machine backup until the mounting of the destination virtual

machine completes successfully.

d. Upon successful mount, click Next.

7. On the Select Files to Recover page:

a. Expand individual folders to browse the original virtual machine backup, and select the objects that you want to restore to the destination virtual machine.

b. Click Next.

NOTE: When you browse for objects to recover on this page, each directory or hard drive appears twice. As a result,

when you select an object from one location, the object is selected in the duplicate location as well.

8. On the Options page, select from one of the following options, and then click Next.

Restore to Original Folder and Overwrite Original FilesSelect this option to restore all selected files to their original location on the original virtual machine.

Restore to an Alternate FolderSelect this option if you want to restore to a new folder in a new location on the original virtual machine.

9. On the Summary page:

a. Review the information to ensure that the restore details are correct. You can click Edit next to any row to change the information.

b. Click Restore.

10. Go to the Jobs window to monitor the restore. A restore job appears with a progress bar and start time.

File level restore to alternate virtual machine

A file level restore to alternate virtual machine enables you to recover individual files from backups of virtual machines or VMDKs performed in PowerProtect Data Manager to a new location on a new virtual machine. This restore can be performed to a primary or secondary vCenter Server.

Prerequisites

Review the section Supported platform versions for file-level restore for supported platform and operating system versions. Review the section File-level restore and SQL restore limitations on page 189. Ensure that the FLR Agent is installed on the target virtual machine by logging into the virtual machine and verifying that

the agent package is installed and the agent process is running. If the FLR Agent is not installed, the installation is initiated automatically when you start the mount.

When installing the FLR Agent on Windows virtual machines, the user must be an administrator account. When installing the FLR Agent on Linux virtual machines, the user must be the root user account. The section FLR Agent for virtual machine file-level restore on page 187 provides more information.

NOTE: For file-level restores, you can only restore files:

From a Windows backup to a Windows machine, or from a Linux backup to a Linux machine.

To virtual machines within the same vCenter.

Steps

1. In the PowerProtect Data Manager UI, go to Recovery > Assets and select the Virtual Machines tab.

The Recovery window displays all the virtual machines available for recovery.

2. Select the checkbox next to the virtual machine that you want to recover from, and then click View Copies.

You can also use the filter in the Name column to search for a specific virtual machine name, or click the File Search button to search on specific criteria.

The Recovery > Assets window provides a map view in the left pane and copy details in the right pane.

When a virtual machine is selected in the map view, the virtual machine name displays in the right pane with the copy locations underneath. When you select a location in the left pane, for example, a DD system, the copies on that system display in the right pane.

3. If the backup is on a DD system, click DD, and then select from one of the available copies that display in the table.

Restoring Data and Assets 89

4. In the right pane, select the checkbox next to the virtual machine backup you want to restore, and then click File Level Restore. The File Level Recover wizard appears.

5. On the Restore Type page, select Restore to Alternate Virtual Machine, and then click Next.

6. On the Select Target VM page, choose from one of the following options:

Search for a target virtual machine by typing the name. Browse from the available vCenter Servers to locate the destination virtual machine.

7. On the Mount Copy page:

a. To initiate the disk mount, type the guest operating system user credentials:

If there are administrator-level credentials associated with the virtual assets or protection policy being restored, specify end-user credentials.

If there are no administrator-level credentials associated with the virtual assets or protection policy being restored, specify administrator credentials. These credentials will be handled as end-user credentials.

b. (Optional) Leave Keep FLR Agent Installed selected when you want the FLR Agent to remain on the destination virtual machine after the restore completes.

c. Click Start Mount to initiate the disk mount. If not already installed, the FLR Agent is installed on the target virtual machine. A progress bar indicates when the mount completes.

NOTE: You cannot browse the contents of the virtual machine backup until the mounting of the destination virtual

machine completes successfully.

d. Upon successful mount, click Next.

8. On the Select Files to Recover page:

a. Expand individual folders to browse the original virtual machine backup, and select the objects that you want to restore to the destination virtual machine.

b. Click Next.

NOTE: When you browse for objects to recover on this page, each directory or hard drive appears twice. As a result,

when you select an object from one location, the object is selected in the duplicate location as well.

9. On the Restore Location page:

a. Browse the folder structure of the destination virtual machine to select the folder where you want to restore the objects. b. Click Next.

10. On the Summary page:

a. Review the information to ensure that the restore details are correct. You can click Edit next to any row to change the information. If you are not restoring to the original virtual machine, an additional field appears for the Target VM.

b. Click Restore.

11. Go to the Jobs window to monitor the restore. A restore job appears with a progress bar and start time.

Direct restore to ESXi

If the virtual machine you protected with PowerProtect Data Manager was a vCenter virtual machine, but this virtual machine and vCenter is now lost or no longer available, direct restore to ESXi enables you to recover the virtual machine directly to an ESXi host without a vCenter server.

Prerequisites

Direct Restore to ESXi restore requires either the embedded or an added VM Direct appliance that is registered to PowerProtect Data Manager.

Additionally, ensure that you disconnect the ESXi host from the vCenter server.

Steps

1. In the PowerProtect Data Manager UI, go to Recovery > Assets and select the Virtual Machines tab.

The Recovery window displays all of the virtual machines available for recovery.

2. Select the checkbox next to the desired virtual machine and click View Copies.

90 Restoring Data and Assets

NOTE: If you cannot locate the virtual machine, you can also use the filter in the Name column to search for the name

of the specific virtual machine or click the File Search button to search on specific criteria.

The Recovery > Asset window provides a map view in the left pane and copy details in the right pane.

When a virtual machine is selected in the map view, the virtual machine name displays in the right pane with the copy locations underneath. When you select a specific location in the left pane to view the copies, for example, on a DD system, the copies on that system display in the right pane.

3. If the backup is on a DD system, click DD, and then select from one of the available copies that display in the table.

4. In the right pane, select the checkbox next to the virtual machine backup you want to restore, and then click Direct Restore to ESXi. The Direct Restore to ESXi wizard appears.

5. On the Options page:

a. (Optional) Select Reconnect the virtual machine's NIC when the recovery completes, if desired. Power on the virtual machine when the recovery completes is selected by default.

b. Click Next.

6. On the ESX Host Credentials page:

a. In the ESX Host field, type the IP of the ESXi server where you want to restore the virtual machine backup. b. Specify the root Username and Password for the ESXi Server. c. Click Next.

7. On the Datastore page, select the datastore where you want to restore the virtual machine disks, and then click Next.

To restore all of the disks to the same location, keep the Configure per disk slider to the left, and then select the datastore from the Storage list.

To restore disks to different locations, move the Configure per disk slider to the right, and then:

a. For each available disk that you want to recover, select a datastore from the Storage list. b. Select the type of provisioning you want to apply to the disk from the Disk Format list.

8. On the Summary page:

a. Review the information to ensure that the details are correct. b. Click Restore.

9. Go to the Jobs window to monitor the restore. A restore job appears with a progress bar and start time.

Restore an application-aware virtual machine backup When virtual machine applications are protected within a protection policy in PowerProtect Data Manager, you can recover the application data using the Microsoft application agent, or perform a centralized restore within the PowerProtect Data Manager UI.

The PowerProtect Microsoft Application Agent SQL Server User Guide provides instructions on how to restore an application- aware virtual machine using the VM Direct SQL Server Management Studio (SSMS) plug-in.

Restoring a Kubernetes namespace After namespace contents are backed up as part of a Kubernetes cluster protection policy in the PowerProtect Data Manager UI, you can perform restores from individual namespace backups.

All types of restore are performed from the Recovery > Assets window. Recovery options include the following:

Restore to Original: Restore to the original namespace on the original cluster. Restore to New: Create a namespace, and restore to this location on the original cluster or a different cluster. Restore to Existing: Restore to an existing namespace in the original cluster or a different cluster.

The Restore button, which launches the Restore wizard, is disabled until you select a namespace in the Recovery > Assets window.

Select a namespace and then click Restore to launch the Restore wizard. Alternatively, you can select a namespace and then click View Copies.

Restoring Data and Assets 91

In both instances, you must select a backup in the first page of the Restore wizard before proceeding to the Purpose page, which displays the available recovery options.

NOTE: Manually replicating backups to DD storage will not create PCS records in PowerProtect Data Manager. It is

recommended to perform these backups on the local tier, as a cloud tier backup will require a recall operation.

Restore to the original namespace

Perform the following to restore a Kubernetes protection policy backup to the original namespace within a Kubernetes cluster:

About this task

Steps

1. In the PowerProtect Data Manager UI, select Recovery > Assets and select the Kubernetes tab.

The Recovery window displays all protected and unprotected namespaces.

2. Select the checkbox next to a protected namespace and click Restore.

You can also use the filter in the Name column to search for a specific namespace, or use the Search field to search on specific criteria.

The Recovery wizard appears.

3. On the Select Copy page:

a. Select the radio button next to a backup copy. b. Click Next.

NOTE: If you click Next without choosing a copy, the most recent backup copy is used.

4. On the Cluster page, select Restore to Original Cluster, and then click Next.

5. On the Purpose page, select from one of the following options:

Restore Namespace and Select PVCs to restore namespace resources and selected persistent volume claims (PVCs). Optionally, you can also select Include cluster scoped resources to restore the cluster resources that were backed up automatically as part of the Kubernetes protection policy. This option is only available for PowerProtect Data Manager 19.6 and later Kubernetes protection policy backups.

NOTE: Selecting Include cluster scoped resources will restore all instances of cluster roles, cluster role bindings

and custom resource definitions (CRDs) that were present at the time of the backup.

Restore Only PVCs to restore PVCs without namespace or cluster resources.

6. Click Next. The Restore Type page displays.

7. On the Restore Type page, select Restore to Original Namespace, and then click Next. The PVCs page appears, displaying the PVCs in the namespace that you plan to restore, along with the PVC configuration in the original target namespace.

8. On the PVCs page, if the configuration of the namespace you want to restore is different from the configuration in the target namespace:

Select Overwrite content of existing PVCs to restore selected PVCs and overwrite existing PVCs in the target location if they have the same name.

Select Skip restore of existing PVCs to restore selected PVCs without overwriting existing PVCs in the target location if they have the same name.

9. Click Next. The Summary page appears with a confirmation message indicating that namespace resources, including pods, services, secrets, and deployments, will not be overwritten during the restore, and that all resources that do not currently exist in the namespace will be restored.

10. On the Summary page, click Restore. An informational dialog box appears indicating that the restore has started.

11. Go to the Jobs window to monitor the restore. A restore job appears with a progress bar and start time.

92 Restoring Data and Assets

Restore to a new namespace

Perform the following to restore a Kubernetes protection policy backup to a new namespace within a Kubernetes cluster:

About this task

Steps

1. In the PowerProtect Data Manager UI, select Recovery > Assets and select the Kubernetes tab.

The Recovery window displays all protected and unprotected namespaces.

2. Select the checkbox next to a protected namespace and click Restore.

You can also use the filter in the Name column to search for a specific namespace, or use the Search field to search on specific criteria.

The Recovery wizard appears.

3. On the Select Copy page:

a. Select the radio button next to a backup copy. b. Click Next.

NOTE: If you click Next without choosing a copy, the most recent backup copy is used.

4. On the Cluster page, select one of the following options, and then click Next:

Restore to Original ClusterSelect this option to restore to a new namespace on the original cluster. Restore to an Alternate ClusterSelect this option to restore to a new namespace on a different cluster, and then

select the cluster from the list. A restore to an alternate cluster can be useful when migrating namespaces from a cluster on-premises to a cluster in the cloud, when moving namespaces from a lower cluster version to a higher cluster version, or when moving from one environment to another (for example, from a test environment to a production environment).

NOTE: When restoring to an alternate cluster, ensure that this Kubernetes cluster has been added and discovered in

the PowerProtect Data Manager UI Asset Sources window.

5. On the Purpose page:

a. Select Restore Namespace and Select PVCs to restore namespace resources and selected persistent volume claims (PVCs). Optionally, you can also select Include cluster scoped resources to restore the cluster roles, cluster role bindings and custom resource definitions (CRDs) that were backed up automatically as part of the Kubernetes protection policy. This option is only available for PowerProtect Data Manager 19.6 and later Kubernetes protection policy backups.

b. Click Next.

The Restore Type page displays.

6. On the Restore Type page, select Restore to New Namespace, and then type a name for the new namespace. Click Next. The PVCs page appears, displaying the PVCs in the namespace that you plan to restore.

7. On the PVCs page:

a. Clear the checkbox next to any PVCs that you do not want to restore. b. Click Next.

The Summary page appears with a confirmation message indicating that namespace resources, including pods, services, secrets, and deployments, will not be overwritten during the restore, and that all resources that do not currently exist in the namespace will be restored.

8. On the Summary page, click Restore. An informational dialog box appears indicating that the restore has started.

9. Go to the Jobs window to monitor the restore. A restore job appears with a progress bar and start time.

Next steps

To view the new namespace as an asset within the PowerProtect Data Manager UI, initiate a full discovery of the Kubernetes cluster from the Asset Sources window.

Restoring Data and Assets 93

Restore to an existing namespace

Perform the following to restore a Kubernetes protection policy backup to an existing namespace within a Kubernetes cluster:

About this task

Steps

1. In the PowerProtect Data Manager UI, select Recovery > Assets and select the Kubernetes tab.

The Recovery window displays all protected and unprotected namespaces.

2. Select the checkbox next to a protected namespace and click Restore.

You can also use the filter in the Name column to search for a specific namespace, or use the Search field to search on specific criteria.

The Recovery wizard appears.

3. On the Select Copy page:

a. Select the radio button next to a backup copy. b. Click Next.

NOTE: If you click Next without choosing a copy, the most recent backup copy is used.

4. On the Cluster page, select one of the following options, and then click Next:

Restore to Original ClusterSelect this option to restore to an existing namespace on the original cluster. Restore to an Alternate ClusterSelect this option to restore to an existing namespace on a different cluster, and

then select the cluster from the list. A restore to an alternate cluster can be useful when migrating namespaces from a cluster on-premises to a cluster in the cloud, when moving namespaces from a lower cluster version to a higher cluster version, or when moving from one environment to another (for example, from a test environment to a production environment).

NOTE: When restoring to an alternate cluster, ensure that this Kubernetes cluster has been added and discovered in

the PowerProtect Data Manager UI Asset Sources window.

5. On the Purpose page, select from one of the following options:

Restore Namespace and Select PVCs to restore namespace resources and selected persistent volume claims (PVCs). Optionally, you can also select Include cluster scoped resources to restore the cluster roles, cluster role bindings and custom resource definitions (CRDs) that were backed up automatically as part of the Kubernetes protection policy. This option is only available for PowerProtect Data Manager 19.6 and later Kubernetes protection policy backups.

Restore Only PVCs to restore PVCs without namespace resources.

6. Click Next. The Restore Type page displays.

7. On the Restore Type page, select Restore to Existing Namespace, and then select a namespace from the Select Namespace list. Click Next. The PVCs page appears, displaying the PVCS in the namespace that you plan to restore, along with the PVC configuration in the original target namespace.

8. On the PVCs page, if the configuration of the namespace you want to restore is different from the configuration in the target namespace:

Select Overwrite content of existing PVCs to restore selected PVCs and overwrite existing PVCs in the target location if they have the same name.

Select Skip restore of existing PVCs to restore selected PVCs without overwriting existing PVCs in the target location if they have the same name.

9. Click Next. The Summary page appears with a confirmation message indicating that namespace resources, including pods, services, secrets, and deployments, will not be overwritten during the restore, and that all resources that do not currently exist in the namespace will be restored.

10. On the Summary page, click Restore. An informational dialog box appears indicating that the restore has started.

11. Go to the Jobs window to monitor the restore. A restore job appears with a progress bar and start time.

94 Restoring Data and Assets

Self-service restore of Kubernetes namespaces PowerProtect Data Manager supports the self-service restore of namespaces from within the Kubernetes cluster. The following procedure describes how to perform a self-service restore:

Prerequisites

NOTE: A Kubernetes administrator can list the 100 most recent PowerProtect Data Manager backups that have taken place

in the cluster within the last 30 days. Additionally, the last backup of every namespace backed up within the last 30 days

using PowerProtect Data Manager is listed. Any backups not listed have to be restored from the PowerProtect Data

Manager UI.

Steps

1. Run the following command to list PowerProtect Data Manager backups performed within the last 30 days on the cluster:

kubectl get backupjob -n powerprotect The command output lists all available backupJob custom resources of PowerProtect Data Manager, in the form . For example:

admin@method:~> ~/k8s/kubectl get backupjob -n powerprotect NAME AGE testapp1-2019-11-16-14-15-47 3d9h testapp1-2019-11-16-17-00-49 3d7h

2. Select the backup that you want to restore from the list, and then create a RestoreJob yaml file in the following format:

apiVersion: "powerprotect.dell.com/v1beta1" kind: RestoreJob metadata: name: namespace: powerprotect spec:

recoverType: RestoreToNew #Default is RestoreToOriginal backupJobName: # For e.g. testapp1-2019-11-16-14-15-47 namespaces: - name: alternateNamespace: # Name for the recovered namespace. Needed only for RestoreToNew. Should not be specified for RestoreToOriginal persistentVolumeClaims: - name: "*" #volumes to be recovered. By default all volumes backed up will be recovered

3. Run the following command to apply the yaml:

kubectl apply -f -n powerprotect 4. Run the following command to track the restore progress:

kubectl get restorejob -n powerprotect -o yaml -w 5. Upon successful completion of the restore, run the following command to delete the RestoreJob:

kubectl delete restorejob -n powerprotect

Restore the PowerProtect Data Manager server You can restore PowerProtect Data Manager server persisted data as a new instance using any of the backups. A System Administrator can carry out the restore.

Prerequisites

Ensure that:

Restoring Data and Assets 95

The PowerProtect Data Manager version that is deployed on your system and the backups you are using for the restore match.

The network configuration is the same on the newly deployed PowerProtect Data Manager system as on the failed instance that you are restoring.

Steps

1. Deploy the PowerProtect Data Manager OVA and power it on.

2. Select Restore Backup.

To delay jobs defined by your protection policies until otherwise specified, select After restore, keep the product in recovery mode so that scheduled workflows are not triggered. When selected, after restore the system enters recovery maintenance mode. During recovery maintenance mode:

All jobs defined by your protection policies that modify the backup storage (for example, backup creation, backup deletion, and PPDM Server DR jobs) are not triggered.

All operations that write to the backup storage are disabled. A system alert is displayed in PowerProtect Data Manager.

To enable automatically scheduled operations and user operations that write to the backup storage, click Return to full Operational mode in the alert.

3. Specify the following storage information:

a. DD system IP where the recovery backups are stored. b. DD NSF Export Path where the recovery backups are stored. c. Click Connect.

4. Select the PowerProtect Data Manager instance that you would like to restore, and then click OK.

5. Select the backup file that you would like to use for recovery, and then click Recover.

6. Specify the lockbox passphrase associated with the backup, and start the recovery. This step initiates the recovery and display the progress status. The recovery process can take approximately eight minutes before the URI is redirected to the PowerProtect Data Manager login.

Results

The PowerProtect Data Manager server is recovered.

Next steps

After a successful recovery:

The time zone of the PowerProtect Data Manager instance is set to the same as that of the backup. The operating system user passwords and PowerProtect Data Manager login are set to the lockbox phrase previously

provided in step 6.

Restore Cloud Tier backups to the DD system Once a Cloud tier backup is recalled, restore operations of these backups are identical to normal restore operations.

The PowerProtect Data Manager software recalls a copy of the backup from the Cloud unit to the local (active) tier of the DD system, which then allows you to perform a restore of the backup from the active tier to the client. The status appears as Cloud, and changes to Local Recalled after cloud recall completes. After the restore, the backup copy is removed from Cloud tier, and is stored on the active tier of the DD system for a minimum of 14 days, after which the backup may be returned to the cloud depending on your protection policy.

96 Restoring Data and Assets

Recall and restore from Cloud tier

To recall a backup on Cloud tier to the active tier on a DD system and restore this backup, perform the following:

Prerequisites

NOTE: When a backup is recalled from Cloud tier to the active tier, the copy is removed from Cloud tier.

Steps

1. In the PowerProtect Data Manager UI, select Infrastructure > Assets.

2. On the Assets window, select the tab that contains the asset you want to recall from Cloud Tier, and then click View Copies.

3. Click DD, and then select from one of the available copies that appear in the table.

4. Click Recall. The Recall from Cloud dialog box appears.

5. In the Retain until box, specify how long you want to keep the copy on the active tier, and then click OK.

6. Go to the Jobs window to monitor the recall operation. When the copy has been moved successfully, the Location changes from Cloud to Local.

7. Select Recovery > Assets, and then select the tab that contains the recalled asset.

8. Select the recalled asset, and then click Restore.

NOTE: If you are unsure whether the asset has been recalled, click View Copies and select DD to view the available

backup copies. If the asset backup is a recalled copy, the Status column indicates Local Recalled.

9. Select the recalled copy to re-tier the copy to the active tier.

Restoring Data and Assets 97

Preparing for and Recovering From a Disaster

Topics:

Managing system backups Manage PowerProtect Data Manager backups for disaster recovery Overview of PowerProtect Data Manager Cloud Disaster Recovery Prepare the DD system recovery target Configure backups for disaster recovery Configure PowerProtect Data Manager server disaster recovery backups Record settings for disaster recovery Restore PowerProtect Data Manager from an external DD system Recovering a Search cluster from a DR backup Troubleshooting backup configuration issues Troubleshoot recovery of PowerProtect Data Manager Quick recovery Recover a failed PowerProtect Data Manager backup

Managing system backups The PowerProtect Data Manager system protection service enables you to protect the persistent data of a PowerProtect Data Manager system from catastrophic loss by creating a series of system backups.

Each backup is considered a full backup although it is created in an incremental manner. The persistent data that is saved in a backup includes the Lockbox and Elasticsearch databases. The backup operation creates a point-in-time snapshot of the database while the system is in a quiesced state. While the system is quiesced, user functionality is limited. After the snapshot completes and while PowerProtect Data Manager copies the snapshots to the DD storage unit, full user functionality is restored. If the system fails to quiesce, PowerProtect Data Manager still takes a backup, which is marked as crash consistent instead of application consistent.

To store system backups, you must configure and assign a private DD storage unit for the PowerProtect Data Manager system. The system protection service enables you to manage the frequency and start time of an automated system backup, perform on-demand backups, and define the length of time that the system backups are available for recovery.

File Search indexes are backed up for DR recovery along with other component DR backups. For this release, recovery requires manual steps. Contact Customer Support.

Manage PowerProtect Data Manager backups for disaster recovery View PowerProtect Data Manager backups and perform manual backups.

About this task

You can view the last 5 PowerProtect Data Manager backups.

Steps

1. From the PowerProtect Data Manager UI, select System Settings > Disaster Recovery > Manage Backups.

2. To perform a manual backup:

8

98 Preparing for and Recovering From a Disaster

You can back up to only one DD host at a time. When you enter new DD information for backup, you overwrite the existing DD host for backup. If there are more than one external DD systems, you can change which DD system has the backup.

a. Click Backup Now.

The Enter a name for your backup dialog appears.

b. [Optional] Type a name for your backup.

You can leave the backup name blank, and PowerProtect Data Manager provides a name for the backup using the naming convention UserDR-. If you provide a name with the convention that PowerProtect Data Manager uses for scheduled backups, which is SystemDR, PowerProtect Data Manager displays an error.

c. Click Start Backup.

The backup appears as an entry in the table. To view details for the backup, click the arrow icon.

If a new search engine node is deployed,PowerProtect Data Manager backs up the search cluster. When the backup is complete, you can view the status of the search cluster backup in the details. To view details for the backup, click the arrow icon.

To monitor the status of the backup, select Jobs > Protection and look for a job with the name Protect the server datastore.

3. To delete a backup:

a. Select a backup from the list. b. Click Delete.

The system displays a warning to confirm you want to delete the backup. Click Yes to proceed.

4. Click Close.

Overview of PowerProtect Data Manager Cloud Disaster Recovery The Cloud Disaster Recovery (DR) feature enables you to utilize a cloud DR site by deploying the Cloud DR Server in the public cloud. You can use the PowerProtect Data Manager UI for the purpose of running VM protection and DR workflows in the cloud.

Examples of Cloud DR workflows include the following:

Cloud DR site copy managementSet the Cloud DR site by creating a VM protection policy in the PowerProtect Data Manager UI.

VM copy failover validationBefore a disaster occurs, you can validate the failover of a VM copy to the cloud within PowerProtect Data Manager by running a DR test and then monitoring the test progress.

Fail over a production VMYou can fail over a production virtual machine within PowerProtect Data Manager by running a DR failover operation and then verifying that the restored VM appears within Amazon Web Services (AWS) or Microsoft Azure cloud.

The PowerProtect Data Manager Cloud Disaster Recovery Administration and User Guide provides more information about Cloud DR workflows within PowerProtect Data Manager.

Prepare the DD system recovery target Before you can configure PowerProtect Data Manager for backup and recovery, you must configure the NFS export on the DD target system.

Steps

1. Use a Web browser to log in to the DD System Manager as the system administrator user.

2. In the Summary tab in the Protocols pane, select NFS Exports > Create Export.

3. In the Create NFS Export window, provide the following information, and then click OK.

Export Namethe name of the DD MTree Directory Paththe full directory path for DD MTree that you created. Ensure that you use the same name for the

directory.

Preparing for and Recovering From a Disaster 99

NOTE: For an external DD system, specify a path similar to the following, /data/col1/ . Where is

the MTree used to store the DR backups.

4. When the progress message indicates that the save operation is complete, click Close.

5. In the Summary tab in the Protocols pane, click NFS Exports.

6. Under NFS Protocols > Exports, select the DD MTree from the list of exports and click Add Clients.

7. In the Add Clients window, provide the following information, and then click OK.

ClientIP address or host name of the PowerProtect Data Manager. NOTE: To configure DR protection for an existing Search cluster, add the IP address or host name of the Search

cluster to the NFS Client list.

Accept the default settings for the rest of the fields. Current SelectionEnsure that the list includes no_root_squash, which is required for permission for your system

to change the directory structure on the NFS share.

Configure backups for disaster recovery Configure your system to automatically create backups in the event of a disaster or catastrophic outage.

Prerequisites

Ensure that you have configured a DD system as a replication location. See Prepare the DD system recovery target on page 99.

Steps

1. Log in to PowerProtect Data Manager as administrator.

2. Select System Settings > Disaster Recovery > Configuration.

3. Enter the following information, and then click Save.

Select Enable backup. DD SystemIP address or host name of the DD system where you created the MTree with NFS Export NFS Export Paththe path of the NFS Export

Results

The initial backup runs, and then backups are automatically triggered every hour.

Configure PowerProtect Data Manager server disaster recovery backups Configure disaster recovery protection for the PowerProtect Data Manager system and the system metadata.

Prerequisites

For external DD system backups, ensure that you carry out the procedure described in Configure the DD system on page 127.

Steps

1. From the PowerProtect Data Manager UI, select System Settings > Disaster Recovery > Configuration.

2. Configure the backup with the following attributes:

a. In the DD System field, type the DD system to back up. b. In the NFS Export Path field, type the path where backups are stored on the target DD system.

3. Click Save.

100 Preparing for and Recovering From a Disaster

Record settings for disaster recovery Plan for disaster recovery by recording vital information.

About this task

In the event of a major outage, you will need certain information to recover your systems.

Steps

Ensure that you record the following information on a local drive outside PowerProtect Data Manager:

PowerProtect Data Manager build numberCustomer Support can provide this information. It is not mandatory. Port GroupsLog in to the vSphere Client, right-click the appliance name and select Edit Settings. Record the port

group settings that are assigned to PowerProtect Data Manager. NFS export detailsClick the System Settings icon and select Disaster Recovery > Configuration. Under Backup,

record the host IP address and the NFS Export Path. Run the GET /Configurations API (api/v2/configurations) from PowerProtect Data Manager and save the

details for network information.

To get the PowerProtect Data Manager token:

curl --request POST 'https:// :8443/api/v2/login' --header 'Content-Type: application/json' --data '{"username": ,"password": }' -k

You can use this bearer token to get the configuration from PowerProtect Data Manager:

curl --request GET 'https:// :8443/api/v2/configurations' --header 'Content-Type: application/json' --header 'Authorization: Bearer ' -k

Restore PowerProtect Data Manager from an external DD system You can restore PowerProtect Data Manager from an external DD system where the data is replicated.

Prerequisites

Ensure that all the information listed in Record settings for disaster recovery on page 101 is available. Ensure that the FQDN of the PowerProtect Data Manager is the same as the host name. Ensure that the VM for PowerProtect Data Manager is powered on. Ensure that you have set up the recovery target system. See Prepare the DD system recovery target on page 99.

About this task

When your primary PowerProtect Data Manager system fails because of a major event, deploy a new PowerProtect Data Manager system and recover the backup from the external DD system.

NOTE: If your recovery system is on a different FQDN, see Troubleshoot recovery of PowerProtect Data Manager on page

103.

Steps

1. Use the .ova file to deploy a new PowerProtect Data Manager system.

2. On the Install window under Welcome, select Restore Backup.

3. (Optional) To keep the PowerProtect Data Manager server in recovery mode after the restore completes, select the checkbox.

Preparing for and Recovering From a Disaster 101

When this option is enabled, PowerProtect Data Manager enters into recovery mode and stops scheduled workflows from running.

4. Under Select File, enter the DD System and NFS Export Path where the backup is located, and then click Connect. A list of the available recovery backups on the DD system appears.

5. Select the backup from which to recover the system, and click OK.

6. Provide the Lockbox Passphrase and click Start. When the Passphrase is verified, the recovery starts. Recovery can take a few minutes.

Results

When recovery is complete, the PowerProtect Data Manager login page appears.

When you log in to PowerProtect Data Manager, If the option to keep the PowerProtect Data Manager server in recovery mode was selected, a red banner appears at the top of the PowerProtect Data Manager UI. The banner indicates that the PowerProtect Data Manager system is operational but scheduled workflows are disabled. If you want to return PowerProtect Data Manager to full operational mode and enable scheduled workflows, click Return to full operational mode.

Recovering a Search cluster from a DR backup Recovery of a Search cluster is a manual process to be completed by the administrator.

Prerequisites

Complete the steps to perform disaster recovery of PowerProtect Data Manager. On the Restore PPDM page:

Record the Selected Host information ( and ) PowerProtect Data Manager. Record the of the selected backup.

About this task

Use this procedure to set the cluster to the selected point in time.

Steps

1. Login to PowerProtect Data Manager with the same administrator credentials you used before the PowerProtect Data Manager was restored.

2. Locate the backup manifest file:

a. Use SSH to log in to PowerProtect Data Manager with administrator credentials. b. Navigate to the directory path /data01/server_backups/ _ .

c. Run grep -Rnwa -e ' ' --include=*.manifest 3. Open the backup Manifest file.

4. Locate the Components section, which contains Search Cluster.

The values for the following fields listed in the Search Cluster section are needed for the POST Call in the next step.

Name=id BackupPath, which contains :/data/col1/ / /

SearchCluster For example:

"Components": [ { "name": "SearchCluster", {{ "id": "c25290d9-a88c-4a15-9e7c-656f186209ae", }} {{ "version": "v2", }} {{ "backupPath": "10.25.12.74:/data/col1/serverdr_backup/vm- qa-0091_6ce36793-3379-45d2-84bd-d8bde69e52d4/SearchCluster", }} {{ "backupStatus": "SUCCESSFUL", }} {{ "backupsEnabled": true }} {

{ } }} {{ ]}}

102 Preparing for and Recovering From a Disaster

where:

NFSHost = "10.25.12.74" NFSExport = "/data/col1/serverdr_backup" NFSDirPath = "vm-qa-0091_6ce36793-3379-45d2-84bd-d8bde69e52d4/SearchCluster" Name = "c25290d9-a88c-4a15-9e7c-656f186209ae"

5. Run the following POST call:

https:// :8443/api/v2/search-clusters/component-backups/ /restore

{

"ddDirectoryPath" : " ",

"ddHost" : " ",

"ddNfsExportName" : " "

}

6. To monitor the status of the restore process, in the PowerProtect Data Manager UI, select Jobs > Protection and look for a job with the description, Restoring backup Search Node.

Troubleshooting backup configuration issues The following section provides a list of error messages that might appear when you configure an appliance backup configuration.

DD storage unit mount command failed with error: 'Cannot mount full path: Access is denied'

This error message appears when an NFS export does not exist on the DD system for the full path to the DD Boost Storage Unit.

To resolve this issue, ensure that you have configured an NFS export for the full path of the DD Boost storage unit and that the appliance is an Export client.

DD storage unit mount command failed with error: 'Cannot resolve FQDN: The name or service not known'

This error message appears when the appliance cannot contact the DD system by using the specified FQDN. To resolve this issue, ensure that you can resolve the FQDN and IP address of the DD system.

Troubleshoot recovery of PowerProtect Data Manager When the FQDN of the recovery site is different from the FQDN of the primary site, a mount error might occur and the recovery process requires a few extra steps.

About this task

If a mount error occurs during recovery, follow this work-around procedure.

Steps

1. On the DD system where the backup is located, delete the replication pair and mount it for PowerProtect Data Manager.

2. When recovery is complete, on PowerProtect Data Manager, regenerate the certificates using the following command.

sudo -H -u admin /usr/local/brs/puppet/scripts/generate_certificates.sh -c

Preparing for and Recovering From a Disaster 103

3. Restart the system and select the URL of the primary PowerProtect Data Manager system. The https://PPDM IP/#/progress page appears and recovery resumes.

4. Log in to the primary PowerProtect Data Manager. The PowerProtect Data Manager VM vCenter console shows an error, which you can ignore.

5. Open the primary PowerProtect Data Manager using the original IP address and log in.

Results

Recovery is complete.

Quick recovery After a disaster, the quick recovery feature allows you to restore assets and data that you replicated to a destination system at a remote site.

Quick recovery sends metadata from the source system to the destination system, following the flow of backup copies. This metadata makes the replication destination aware of the copies and enables the recovery view. You can recover your workloads at the remote site before you have the opportunity to restore the source PowerProtect Data Manager system.

For example, the following figures show two sites that are named A and B, with independent PowerProtect Data Manager and DD systems. Each site contains unique assets. Figure Separate datacenters, before disaster on page 104 shows the initial configuration with both sites replicating copies to each other. Figure Separate datacenters, after disaster on page 105 shows the aftermath, with site A down. The site A assets have been restored with quick recovery into the site B environment from the replicated copies.

Figure 2. Separate datacenters, before disaster

104 Preparing for and Recovering From a Disaster

Figure 3. Separate datacenters, after disaster

PowerProtect Data Manager supports quick recovery for alternate topologies. You can configure quick recovery for one-to- many and many-to-one replication. For example, the following figure shows a source PowerProtect Data Manager replicating to a standby DD system with its own PowerProtect Data Manager, all in the same data center. If the source system fails, the quick recovery feature ensures that you can still restore from those replicated copies before you restore the source.

Preparing for and Recovering From a Disaster 105

Figure 4. Standby DD system

The following topics explain the prerequisites, how to configure PowerProtect Data Manager to support quick recovery, and how to use the recovery view to restore assets.

Quick recovery prerequisites

Before you configure quick recovery, complete the following items:

Attach at least two DD systems to the source system: one for protection storage and one for replication. Register asset sources with the source system and configure protection policies to protect those assets. Configure protection policies to replicate backup copies to the DD system at the remote site. Back up the protected assets and confirm that backup data successfully replicates to the destination DD system.

Before you use the quick recovery remote view, add the destination system to the list of remote systems on the source.

106 Preparing for and Recovering From a Disaster

Add a remote system for quick recovery

Configure PowerProtect Data Manager to send metadata to another system to which you have replicated backups.

Steps

1. Log in to PowerProtect Data Manager as administrator.

2. Select System Settings > Disaster Recovery > Remote Systems.

The Remote Systems tab opens and displays a table of configured remote PowerProtect Data Manager systems.

3. Click Add. The Add Remote PowerProtect System window opens.

4. Complete the Name and FQDN/IP fields.

The Name field is a descriptive name to identify the remote system.

5. In the Port field, type the port number for the REST API on the remote system.

The default port number for the REST API is 8443.

6. From the Credentials field, select an existing set of credentials from the list.

Alternatively, you can click Add Credentials from this list to add new credentials. Provide a descriptive name for the credentials, a username, and a password. Then, click Save to store the credentials.

7. Click Verify.

PowerProtect Data Manager contacts the remote system and obtains a security certificate for identity verification.

The Verify Certificate window opens to present the certificate details.

8. Review the certificate details and confirm each field against the expected value for the remote system. Then, click Accept to store the certificate. The Certificate field changes to VERIFIED and lists the server's identify.

9. Click Save. PowerProtect Data Manager returns to the Remote Systems tab of the Disaster Recovery window. The configuration change may take a moment to complete.

10. Click Cancel. The Disaster Recovery window closes.

11. Select System Settings > Disaster Recovery > Remote Systems.

The Remote Systems tab opens.

12. Verify that the table of remote systems contains the new PowerProtect Data Manager system.

13. Click Cancel. The Disaster Recovery window closes.

Next steps

On the remote system, open the recovery view and verify that backups are visible and accessible. Dell Technologies recommends that you perform a test restore.

Metadata syncs between source and destination systems every six hours. If backups are not visible, allow sufficient time for the first sync before troubleshooting.

Edit a remote system

You can change the descriptive name of the remote system, as well as the REST API port number and credentials.

Steps

1. Select System Settings > Disaster Recovery > Remote Systems.

The Remote Systems tab opens and displays a table of configured remote PowerProtect Data Manager systems.

2. Locate the row that corresponds to the appropriate remote system, and then select the checkbox for that row. The PowerProtect Data Manager enables the Edit button.

3. Click Edit. The Edit Remote PowerProtect System window opens.

Preparing for and Recovering From a Disaster 107

4. Modify the appropriate parameters, and then click Save.

If you change the port number, you may need to re-verify the remote system security certificate.

PowerProtect Data Manager returns to the Remote Systems tab of the Disaster Recovery window. The configuration change may take a moment to complete.

5. Click Cancel. The Disaster Recovery window closes.

Quick recovery remote view

Use the remote view to work with replicated copies on the destination system after the source is no longer available. For example, to restore critical assets before you are able to restore the source system.

On the destination system, log in as administrator. The remote server contains an additional Remote Systems icon in the banner.

When you click Remote Systems, PowerProtect Data Manager presents a drop-down that contains the names of the local system and any connected systems. Each entry has the identifying suffix (Local) or (Remote).

Select the source system from which you have replicated backups. PowerProtect Data Manager opens the remote view and presents a subset of the regular UI navigation tools:

Recovery

Assets Shows replicated copies. Running Sessions Allows you to manage and monitor Instant Access sessions.

Alerts Shows alert information in a table, including audit logs. Jobs Shows the status of any running restore jobs.

Each tool has the same function as for the local system. However, since the remote view is intended only for restore operations, the scope is limited to the replicated copies from the selected source system. While in remote view, a banner identifies the selected system.

NOTE: For virtual machines, the quick recovery restore workflow does not include the Restore VM Tags option to restore

vCenter tags and categories from the backup.

Use Recovery > Assets to locate copies. The instructions for restoring each type of asset provide more information about restore operations.

When the recovery is complete, click Remote Systems and select the name of the local system to exit remote view.

Recover a failed PowerProtect Data Manager backup

Steps

1. Redeploy the PowerProtect Data Manager OVA.

2. Call Dell EMC Technical support.

108 Preparing for and Recovering From a Disaster

Managing Alerts, Jobs, and Tasks

Topics:

Configure Alert Notifications View and manage alerts View and manage Audit Logs Monitor and view jobs Monitor and view tasks Restart a job or task manually Restart a job or task automatically Resume misfire jobs after a PowerProtect Data Manager upgrade Cancel a job or task Export logs for a job or task

Configure Alert Notifications The Alert Notifications window of the UI enables you to configure email notifications for PowerProtect Data Manager alerts.

Steps

1. Select Administration > Alert Notifications

The Alert Notifications window appears with a table that displays the details for existing notifications.

2. Click Add.

The Add Alert Notification dialog appears.

3. In the Name field, type name of the individual or group who will receive the notification email.

4. In the Email field:

a. Specify the email address or alias to receive notifications. This field is required in order to create an alert notification. Separate multiple entries with a comma.

b. Click Test Email to ensure that a valid SMTP configuration exists.

5. From the Category list, select the notification category.

6. From the Severity list, select the notification severity.

7. In the Duration field, specify how often the notification email will be sent out. For example, you can set the duration to 60 minutes in order to send out a notification email every 60 minutes.

8. In the Subject field, optionally type the subject that you would like to attach to the notification email.

9. Click Save to save your changes and exit the dialog.

Results

The Alert Notifications window updates with the new alert notification. At any time, you can Edit, Delete, or Disable the notification by selecting the entry in the table and using the buttons in this window.

View and manage alerts Alerts enable you to track the performance of data protection operations in PowerProtect Data Manager so that you can determine whether there is compliance to service level objectives. You can access the alerts from the Alerts window.

Steps

1. In the PowerProtect Data Manager UI left navigation pane, select Alerts.

9

Managing Alerts, Jobs, and Tasks 109

The Alerts window displays alert information in a table. You can filter the alerts by Severity, Date, Category, or Acknowledge.

2. Select the System tab. The System tab displays all alert types.

3. To view more details about a specific entry, click next to the entry in the table.

4. For the following steps, connect to the PowerProtect Data Manager console with an account that has the Admin role.

5. To acknowledge the alert, select the alerts and then click Acknowledge.

6. To add or edit a note for the alert, click Add/Edit Note, and when finished, click Save.

7. To export a report of alert information to a .CSV file which you can download for Excel, select an entry in the table and then click Export.

NOTE: If you apply any filters in the table, exported alerts include only those alerts that satisfy the filter conditions.

View and manage Audit Logs Audit logs enable you to view specific information about jobs that are initiated in PowerProtect Data Manager so that you can determine compliance to service level objectives. You can access the audit logs from the Alerts window.

Steps

1. In the PowerProtect Data Manager UI left navigation pane, select Alerts.

The Alerts window displays alert information in a table. You can filter the alerts by Severity, Date, Category, or Acknowledge.

2. Select the Audit Logs tab.

3. To view more details about a specific entry, click next to the entry in the table.

4. To export an audit log report to a .csv file which you can download as an Excel file, select an entry in the table and click Export.

NOTE: If you apply any filters in the table, exported audit logs include only those logs that satisfy the filter conditions.

5. To change the retention period for audit logs, click Set Boundaries, select the number of days from the Days of Retention menu, and then click Save.

Monitor and view jobs The Jobs window in the PowerProtect Data Manager UI enables you to monitor the status of certain data protection, system, and maintenance jobs and to view details. To perform analysis or troubleshooting, you can view a detailed log of a failed job.

To access the Jobs window, open the PowerProtect Data Manager UI left navigation pane, and select Jobs. The Jobs window appears, displaying all completed and running jobs.

Jobs are categorized as protection jobs or system jobs. To view protection jobs, click the Protection tab. To view system jobs, click the System tab. By default, the Jobs window opens on the Protection tab.

The following table lists the jobs that are displayed in the Jobs window.

Table 24. Protection jobs and System jobs

Protection System

The Protection tab displays the following job types:

Cloud Tier Export Reuse Notify Protect Replicate Restore

The System tab displays the following job types:

Cloud Protect Config Delete Disaster Recovery Cloud Disaster Recovery

110 Managing Alerts, Jobs, and Tasks

Table 24. Protection jobs and System jobs

Protection System

Cloud Copy Recovery Discovery Manage Notify System Validate

The Jobs window provides you with options to filter and sort the information that appears:

Filter jobs by statusBy default, the Jobs window displays all jobs regardless of status.

To display only jobs with a specific status, at the top of the Jobs window, select one of the following options:

Critical Warning Success Canceled Running Queued Completed

Filter jobs by time rangeBy default, the Jobs window displays all jobs regardless of time range. To display jobs for a set time range, select from one of the available options.

Filter jobs by Description, Policy Name, Job Type, Asset Type, Start Time, Status, or Events, by clicking in their respective column.

Sort jobs by Description, Policy Name, Job Type, Asset Type, and Start Time by clicking the column heading.

You can use the Search field to filter jobs based on a search string. When you type a keyword in the Search field, the PowerProtect Data Manager UI filters the results as you type. To clear the search filter, remove all keywords from the Search field.

To view details for a job, click the magnifying glass icon in the Details column next to the job name.

You can also monitor the status of individual tasks, view task details, and perform certain operations on tasks.

NOTE: Job duration includes the sum of all tasks plus the job processing time.

Monitor and view tasks Within a job, you can view the status of specific tasks. This information can be helpful when troubleshooting to determine whether one or more tasks caused a job to fail.

Steps

1. In the PowerProtect Data Manager UI left navigation pane, select Jobs.

The Jobs window appears.

2. Click the magnifying glass icon in the Details column next to the job name.

The Details pane appears on the right, with a Task Summary at the bottom.

3. Next to Task Summary, click the link that indicates the total number of tasks.

A new window opens to display a list of all tasks for the job and details for each task.

The success or failure of individual tasks is indicated in the Status column. If a failed task requires action, a status of Critical appears.

4. (Optional) Sort and filter the information that appears:

To filter tasks by status, at the top of the tasks window, select one of the following options:

Critical Warning

Managing Alerts, Jobs, and Tasks 111

Success Canceled Total

To sort tasks by Task Name, Status, or Asset Name, click a column heading.

To filter tasks by Task Name, Status, or Asset Name, click in their respective column. To filter tasks based on a search string, type the string in the Search field.

5. To view task details and summary information, complete the following steps:

a. Click the magnifying glass icon in the Details column next to the individual task. b. Review the summary information in the Steps pane, which describes the task activity.

NOTE: If the job has a critical status, click to view additional information and any applicable recommended

actions.

c. Click Close. d. Review the details for the task in the Details pane.

Restart a job or task manually You can manually restart a failed virtual machine backup in the Jobs window of the PowerProtect Data Manager UI.

About this task

When you click Restart, the job or task restarts immediately, regardless of the scheduled activity window. NOTE: If a policy with both protection and Cloud Data Recovery (CDR) stages fails, the CDR job is canceled and cannot be

restarted.

Steps

1. In the PowerProtect Data Manager UI left navigation pane, select Jobs.

The Jobs window appears, displaying all completed and running jobs. You can filter the information that appears in the window. Monitor and view jobs on page 110 provides more information.

2. Select Protection or System.

3. To restart a failed job, select the failed job from the list, and then click Restart.

4. To restart a failed task:

a. Click the magnifying glass icon in the Details column next to the job name

The Details pane appears on the right, with a Task Summary at the bottom.

b. Next to Task Summary, click the link that indicates the total number of tasks. c. Select a failed task, and then click Restart. d. Click Close.

Results

After the job or task has been restarted, the status indicates Running or Queued. To display only jobs that are running or queued, at the top of the Jobs window, select Running or Queued.

Restart a job or task automatically If a backup job fails or one of the tasks within the job fails, you can enable automatic restart of the failure by configuring auto retry in the entrypoint.sh file. Auto retry can be useful in situations where the failure is due to an intermittent issue, such as a network or service interruption.

Prerequisites

In PowerProtect Data Manager, some services that are required for auto retry, such as the workflow service, have been moved into a docker container. In order to enable auto retry, ensure that the workflow service is running in a docker.

112 Managing Alerts, Jobs, and Tasks

About this task

Auto retry is only supported for daily, weekly, or monthly schedules for virtual machine and File System agent protection operations.

Steps

1. Log in to the PowerProtect Data Manager server by using SSH.

2. Copy the entrypoint.sh file from the workflow container by typing the following:

docker cp workflow:/workflow/bin/entrypoint.sh . 3. Configure auto retry by adding a line to entrypoint.sh:

a. Type vi entrypoint.sh b. Before the last line in the output, -jar /${APP_NAME}/lib/workflow-manager.jar), add the following:

-Denable.auto.retry.scheduler=true \ NOTE: Auto retry is disabled by default. After adding this line, if you want to disable this setting at any point, change

the entry to -Denable.auto.retry.scheduler=false \

4. Optionally, add the following application properties to the file to specify a maximum number of auto retries and a time interval at which subsequent auto retry attempts will occur:

-Dfailed.job.retry.max.count=2 \ -Dfailed.job.retry.interval=PT30M \

NOTE: The values specified above are the recommended default values. Auto retries will only occur during the activity

window. If you perform a manual retry in the PowerProtect Data Manager UI, this retry will not count towards the auto

retry max count.

For the interval duration, the value must be specified in ISO-8601 format.

5. Save the entrypoint.sh file to the workflow container by typing the following:

docker cp entrypoint.sh workflow:/workflow/bin/ 6. Restart the workflow service by using one of the following methods:

Type docker container restart workflow NOTE: For the configuration to be applied successfully using this method, you can only restart the container. If you

restart your workflow service or your PowerProtect Data Manager operating system, the configuration will be lost.

Type the following to save the docker image and restart the workflow service:

docker commit workflow dpd/ppdm/ppdmc-workflow:19.6.0-1-SNAPSHOT workflow restart You can use this method to permanently apply the configuration change after restoring the docker image.

Results

Upon configuration, the workflow service is scheduled to run every 30 minutes to determine if any jobs or tasks have failed. If a restart occurred, the status will indicate Running or Queued. To view whether a failed job or task has been restarted, go to the Jobs window in the PowerProtect Data Manager UI and select Running or Queued.

Resume misfire jobs after a PowerProtect Data Manager upgrade During an upgrade, the PowerProtect Data Manager system enters maintenance mode. Any job that is not in queue and is scheduled to run during the time that the PowerProtect Data Manager system is in maintenance mode will be missed. These missed jobs are known as misfires. As of this release, PowerProtect Data Manager uses the Quartz Scheduler to resume scheduled workflows when the service recovers or when the schedule resumes.

Managing Alerts, Jobs, and Tasks 113

About this task

The trigger and firing data of jobs are stored in a PostgreSQL database application. If the schedule service is down, such as during an upgrade, the Quartz Scheduler recovers this data and resumes the jobs when the PowerProtect Data Manager system is operational again.

NOTE: In the current release, this feature is enabled by default.

You can enable or disable the misfire feature by configuring the entrypoint.sh file.

Steps

1. Log in to the PowerProtect Data Manager server by using SSH.

2. Copy the entrypoint.sh file from the scheduler container by typing the following:

docker cp scheduler:/scheduler/bin/entrypoint.sh . 3. Configure the misfire conditions in the entrypoint.sh file:

NOTE: Before the last line in the output, -jar /${APP_NAME}/lib/scheduler-core.jar), add the lines for

each misfire condition.

a. To enable misfire and trigger each job once, add the following properties and corresponding values:

- Dspring.quartz.properties.misfire.cron.strategy=WITH_MISFIRE_HANDLING_INSTRUCTION_FIRE _AND_PROCEED \

NOTE: This condition is enabled by default.

- Dspring.quartz.properties.misfire.calendar.strategy=WITH_MISFIRE_HANDLING_INSTRUCTION_ FIRE_AND_PROCEED \

b. To enable misfire and trigger each job as many times as misfire happens, add the following properties and corresponding values:

- Dspring.quartz.properties.misfire.cron.strategy=WITH_MISFIRE_HANDLING_INSTRUCTION_IGNO RE_MISFIRES \ - Dspring.quartz.properties.misfire.calendar.strategy=WITH_MISFIRE_HANDLING_INSTRUCTION_ IGNORE_MISFIRES \

c. To disable misfire, add the following properties and corresponding values:

- Dspring.quartz.properties.misfire.cron.strategy=WITH_MISFIRE_HANDLING_INSTRUCTION_DO_N OTHING \ - Dspring.quartz.properties.misfire.calendar.strategy=WITH_MISFIRE_HANDLING_INSTRUCTION_ DO_NOTHING \

4. Save the entrypoint.sh file to the scheduler container by typing the following:

docker cp entrypoint.sh scheduler:/scheduler/bin/ 5. Restart the scheduler service by using one of the following methods:

Type docker container restart scheduler NOTE: For the configuration to be applied successfully using this method, you can only restart the container. If you

restart your scheduler service or your PowerProtect Data Manager operating system, the configuration will be lost.

Type the following to save the docker image and restart the scheduler service:

docker commit scheduler dpd/ppdm/ppdmc-scheduler:19.6.0-1-SNAPSHOT scheduler restart You can use this method to permanently apply the configuration change after restoring the docker image.

114 Managing Alerts, Jobs, and Tasks

NOTE: Ensure that the PowerProtect Data Manager version specified in the commit command matches the

PowerProtect Data Manager version that is deployed on your system.

Cancel a job or task From the PowerProtect Data Manager UI, you can cancel a backup that is still in progress, or any asset protection and replication activities when the tasks are queued.

About this task

NOTE: The Cancel operation is only available for supported jobs and tasks.

Steps

1. In the PowerProtect Data Manager UI left navigation pane, select Jobs.

The Jobs window appears, displaying all completed and running jobs. You can filter the information that appears in the Jobs window. Monitor and view jobs on page 110 provides more information.

2. In the Jobs window, select Protection or System.

3. To cancel a job, select a job that is in-progress, and then click Cancel.

NOTE: If a job is almost complete, the cancellation might fail. If the cancellation fails, a message displays indicating that

the job cannot be canceled.

4. To cancel an individual task:

a. Click the magnifying glass icon next to the job name.

The Details pane appears on the right, with a Task Summary at the bottom.

b. Next to Task Summary, click the link that indicates the total number of tasks. c. Select a task that is in-progress or queued, and then click Cancel.

NOTE: If a task is almost complete, the cancellation might fail. If the cancellation fails, a message displays indicating

that the task cannot be canceled.

d. Click Close.

Results

The Jobs window displays the status of the canceled job or task. If the cancellation is successful, then the status eventually changes to Canceled. If the cancellation is not successful, then the status might indicate either Success or Critical.

Export logs for a job or task The PowerProtect Data Manager UI enables you to export and view a detailed log of a job or task. You can view logs to perform analysis or troubleshooting.

About this task

NOTE: You can only export logs for failed jobs and tasks that have a log available to download. If a log is available to

download, the Export Log button is enabled.

Steps

1. In the PowerProtect Data Manager UI left navigation pane, select Jobs.

The Jobs window appears, displaying all completed and running jobs. You can filter the information that appears in the Jobs window. Monitor and view jobs on page 110 provides more information.

2. In the Jobs window, select Protection or System.

3. To export a log for a completed job, select a job from the list, and then click Export Log.

4. To export a log for a completed task:

a. Click the magnifying glass icon next to the job name.

Managing Alerts, Jobs, and Tasks 115

The Details pane appears on the right.

b. In the Task Summary section, click the link that indicates the total number of tasks. c. Select a completed task, and then click Export Log.

116 Managing Alerts, Jobs, and Tasks

Modifying the System Settings

Topics:

System settings System Support Modifying the PowerProtect Data Manager virtual machine disk settings Configure the DD system Virtual networks (VLANs)

System settings You can use the PowerProtect Data Manager UI to modify system settings that are typically configured during PowerProtect Data Manager installation.

To access System Settings, click the icon in the top-right.

Modify the network settings

You can modify the IP address, subnet mask, gateway, and DNS servers that are defined for the appliance.

Steps

1. Select System Settings > System > Network.

2. Update the fields as necessary:

Domain Name IP Address

NOTE: When you change the domain name or IP address, the system becomes unavailable until all components are

restarted.

Subnet Mask Gateway Primary DNS Secondary DNS

3. Click Save.

Synchronize time on PowerProtect Data Manager and other systems

The PowerProtect Data Manager system time is synchronized with the ESXi host system.

The PowerProtect Data Manager system time must match the systems with which it interfaces or compliance check will fail. Dell EMC recommends that all systems be configured to use an NTP server.

NOTE: Times in the UI are always displayed as local to the users time zone based on their browser or system settings. The

PowerProtect Data Manager system might be in a different time zone but when viewing the UI it will always show the times

local to the user.

10

Modifying the System Settings 117

Modify the appliance time zone

Use this procedure to modify the time zone for the PowerProtect Data Manager appliance.

Steps

1. Select System Settings > System > Timezone.

2. From the Timezone list, select the applicable time zone.

3. Click Save.

Change the system root user password

Perform the following steps if you want to change the password for the root user.

Prerequisites

NOTE: Changing the password only changes the password for the UI login, not for the appliance. Make note of your original

appliance password in case you require this password for appliance operations.

Steps

1. Select System Settings > Authentication.

The System Users window appears.

2. Select the User name for the password to edit and click Edit. The Change the password for the root user dialog box appears.

3. In the Old Password box, enter the existing password.

4. In the New Password and Confirm Password boxes, enter the new password.

5. Click Save.

Enable replication encryption

You can ensure that replicated content is encrypted while in-flight to the destination storage, and then decrypted before it is saved on the destination storage.

About this task

The encryption settings on both the source and destination systems must match to ensure successful replication.

For example, if you enable in-flight encryption in PowerProtect Data Manager, the setting must be enabled on each source and destination server before defining the PowerProtect Data Manager replication objective. If encryption is enabled after the initial definition of replication objectives, any replication jobs that were initiated during the period when the source and destination server encryption settings did not match will fail.

Steps

1. Select System Settings > Security.

The Security dialog box appears.

2. Click the Replication Encryption switch so it is enabled, and then click Save.

Next steps

The Infrastructure > Storage window of the PowerProtect Data Manager UI displays the status of the in-flight encryption setting for all attached storage systems.

NOTE: For systems with DD OS version 6.2 and earlier installed, the status might display as Unknown. DD OS version 6.3

and later supports authentication mode. DD OS versions earlier than version 6.3 support only anonymous authentication

mode. PowerProtect Data Manager supports only anonymous and two-way authentication modes. Ensure that both source

and destination system servers use the same authentication mode.

118 Modifying the System Settings

You can take additional steps on your PowerProtect Data Manager server to enable in-flight encryption on connected DD systems by using DD System Manager, as described in the DD Operating System Administration Guide.

License types

The available license types are:

TrialApplied automatically on installation of PowerProtect Data Manager and enables full use of the product without applying a license key for up to 90 days. When the trial period ends, PowerProtect Data Manager continues to operate with full functionality so that you can apply a permanent license.

Front-end protected capacity by terabyte (FETB)The primary model of eLicensing, which is based on the capacity that you want to protect. For example, you can purchase a 100-TB license, which enables you to protect up to 100 TB of data.

Socket-basedLicensed per CPU socket on virtual machine hosts that are being backed up or replicated.

NOTE: When you upgrade from a previous release, for example, eCDM 3.0.0-18, to PowerProtect Data Manager, any

existing license and its associated Secure Remote Services connection are removed from the system and replaced with the

90-day trial license. If you have a valid FETB or socket license for PowerProtect Data Manager, upload this license and set

up the associated Secure Remote Services connection.

Perpetual and term-based (subscription) licensing

Licensed software is offered in perpetual and term-based licenses. Your quote identifies whether your license rights are perpetual or term-based.

A perpetual license enables you to use the software for as long as you are in compliance with the terms of the license agreement.

A term-based license enables you to use the software for a specified time, as long as you are in compliance with the terms of the license agreement. At the end of the license term, you must either stop using the software, extend the license term, or purchase new licenses through an agreement with Dell EMC.

PowerProtect Data Manager licenses

You can add a license file to PowerProtect Data Manager and view license details, such as capacity usage and software ID number.

Prerequisites

To obtain the XML license file from the Dell EMC license management website, you must have the License Authorization Code (LAC), which is emailed from Dell EMC. If you have not received the LAC, contact your technical support professional.

About this task

To review existing license information, go to Settings > License.

To add a license, perform the following steps:

Steps

1. Click the System Settings icon along the top-right: .

2. Go to Settings > License > Upload file.

3. Do one of the following:

Copy and paste license file text into the License window. Browse to the location where a license file is located, select the license file and click Open.

The license file content appears in the License window.

4. Click Save.

Modifying the System Settings 119

Results

A message appears in the License window to confirm that the license is successfully added.

System Support You can use the PowerProtect Data Manager UI to manage and modify support settings, such as the mail server setup and Secure Remote Services registration, that are typically configured during installation.

To access the Support window, click the icon in the top-right, and then select System Settings > Support.

Register the Secure Remote Services gateway

Secure Remote Services (SRS) enables you to register PowerProtect Data Manager with a gateway host IP address for remote access. You can register only one SRS gateway for PowerProtect Data Manager. After PowerProtect Data Manager is registered, Technical Support Engineers can remotely connect to PowerProtect Data Manager to troubleshoot issues, and you can receive critical updates PowerProtect Data Manager by using SRS version 3.36.20.10 or later.

Prerequisites

You must apply a valid PowerProtect Data Manager license. You must have an SRS gateway ServiceLink account open and deployed. Your Dell EMC Sales representative can assist you.

About this task

If you update a license file with a different SWID, the SRS gateway requires the new SWID. Reregister the license file with the SRS gateway to ensure the SRS gateway has the new SWID.

Steps

1. From the PowerProtect Data Manager UI, select System Settings > Support > Secure Remote Services

2. Enter the following information:

The hostname or IP address of the virtual machine that is deployed for SRS. The username and password for the SRS gateway account. The SRS gateway account credentials are provided by the

ServiceLink team.

3. Click Save to complete registration of the SRS gateway.

NOTE: Currently, you can use only an IPv4 address for the gateway. IPv6 is not supported.

Remove the Secure Remote Services gateway

Prerequisites

You must disable Auto Support to delete Secure Remote Services. If you have Auto Support enabled, you will receive an error message when you attempt to delete Secure Remote Services.

About this task

Use the following procedure to remove the Secure Remote Services gateway.

Steps

1. From the PowerProtect Data Manager UI, select System Settings > Support > Auto Support.

2. Move the Enable Auto Support slider to Disabled, and then click Save.

3. Select System Settings > Support > Secure Remote Services

The Secure Remote Services Configuration dialog box appears.

120 Modifying the System Settings

4. Click Delete to remove the Secure Remote Services gateway.

Callhome

When you register an Secure Remote Services gateway, you also enable the Callhome feature, which allows Technical Support Engineers to collect data that is related to troubleshooting device and PowerProtect Data Manager software issues. Callhome does not collect any personal information.

Callhome populates three reportsa telemetry report, an alert summary report, and a PowerProtect Central report. The following table lists the information that Callhome collects for the telemetry report.

Table 25. Telemetry report information

Category Type of information collected

Asset Sources DDMC instances vCenter instances SMIS instances SQL groups instances Kubernetes cluster Oracle databases Microsoft Exchange and SQL databases SAP HANA databases File Systems

Hosts information ESXi hosts ESXi cluster hosts Application hosts

DD inventory Number of DD systems DD operating system version and system ID MTree inventory Asset source ID Serial number Model DD system capacity

PowerProtect Data Manager operational inventory

Asset information (number of assets, asset groups, assets protected, unprotected) Protection policies (number of policies) Tags (number of tags and tag categories) Active protection policy details (assets and their types, objectives for each stage) Failed jobs Application agents SLA violations External proxies

Usage Amount of data that is protected

Licensing Status of the applied license

Compliance in last 24 hours FETB in compliance FETB out of compliance

Traffic Metrics API Gateway call metrics

Callhome collects details about the following objects for the PowerProtect Central report:

Protection Policies Alerts Cloud Disaster Recovery metrics

Modifying the System Settings 121

Service Level Agreement Assets Storage Systems Data targets Protection Details Compliance Details Audit logs

Configure PowerProtect Central reporting

You can enable or disable PowerProtect Central data collection for Dell EMC storage systems.

Prerequisites

Add a valid license in System Settings > License. Set up SRS in System Settings > Support > SRS.

About this task

PowerProtect Central is a no-cost SaaS/cloud-based management application that proactively monitors and measures the overall health of Dell EMC systems through intelligent, comprehensive, and predictive analytics. The data reported to PowerProtect Central includes configuration data, historical metrics and health score data.

Steps

1. Select System Settings > Support > Auto Support.

2. Click Enable Auto Support or Disable Auto Support.

3. Scroll to the end and click Accept to accept the Telemetry software terms.

4. Select Secure Remote Services and click Save.

Results

When Auto Support is enabled, PowerProtect Central reports are sent automatically. To log in to PowerProtect Central, click the Reporting menu item, or go to https://powerprotectcentral.emc.com. For more information on PowerProtect Central, refer to the PowerProtect Central Online Support site.

Set up the email server

The Email Setup area on the PowerProtect Data Manager System Settings area enables you to set SMTP email server information to send emails for resetting local user passwords and customized alert notifications.

Steps

1. Select System Settings > Support > Email Setup.

2. Populate the following fields:

a. Mail Server

The SMTP mail server.

b. Email from:

The email address at which you would like to receive the PowerProtect Data Manager autosupport email.

c. [Optional] Recipient for Test Email:

The email address to which you would like to send the PowerProtect Data Manager test email.

d. [Optional] Port:

The default port is 25. PowerProtect Data Manager supports using nondefault ports.

If the email setup is deleted, you must manually choose any nondefault port that is not in use anywhere else.

e. User Name:

The user name associated with the PowerProtect Data Manager SMTP email server.

f. Password:

122 Modifying the System Settings

The password associated with the PowerProtect Data Manager SMTP email server.

3. Click Send Test Email. PowerProtect Data Manager sends a test email.

4. Click Save.

Add Auto Support

When auto support is enabled, auto support information, telemetry reports, alert summary, and PowerProtect Central reports will be sent.

About this task

If Secure Remote Services and SMTP are both configured, this information will be sent via Secure Remote Services.

Steps

1. Select System Settings > Support > Auto Support.

The Auto Support window appears.

2. Change the Enable Auto Support option to Disabled or Enabled, and click Save.

When you enable Auto Support, select whether to receive the Auto Support communications via SRS or email server.

When you enable Auto Support, the Telemetry Software Terms page displays. Review and scroll down to the bottom of the page to accept the terms, and then click Save to save your changes.

When you disable Auto Support, PowerProtect Data Manager stops sending error and telemetry data to SRS or the SMTP server. PowerProtect Data Manager continues to send information for upgrades and other information.

NOTE: You must disable Auto Support to delete SRS.

Enable automatic upgrade package downloads

Enable upgrade packages to be downloaded automatically through SRS.

About this task

If this feature is disabled, the system alerts you when a new package is available through SRS. When the feature is enabled, the system automatically downloads available packages, and then alerts you when the package is downloaded.

Steps

1. Select System Settings > Support > Secure Remote Services.

2. Select Automatically download upgrade packages, and then click Save.

Add a log bundle

Use the following procedure to add a log bundle.

About this task

NOTE: You can add a maximum of 10 log bundles.

Steps

1. Select System Settings > Support > Logs.

2. Click Add to add a log bundle. The Add Log Bundle window appears.

3. Select the systems for the log bundle (Data Manager, VM Direct Engines, or, if Cloud DR is deployed, CDRS), set the log bundle duration, and click Save.

Modifying the System Settings 123

The Jobs window displays the progress of the log bundle creation. Also, a green banner in the UI indicates that the log bundle has successfully been created. If you want to dismiss the banner, click X.

4. To delete the log bundle, select the box to the left of log bundle and click Delete.

The Log Capacity indicates how much space (in GB) remains on the disk for logs and the percentage of the disk in use for log storage.

5. To download the log bundle, click the bundle name in the Bundle Name column.

Monitor system state and system health

In addition to the summary system health view provided in the PowerProtect Data Manager UI's Dashboard window, the System Settings > Support window provides a further breakdown of PowerProtect Data Manager system health information.

Monitor system component health

Through the Settings window, you can monitor the state of the appliance and the health of each system component.

To view the health of system components, click the icon in the top-right, select System Settings > Support, and then select System Health.

The following table provides a summary of each component state:

Table 26. Component status

Status Description

Running This state appears when the associated service or component is running with full functionality. When all components are in running state, the state of the appliance is operational.

Initializing This state appears when the component is starting. When the component successfully starts, the state changes to Running.

Maintenance This state appears when the associated service is in maintenance. In the maintenance state, components have limited functionality. Infrastructure services do not go into maintenance state. When other components are in maintenance, the appliance state is also maintenance.

Quiesce This state appears when the service that is associated with the component is stopping.

Shut down This state appears when the service has stopped.

No response This state appears when the service that is associated with the component is running, but the service is not responding.

Access the open source software package information

All open source software (OSS) package information used by PowerProtect Data Manager is stored in a common directory.

To access this information, SSH login to PowerProtect Data Manager and retrieve the OSS reports from the /usr/ local/brs/puppet/licenses directory.

124 Modifying the System Settings

Modifying the PowerProtect Data Manager virtual machine disk settings Follow the steps in this section, under the guidance and recommendations of Dell EMC Support, to expand the size of the data disk and system disk, and modify the memory configuration.

Modify the virtual machine memory configuration

Adjust the PowerProtect Data Manager virtual machine memory configuration to support changes in the protection environment.

Prerequisites

Shut down PowerProtect Data Manager and the VM Direct appliance.

Steps

1. Log in to the vSphere Web Client.

2. Right-click the appliance and select Edit Settings. The Edit Settings window appears with the Virtual Hardware button selected.

3. In the Memory field, specify the new memory value.

Ensure that the value you specify does not exceed 16 times the amount of memory the virtual machine has when powered on and is a multiple of 4 MB.

4. Click OK.

Modify the data disk size

Follow these steps to expand the size of a data disk that is single partitioned and has the log partition is on the system disk.

Steps

1. Perform the following steps from the vSphere Web Client:

a. Right-click the VM Direct appliance and select Shut Down Guest OS. b. After the power off completes, right-click the appliance and select Edit Settings.

The Edit Settings window appears with the Virtual Hardware button selected. c. Increase the provisioned size of Hard disk 2 to the desired size, and then click OK.

NOTE: You cannot decrease the provisioned size of the disk.

d. Right-click the VM Direct appliance and select Power On.

2. Perform the following steps from the appliance console, as the root user.

NOTE: If you use ssh to connect to the appliance, log in with the admin account, and then use the su command to

change to the root account.

a. Reboot the appliance by typing reboot.

b. On the GNU GRUB menu, press Esc to edit the GNU GRUB menu.

c. In the edit screen, search for the line that starts with Linux, and then add word single before the entry splash=0

The following figure provides an example of the edit screen with the updated text.

Modifying the System Settings 125

Figure 5. Editing the GNU GRUB menu

d. Press Ctrl-x to reboot into single-user mode. e. When prompted, type the password for the root account. f. Unmount the data disk, by typing umount /data01.

g. Start the partition utility, by typing parted, and then perform the following tasks:

i. Type select /dev/sdb.

ii. Type print. If you are prompted to fix issues, type fix at each prompt. The output displays the new disk size in the Size field and the current size in the table.

iii. Type resize 1 new_size. Where new_size is the value that appears in the Size field in the output of the print command.

For example, to resize the disk to 700 GB, type: resize 1 752GB iv. Type quit.

3. Reboot the VM Direct appliance by typing systemctl reboot.

4. Log in to the console as the root user.

NOTE: If you use ssh protocol to connect to the VM Direct appliance, log in with the admin account, and then use the

su command to change to the root account.

5. Grow the xfs file system by typing xfs_growfs -d /data01.

6. Confirm the new partition size by typing df -h.

Modify the system disk size

Follow these steps to expand the size of a data disk when the log partition is the last partition on the system disk.

Steps

1. Perform the following steps from the vSphere Web Client:

a. Right-click the VM Direct appliance and select Shut Down Guest OS. b. After the power off completes, right-click the appliance and select Edit Settings.

The Edit Settings window appears with the Virtual Hardware button selected. c. Increase the provisioned size of Hard disk 1 to the desired size, and then click OK.

NOTE: You cannot decrease the provisioned size of the disk.

d. Right-click the VM Direct appliance and select Power On.

2. Boot from a SuSE Linux Enterprise Server (SLES) version 12 CD.

3. Start the partition utility, by typing parted, and then perform the following tasks.

a. Type select /dev/sdx.

126 Modifying the System Settings

b. Type print. If you are prompted to fix issues, type fix at each prompt. The output displays the new disk size in the Size field and the current size in the table.

c. Type quit.

4. Reboot the VM Direct appliance by typing systemctl reboot.

5. Log in to the console as the root user.

NOTE: If you use ssh protocol to connect to the VM Direct appliance, log in with the admin account, and then use the

su command to change to the root account.

6. Grow the xfs file system by typing xfs_growfs -d /data01.

7. Confirm the new partition size by typing df -h.

Configure the DD system

Prerequisites

Before you can use DD to protect the system, use NFS to export the MTree that PowerProtect Data Manager uses on the DD system. The setup on the DD system requires that you add the PowerProtect Data Manager client with no_root_squash.

Steps

1. Use a web browser to log in to the DD System Manager as the system administrator.

2. In the Summary tab, Protocols pane, select NFS export > create export. The Create NFS Exports window appears.

3. In the Create NFS Exports window:

a. In the Export Name field, specify the name of the DD MTree. b. If you have not yet created the DD MTree, follow the prompts to create the MTree and click Close. c. In the Directory path field, specify the full directory path for DD MTree that you created. Ensure that you use the same

name for the directory. d. Click OK.

A message appears to indicate that the NFS export configuration save is in progress and then complete. e. Click Close.

Virtual networks (VLANs) PowerProtect Data Manager can separate management and backup traffic onto different virtual networks (VLANs). Virtual networks help to improve data traffic routing, security, and organization.

The default configuration routes the management traffic over the same network as backup traffic. All assets are part of the same network.

Finance

Marketing

Sales

PPDM

Data Domain

Backup control traffic Backup data traffic

Figure 6. Flat network

Modifying the System Settings 127

You can also configure virtual networks to separate management traffic from backup traffic. This configuration can also segregate traffic that originates from different networks. In that case, you can use the same virtual network for management and backup traffic, or separate virtual networks for each.

Finance

Marketing

Sales

PPDM

Data Domain

Backup control traffic

Backup data traffic

Figure 7. Virtual networks

To use virtual networks with PowerProtect Data Manager, you must configure the DD and network infrastructure before you configure the PowerProtect Data Manager or assign networks to assets.

Configuration follows a multistep workflow:

1. Configure the virtual network on the DD. 2. Add the DD as storage and name the network interface. 3. Add the virtual network to the PowerProtect Data Manager. 4. Register the assets with the PowerProtect Data Manager. 5. Create a protection policy (or edit an existing policy) and assign the preferred virtual network. 6. Optionally, assign the virtual network to individual assets. This action overrides any preferred virtual network that you may

have specified through a protection policy.

The initial steps to configure and add each virtual network are one-time events. The subsequent steps to assign virtual networks to protection policies or assets happen as required.

Configuration is nondisruptive. You can add, edit, or delete virtual networks without affecting background activities, disconnecting network interfaces, or affecting the PowerProtect Data Manager user interface.

PowerProtect Data Manager logs network changes in the audit log. Failed network changes appear in the System alerts.

Supported scenarios

PowerProtect Data Manager 19.6 supports virtual networks for the following use cases:

Virtual machine backups Database backups Exchange backups File system backups Replication Disaster recovery Cloud DR Storage Data Management

Virtual network prerequisites

Before you configure a virtual network, complete the following actions:

Register the vCenter server on which the PowerProtect Data Manager is deployed. You can verify this on the vCenter tab of the Asset Sources page.

128 Modifying the System Settings

Configure the network switch port for trunk mode. This setting allows the port to carry traffic for multiple VLANs. Enable Virtual Guest Tagging (VGT) mode on the VMware ESXi virtual network switch port for the PowerProtect Data

Manager. Configure the virtual switch port for VLAN ID 4095.

You can use a standard port group or a distributed port group. The VMware ESXi documentation provides more information.

Configure a VLAN interface for the DD through the Interfaces tab on the Hardware > Ethernet window in the DD System Manager. The DD documentation provides more information.

Dell Technologies recommends that you choose an interface name that incorporates the VLAN ID. For example, the interface name ethV1.850 for VLAN ID 850.

Add the DD as protection storage for the PowerProtect Data Manager.

PowerProtect Data Manager does not verify the network switch configurations. If the physical or virtual network switch is incorrectly configured, then virtual network configuration fails.

Configuring virtual networks

The following topics create and maintain virtual networks in PowerProtect Data Manager for use with assets on different VLANs.

PowerProtect Data Manager names each virtual network in two places: the interface to the DD system and the interface to the protected assets. These names are not required to match. However, Dell Technologies strongly recommends that you use the same network name in both locations for each virtual network. Record each network name for later use.

Dell Technologies also recommends that you choose network names that incorporate the VLAN ID. For example, sales- vlan850 for VLAN ID 850.

Adding a virtual network includes creating a pool of static IP addresses. PowerProtect Data Manager uses these addresses for the local interfaces to the virtual network and for any VM Direct Engines that you deploy on this network. Ensure that you have enough IP addresses available on each network to meet this requirement. To prepare for future expansion, you can add more IP addresses than are initially required.

Name the virtual network for the DD system

After you add the DD as protection storage, name the virtual network between the PowerProtect Data Manager and the DD system. To rename a virtual network (edit the network name), repeat these steps.

Steps

1. In the PowerProtect Data Manager, go to Infrastructure > Storage. The Storage page opens.

2. On the Protection Storage tab, select the DD system, and then select Name Network. The Name Network window opens and displays a list of known network interfaces, assigned IP addresses, and link speeds.

3. Identify the interfaces for each new virtual network, and then type names for the virtual networks in the corresponding fields.

4. Click Save. The PowerProtect Data Manager stores the network names.

Add a virtual network

Configure a new virtual network for use with assets and protection policies.

About this task

Each new virtual network requires at least one IP address for a PowerProtect Data Manager network interface. Review the Number of IP addresses needed field before you supply the required static IP addresses.

Steps

1. In the PowerProtect Data Manager, go to Infrastructure > Networks. The Networks page opens.

2. Click Add.

Modifying the System Settings 129

The Add Network wizard opens.

3. In the Network Name field, type the name of the new virtual network.

Dell Technologies recommends that you keep the network names consistent for each VLAN.

4. In the VLAN ID field, type the numeric value 1 through 4094 that corresponds to the underlying VLAN.

5. Provide the applicable Subnet Mask and MTU (maximum transmission unit) values for the virtual network.

Allowable MTU values range from 1500 to 9000.

6. For the Static IP Pools field, provide the indicated number of reserved IP addresses for PowerProtect Data Manager to use for communication on this virtual network.

To add values to the pool, type an IP address or range, and then click Save. To remove values from the pool, select a value from the pool, and then click Delete.

You can type each IP address separately, or you can provide an IP address range in the form 10.1.1.4-10.1.1.10.

7. Verify that the static IP address pool contains enough addresses to add the virtual network.

8. Click Next. The Add Network wizard moves to the Routes page.

9. If applicable, click Add to define any required routes.

The Add Routes page opens. Complete the following substeps:

a. Select a route type:

If you select Subnet, define the subnet in CIDR format. For example, 10.0.0.0/24. If you select Host, type the IP address.

b. Type the IP address of the default gateway through which PowerProtect Data Manager should reach the subnet or host. c. Click Add.

The Add Routes page closes. The Routes list displays the new route. d. Review the route information.

If any parameters are incorrect, select the checkbox for that route and then click Delete.

e. Repeat these substeps for any additional required routes.

10. Click Next. The Add Network wizard moves to the Summary page.

11. Verify the network configuration information, and then click Finish. The Add Network wizard closes. The Networks page displays the new network with the Initiating status.

Next steps

PowerProtect Data Manager may take a short time to configure the virtual network.

If the virtual network status changes to Failed, then a corresponding system alert contains more information about the cause of the failure. Troubleshoot the failure and then complete one of the following actions:

If the failure was caused by a configuration issue, click Edit to update the network configuration. If the failure was transient or had an external cause, and the configuration is correct, click Retry to use the same settings.

View the details of a virtual network

If the virtual network name is ambiguous or does not contain the VLAN ID, you can view the details to further identify the virtual network before making changes.

Steps

1. In the PowerProtect Data Manager, go to Infrastructure > Networks. The Networks page opens.

2. Locate the row that corresponds to the appropriate virtual network.

The columns for each row indicate the associated VLAN ID and network status.

3. Click for that row.

The Details pane opens to the right.

This pane contains information about the virtual network configuration, such as the assigned IP address for the PowerProtect Data Manager backup interface to that network, and any configured routes.

130 Modifying the System Settings

4. Click X to close the details pane.

Edit a virtual network

You can change any parameter for a virtual network without deleting the network. For example, to add more IP addresses to the static IP pool.

Prerequisites

If an IP address from the static IP pool is already in use, you cannot remove the address from the pool.

Steps

1. In the PowerProtect Data Manager, go to Infrastructure > Networks. The Networks page opens.

2. Locate the row that corresponds to the appropriate virtual network, and then click the radio button to select that row. The PowerProtect Data Manager enables the Edit and Delete buttons.

3. Click Edit. The Edit Network wizard opens to the Summary page.

4. Click Edit for the Configuration or Routes sections. The Edit Network wizard moves to the Configuration or Routes page.

5. Modify the appropriate network parameters, and then click Next. The Edit Network wizard moves to the Summary page.

6. Verify the network configuration information, and then click Finish.

The Edit Network wizard closes. The Networks page reflects the updated information, where applicable.

You may need to view the details for the virtual network to verify some changes.

Delete a virtual network

Although optional, Dell Technologies recommends that you delete virtual networks when they are no longer required.

Prerequisites

Unassign the virtual network from any applicable assets. Disable all VM Direct Engines that are configured to use the virtual network.

Steps

1. In the PowerProtect Data Manager, go to Infrastructure > Networks. The Networks page opens.

2. Locate the row that corresponds to the appropriate virtual network, and then click the radio button to select that row. PowerProtect Data Manager enables the Edit and Delete buttons.

3. Click Delete.

4. Verify the network information, and then click OK to acknowledge the deletion warning. The PowerProtect Data Manager removes the virtual network from the list on the Networks page.

Virtual network asset assignment

Assignments identify which assets should use each virtual network. There are two methods to associate an asset with a virtual network:

By protection policy

You can configure the PowerProtect Data Manager to choose a preferred virtual network for all assets on a protection policy.

By asset

You can assign virtual networks to individual assets. This method is optional and overrides any virtual network assignment from a protection policy. Assets which are not individually assigned automatically use the preferred virtual network.

Modifying the System Settings 131

You can use this method to specify a virtual network for any asset. However, this method is especially suited to configuring assets which are exceptions to the rule. You can also split assets on the same application host across multiple virtual networks. For example, when an asset has its own network interface or belongs to another department.

Dell Technologies recommends that you assign assets to virtual networks by protection policy, where possible.

Before you assign an asset, perform the following actions:

Test connectivity from the asset host to the PowerProtect Data Manager by pinging the PowerProtect Data Manager IP address on that virtual network.

Register the asset source with the PowerProtect Data Manager. Approve the asset source.

Assign a virtual network by protection policy

The following steps apply a virtual network to an existing protection policy. You can also assign a virtual network when you create a protection policy.

About this task

The Network Interface field selects the network interface for communication with the destination DD system. This network carries the backup data.

Steps

1. In the PowerProtect Data Manager, go to Protection > Protection Policies. The Protection Policies page opens.

2. Locate an existing protection policy for which you want to configure a virtual network.

3. Select the radio button for the protection policy, and then click Edit. The Edit Policy wizard opens to the Summary page.

4. In the Schedule block, click Edit. The Edit Policy wizard moves to the Schedule page.

5. Select the checkbox for the appropriate schedule.

6. In the Network Interface field, select the correct virtual network from the list.

Each list entry indicates the interface name, interface speed, and virtual network name.

If the network was not named, a combination of the interface name and VLAN ID replaces the virtual network name. For example, ethV1.850. An interface without a virtual network name behaves as if a virtual network was not configured.

7. Click Next. The Edit Policy wizard moves to the Summary page.

8. Verify the policy information, and then click Finish.

Ensure that the selected assets are part of the virtual network.

The Edit Policy wizard closes.

9. Click OK to acknowledge the update, or click Go to Jobs to monitor the update.

Assign a virtual network by asset

This procedure is optional. You can assign a virtual network for individual assets or for all assets on a particular application host.

About this task

This setting overrides the network assignment from the protection policy. If the PowerProtect Data Manager cannot use this network assignment for any reason, the setting falls back to the assignment from the protection policy.

NOTE: You cannot back up individual assets across different networks on the same protection policy and application host.

Instead, create a separate protection policy for the assets on each network.

Steps

1. In the PowerProtect Data Manager, go to Infrastructure > Assets.

132 Modifying the System Settings

The Assets page opens.

2. Locate the appropriate assets from the list on any tab.

Use the checkbox to select each asset. You can select more than one asset at a time.

3. Click More Actions > Assign Network. The Associated Assets window opens.

4. To use the virtual network for all assets on the same application host, click Include.

Otherwise, to use the virtual network for only the selected assets, click Do Not Include. Consider whether you require a separate protection policy for assets on different networks.

The Assign Network window opens.

5. Select a virtual network from the Network Label list, and then click Save.

Results

The PowerProtect Data Manager applies the network selection to the selected assets. The Network column in the list of assets for each tab now indicates the selected virtual network.

Modifying the System Settings 133

PowerProtect Functionality Within the vSphere Client

Topics:

PowerProtect functionality within the vSphere Client Overview of the PowerProtect plug-in for the vSphere Client Overview of VASA and VMware Storage Policy Based Management

PowerProtect functionality within the vSphere Client The vSphere Client integrates with PowerProtect Data Manager to provide the following functionality:

PowerProtect portletWhen adding a vCenter Server as an asset source in the PowerProtect Data Manager UI, if you enable the vSphere Plugin option, a pane for PowerProtect appears in the vSphere Client. This pane provides a subset of PowerProtect Data Manager functionality, including the availability to perform a manual backup, image-level restore and file-level restore of PowerProtect Data Manager virtual machine protection policies.

Storage policy association with a PowerProtect Data Manager virtual machine protection policyvSphere Storage APIs for Storage Awareness (VASA) leverages VMware Storage Policy Based Management (SPBM) to support data protection operations, allowing you to pair SPBM policies that are created in the vSphere Client with protection policies that are created in PowerProtect Data Manager. This association allows you to manage all virtual machine storage and protection requirements in a centralized location (the vSphere Client), instead of requiring multiple user interfaces.

Overview of the PowerProtect plug-in for the vSphere Client When adding a vCenter Server in the PowerProtect Data Manager UI, if you enable the vSphere Plugin option, a subset of the UI functionality becomes available within the vSphere Client.

The PowerProtect Data Manager portlet appears when you select Hosts and Clusters or VMs and Templates in the left pane of the vSphere Client home page, and then select a virtual machine within the datacenter.

11

134 PowerProtect Functionality Within the vSphere Client

Figure 8. PowerProtect portlet in the vSphere Client

NOTE: If you were already logged into the vSphere Client when the vCenter discovery was started in PowerProtect Data

Manager, you must log out and log back in to see the PowerProtect Data Manager UI.

If the virtual assets in the vCenter have not yet been assigned to a PowerProtect Data Manager protection policy, only the PowerProtect name displays in the portlet. Adding the virtual machine to a protection policy provides additional information, as shown in the following figure.

Figure 9. PowerProtect portlet with protected virtual machine

After you set up a virtual machine protection policy, you can perform the following PowerProtect Data Manager functionality within the vSphere Client:

View information about protection policies and information about available protection copies. Monitor in-progress backup and restore operations for the virtual machine protection policy. You can also view information

for successfully completed protection copies that are available for restore. Perform a manual backup. Perform an image-level restore (Restore to Original, Restore to New, or Instant Access). Perform a file-level restore.

Prerequisites for enabling the vSphere Client PowerProtect plug-in

To use the vSphere Client PowerProtect plug-in for backup and restore operations, complete the following tasks in the vSphere Client and the PowerProtect Data Manager UI.

Add the vCenter ServerIn the PowerProtect Data Manager UI, select Infrastructure > Asset Sources, and move the vSphere Plugin slider to the right to enable the plug-in. Add a VMware vCenter Server on page 42 provides information.

PowerProtect Functionality Within the vSphere Client 135

Add privileges for the Virtual machine power user group (if you are already an administrator, this task is optional)In the vSphere Client, go to Administration > Roles, select the Virtual Machine power user (PPDM), and then open the Edit Role window . Add the following PowerProtect Data Manager privileges:

All PowerProtect restore privileges File Level Restore to Original Instant Access Restore to New Restore to Original

Figure 10. PowerProtect privileges added for the Virtual machine power user

NOTE: If you edit the vCenter Server in the PowerProtect Data Manager UI to unregister the vSphere Plugin for

PowerProtect Data Manager, these PowerProtect Data Manager privileges are not removed from the user group.

For the virtual asset (virtual machine, cluster, host) and all its child elements, add permissions to the Virtual machine power user group that you enabled with PowerProtect Data Manager privileges. To add these permissions, select the asset in the left pane of the vSphere Client, and then click the Permissions tab.

Add a virtual machine protection policy in the PowerProtect Data Manager UI Protection > Protection Policies window to schedule a backup of the virtual machines. Add a protection policy for a virtual machine on page 56 provides information.

Monitor PowerProtect Data Manager virtual machine protection copies

You can use the Monitor tab in the vSphere Client to view PowerProtect Data Manager protection copies that are available for restore, and monitor in-progress backup and restore operations for the PowerProtect Data Manager virtual machine protection policy.

With a virtual machine selected, in the Monitor tab's navigation pane, select PowerProtect > Protection Copies to view information about completed PowerProtect Data Manager protection policy backups for this virtual machine. This view is the same as the view in the PowerProtect Data Manager UI Infrastructure window. A copy map enables you to view the available protection copies when you click on the storage icon, as described in More options for managing virtual machine backups on page 60.

To view the status of active backup and restore operations initiated from the PowerProtect Data Manager UI or the vSphere Client, click the arrows icon in the lower right corner of the window to expand the Recent Tasks pane. You can also view this pane from the Summary window.

136 PowerProtect Functionality Within the vSphere Client

On-demand PowerProtect policy backup in the vSphere Client

You can back up one or more PowerProtect Data Manager virtual machine protection policies at any time by performing a manual (on-demand) backup in the vSphere Client.

Prerequisites

Ensure that you are logged in to the vSphere Client as an administrator. Add the Backup privilege to the Administrator group in the vSphere Client. To add the Backup privilege, complete the

following steps:

1. Select Administration > Roles. 2. Select Administrator, and then click Privileges in the right pane. 3. In the PowerProtect Backup section, select Backup.

Ensure that virtual machine assets have been added to a virtual machine protection policy. You cannot perform manual backups of unprotected virtual machines.

Steps

1. Select Hosts and Clusters or VMs and Templates in the left pane of the vSphere Client home page, and then select a virtual machine within the datacenter. The Summary window displays.

2. Perform a manual backup of a virtual machine protection policy by using one of the following methods:

In the left pane, right-click the virtual machine, and then select PowerProtect > Backup. Within the PowerProtect portlet, click Backup Now.

The vSphere Client starts the backup operation. A message appears indicating whether the request was processed successfully.

Results

An entry for the backup job appears in the Jobs > Protection window of the PowerProtect Data Manager UI. To view the status of operations, you can also click the arrows icon in the lower right corner of the window to expand the Recent Tasks pane.

Image-level restore of a PowerProtect backup in the vSphere Client

You can use the vSphere Client PowerProtect plug-in to perform an image-level restore of a PowerProtect Data Manager virtual machine protection policy backup.

About this task

Available image-level restore options in the vSphere Client include:

Restore to OriginalRestore the virtual machine to the original location on the same vCenter. Restore Individual Virtual DisksRestore selected VMDKs to the original location on the same vCenter. Restore to NewRestore the virtual machine to a new location on the original vCenter or a different vCenter. Instant AccessRestore the backup as a live virtual machine to view the backup and then determine whether you want to

do a full restore. Instant Access sessions are made available for a default period of 7 days, which can be extended.

Steps

1. Select Hosts and Clusters or VMs and Templates in the left pane of the vSphere Client home page, and then select a virtual machine within the datacenter.

2. In the Summary window, access the backup copy by using one of the following methods:

In the left pane, right-click the virtual machine, and then select PowerProtect > Restore. Within the PowerProtect portlet, click Restore.

3. On the Select Copy page, for each virtual machine that is listed in the table, select the radio button next to the virtual machine and click Choose Copy. The Choose Copy dialog appears.

PowerProtect Functionality Within the vSphere Client 137

NOTE: If you click Next without choosing a copy, the most recent backup copy is used.

4. In the Choose Copy dialog:

a. Select the storage icon to access the backup copies. b. Choose from one of the available copies that appears in the table. c. Click OK to close the dialog and return to the Select Copy page. d. Click Next.

5. On the Purpose page, select from one of the following options:

Restore Entire VMsSelect this option if you want to restore the entire virtual machine. Restore Individual Virtual DIsksSelect this option if you want to restore only specific virtual machine disks (VMDKs).

NOTE: Individual VMDKs can only be restored to the original location.

6. Click Next. If restoring entire virtual machines, the Restore Type page appears. If restoring individual VMDKs, the Select Disks page appears.

7. On the Restore Type page, select from one of the available restore types.

For Instant Access restore, review the section Instant access virtual machine restore on page 85. For Restore to New, review the section Restore to new virtual machine on page 83. For Restore to Original, review the section Restore and Overwrite original virtual machine on page 81. For Restore Individual Virtual Disks, review the section Restore individual virtual disks on page 82.

The wizard updates to display the options specific to the restore type that you selected. NOTE: Options such as vCenter, resource pool, and datastore are limited to the logged-in vSphere user's permissions,

and are not necessarily the same as a PowerProtect Data Manager administrator.

8. Click Next. The Summary page appears.

9. Review your selections and then click Restore.

Results

An entry for the restore job appears in the Recent Tasks pane of the vSphere Client and in the Recovery > Running Activities window of the PowerProtect Data Manager UI.

Next steps

For Instant Access restores, when the virtual machine is powered on and you select the virtual machine in the left pane of the Summary window, the session information appears within the PowerProtect portlet. If you need extra time for this session, you can click Extend Session and increase session availability by up to 7 days.

File-level restore of a PowerProtect backup in the vSphere Client

You can use the PowerProtect portlet in the vSphere Client to perform a file-level restore of a PowerProtect Data Manager virtual machine protection policy backup.

Prerequisites

Note the following before performing file-level restore in the vSphere Client:

A minimum vCenter version 6.7 U1 is required. Review the section Supported platform versions for file-level restore for supported platform and operating system versions. Review the section File-level restore and SQL restore limitations on page 189. Ensure that the FLR Agent is installed on the target virtual machine by logging into the virtual machine and verifying that

the agent package is installed and the agent process is running. If the FLR Agent is not installed, the installation is initiated automatically when you start the mount.

When installing the FLR Agent on Windows virtual machines, the user must be an administrator account. When installing the FLR Agent on Linux virtual machines, the user must be the root user account. The section FLR Agent for virtual machine file-level restore on page 187 provides more information.

NOTE:

138 PowerProtect Functionality Within the vSphere Client

For file-level restores, you can only restore files:

From a Windows backup to a Windows machine, or from a Linux backup to a Linux machine.

To virtual machines within the same vCenter.

About this task

Available file-level restore options in the vSphere Client include:

Restore single or multiple files to the original folder and overwrite the original files within the same virtual machine, or Restore single or multiple files to a new folder with a new name within the same virtual machine.

Steps

1. Select Hosts and Clusters or VMs and Templates in the left pane of the vSphere Client home page, and then select a virtual machine within the datacenter. The Summary window displays.

2. Access the backup copy by using one of the following methods:

In the left pane, right-click the virtual machine, and then select PowerProtect > File Level Restore. Within the PowerProtect portlet, click File Level Restore.

3. On the Select Copy page, for each virtual machine that is listed in the table, select the radio button next to the virtual machine and click Choose Copy.

The Choose Copy dialog appears.

NOTE: If you click Next without choosing a copy, the most recent backup copy is used.

4. In the Choose Copy dialog:

a. Select the storage icon to access the backup copies. b. Choose from one of the available copies that appears in the table. c. Click OK to close the dialog and return to the Select Copy page. d. Click Next.

5. On the Mount Copy page:

a. To initiate the disk mount, type the guest operating system user credentials:

If there are administrator-level credentials associated with the virtual assets or protection policy being restored, specify end-user credentials.

If there are no administrator-level credentials associated with the virtual assets or protection policy being restored, specify administrator credentials. These credentials will be handled as end-user credentials.

b. (Optional) Leave Keep FLR Agent Installed selected when you want the FLR Agent to remain on the destination virtual machine after the restore completes.

c. Click Start Mount to initiate the disk mount.

If not already installed, the FLR Agent is installed on the target virtual machine. A progress bar indicates when the mount completes.

NOTE: You cannot browse the contents of the virtual machine backup until the mounting of the destination virtual

machine completes successfully.

d. Upon successful mount, click Next.

6. On the Select Files to Recover page:

a. Expand individual folders to browse the original virtual machine backup, and select the objects that you want to restore to the destination virtual machine.

b. Click Next.

NOTE: In the browse view, each directory or hard drive appears twice. Selecting an object from one location selects the

object in the duplicate location as well.

7. On the Options page, select from one of the following options:

Restore to Original Folder and Overwrite Original FilesSelect this option to restore all selected files to their original location on the original virtual machine.

Restore to an Alternate FolderSelect this option if you want to restore to a new folder in a new location on the original virtual machine.

PowerProtect Functionality Within the vSphere Client 139

8. Click Next. If performing the restore to the original virtual machine, the Summary page displays. You can go to the final step. If performing the restore to an alternate location on the original virtual machine, the Restore Location page displays.

9. On the Restore Location page:

a. Browse the folder structure of the virtual machine to select the new folder where you want to restore the objects. b. Click Next.

10. On the Summary page:

a. Review the information to ensure that the restore details are correct. You can click Edit next to the Restore Location or Files Selected rows to change the information.

b. Click Restore.

Results

An entry for the restore job appears in the Recent Tasks pane of the vSphere Client and in the Recovery > Running Activities window of the PowerProtect Data Manager UI.

Overview of VASA and VMware Storage Policy Based Management vSphere Storage APIs for Storage Awareness (VASA) is a set of application program interfaces (APIs) that allow arrays to integrate with vCenter for management functionality. Storage Vendor Providers allow the vCenter Server to retrieve information from storage arrays, including topology, capabilities (such as native thin provisioning and deduplication), and status. The policy-based management functionality of a VASA provider helps administrators choose the appropriate storage device, and monitors and reports information about existing storage policies.

Starting in vSphere version 7.0 U1, VASA support is extended to Data Protection operations by leveraging VMware Storage Policy Based Management (SPBM). SPBM spans all storage offerings from VMware, allowing policies to provision and manage storage for any virtual machine application. The integration of PowerProtect Data Manager and SPBM allows you to:

Pair SPBM policies with protection policies, allowing you to meet virtual machine storage and protection requirements within vSphere without requiring the PowerProtect Data Manager UI for data protection operations.

Add new or existing virtual assets to an SPBM policy. You can also reassign these assets and remove them from the policy. View policy compliance status, including data protection policy information. Protect virtual machines at scale, allowing you to manage capacity resources and overcome challenges such as capacity

planning and different service level requirements.

Enabling VASA and SPBM within the vSphere Client for integration with PowerProtect Data Manager requires you to perform the following:

Register the VASA provider to allow for storage provisioning information flow between PowerProtect Data Manager and the vCenter Server.

Select the PowerProtect Data Manager storage awareness provider within the vCenter Server storage policy component creation workflow, which exposes the list of available PowerProtect Data Manager virtual machine protection policies.

Assign the PowerProtect Data Manager protection policy to an SPBM policy, which is automatically assigned to virtual machines when they are represented by an instance.

Monitor the status of storage compliancy of the virtual assets protected by these PowerProtect Data Manager policies.

Register the VASA provider for policy association

The following procedure describes how to register the VASA provider to enable PowerProtect Data Manager communication with the vCenter Server and use the provider to enable an association between a virtual machine storage policy and a PowerProtect Data Manager virtual machine protection policy.

Prerequisites

The vSphere version must be a minimum 7.0 U1.

Steps

1. In the vSphere Client, go to Menu > Hosts and Clusters.

140 PowerProtect Functionality Within the vSphere Client

2. In the left pane, select the vCenter Server, and then select the Configure tab.

3. Under Security, select Storage Providers, and then click + Add. The New Storage Provider dialog appears.

4. On the New Storage Provider dialog:

a. Specify a name for the provider. b. Specify a URL in the format https://my-ppdm.example.com:9009/vasa/version.xml, where my-

ppdm.example.com is the PowerProtect Data Manager fully qualified hostname. c. Provide PowerProtect Data Manager administrator level credentials, and then click OK.

Administrator credentials are only required for the initial login to perform the registration. Subsequent log-in attempts use certificates.

If the vCenter Server does not trust the SSL certificate of the PowerProtect Data Manager server, a prompt appears, asking if you want to accept the certificate as trusted. You can trust this certificate, or alternatively, you can securely obtain a copy of the certificate as a file, and then click Browse within this prompt to select and trust the certificate. The vCenter documentation provides more information.

NOTE: For self-signed or untrusted certificates, an error might appear. You can dismiss and ignore this error.

5. Provide PowerProtect Data Manager administrator level credentials, and then click OK. The dialog updates to indicate that the registration is in progress. If the vCenter Server does not trust the SSL certificate of the PowerProtect Data Manager server, a prompt displays to accept the certificate as trusted. You can trust this certificate, or alternatively, you can securely obtain a copy of the certificate as a file, and then click Browse within this prompt to select and trust the certificate. The vCenter documentation provides more information.

NOTE: For self-signed or untrusted certificates, an error might appear. You can ignore this error.

6. When the registration is complete, click OK to exit the New Storage Provider dialog. The Configure tab updates to display the new VASA provider.

Results

You can now use the vSphere Client to create a virtual machine storage policy and associate this policy with an existing PowerProtect Data Manager virtual machine protection policy.

NOTE: If the provider goes offline at any point, you can select the provider in the table and click Rescan to reestablish a

connection. Also, If the provider is removed and then readded, any policies that were previously assigned to the provider are

restored.

Add an SPBM policy and associate with a PowerProtect Data Manager virtual machine policy

Use the vSphere Client to create a virtual machine storage policy and associate this policy with an existing PowerProtect Data Manager virtual machine protection policy.

Steps

1. In the vSphere Client, select the vCenter Server in the left pane.

2. Go to Menu > Policies and Profiles.

3. In the left pane, select VM Storage Policies, and then click Create in the right pane. The Create VM Storage Policy wizard appears.

4. Provide a name and description that helps identify this policy as a storage policy that you want to associate with a PowerProtect Data Manager protection policy, and then click Next.

5. On the Policy Structure page, select Enable host based rules, and then click Next.

6. On the Host based services page, select the Data Protection tab, and then perform the following:

a. Select Custom. b. From the Provider list, select DellEMC PowerProtect as the registered provider. c. From the PPDM Protection Policy list, select an existing PowerProtect Data Manager virtual machine protection policy

that you want to associate with this storage policy.

NOTE: Dell Technologies recommends that you use a descriptive name for the PowerProtect Data Manager virtual

machine protection policy so that the purpose is easy to identify, since the vSphere Client does not provide policy

PowerProtect Functionality Within the vSphere Client 141

details within the PowerProtect portlet. If you decide to rename the PowerProtect Data Manager policy at any

point, the association is retained since the UUID of the policy is used to create the connection.

d. Click Next.

7. Complete the storage policy details, and click Finish.

Results

The VM Storage Policies window displays the new storage policy in the table. An association is created between the PowerProtect Data Manager policy and the virtual machine storage policy, and the PowerProtect portlet in the vSphere Client updates to display the PowerProtect Data Manager protection policy. You can now perform manual backups and scheduled restores of the virtual assets in this policy.

When you assign the new storage policy to a virtual machine, that virtual machine should automatically be assigned to the associated PowerProtect Data Manager protection policy as well. Also, if you are creating a new virtual machine, you can assign a storage policy to the new virtual machine during this process.

NOTE: You can create separate storage policies for each virtual machine disk, but only the policy that is associated with the

virtual machine is used for data protection.

NOTE: If you want to remove a virtual machine from protection, assign the virtual machine to a different policy, or to the

Datastore Default policy.

Monitor virtual machine protection policy compliance

You can use the Storage Policies portlet within the vSphere Client to monitor the compliance of virtual assets in PowerProtect Data Manager virtual machine protection policies.

To access the portlet:

Select the Summary tab, or Select the Configure tab, select a virtual machine in the left pane, and then click Policies.

If a virtual asset was unassigned from the policy within PowerProtect Data Manager, the policy displays as Non-compliant.

142 PowerProtect Functionality Within the vSphere Client

Configuring VMware Cloud on Amazon Web Services

Topics:

PowerProtect Data Manager image backup and recovery for VMware Cloud on AWS Configure the VMware Cloud on AWS web portal console Amazon AWS web portal requirements Interoperability with VMware Cloud on AWS product features vCenter server inventory requirements VMware Cloud on AWS configuration best practices Add a VM Direct Engine Protection and recovery operations Interoperability with VMware Cloud on AWS product features Unsupported operations in VMware Cloud on AWS Troubleshooting VMware Cloud on AWS

PowerProtect Data Manager image backup and recovery for VMware Cloud on AWS PowerProtect Data Manager provides image backup and restore support for VMware Cloud on Amazon Web Services (AWS).

Using PowerProtect Data Manager to protect virtual machines that are running in VMware Cloud on AWS is similar to how you protect the virtual machines in an on-premises data center. This section provides information on network configuration requirements, PowerProtect Data Manager best practices for VMware Cloud on AWS, and unsupported PowerProtect Data Manager operations for VMware Cloud on AWS.

To perform data protection and disaster recovery tasks in VMware Cloud on AWS, consider the following recommendations and requirements for the backup infrastructure deployment:

Deploy PowerProtect Data Manager in a VMware Cloud on AWS environment. Deploy the VM Direct Appliance in VMware Cloud on AWS environment. Deploy at least one VM Direct Appliance for each

SDDC cluster in the VMware Cloud on AWS. Clone backups to another DD system running either in the same AWS geographical location or in a different AWS

geographical location. This type of deployment enables backup copies to be stored for longer retention, leveraging the AWS network for transferring data at lower latency and cost when compared to the public Internet.

Store backups outside of the VMware Cloud on AWS environment. For example, store backups on the Amazon AWS VPC. This type of deployment enables efficient data transfer over the fast ENI connection that is used by VMware to communicate with Amazon AWS.

Clone your backups to another DD system that is running either in the same AWS geographical location or in a different AWS geographical location. This type of deployment enables backup copies to be stored for longer retention, leveraging the AWS network for transferring data at lower latency and cost when compared to the public Internet.

Configure the VMware Cloud on AWS web portal console Domain Name System (DNS) resolution is critical for deployment and configuration of PowerProtect Data Manager, the PowerProtect Data Manager external proxy, and the DD appliance. All infrastructure components should be resolvable through a

12

Configuring VMware Cloud on Amazon Web Services 143

Fully Qualified Domain Name (FQDN). Resolvable means that components are accessible through both forward (A) and reverse (PTR) lookups.

In the VMware Cloud on AWS web portal console, ensure that the following requirements are met:

By default, there is no external access to the vCenter Server system in the Software Defined Data Center (SDDC). You can open access to the vCenter Server system by configuring a firewall rule. To enable communication to the vCenter public IP address from the SDDC logical network, set the firewall rule in the compute gateway of VMware Cloud on AWS. If the firewall rule is not configured in the SDDC, PowerProtect Data Manager does not allow you to add the vCenter Server.

The default compute gateway firewall rules prevent all virtual machine traffic from reaching the internet. To enable the PowerProtect Data Manager virtual machine to connect to the internet, create a compute gateway firewall rule. This action enables outbound traffic on the logical network to which the PowerProtect Data Manager server virtual machine is connected.

Configure DNS to allow machines in the SDDC to resolve Fully Qualified Domain Names (FQDNs) to IP addresses belonging to the internet. If the DNS server is not configured in the SDDC, the PowerProtect Data Manager server does not allow you to add the vCenter Server by using the server's public FQDN or IP address.

It is recommended that you deploy the DD system as a virtual appliance in the Amazon Virtual Private Cloud (VPC). During the SDDC creation, connect the SDDC to an AWS account, and then select a VPC and subnet within that account.

The DD system running in the Amazon VPC must be connected to the VMware SDDC through the VMware Cloud Elastic Network Interfaces (ENIs). This action allows the SDDC, the services in the AWS VPC, and subnet in the AWS account to communicate without having to route traffic through the internet gateway.

The same ENI channel is recommended for access to DD systems.

For more information about configuring ENIs, see https://vmc.vmware.com/console/aws-link.

If DDVE is running in the Amazon VPC, configure the inbound and outbound firewall rules of the compute gateway for DD connectivity.

For detailed information on what incoming on outgoing ports need to be opened for PowerProtect-VM proxy solution, refer to the PowerProtect Data Manager Security Configuration Guide.

If using NSX-T, configure the DNS to resolve to the internal IP address of the vCenter server. Navigate to SDDC Management > Settings > vCenter FQDN and select the Private vCenter IP address so that you can directly access the management network over the built-in firewall. Additionally, ensure that you open TCP port 443 of the vCenter server in both the management gateway and the compute gateway.

Amazon AWS web portal requirements In the Amazon AWS web portal, ensure that the following requirements are met:

If a DD system is running in your Amazon VPC, configure the inbound and outbound firewall rules of your Amazon VPC security group to provide connectivity between the VMware SDDC compute gateway and DD connectivity.

If you are replicating from one DD system to another, configure the inbound rule for the security group in AWS to allow all traffic from the respective private IPs of the DD Virtual Editions running in your Amazon VPC.

If you have more than one DD instance running in AWS to perform replication, both DD systems must have the ability to ping each other using the FQDNs.

Interoperability with VMware Cloud on AWS product features VMware Cloud on AWS has certain restrictions on workloads and resource pools. To ensure proper operation, select the Workload an Compute sections in AWS.

Do not use the following non-accessible areas:

vSANdatastore datastore Management VMs folder in VMs and Templates view Mgmt-ResourcePool resource pool in Hosts and Clusters view

144 Configuring VMware Cloud on Amazon Web Services

vCenter server inventory requirements In the vCenter server inventory of your SDDC, ensure that the following requirements are met:

An internal DNS name lookup server must be running inside the vCenter inventory. This will be referenced by all the workloads running in the VMware SDDC.

The internal DNS server must have Forwarders enabled to access the internet. This action is required to resolve the vCenter Server's public FQDN. Forwarders are DNS servers that the server can use to resolve DNS queries for records that the server cannot resolve.

VMware Cloud on AWS configuration best practices For VMware Cloud on AWS support, ensure that the following requirements are met:

When deploying or configuring PowerProtect Data Manager or the VM Direct appliance, ensure that correct DNS server IP points to the internal DNS server that is running in the vCenter inventory.

Ensure that both forward and reverse lookup entries in the internal DNS server are in place for all of the required components, such as PowerProtect Data Manager, VM Direct appliance, and the DDVE appliance.

If using NSX-T, add the vCenter server toPowerProtect Data Manager by using the FQDN. If using NSX-V, add the vCenter server to PowerProtect Data Manager by using the public FQDN of the vCenter server. When adding the vCenter server to PowerProtect Data Manager, specify the login credentials for the cloudadmin@vmc.local

user. When configuring the VM Direct appliance in a VMware Cloud on AWS environment, ensure that you select the transport

mode as Hot Add only. VMware Cloud on AWS does not support the NBD transport mode.

Add a VM Direct Engine In the Protection Engines window, perform the following steps to deploy an external VM Direct Engine, also referred to as a VM proxy, to facilitate data movement for virtual machine protection policies.

Prerequisites

Review the sections Requirements for an external VM Direct engine on page 46 and Transport mode considerations on page 169.

If applicable, complete all of the virtual network configuration tasks before you assign any virtual networks.

About this task

The PowerProtect Data Manager software comes bundled with an embedded VM Direct Engine, which is automatically used as a fallback proxy for performing backups and restores when the added external proxies fail or are disabled. Dell EMC recommends that you deploy external proxies by adding a VM Direct Engine because the embedded proxy has limited capacity for performing parallel backups. An external VM Direct Engine for VM proxy backup and recovery can also provide improved performance and reduce network bandwidth utilization by using source-side deduplication.

Steps

1. In the VM Direct Engines pane of the Protection Engines window, click Add. The Add VM Direct Engines wizard displays.

2. On the Add VM Direct Engines page, complete the required fields, which are marked with an asterisk.

Gateway, IP Address, Netmask, and Primary DNSNote that only IPv4 addresses are supported. vCenter to DeployIf you have added multiple vCenter Server instances, select the vCenter on which to deploy the

VM Direct Engine.

NOTE: Ensure that you do not select the internal vCenter Server.

ESX Host/ClusterSelect on which cluster or ESXi host you want to deploy the additional VM Direct Engine. NetworkDisplays all the networks that are available under the selected ESXi Host/Cluster. For virtual networks

(VLANs), this network carries management traffic.

Configuring VMware Cloud on Amazon Web Services 145

Data StoreDisplays all datastores that are accessible to the selected ESXi Host/Cluster based on ranking (whether the datastores are shared, local, or NFS), and available capacity (the datastore with the most capacity appearing at the top of the list).

You can choose the specific datastore on which the VM Direct Engine will reside, or leave the default selection of to allow PowerProtect Data Manager to determine the best location to host the VM Direct Engine.

Transport ModeSelect from Hot Add or Network Block Device (NBD) transport modes, or select Hot Add, Failback to Network Block Device to default to Hot Add mode and fail back to NBD only if Hot Add cannot be used.

NOTE: When configuring the VM Direct Engine in a VMware Cloud on AWS environment, ensure that you select Hot

Add transport mode. VMware Cloud on AWS does not support NBD transport mode.

3. Click Next. The Networks Configuration page displays.

4. On the Networks Configuration page:

The Networks Configuration page configures the virtual network (VLAN) to use for backup data. To continue without virtual network configuration, leave the Preferred Network Portgroup selection blank and then click Next.

a. From the Preferred Network Portgroup list, select a VST (Virtual Switch Tagging) or VGT (Virtual Guest Tagging) network. If you select a VGT portgroup, the list displays all virtual networks within the trunk range. If you select a VST portgroup, the list displays only the virtual network for the current VLAN ID.

b. Select one or more virtual networks from the list.

A VM Direct Engine requires an IP address from the static IP pool for each selected virtual network. If there are not enough IP addresses in a pool, the wizard prompts you to supply additional addresses for that network.

c. If required, type an available static IP address or IP address range in the Additional IP Addresses column for the indicated virtual network.

For convenience when working with multiple virtual networks, you can also use one of the Auto Expand options:

Expand Last IPThe wizard increments the host portion of the last IP address in the static IP pool. Click Apply. Same Last DigitThe wizard adds the network portion of the IP address to the specified value. Type the host

portion of the IP address and then click Apply.

The wizard updates the value in the Additional IP addresses column for each selected network. Verify the proposed IP addresses.

d. Click Next.

5. On the Summary page, review the information and then click Save. The VM Direct Engine is added to the VM Direct Engines pane. Note that it can take several minutes before the new VM Direct Engine is registered in PowerProtect Data Manager. The VM Direct Engine will also appear in the vSphere Client.

Results

When an external VM Direct Engine is deployed and registered, it is used by PowerProtect Data Manager instead of the embedded VM Direct for any data protection operations involving virtual machine protection policies. If all external VM Direct Engines are unavailable, the embedded VM Direct Engine is used as a fallback to perform limited scale backups and restores. If you do not want to use an external VM Direct Engine that you have added, you can disable this engine. Additional VM Direct actions on page 48 provides more information.

Next steps

If the VM Direct Engine deployment fails, review the network configuration of PowerProtect Data Manager in the System Settings window to correct any inconsistencies in network properties. After successfully completing the network reconfiguration, you must delete the failed VM Direct Engine and then add the VM Direct Engine in the Protection Engines window.

When configuring the VM Direct Engine in a VMware Cloud on AWS environment, if the VM Direct Engine is deployed to the root of the cluster instead of inside the Compute-ResourcePool, you must move the VM Direct Engine inside the Compute- ResourcePool.

146 Configuring VMware Cloud on Amazon Web Services

Protection and recovery operations Using PowerProtect Data Manager to protect virtual machines that are running in VMware Cloud on AWS is similar to how you protect the virtual machines in an on-premises data center.

Once you complete the tasks to set up and run a virtual machine protection policy in PowerProtect Data Manager, you can perform the following PowerProtect Data Manager functionality:

In the Summary window, view information about protection policies and, if policies have been run in PowerProtect Data Manager, information about available protection copies.

In the Monitor window, actively monitor in-progress backup and restore operations for the virtual machine protection policy, and view information for successfully completed protection copies that are available for restore.

Perform a Restore to Original, Restore to New, or Instant Access restore. You can initiate a restore from the Monitor window, or by right-clicking a virtual machine and selecting PowerProtect > Restore.

Interoperability with VMware Cloud on AWS product features VMware Cloud on AWS has certain restrictions on workloads and resource pools. To ensure proper operation, select the Workload an Compute sections in AWS.

Do not use the following non-accessible areas:

vSANdatastore datastore Management VMs folder in VMs and Templates view Mgmt-ResourcePool resource pool in Hosts and Clusters view

Unsupported operations in VMware Cloud on AWS PowerProtect Data Manager image backup and restore in VMware Cloud on AWS does not currently support the following operations:

Application-consistent data protection for MS-SQL with the VM Direct appliance. File-level restore from an image-level backup. Instant access recovery of an image-level backup. Emergency restore (image-level restore directly to an ESXi host, bypassing the vCenter). Image-level backups and restores that use NBD or the NBDSSL transport mode. VM Direct appliance that is configured with dual-stack or IPv6. If a datacenter is placed inside a folder in the SDDC, image backup and restore is not supported. VM Backup and Recovery plugin (HTML5) for vSphere is not supported.

Troubleshooting VMware Cloud on AWS When restoring as new VM, the reconnect NIC option might not work correctly.

Workaround

1. Edit the settings of the restored new VM and change the network to "VM Network" and then click Apply. 2. Reopen the Edit Setting Configuration pane of the VM and then change the network to the correct NSX-T network

logical switch. 3. Click Connect.

Configuring VMware Cloud on Amazon Web Services 147

Upgrading the PowerProtect software

Topics:

Upgrading the PowerProtect software Upgrade PowerProtect Data Manager from 19.2 and later versions to version 19.6 Roadmap for upgrading PowerProtect Data Manager to the latest version

Upgrading the PowerProtect software This section provides instructions for upgrading the PowerProtect Data Manager software.

If you are upgrading PowerProtect Data Manager from version 19.2 or later to the latest version, follow the steps in Upgrade PowerProtect Data Manager from 19.2 and later versions to version 19.6 on page 148.

If you are upgrading PowerProtect Data Manager from 19.1 to the latest version, follow the steps in Roadmap for upgrading PowerProtect Data Manager to the latest version on page 151.

Upgrade PowerProtect Data Manager from 19.2 and later versions to version 19.6 Use this procedure to upgrade PowerProtect Data Manager from 19.2 and later versions to version 19.6 or to apply critical updates.

Prerequisites

NOTE: You cannot upgrade PowerProtect Data Manager version 19.1 directly to a version later than 19.3. To upgrade

PowerProtect Data Manager from version 19.1 to the latest version, follow the instructions in Roadmap for upgrading

PowerProtect Data Manager to the latest version on page 151

Download the upgrade package from Dell EMC Support Downloads and Drivers. Ensure that you have administrator credentials. Only a PowerProtect Data Manager administrator can initiate the upgrade. Check for running tasks and cancel them or allow them to complete. Disable any Protection Policies that are scheduled to run in the next few hours. For on-premise installations, take a manual snapshot of the VM in vCenter, or enable automatic snapshots. Ensure that the

vCenter hosting PowerProtect Data Manager is added as an asset source, and that the user account associated with the vCenter host has the following permissions:

Setting vCenter 6.0 and later required privileges PowerCLI equivalent required privileges

Global Manage custom attributes Set custom attributes

Global.ManageCustomFields Global.SetCustomField

Virtual Machine Snapshot Management

Create snapshot Revert to snapshot Remove snapshot Rename snapshot

VirtualMachine.State.CreateSnapshot VirtualMachine.State.RevertToSnapshot VirtualMachine.State.RemoveSnapshot VirtualMachine.State.RenameSnapshot

For cloud-based installations, perform a backup of the AWS instance or Azure VM. The AWS and Azure documentation provides instructions.

If you are upgrading from version 19.3, ensure that you run an ad hoc DR backup operation to back up the Search Service, which is not included in the automatic DR backup that runs before the upgrade.

13

148 Upgrading the PowerProtect software

About this task

You can upgrade the system by manually downloading upgrade packages or by connecting to an SRS gateway. When PowerProtect Data Manager is licensed and you have registered the SRS gateway host with PowerProtect Data Manager, you can upgrade using SRS. When an upgrade package is available, the packages are uploaded to the SRS gateway. The appliance checks the SRS gateway once a day for available upgrade packages or you can manually check for upgrade packages.

NOTE: If SRS is configured and a critical update is available in the SRS gateway, a notification appears in the UI. You can

also download available critical updates that appear in the Support Site section of the Upgrade page.

An upgrade package can upgrade one or more of the following:

The PowerProtect Data Manager, including application agent installers stored on the PowerProtect Data Manager virtual machine

External VM DIrect appliance Kubernetes support PowerProtect Search software Remote Cloud Disaster Recovery Server

In PowerProtect Data Manager, the upgrade process automatically stops most running jobs and puts the system into maintenance mode. If server Disaster Recovery is enabled, the system performs a Server DR backup. If automatic snapshots are configured, the upgrade process creates a VM snapshot of the system. If the upgrade fails or is aborted, the system uses the snapshot to roll back to the previous state. Once the system is rolled back or upgraded successfully, the snapshot is automatically deleted.

In PowerProtect Data Manager 19.5 and later, you can check if the PowerProtect Data Manager system is ready to upgrade by running a manual precheck. Run a manual precheck on page 150 provides more information.

NOTE:

When you upgrade PowerProtect Data Manager, you are accepting the terms of the latest product EULA. If Auto Support is

enabled, you are also accepting the latest Telemetry Software Terms. It is recommended that you review the Telemetry

Software Terms and EULA terms before continuing with the upgrade.

After you upload the upgrade package, the latest EULA (in both text and PDF format) and the Telemetry Software Terms

(in PDF format) are available in the /data01/brs/upgrade/eulas folder.

Steps

1. Log in to PowerProtect Data Manager with administrator credentials.

2. Select System Settings > Upgrade.

If there are downloaded packages, PowerProtect Data Manager lists the packages in descending date order. For any package, click the down arrow next to the package name to view details about the contents.

If you have registered SRS, the UI lists the latest available PowerProtect Data Manager upgrade package in the Support Site section on the Upgrade page.

3. If you have registered SRS, in the row for the upgrade package, click Download.

If you enabled PowerProtect Data Manager to automatically download upgrade packages in System Settings > Support > Secure Remote Services, PowerProtect Data Manager downloads the upgrade package automatically.

When the download is complete, the upgrade package appears in the Packages section.

4. If you have not registered SRS and you are using the manual package download method:

a. Click Upload Package. b. Browse to the path that contains the upgrade package, select the package, and then click Open. c. Wait until the package has fully downloaded, and then click OK.

5. When the upgrade package status indicates Available, click to start the upgrade.

NOTE: In PowerProtect Data Manager versions that are earlier than 19.5, click Perform Upgrade.

The upgrade manager runs a precheck.

If a critical issue is found, the upgrade is cancelled. Fix any issues and run the precheck to ensure that the issue is fixed. If non-critical issues are found, Dell EMC recommends that you fix any issues and run the precheck before proceeding

with the upgrade.

Upgrading the PowerProtect software 149

6. Click Continue, enter the lockbox passphrase if required, and click Yes to proceed. The upgrade begins. The browser is redirected to the Upgrade Manager UI on port 14443. This action enables you to monitor upgrade progress while the PowerProtect Data Manager components are shutdown for the upgrade.

NOTE: To monitor the update status if the connection to the appliance closes, connect to https:// IP_address_appliance:14443.

The Upgrade Manager status bar enables you to abort the upgrade, if necessary.

When the upgrade completes successfully, the browser is redirected back to the main PowerProtect Data Manager UI login page.

Results

The Upgrade page indicates the status of the upgrade.

If the upgrade fails, but PowerProtect Data Manager is still running:

1. Wait for the Upgrade Manager to finish processing. 2. Click Return to Dashboard and log in to view the issue. 3. Select System Settings > Upgrade. 4. Expand the package that was installed to view the issue that caused the failure:

If one or more core upgrades fail, the status of the upgrade package indicates Failed. If all core upgrades complete, but one or more non-core components, such as vProxies and Search Cluster are still

processing, the upgrade package status indicates Installed (Core). If all core upgrades complete, but one or more non-core components, such as vProxies and Search Cluster fail to

upgrade, the upgrade package status indicates Installed With Errors. 5. Fix the issue that caused the failure and run the precheck again.

If the precheck is successful, the package status changes to Available and the upgrade can be retried.

6. Retry the upgrade.

When you retry the upgrade, PowerProtect Data Manager only retries the components that failed.

If the upgrade fails and PowerProtect Data Manager is not running:

1. Click Export Logs to download the log files for troubleshooting. 2. If an automatic snapshot was taken, click Rollback to snapshot to restore the core PowerProtect Data Manager

system to its state before the upgrade.

3. On the Upgrade page, click to delete the failed upgrade package. 4. Review the log files to determine the cause of the failure.

If you can resolve the issues manually, try the upgrade again. If you cannot resolve the issues, contact Dell EMC Support.

Run a manual precheck

For PowerProtect Data Manager versions 19.5 and later, you can run a manual precheck to check if the PowerProtect Data Manager system is ready to upgrade or to verify that any issues that caused a previous precheck to fail are now resolved.

About this task

To run a manual precheck, complete the following steps:

Steps

1. Log in to PowerProtect Data Manager with administrator credentials.

2. Select System Settings > Upgrade.

3. To upload an upgrade package:

NOTE: You can skip this step if you have already uploaded the upgrade package.

a. Click Upload Package, browse to the path that contains the upgrade package, select the package, and then click Open. b. Wait until the package status is Available, and then click OK.

150 Upgrading the PowerProtect software

Click the down arrow next to the package name to view details about the contents.

4. To run the precheck, click in the Actions column.

When the precheck is complete, a dialog box lists any areas that require attention, such as indication that the upgrade is disruptive or requires a reboot. The dialog box also includes warnings about running tasks or active sessions that should be addressed before the upgrade. Click the links that are provided to go to the management page for the active events, where you can cancel them or allow them to complete before continuing.

The dialog box also indicates if any application agents managed by PowerProtect Data Manager are not compatible with the latest version of the PowerProtect Data Manager system. Manually upgrade the application agents to the latest version before you upgrade the PowerProtect Data Manager system.

If critical issues are found, the precheck fails and the upgrade cannot proceed. If non-critical issues are found, Dell EMC recommends that you fix any issues before proceeding with the upgrade.

Roadmap for upgrading PowerProtect Data Manager to the latest version Upgrading PowerProtect Data Manager from version 19.1 to 19.6 requires that you first upgrade PowerProtect Data Manager to 19.3, and then upgrade to version 19.6.

About this task

NOTE: You cannot upgrade PowerProtect Data Manager version 19.1 directly to a version later than 19.3.

The following roadmap provides the steps required to upgrade PowerProtect Data Manager to version 19.6.

Steps

1. Upgrade PowerProtect Data Manager from version 19.1 to 19.3.

Follow the steps in Upgrade the software from PowerProtect Data Manager version 19.1 on page 151

2. Upgrade PowerProtect Data Manager from version 19.3 to 19.6.

Follow the steps in Upgrade PowerProtect Data Manager from 19.2 and later versions to version 19.6 on page 148

Upgrade the software from PowerProtect Data Manager version 19.1

You cannot upgrade PowerProtect Data Manager version 19.1 directly to a version later than 19.3. Use this procedure to upgrade from PowerProtect Data Manager version 19.1 to version 19.2 or 19.3. You can then upgrade to version 19.4 or later.

Prerequisites

Download the upgrade package from Dell EMC Support Downloads and Drivers. Ensure that you have administrator credentials. Only an administrator can initiate the upgrade. Check for running tasks and cancel them or allow them to complete. Disable any Protection Policies that are scheduled to run in the next few hours. Take a snapshot of the system: Select the PowerProtect VM in the vSphere Client, right click, and then select Snapshot >

Take snapshot. Ensure that the vCenter hosting PowerProtect Data Manager is added as an asset source, and that the user account associated with the vCenter host has the following permissions:

Setting vCenter 6.0 and later required privileges PowerCLI equivalent required privileges

Global Manage custom attributes Set custom attributes

Global.ManageCustomFields Global.SetCustomField

Virtual Machine Snapshot Management

Create snapshot Revert to snapshot

VirtualMachine.State.CreateSnapshot VirtualMachine.State.RevertToSnapshot

Upgrading the PowerProtect software 151

Setting vCenter 6.0 and later required privileges PowerCLI equivalent required privileges

Remove snapshot Rename snapshot

VirtualMachine.State.RemoveSnapshot VirtualMachine.State.RenameSnapshot

About this task

An upgrade package can upgrade one or more of the following:

The PowerProtect Data Manager, including application agent installers stored on the PowerProtect Data Manager virtual machine

External VM DIrect appliance

NOTE:

When you upgrade PowerProtect Data Manager, you are accepting the terms of the latest product EULA. If Auto Support is

enabled, you are also accepting the latest Telemetry Software Terms. It is recommended that you review the Telemetry

Software Terms and EULA terms before continuing with the upgrade.

After you upload the upgrade package, the latest EULA (in both text and PDF format) and the Telemetry Software Terms

(in PDF format) are available in the /data01/brs/upgrade/eulas folder.

Steps

1. Log in to PowerProtect Data Manager with administrator credentials.

2. Select System Settings > Upgrade.

3. Click Upload Upgrade File, browse to the path that contains the upgrade package, select the package, and then click Open.

4. Wait until the package status is Available, and then click OK.

5. Optional: Click Perform upgrade.

A dialog box lists any areas that require attention, such as an indication that the upgrade is disruptive or requires a reboot and warnings about running tasks or active sessions that should be addressed before the upgrade. Click the links that are provided to go to the management page for the active events, where you can cancel them or allow them to complete before continuing.

NOTE: Although the upgrade can proceed even if jobs or IA sessions are active, it is not recommended.

The dialog box also lists any required certificates. Continuing indicates acceptance of the certificate.

6. Enter the Lockbox Passphrase, if required.

The upgrade begins. The browser is redirected to the Upgrade Manager UI on port 14443, which enables you to monitor upgrade progress while the PowerProtect Data Manager components are shut down for the upgrade.

NOTE: To monitor the update status if the connection to the appliance closes, connect to https:// IP_address_appliance:14443.

When the upgrade is successful, the browser is redirected back to the main PowerProtect Data Manager UI login page.

7. Log in toPowerProtect Data Manager and return to the Upgrade page to verify that the state of the upgrade is Installed.

Results

The overall package status covers critical upgrades for the PowerProtect Data Manager. Other subcomponents, such as Agents and vProxies, might still be processing or even fail, but the upgrade continues. You can view the state of each subcomponent by expanding the package that was installed.

NOTE: If the upgrade fails, you must delete the failed package before uploading a new package (or the same package) to

try again.

Next steps

If you created a manual snapshot, use the vSphere Client to delete the snapshot:

1. Right-click the appliance, and then select Manage Snapshots. 2. In the Manage Snapshots window, select the snapshot and click Delete.

152 Upgrading the PowerProtect software

NOTE: If you are planning to use Cloud DR, contact the Dell EMC Support team for assistance to enable Cloud DR failback

flow.

Upgrading the PowerProtect software 153

Configuring and Managing the PowerProtect Agent Service

Topics:

About the PowerProtect agent service Start, stop, or obtain the status of the PowerProtect agent service Register the PowerProtect agent service to a different server address Recovering the PowerProtect agent service from a disaster

About the PowerProtect agent service The PowerProtect agent service is a REST API based service that is installed by the application agent on the application host. The agent service provides services and APIs for discovery, protection, restore, instant access, and other related operations. The PowerProtect Data Manager uses the agent service to provide integrated data protection for the application assets.

This section uses to represent the PowerProtect agent service installation directory. By default, the agent service installation location is C:\Program Files\DPSAPPS\AgentService on Windows and /opt/dpsapps/agentsvc on Linux. All files that are referenced in this section are the relative paths to the agent service installation location.

The PowerProtect agent service performs the following operations:

Addon detectionAn addon integrates the application agent into the agent service. The agent service automatically detects the addons on the system for each application asset type and notifies the PowerProtect Data Manager. While multiple addons can operate with different asset types, only one agent service runs on the application host. Specific asset types can coexist on the same application host.

DiscoveryThe agent service discovers both stand-alone and clustered database servers (application systems), databases and file systems (assets), and their backup copies on the application agent host. After the initial discovery, when the agent service discovers any new application systems, assets, or copies, the agent service notifies the PowerProtect Data Manager.

Self-service configurationThe agent service can configure the application agent for self-service operations by using information that is provided by the PowerProtect Data Manager. When you add an asset to a protection policy for self- service or centralized protection, or modify the protection policy, including changing the DD Boost credentials, the PowerProtect Data Manager automatically pushes the protection configuration to the agents.

Centralized backupsThe agent service performs the centralized backups as requested by the PowerProtect Data Manager.

Centralized restoresThe agent service performs the centralized restores as requested by the PowerProtect Data Manager.

NOTE: In the current release, the centralized restores are only available for the File System agent, Microsoft SQL agent,

and Storage Direct agent.

Backup deletion and catalog cleanupThe PowerProtect Data Manager deletes the backup files directly from the protection storage when a backup expires or an explicit delete request is received and no dependent (incremental or log) backups exist. The PowerProtect Data Manager goes through the agent service to delete the catalog entries from the database vendor's catalog and the agent's local datastore.

NOTE: Deletion of any backup copies manually or through the command line is not recommended. PowerProtect Data

Manager deletes all the expired copies as needed.

The agent service is started during the agent installation by the installer. The agent service runs in the background as a service and you do not interact with it directly.

The config.yml file contains the configuration information for the agent service, including several parameter settings that you can change within the file. The config.yml file is located in the directory.

14

154 Configuring and Managing the PowerProtect Agent Service

The agent service periodically starts subprocesses to perform the discovery jobs. You can see the type and frequency of these jobs in the jobs: section of the config.yml file. The job interval unit is minutes.

The agent service maintains a datastore in the /dbs/v1 directory, which contains information about the application system, assets, and backups discovered on the system. The size of the datastore files depends on the number of applications and copies on the host. The agent service periodically creates a backup of its datastore in the /dbs/v1/backups directory, as used to recover the datastore if this datastore is lost.

NOTE: The size of each datastore backup is the same as the datastore itself. By default, a backup is created every hour. To

save space on the file system, you can reduce this datastore backup frequency for large datastores. By default, the

datastore backup is retained for one week. You can change the datastore backup frequency, retention period, and backup

location in the config.yml file.

Start, stop, or obtain the status of the PowerProtect agent service The PowerProtect agent service is started during the agent installation by the installer. If needed, you can use the appropriate procedure to start, stop, or obtain the status of the agent service.

On Linux, you can start, stop, or obtain the status of the agent service by running the register.sh script that is found in the directory.

To start the agent service:

# register.sh --start

Started agent service with PID - 1234 To stop the agent service:

# register.sh --stop

Successfully stopped agent-service. To obtain the status when the agent service is running:

# register.sh --status

Agent-service is running with PID - 1234 To obtain the status when the agent service is not running:

# register.sh --status

Agent-service is not running.

On Windows, you can start, stop, or obtain the status of the PowerProtect agent service from the Services Manager, similar to other Windows services. The name of the service in Services Manager is PowerProtect Agent Service.

Register the PowerProtect agent service to a different server address The PowerProtect agent service is registered to a particular PowerProtect Data Manager server during the agent installation by the installer. If needed, you can register the agent service to a different PowerProtect Data Manager server address.

The agent service can only be registered to a single PowerProtect Data Manager server. When you register the agent service to a new server, the agent service will automatically unregister from the previous server address.

On Linux, you can register the agent service to a different server address by running the register.sh script that is found in the directory.

Configuring and Managing the PowerProtect Agent Service 155

NOTE: The register.sh script stops the currently running agent service.

The following command prompts for the new IP address or hostname:

# register.sh

Enter the PowerProtect Data Manager IP address or hostname: 10.0.01

Warning: Changing IP of PowerProtect Server from 192.168.0.1 to 10.0.0.1

Started agent service with PID - 1234 The following command includes the new IP address on the command line:

# register.sh --ppdmServer=10.0.0.1

Warning: Changing IP of PowerProtect Server from 192.168.0.1 to 10.0.0.1

Started agent service with PID - 1234

On Windows, you can change the PowerProtect Data Manager server address by launching the agent installer and selecting the change option. Change the PowerProtect Data Manager service address from the Configuration Install Options page.

Recovering the PowerProtect agent service from a disaster You can perform self-service restores of application assets by using a file system or application agent, regardless of the state of the agent service or PowerProtect Data Manager. The information in the this section describes how to bring the agent service to an operational state to continue if a disaster occurs and the agent service datastore is lost.

The agent service periodically creates a backup of its datastore in the /dbs/v1/backups repository. If all these backups are lost, the agent service can still start. The agent service discovers all the application systems, assets, and backup copies on the system again, and notifies PowerProtect Data Manager. Depending on when the failure occurred, the agent service might not be able to find older backup copies for some asset types. As a result, the centralized deletion operations might fail when cleaning up the database vendor catalog or removing older backups that are taken before the asset is added to PowerProtect Data Manager.

By default, the agent service backs up consistent copies of its datastore files to the local disk every hour and keeps the copies for 7 days. Each time the agent service backs up the contents of the datastore, it creates a subdirectory under the /dbs/v1/backups repository. The subdirectories are named after the time the operation occurred, in the format YYYY-MM-DD_HH-MM-SS_epochTime.

By default, the datastore repository is on the local disk. To ensure that the agent service datastore and its local backups are not lost, it is recommended that you back up the datastore through file system backups. You can also change the datastore backup location to a different location that is not local to the system. To change the datastore backup location, update the values in the config.yml file.

Restore the PowerProtect Data Manager agent service datastore

Prerequisites

NOTE: Ensure that the agent service is powered off. Do not start the agent service until disaster recovery is complete.

About this task

You can restore the datastore from the datastore backup repository. If the repository is no longer on the local disk, restore the datastore from file system backups first.

To restore the datastore from a backup in the datastore backup repository, complete the following steps:

Steps

1. Move the files in the /dbs/v1 directory to a location for safe keeping.

156 Configuring and Managing the PowerProtect Agent Service

NOTE: Do not move or delete any /dbs/v1 subdirectories.

2. Select the most recent datastore backup.

The directories in the datastore backup repository are named after the time the backup was created.

3. Copy the contents of the datastore backup directory to the /dbs/v1 directory. After the copy operation is complete, the /dbs/v1 directory should contain the following files:

copies.db objects.db resources.db sessions.db

4. Start the agent service.

Configuring and Managing the PowerProtect Agent Service 157

Backup and Recovery of the vCenter Server

Topics:

Backup and recovery of the vCenter server vCenter deployments overview Protecting an embedded PSC Protecting external deployment models vCenter server restore workflow Platform Services Controller restore workfow Additional considerations Command reference

Backup and recovery of the vCenter server The following sections describe how to protect the vCenter server Appliance (VCSA) and the Platform Services Controllers (PSC). It is intended for virtual administrators who utilize the distributed model of the vCenter server and require protection of the complete vCenter server infrastructure.

vCenter deployments overview You can protect vCenter 6.5 deployments with PowerProtect Data Manager by using the vProxy appliance. The instructions in this section assume that the vCenter server and the Platform Services Controller (PSC) are deployed as virtual machines.

For the restores to complete successfully:

Ensure that these virtual machines use a fully qualified domain name (FQDN) with correct DNS resolution. Ensure that the host name of the machine is configured as an IP address. Note that if the host name is configured as an IP

address, the IP address cannot be changed.

There are mainly two types of vCenter deployments:

vCenter server Appliance/Windows Virtual Machine with an embedded PSC. vCenter server (also multiple) Appliance/Windows virtual machine with an external PSC.

This type has two sub categories:

vCenter server environment with a single external PSC. vCenter server environment with multiple PSC instances. This environment contains multiple vCenter server instances

registered with different external PSC instances that replicate their data.

Protecting an embedded PSC The following section describes backup and recovery options for protecting an embedded PSC.

Backup

You can perform a backup of an embedded PSC by using the following guidelines.

1. Create a protection policy, and then add the vCenter virtual machine to the protection policy. 2. Select the full virtual machine and not individual disks. 3. Run the scheduled or on-demand (ad-hoc) protection policy.

15

158 Backup and Recovery of the vCenter Server

Recovery

Depending on the type of failure, you can perform the virtual machine recovery by using one of the following methods.

Restore to original This method is valid only when the vCenter Server Appliance (VCSA) is intact and running, but corrupted.

Recover as a new virtual machine to a managed ESXi server (Virtual Machine Recovery). Use this method if you have completely lost your VCSA. Note that this vCenter must be registered with PowerProtect Data Manager.

Direct restore to ESXi server. Direct restore to ESXi will be the main use case.

Direct restore to ESXi

If the virtual machine you protected with PowerProtect Data Manager was a vCenter virtual machine, but this virtual machine and vCenter is now lost or no longer available, direct restore to ESXi enables you to recover the virtual machine directly to an ESXi host without a vCenter server.

Prerequisites

Direct Restore to ESXi restore requires either the embedded or an added VM Direct appliance that is registered to PowerProtect Data Manager.

Additionally, ensure that you disconnect the ESXi host from the vCenter server.

Steps

1. In the PowerProtect Data Manager UI, go to Recovery > Assets and select the Virtual Machines tab.

The Recovery window displays all of the virtual machines available for recovery.

2. Select the checkbox next to the desired virtual machine and click View Copies.

NOTE: If you cannot locate the virtual machine, you can also use the filter in the Name column to search for the name

of the specific virtual machine or click the File Search button to search on specific criteria.

The Recovery > Asset window provides a map view in the left pane and copy details in the right pane.

When a virtual machine is selected in the map view, the virtual machine name displays in the right pane with the copy locations underneath. When you select a specific location in the left pane to view the copies, for example, on a DD system, the copies on that system display in the right pane.

3. If the backup is on a DD system, click DD, and then select from one of the available copies that display in the table.

4. In the right pane, select the checkbox next to the virtual machine backup you want to restore, and then click Direct Restore to ESXi. The Direct Restore to ESXi wizard appears.

5. On the Options page:

a. (Optional) Select Reconnect the virtual machine's NIC when the recovery completes, if desired. Power on the virtual machine when the recovery completes is selected by default.

b. Click Next.

6. On the ESX Host Credentials page:

a. In the ESX Host field, type the IP of the ESXi server where you want to restore the virtual machine backup. b. Specify the root Username and Password for the ESXi Server. c. Click Next.

7. On the Datastore page, select the datastore where you want to restore the virtual machine disks, and then click Next.

To restore all of the disks to the same location, keep the Configure per disk slider to the left, and then select the datastore from the Storage list.

To restore disks to different locations, move the Configure per disk slider to the right, and then:

a. For each available disk that you want to recover, select a datastore from the Storage list. b. Select the type of provisioning you want to apply to the disk from the Disk Format list.

8. On the Summary page:

a. Review the information to ensure that the details are correct. b. Click Restore.

9. Go to the Jobs window to monitor the restore.

Backup and Recovery of the vCenter Server 159

A restore job appears with a progress bar and start time.

Protecting external deployment models Review the backup and recovery options for protecting external deployments.

Backup

You can perform a backup by using the following guidelines:

1. Create one protection policy and add the vCenter virtual machine and PSC virtual machine to the policy. This will ensure that snapshots are taken at the same time.

2. Ensure that you select the full virtual machine and not individual disks. 3. Run the scheduled or on-demand (ad-hoc) protection policy.

NOTE: Ensure that you back up all vCenter server and PSC instances at the same time

Recovery

Depending on the failure, you can perform virtual machine recovery by using one of the following methods:

Restore to original This method is valid only when the VCSA is intact and running, but corrupted. Recover as a new virtual machine to a managed ESXi server: Use this method of you have completely lost your VCSA. Note

that the vCenter where the VCSA resides must be registered with PowerProtect Data Manager. Emergency recovery to an ESXi server. For Emergency recovery, perform the steps specified in the section Direct restore to

ESXi on page 90.

NOTE: In the event of a complete environment failure, PSC should be restored first, followed by the vCenter server

restore.

The following scenarios provide specific instructions based on the number of vCenter server appliances and external PSCs in the environment and the extent of the failure.

vCenter server appliance(s) with one external PSC where PSC fails

Steps

1. Perform an image-level recovery of the PSC by using one of the methods indicated above, and then power ON the virtual machine.

2. Verify that all PSC services are running.

For a PSC deployed as an appliance, run the service-control --status --all command in the appliance shell.

For a PSC installed on Windows, from the Windows Start menu, select Control Panel > Administrative Tools > Services.

3. Log into the vCenter server appliance shell as root.

4. Verify that no vCenter services are running, or stop any vCenter services that are running by typing service-control --stop.

5. Run the vc-restore script to restore the vCenter virtual machines.

For a vCenter server appliance, type vcenter-restore -u psc_administrator_username -p psc_administrator_password

For a vCenter Server installed on Windows, go to C:\Program Files\VMware\vCenter Server\, and then run vcenter-restore -u psc_administrator_username -p psc_administrator_password

where psc_administrator_username is the vCenter Single Sign-On administrator user name, which must be in UPN format.

6. Verify that all vCenter services are running and the vCenter Server is started, as specified in step two.

7. Perform a log in test to the vCenter Server. If the restore was successful, the login completes successfully.

160 Backup and Recovery of the vCenter Server

vCenter server appliance is lost but the PSC remains

Steps

1. Perform an image-level recovery of the lost vCenter server by using one of the following methods, and then power ON.

Restore to original This method is valid only when the VCSA is intact and running, but corrupted. Recover as a new virtual machine to a managed ESXi server Use this method if you have completely lost your VCSA.

Note that this vCenter must be registered with PowerProtect Data Manager. Emergency recovery to an ESXi server.

2. After a successful boot, verify that all services are started.

3. Perform a log in test.

vCenter server appliance with multiple PSCs where one PSC is lost, one remains

Steps

1. Repoint the vCenter instance (insert link) to one of the functional PSC in the same SSO domain.

NOTE: Log in to all vCenter servers one by one to determine which vCenter log in fails. This will be the vCenter that

requires the repoint steps.

2. Run the following command on the vCenter server appliance:

cmsso-util repoint --repoint-psc psc_fqdn_or_static_ip [--dc-port port_number] NOTE: The square brackets enclose the command options.

3. Perform a log in test on the vCenter server.

4. Deploy the new PSC and join to an active node in the same SSO and site, replacing lost ones.

5. Repoint the vCenter server to the new PSC.

vCenter server appliance remains but all PSCs fail

About this task

NOTE: In this scenario, none of the vCenter logins (SSO user) have been successful.

Steps

1. Restore the most recent PSC backup and wait for the vCenter services to start

2. Log in to the vCenter server appliance's shell as root.

3. Verify that no vCenter services are running, or stop vCenter services.

4. Run the vc-restore script to restore the VCSA (refer above for detailed steps).

NOTE: If the login test to any vCenter server appliance fails, then the restored PSC is not the PSC that the vCenter

server appliance is pointing to, in which case you may be required to perform a repoint, as described above.

5. Deploy the new PSC and join to an active node in the same SSO domain and site.

6. Repoint vCenter connections as required

vCenter server appliance remains but multiple PSCs fail

Steps

1. Restore one PSC.

2. Test the vCenter server appliance login. If the login fails, repoint the vCenter server appliance to an active PSC.

Backup and Recovery of the vCenter Server 161

3. Deploy the new PSC and join to an active node in the same SSO domain and site.

vCenter server appliance fails

About this task

NOTE: If a total failure has occurred (all PSCs and all vCenter server appliances failed), restore one PSC first before

restoring the vCenter server appliance.

Steps

1. Perform an image-level restore of the lost vCenter server by using one of the following methods, and then power ON the vCenter.

Restore to original This method is valid only when the vCenter server appliance is intact and running, but corrupted. Recover as a new virtual machine to a managed ESXi server Use this method if you have completely lost your vCenter

server appliance. Note that this vCenter must be registered with PowerProtect Data Manager. Emergency recovery to an ESXi server.

2. After a successful boot, verify that all vCenter services have started.

3. Perform a log in test.

4. If the log in test fails, then this vCenter server appliance is pointing to an inactive PSC. Repoint to an active node.

162 Backup and Recovery of the vCenter Server

vCenter server restore workflow The following diagram shows the restore workflow for a vCenter server.

Figure 11. vCenter server restore workflow

Backup and Recovery of the vCenter Server 163

Platform Services Controller restore workfow The following diagram shows the restore workflow for a Platform Services Controller (PSC).

Figure 12. PSC restore workflow

Additional considerations Review the following additional considerations when backing up and restoring the vCenter server and PSC.

Backing up the vCenter server will not save the Distributed switch (vDS) configuration as it is stored on the hosts. As a best practice, back up the vDS configuration by using a script that can be used after restoring the virtual center.

After restoring the PSC, verify that replication has been performed as designed by using the following commands to display the current replication status of a PSC and any of the replication partners of the PSC:

For VCSA, go to /usr/lib/vmware-vmdir/bin and type ./vdcrepadmin -f showpartnerstatus -h localhost -u administrator -w Administrator_Password

For Windows, open a command prompt and type cd "%VMWARE_CIS_HOME%"\vmdird\ For the vCenter server or PSC, do not select advanced quiesce-based backup options. Selecting these options will result in

application quiescing on virtual machines, which impacts the overall environment due to stunning.

164 Backup and Recovery of the vCenter Server

The VMware vCenter server documentation, available at https://docs.vmware.com/en/VMware-vSphere/index.html, provides more information about the vCenter server and PSC.

Command reference Use the following command to start or stop services in the vCenter server/PSC, or obtain the status:

service-control -status/start/stop -all You can use other Replication topology commands, as in the following example.

Replication topology command

/usr/lib/vmware-vmdir/bin/vdcrepadmin -f showpartners -h localhost -u PSC_Administrator -w password

NOTE: You can replace localhost with another PSC FQDN to obtain all of the partnerships in the current vSphere

domain.

Backup and Recovery of the vCenter Server 165

Best Practices and Troubleshooting

Topics:

Scalability limits for vCenter Server, VM Direct engine and DD system Best practices and additional considerations for the VM Direct engine Recommendations and considerations when using a Kubernetes cluster Best practices for vCenter Server backup and restore Viewing the DD Boost storage unit password Change the DD Boost storage unit password Replacing expired or changed certificate on an external server Base 10 standard used for size calculations in the PowerProtect Data Manager UI Monitoring storage capacity thresholds Troubleshooting network setup issues Troubleshooting virtual machine backup issues Support for backup and restore of encrypted virtual machines Troubleshooting virtual machine restore issues Troubleshooting protection policy for DD storage unit Troubleshoot the PowerProtect agent service installation Troubleshoot the PowerProtect agent service operations Troubleshooting Kubernetes cluster issues Troubleshooting a PowerProtect Data Manager software upgrade

Scalability limits for vCenter Server, VM Direct engine and DD system The following limits have been tested successfully with PowerProtect Data Manager for the vCenter Server, the VM Direct engine and DD systems.

NOTE: These numbers are not maximum (hard) limits, but should be considered when scaling your environment.

Table 27. Scalability limits

Component Tested limits

Number of vCenter Servers supported with a single PowerProtect Data Manager server

12 NOTE: The vCenter server limit is subject to the VM Direct engines overall limit of 40 and per vCenter limit of 25. For example, using the maximum tested number of vCenter servers (12), you could add an average of 3 VM Direct engines per vCenter.

Number of external VM Direct engines supported with a single PowerProtect Data Manager server

40 NOTE: This number was tested across 10 vCenter servers (for example, 4 VM Direct per vCenter).

Number of DD systems supported per PowerProtect Data Manager server

10

Network latency between the PowerProtect Data Manager server and the VM Direct engine

200 ms

16

166 Best Practices and Troubleshooting

Table 27. Scalability limits (continued)

Component Tested limits

Network latency between the PowerProtect Data Manager server and the DD system

200 ms

Number of virtual machines per PowerProtect Data Manager server

10,000

Best practices and additional considerations for the VM Direct engine Review the following information for recommendations and best practices when adding a VM Direct protection engine in PowerProtect Data Manager.

Software and hardware requirements

The following table lists the required components for PowerProtect Data Manager and the VM Direct protection engine.

Table 28. PowerProtect Data Manager and VM Direct Engine requirements

Component Requirements

PowerProtect Data Manager with the VM Direct Engine

Version 19.6 or later

vCenter Server vSphere and ESXi versions 6.0, 6.5, 6.7, 7.0. NOTE: VMware has announced the end of general support for vSphere version 6.0. The Knowledge Base article at https://kb.vmware.com/s/article/66977 provides more information.

NOTE: Version 6.5 and later is required to perform Microsoft SQL Server application- aware protection. Also, file-level restore in the vSphere Client requires a minimum vCenter version 6.7 U1.

Refer to VMware documentation on physical host requirements for the ESXi hosts:

ESXi 6.5 and later minimum requirements ESXi 6.0 hardware requirements

VMware Tools Install VMware Tools version 10 or later on each virtual machine by using the vSphere Client. VMware Tools adds additional backup and recovery capabilities that quiesce certain processes on the guest operating system before backup.

NOTE: Version 10.1 and later is required to perform Microsoft SQL Server application- aware protection.

PowerProtect DD systems All models of DD systems in production are supported. DD operating system (DD OS) version 6.1 or later and the DD Management Console

(DDMC). Make note of the hosts writing backups to your DD systems.

Web browser The latest version of the Google Chrome browser to access the PowerProtect Data Manager UI.

Best Practices and Troubleshooting 167

PowerProtect Data Manager resource requirements in a VMware environment

Review the following minimum system requirements for PowerProtect Data Manager in a VMware environment (ESXi server).

CPU10 CPU cores Memory18 GB RAM for PowerProtect Data Manager Seven disks with the following capacities:

Disk 1100 GB Disk 2500 GB Disks 3 and 410 GB each Disks 5 through 75 GB each

1 GB network interface card (NIC)

NOTE: If you plan to use Cloud DR, your system must also meet the following requirements:

CPU14 CPU cores

Memory22 GB

VM Direct Engine performance and scalability

The VM Direct Engine performance and scalability of depends on several factors, including the number of vCenter Servers and proxies and the number of concurrent virtual machine backups. The following table provides information on these scalability factors and maximum recommendations, in addition to concurrence recommendations for sessions created from backups using the VM Direct Engine.

The count of sessions is driven by the number of proxies and backups running through this server.

Table 29. Performance and scalability factors

Component Maximum limit

Recommended count Notes

Number of concurrent NBD + Preferred Hot Add backups per ESXi host

48 Ensure that your network has a bandwidth of 10 Gbps or higher. VMware uses Network File Copy (NFC) protocol to read VMDK using NBD transport mode. You need one VMware NFC connection for each VMDK file being backed up. The VMware Documentation provides more information on vCenter NFC session connection limits.

Concurrent VMDK backups per vCenter Server

180 Can be achieved with a combination of the number of proxies multiplied by the number of configured Hot Add sessions per VM Direct Engine.

Number of proxies per vCenter Server

25 7 A limit of 25 concurrent backup and recovery sessions.

Number of files/directories per file level recovery

200,000 File-level restore is recommended for quickly recovering a small set of files. Image-level or VMDK- level recoveries are optimized and recommended for recovering a large set of files/folders.

When you reach the limit for concurrent backup sessions, a warning message displays. The remaining sessions will be queued. You can adjust the session limits by modifying the MAX_VC_BACKUP_SESSIONS and MAX_NBD_BACKUP_SESSIONS variables in the environment file, according to the recommendations. The Knowledge Base article 543253 at https:// support.emc.com/kb/543253 provides more information.

168 Best Practices and Troubleshooting

Table 30. Proxy session limits by proxy type

Component Total number of sessions (backup and recovery) maximum

Notes

Added (External) VM Direct Engine 25

Embedded VM Direct Engine (the proxy pre-bundled with the PowerProtect Data Manager software)

4 The embedded proxy is only used as a fallback when all other proxies are disabled or in Failed state.

Virtual machine data change rate

The data change rate is the percentage of a virtual machine's data that changes between backups.

Data change rates directly impact the number of VM Direct engines required to successfully complete the backup of all required virtual machines within the backup window. A daily data change rate of 3-4% is typical in a vSphere environment. Higher data change rates will require either a longer window to complete the backup, additional VM Direct engines, or both.

VM Direct engine data ingestion rate

The VM Direct engine data ingestion rate is another parameter that directly impacts the number of VM Direct engines required to successfully complete the backup of all required virtual machines within the backup window.

By default, each VM Direct engine processes approximately 500 GB to 1TB of data per hour, subject to the deduplication and read throughput on the primary stack. A number of additional factors, however, can impact the actual data ingestion rate, including the following:

The DD system being used for data protection operations. The type of storage media used for VM Direct engine storage. Your network and/or SAN infrastructure and connectivity speed.

If data ingestion rates at your site are typically lower or higher than 500 GB per hour, you can add or delete VM Direct engines as needed. You can also shorten or lengthen the backup window. By default, each VM Direct engine is configured to handle the optimal number of concurrent VMDK backup jobs. Configuring VM Direct engines to allow fewer concurrent backup jobs per engine would typically require deploying additional VM Direct engines, but can result in more evenly distributed backup jobs among VM Direct engines.

Full (Level-0) backups typically take longer and consume more VM Direct engine resources. Therefore, large new virtual machine deployments can impact the ability to complete all required backups within the time specified for the backup window. In order to allow the system to perform these full backups without interruption, where possible ensure that you implement a phased approach for large new virtual machine deployments. If a phased deployment is not possible, and the full backups do not complete before timeout of the backup window, you can also enable automatic retry of failed backups. The section Restart a job or task automatically on page 112 provides instructions. It is recommended that an administrator user monitor such workloads to ensure that the system can handle these workloads when the demand on resources begins to decrease, and that the virtual machine backups then complete successfully.

Transport mode considerations

Review the following information for recommendations and best practices when selecting a transport mode to use for virtual machine data protection operations in PowerProtect Data Manager.

Hot Add transport mode recommended for large workloads

For workloads where full backups of large sized virtual machines or backups of virtual machines with a high data change rate are being performed, Hot Add transport mode provides improved performance over other modes. With Hot Add transport mode, a VM Direct engine must be deployed on the same ESXi host or cluster that hosts the production virtual machines. During data protection operations, VM Direct engines capable of performing Hot Add backups are recommended. The following selection criteria is used during data protection operations:

Best Practices and Troubleshooting 169

If a VM Direct engine is configured in Hot Add only mode, then this engine is used to perform Hot Add virtual machine backups. If one or more virtual machines are busy, then the backup is queued until the virtual machine is available.

If a virtual machine is in a cluster where the VM Direct engine is not configured in Hot Add mode, or the VM Direct engine with Hot Add mode configured is disabled or in a failed state, then PowerProtect Data Manager selects a VM Direct engine within the cluster that can perform data protection operations in NBD mode. VM Direct engines with Hot Add mode configured that are not in the cluster are not used.

VM Direct engines that are configured in NBD only mode, or in Hot Add mode with failback to NBD, are used to perform NBD virtual machine backups. If the VM Direct engines that are configured in NBD mode are busy, then the backup is queued until one of these engines is available.

If there is no VM Direct engine that is configured in NBD mode, or the VM Direct engine with NBD mode configured is disabled or in a failed state, then the PowerProtect Data Manager embedded VM Direct engine is used to perform the NBD backup.

Other transport mode recommendations

Review the following additional transport mode recommendations:

Use Hot Add mode for faster backups and restores and less exposure to network routing, firewall, and SSL certificate issues. To support Hot Add mode, deploy the VM Direct Engine on an ESXi host that has a path to the storage that holds the target virtual disks for backup.

NOTE: Hot Add mode requires VMware hardware version 7 or later. Ensure all virtual machines that you want to back

up are using Virtual Machine hardware version 7 or later.

In order for backup and recovery operations to use Hot Add mode on a VMware Virtual Volume (vVol) datastore, the VM Direct proxy should reside on the same vVol as the virtual machine.

If you have vFlash-enabled disks and are using Hot Add transport mode, ensure that you configure the vFlash resource for the VM Direct host with sufficient resources (greater than or equal to the virtual machine resources), or migrate the VM Direct Engine to a host with vFlash already configured. Otherwise, backup of any vFlash-enabled disks fails with the error VDDK Error: 13: You do not have access rights to this file and the error on the vCenter server The available virtual flash resource '0' MB ('0' bytes) is not sufficient for the requested operation.

For sites that contain many virtual machines that do not support Hot Add requirements, Network Block Device (NBD) transport mode is used. This mode can cause congestion on the ESXi host management network. Plan your backup network carefully for large scale NBD installs, for example, consider configuring one of the following options:

Setting up Management network redundancy. Setting up backup network to ESXi for NBD. Setting up storage heartbeats.

See https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/techpaper/vmw-vsphere-high-availability- whitepaper.pdf for more information.

If performing NBD backups, ensure that your network has a bandwidth of 10 Gbps or higher.

Virtual disk types supported

When planning your protection policies, ensure that PowerProtect Data Manager supports the disk types that you use in the environment.

PowerProtect Data Manager does not support the following disk types:

First Class Disks Independent (persistent and nonpersistent) RDM Independent - Virtual Compatibility Mode RDM Physical Compatibility Mode

Additionally, Dell EMC recommends to avoid deploying VMs with IDE virtual disks, which degrades backup performance. Use SCSI virtual disks instead whenever possible. Note that you cannot use Hot Add mode with IDE Virtual disks. Backup of IDE Virtual disks is performed using NBD mode.

170 Best Practices and Troubleshooting

Changing the limit of instant access sessions

For DD OS versions 6.1 and higher, PowerProtect Data Manager uses the limit that the DD storage appliance reports, and manages concurrent instant access sessions based on the reported limit.

DD OS versions earlier than 6.1 do not support the limit that is reported by the DD storage appliance. For DD OS versions earlier than 6.1, PowerProtect Data Manager supports up to 32 concurrent instant access sessions per DD storage appliance.

You can change the limit by modifying a configuration file to override the default value. Note that sessions that exceed the maximum concurrent sessions that are supported are canceled and retried. To change the number of concurrent sessions manually to match the capability of the underlying storage appliance, perform the following steps.

1. Log in to PowerProtect Data Manager as an admin or root user. 2. Create a file named vmdm_recovery.properties in the /usr/local/brs/lib/vmdm/config/ directory.

3. Change the parameter value to override the default value. For example:

vmdm.recovery.queue.ia_session_allowance=32 4. Run vmdm stop and then vmdm start to restart the vmdm service.

NOTE: Ensure that no other VM operations are running, such as protection and recovery.

Configure a backup to support vSAN datastores

Backup and recovery functionality is supported for vSAN virtual machines.

About this task

When performing backups or restores of virtual machines residing on vSAN datastores, it is highly recommended to deploy the VM Direct appliance on a vSAN datastore. A VM Direct appliance deployed on any one vSAN datastore can be used for backing up virtual machines from other vSAN or non-vSAN datastores by using Hot Add or nbdssl transport modes, as applicable.

Disable vCenter SSL certificate validation

If the vCenter's SSL certificate cannot be trusted automatically, a dialog box appears when adding the vCenter Server as an asset source in the PowerProtect Data Manager UI, requesting certificate approval. It is highly recommended that you do not disable certificate enforcement.

If disabling of the SSL certificate is required, you can perform the following procedure.

CAUTION: These steps should only be performed if you are very familiar with certificate handling and the issues

that can arise from disabling a certificate.

1. Create the following files (and file contents) in the /home/admin directory on the PowerProtect Data Manager appliance:

A file named cbs_vmware_connection.properties with the line cbs.vmware_connection.ignore_vcenter_certificate=true A file named vmdm_vmware_connection.properties with the line vmdm.vmware_connection.ignore_vcenter_cert=true A file named .vmdm_discovery.properties with the line vmdm.discovery.ignore_vcenter_cert=true

NOTE: Note the period at the start of this file.

2. Run cbs stop to stop the cbs service, and then cbs start to restart the service.

3. Run vmdm stop to stop the vmdm service, and then vmdm start to restart the service.

4. Perform a test to determine if SSL certificate disabling was successful by adding a vCenter Server using the vCenter's IP address (if the SSL certificate uses FQDN), and then verify that the asset source was added and virtual machine discovery was successful.

Best Practices and Troubleshooting 171

Configuration checklist for common issues

The following configuration checklist provides best practices and troubleshooting tips that might help resolve some common issues.

Basic configuration

Review the following basic configuration requirements:

Synchronize system time between vCenter and ESX/ESXi/vSphere. Assign IPs carefully do not reuse any IP addresses. Use Fully Qualified Domain Names (FQDNs) where possible. For any network related issue, confirm that forward and reverse DNS lookups work for each host in the datazone.

Virtual machine configuration

Review the following virtual machine configuration requirements:

Ensure that the virtual machine has access to and name resolution for the DD system. Ensure that the virtual machine firewall has port rules for the DD system. For application-aware backups, ensure that Microsoft SQL Server instances are enabled for data protection using a SYSTEM

account, as described in the section "Microsoft application agent for SQL Server application-aware protection" of the PowerProtect Data Manager for Microsoft Application Agent SQL Server User Guide.

VM Direct Engine selection with virtual networks (VLANs)

PowerProtect Data Manager typically selects a VM Direct engine by accounting for availability, transport mode settings, and engine load. This selection optimizes data throughput.

When you configure virtual networks for PowerProtect Data Manager and VM Direct engines to isolate backup traffic, you can define routes to the DD system interface for each virtual network. The routes that you configure can influence VM Direct engine selection. PowerProtect Data Manager ensures that the selected engine has a network interface that can send traffic for a specific virtual network to the DD system.

Recommendations and considerations when using a Kubernetes cluster Review the following information that is related to the deployment, configuration, and use of the Kubernetes cluster as an asset source in PowerProtect Data Manager:

NodePort service requires port 30095

PowerProtect Data Manager creates a NodePort service on the Kubernetes cluster to download logs from the powerprotect-k8s-controller pod. The NodePort is opened on port 30095. Ensure that this port is not blocked by any firewalls between the PowerProtect Data Manager appliance and the Kubernetes cluster. For a Kubernetes cluster in a public cloud, refer to your cloud provider's documentation for instructions on opening this port.

By default, PowerProtect Data Manager connects to the node on which the powerprotect-k8s-controller pod is running to download the log.

172 Best Practices and Troubleshooting

Add line to custom-ports file when not using port 443 or 6443 for Kubernetes API server

If a Kubernetes API server listens on a port other than 443 or 6443, an update is required to the PowerProtect Data Manager firewall to allow outgoing communication on the port being used. Before you add the Kubernetes cluster as an asset source, perform the following steps to ensure that the port is open:

1. Log in to PowerProtect Data Manager, and change the user to root.

2. Add a line to the file /etc/sysconfig/scripts/custom-ports that includes the port number that you want to open.

3. Run the command service SuSEfirewall2 restart.

This procedure should be performed after a PowerProtect Data Manager upgrade, restart, or server disaster recovery.

Log locations for Kubernetes asset backup and restore operations and pod networking

All session logs for Kubernetes asset backup and restore operations are pulled into the /var/log/brs/cndm/k8s folder on the PowerProtect Data Manager host. If you cannot locate the logs in this location, ensure that the PowerProtect Data Manager NodePort service port 30095 is not blocked by firewall and is reachable from all of the Kubernetes worker and master nodes. If using Calico pod networking, ensure that the cluster CIDR block matches the Calico CIDR block.

PVC parallel backup and restore performance considerations

To throttle system performance, PowerProtect Data Manager supports only five parallel namespace backups and two parallel namespace restores per Kubernetes cluster. PVCs within a namespace are backed up and restored sequentially.

You can queue up to 50 namespace backups across protection policies in PowerProtect Data Manager.

Overhead of PowerProtect Data Manager components on Kubernetes cluster

At any time during backup, the typical footprint of PowerProtect Data Manager components (Velero, PowerProtect Conroller, cProxy) is less than 2 GB RAM Memory and 4 CPU cores, and such usage is not sustained and visible only during the backup window.

The following resource limits are defined on the PowerProtect PODs, which are part of the PowerProtect Data Manager stack:

Velero maximum resource usage: 1 CPU core, 256 MiB memory PowerProtect Controller maximum resource usage: 1 CPU core, 256 MiB memory PowerProtect cProxy pods (maximum of 5 per cluster): Each cProxy pod typically consumes less than 300 MB memory and

less than 0.8 CPU cores. These are created and terminated within the backup job.

Only Persistent Volumes with VolumeMode Filesystem supported

Backup and recovery of Kubernetes cluster assets in PowerProtect Data Manager is only supported for Persistent Volumes with the VolumeMode Filesystem.

Objects using PVC scaled down before a restore starts

When restoring a PVC to the original namespace or an existing namespace, if PowerProtect Data Manager detects that the PVC is being used by a Pod, Deployment, StatefulSet, DaemonSet, ReplicaSet or Replication Controller, it scales down any objects using the PVC, and deletes the daemonSet and any Pods using PVCs before performing the restore.

Upon completion of the PVC restore, any objects that were scaled down are scaled back up, and any objects that were deleted are recreated. Ensure that you shut down any Kubernetes jobs that are actively using a PVC before running a restore.

Best Practices and Troubleshooting 173

NOTE: If PowerProtect Data Manager is unable to reset the configuration changes due to a controller crash, it is

recommended to delete the Pod, Deployment, StatefulSet, DaemonSet, ReplicaSet, or Replication Controller from the

namespace, and then perform a Restore to Original again on the same namespace.

Best practices for vCenter Server backup and restore Review the following recommendations and best practices when planning a vCenter Server backup and restore.

NOTE: Backups will not save Distributed switch configurations.

It is recommended to schedule the backup of the vCenter Server when the load on the vCenter Server is low, such as during off-hours, to minimize the impact of vCenter virtual machine snapshot creation and snapshot commit processing overhead.

Ensure that there are no underlying storage problems that might result in long stun times. Keep the vCenter virtual machine and all of its component virtual machines in one single isolated protection policy. The

protection policy should not be shared with any other virtual machines. This is to ensure that the backup times of all vCenter Server component virtual machines are as close to each other as possible.

Ensure that the backup start time of the vCenter Server does not overlap with any operations for other protected virtual machines being managed by this vCenter so that there is no impact on other protected virtual machines during snapshot creation and snapshot commit of the vCenter virtual machine.

If the vCenter Server and Platform Services Controller instances fail at the same time, you must first restore the Platform Services Controller and then the vCenter Server instances.

Viewing the DD Boost storage unit password PowerProtect Data Manager provides a script to retrieve the password of a DD Boost unit that is configured as a backup target.

Prerequisites

This process requires the name of the DD MTree where the DD Boost storage unit resides.

Steps

1. SSH to the PowerProtect Data Manager appliance as the admin user.

2. Navigate to the /usr/local/brs/puppet/scripts directory.

3. Obtain the DD Boost storage unit password by typing the following command:

./get_dd_mtree_credential.py PLC-PROTECTION-1551667983302

Change the DD Boost storage unit password When a storage unit is created on a DD system for a PowerProtect Data Manager protection policy, PowerProtect Data Manager automatically generates a DD Boost username and password for the new storage unit. You can change this password from the PowerProtect Data Manager UI. The change synchronizes automatically with the DD system. To change the password, perform the following steps:

Prerequisites

Before making a password change, verify that recent backup operations completed successfully by checking the backup status history in the Jobs window. You can also perform a new backup of the protection policy.

About this task

It is recommended that you change passwords periodically for security purposes.

Steps

1. In the PowerProtect Data Manager UI, go to Infrastructure > Storage. The Storage window opens.

174 Best Practices and Troubleshooting

2. On the Protection Storage tab, select the DD system where the DD Boost storage unit resides, and then select Manage Storage Units.

The Storage Units window opens and lists the storage units that have been created on the DD system.

3. Select one or more storage units from the list for which you would like to change the password, and click Update Password.

NOTE: You can only update the password for storage units that are managed by the protection policy. If a storage unit

is not managed by the protection policy, the Update Password button is disabled.

The Update Password for Storage Unit(s) dialog box opens.

4. In the Update Password for Storage Unit(s) dialog box:

If you want PowerProtect Data Manager to automatically create a password for the storage unit(s):

Ensure that Automatically generate a new password is selected. Click Save.

If you selected multiple storage units, PowerProtect Data Manager creates a unique password for each storage unit.

If you want to create your own password:

Select Enter a new password. In the Password field, enter the new password for the storage unit(s) according to the password policy:

Must be between 16 and 20 characters in length. At least one numeric character (0-9) At least one uppercase character (A-Z) At least one lowercase character (a-z) At least one of the following special characters:

(\~!@#$%^&*()+={}|:";<>?[]-_.,^'/)

A maximum of 3 consecutive identical characters. Click Save.

If you selected multiple storage units, PowerProtect Data Manager uses the same password for each storage unit.

To modify the PowerProtect Data Manager password policy, complete the following steps:

a. Use SSH to log in to PowerProtect Data Manager with administrator credentials. b. Locate the password policy file:

/usr/local/brs/lib/cbs/config/datadomain_password_policy.properties c. Modify the password policy.

NOTE: Ensure that the modified password policy complies with the DD password policy.

d. Run cbs restart to restart the cbs service.

e. Verify that the cbs service started successfully.

When the cbs service successfully starts, the modified password policy takes effect.

The DD Boost storage unit password is updated and is synchronized automatically with the DD system.

5. Go to the Jobs window to monitor the progress of the password change operation.

6. Perform another backup of the protection policy and verify that the backup completes successfully.

Replacing expired or changed certificate on an external server Use this procedure to replace certificates on the external server (for example, a DD, LDAPS, or vCenter server) that have expired or changed.

About this task

If a certificate on the external server has expired or been changed, connection to the server fails with the following error:

Best Practices and Troubleshooting 175

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX Perform the following steps using cURL or any REST API client, such as Postman.

Steps

1. Log in to the external server as an administrator:

POST https://server hostname:REST port number/api/v2/login Provide the following request payload in JSON format:

{ "username": "username", "password": "password" }

where username is the PowerProtect Data Manager user with the admin role assigned, and password is the password for this user.

NOTE: Add the following header key with your REST call request:

'Content-type: application/json'

The response returns the following information:

{ "access_token": "token_type": "expires_in": "jti": "scope": "refresh_token": }

Copy the access_token value from the response above. This value will be required in the header key Authorization for all the REST calls in subsequent steps.

2. On the REST API client, run the following to obtain the old or expired external server certificate:

GET https://server hostname:REST port number/api/v2/certificates NOTE: Add the following header key with your REST call request:

'Authorization: access_token_value'

The response returns a list of certificate entries, each containing the following information:

[{ "id": "host": "port": "notValidBefore": "notValidAfter": "fingerprint": "subjectName": "issuerName": "state": "type": }]

NOTE: Make note of the host, port and type of each certificate, as this information will be required in Step 4. If you

supply incorrect information in Step 4, requests that use these external hosts might fail.

3. On the REST API client, delete the old or expired external server certificate from the PowerProtect Data Manager datastore, using the ID obtained from the response in step 2:

DELETE https://server hostname:REST port number/api/v2/certificates/id NOTE: Add the following header key with your REST call request:

'Authorization: access_token_value' Ensure that you delete only the external server certificate that you want to remove.

176 Best Practices and Troubleshooting

4. On the REST API client, obtain the new certificate from the external server, using the host, port, and type obtained from the response in step 2:

GET https://server hostname:REST port number/api/v2/certificates? host=host&port=port&type=type

NOTE: Add the following header key with your REST call request:

'Authorization: access_token_value'

The response returns the following information:

[{ "id": "host": "port": "notValidBefore": "notValidAfter": "fingerprint": "subjectName": "issuerName": "state": "UNKNOWN", "type": }]

5. On the REST API client, accept the new certificate, using the ID obtained in the response from step 4:

PUT https://server hostname:REST port number/api/v2/certificates/id NOTE: Add the following header key with your REST call request:

'Authorization: access_token_value' Also, copy the response payload from step 4 in JSON format and change the state from "UNKNOWN" to "ACCEPTED".

6. On the REST API client, verify that the new certificate has been accepted, using the ID obtained in the response from step 4:

GET https://server hostname:REST port number/api/v2/certificates/id NOTE: Add the following header key with your REST call request:

'Authorization: access_token_value'

If the certificate was accepted, the response returns the following information:

[{ "id": "host": "port": "notValidBefore": "notValidAfter": "fingerprint": "subjectName": "issuerName": "state": "ACCEPTED", "type": }]

Base 10 standard used for size calculations in the PowerProtect Data Manager UI For size calculations (for example, asset size, the available space on storage systems), the PowerProtect Data Manager UI uses the Base 10 standard, which specifies the size in MB, GB, and TB.

Other components, however, might use the Base 2 standard, which specifies the size in MiB, GiB, and TiB. When there is a discrepancy in reported size, use the UI to obtain the most correct information.

Best Practices and Troubleshooting 177

Monitoring storage capacity thresholds PowerProtect Data Manager periodically monitors DD system usage and reports alerts when the system reaches two capacity thresholds. As a best practice, check for these alerts and respond before the system exhausts storage capacity.

At 80% capacity, PowerProtect Data Manager generates a weekly warning alert. At this threshold, you should develop a strategy to add capacity or move protection policies to another storage target. Managing Protection Policies on page 52 provides more information about moving policies.

At 95% capacity, PowerProtect Data Manager generates a daily critical alert. At this threshold, capacity exhaustion is imminent.

Changing the capacity alerting thresholds requires contacting Support.

Troubleshooting network setup issues vCenter registration and proxy deployment fails if the PowerProtect Data Manager server is deployed in the same private network as the internal Docker network.

PowerProtect Data Manager uses an internal private Docker network. If the PowerProtect Data Manager server is deployed in the same private network as the internal Docker network, or if some data sources have already been deployed within the private network, PowerProtect Data Manager fails to protect the data sources.

To resolve this issue, deploy the PowerProtect Data Manager server and other data sources in a different network. If you cannot modify the deployed network, run a script tool within PowerProtect Data Manager to switch the private Docker network to a different network.

To switch the private Docker network to a different network:

1. SSH into PowerProtect Data Manager: Log in with OS admin credentials, and then use the su command to become root. 2. Modify the Docker network by running the following command:

/usr/local/brs/puppet/scripts/docker_network_switch.sh subnet gateway Where:

subnet describes the new network in the format 172.25.0.0/24 gateway is the gateway for the private network. For example: 172.25.0.1

Ensure that you specify a subnet and gateway that is not in use.

Troubleshooting virtual machine backup issues This section provides information about issues related to virtual machine backup operations with the VM Direct protection engine.

VM Direct Engine limitations and unsupported features

Review the following limitations and unsupported features related to the VM Direct Engine.

VMware limitations by vSphere version

VMware limitations for vSphere 6.0 and later versions are available at https://configmax.vmware.com/home. For vSphere 5.5, go to https://www.vmware.com/pdf/vsphere5/r55/vsphere-55-configuration-maximums.pdf.

VM Direct Engine configuration settings cannot be modified after adding the VM Direct Engine

After adding a VM Direct Engine, the only field you can modify is the Transport Mode. Any other configuration changes require you to delete and then re-add the VM Direct Engine. Additional VM Direct actions on page 48 provides more information.

178 Best Practices and Troubleshooting

VMware Distributed Resource Scheduler cluster support limitations

The PowerProtect Data Manager server is supported in a VMware Distributed Resource Scheduler (DRS) cluster, with the following considerations:

During backup of a virtual machine, host-vmotion or storage-vmotion is not permitted on the virtual machine. The option to migrate will be disabled in the vSphere Client UI.

If the VM Direct proxy is in use for a backup or restore with Hot Add disks attached, then storage-vmotion of the vProxy is not permitted during these operations.

Error when changing configuration of many virtual machines at the same time

When configuring or unconfiguring many virtual machines (300 or more) in a protection policy, an error message might display indicating that the request is too large. You can click OK and proceed, but system performance will be impacted due to the size of the request. As a best practice, it is recommended to use protection rules to automatically determine which assets are assigned to protection policies when the assets are discovered.

Thin provisioning not preserved during NFS datastore recovery

When backing up thin-provisioned virtual machines or disks for virtual machines on NFS datastores, an NFS datastore recovery does not preserve thin provisioning. VMware knowledge base article 2137818 at https://kb.vmware.com/kb/2137818 provides more information.

NFC log level settings

To assist with I/O performance analysis, set the NFC log level in the VM Direct proxy configuration file to its highest value, for example, vixDiskLib.nfc.LogLevel=4. Setting the log level in the server for NFC asynchronous I/O is not required. You can then run the VDDK sample code and evaluate I/O performance by examining the vddk.log and the vpxa log file.

NOTE: Virtual Machines with very high I/O might stall during consolidation due to the ESXi forced operation called

synchronous consolidate. Plan your backups of such Virtual Machines according to the amount of workload on the Virtual

Machine.

xxx

xxx.

Limitations to SQL Server application consistent data protection

Review the SQL Server application-consistent protection support limitations in the section "Microsoft application agent for SQL Server application-aware protection" of the PowerProtect Data Manager for Microsoft Application Agent SQL Server User Guide.

Network configuration settings are not restored with virtual machine after recovery of a vApp backup

Network configuration settings are not backed up with the virtual machine as part of a vApp backup. As a result, when you restore a vApp backup, you must manually reconfigure the network settings.

VM Direct Engine configured with dual stack is not supported

The VM Direct Engine does not support dual stack (IPv4 and IPv6) addressing. If you want to run backups and restores using the VM Direct Engine, use IPv4 only addressing.

Best Practices and Troubleshooting 179

Virtual machine alert "VM MAC conflict" may appear after successful recovery of virtual machine

After performing a successful recovery of a virtual machine through vCenter version 6, an alert may appear indicating a "VM MAC conflict" for the recovered virtual machine, even though the new virtual machine will have a different and unique MAC address. You must manually acknowledge the alert or clear the alert after resolving the MAC address conflict. Note that this alert can be triggered even when the MAC address conflict is resolved.

The VMware release notes at https://docs.vmware.com/en/VMware-vSphere/6.0/rn/vsphere-vcenter-server-60u2-release- notes.html provide more information.

Protection fails for virtual machine name containing { or }

A PowerProtect Data Manager virtual machine protection policy fails to back up virtual machines that contain the special characters { or } in the name. This limitation exists with vSphere versions previous to 6.7. If you do not have vSphere 6.7 or later installed, avoid using these two characters in virtual machine names.

Datastore names cannot contain special characters

Using special characters in datastore names can cause problems with the VM Direct Engine, such as failed backups and restores. Special characters include the following: % & * $ # @ ! \ / : * ? " < > | ;, and so on.

Hot Add backups fail when datacenter names contain special characters

Virtual machine backups fail when the datacenter name contains special characters and the transport mode specified for VM Direct backups is Hot Add only. Avoid using special characters in the datacenter name, for example, "Datacenter_#2@3", or specify Hotadd with fallback to Network Block Device for the transport mode.

Hot Add backups fail when virtual machine protection policy configured with Virtual Flash Read Cache value

When using Hot Add transport mode for a virtual machine protection policy, the backup fails with the following error if configured with the Virtual Flash Read Cache (vFRC) value:

"Backup has FAILED. Failed to backup virtual disk \"Hard disk \". Failed to initialize Block Reader. Failed to open source VMDK \ / \": VDDK Error: 13: You do not have access rights to this file. (500)".

Backups fail for resource pools recreated with the same name as deleted pool

When you delete a resource pool in vCenter and then recreate a resource pool with the same name, backups fail. Re-configure the protection group with the newly created resource pool.

DD Boost over fibre channel not supported

PowerProtect Data Manager does not support DD Boost over fibre channel (DFC).

SAN transport mode not supported

PowerProtect Data Manager supports only the Hot Add and NBD transport modes. The Hot Add mode is the default transport mode. For a protection policy, you can specify to use only Hot Add mode, only NBD mode, or Hot Add mode with fallback to NBD of Hot Add is not available.

180 Best Practices and Troubleshooting

Specify NBD for datastores if VM Direct should use NBD mode only

For a VM Direct Engine that will only use NBD transport mode, you must also specify the datastores for which you want the proxy to perform only NBD backups to ensure that any backups of virtual machines running on these datastores are always performed using NBD mode. This also ensures that the same NBD-only proxies are never used for backups of virtual machines residing on any other datastores.

Backup of individual folders within a virtual machine is not supported

PowerProtect Data Manager only supports image-level backup and disk-level backup. You cannot perform backups of individual folders within the virtual machine.

I/O contention when all Virtual Machines on a single data store

I/O contention may occur during snapshot creation and backup read operations when all Virtual Machines reside on a single datastore.

VMware snapshot for backup is not supported for independent disks

When using independent disks you cannot perform VMware snapshot for backup.

Deleting vCenter asset sources or moving ESXi to another vCenter

When you delete a vCenter Server asset source from PowerProtect Data Manager without removing any vProxy/Search Nodes that the vCenter is hosting, the Nodes will become non-operational and move into Failed status upon the next health check. As a result, PowerProtect Data Manager upgrades will fail. This issue also occurs when you move the ESXi hosting the vProxy/ Search Nodes from one vCenter to another vCenter.

To correct this issue, you can perform one of the following actions:

Manually delete the vProxy/Search Nodes. The section Delete vProxy/Search Nodes when vCenter Server asset source is no longer required on page 181 provides the required steps.

Return the vProxy/Search Nodes to an Operational/Ready state using the vproxymgmt and infranodemgmt tools. Choose this action if you want to add the vCenter again, or you want to add the vCenter that the ESXi has been moved to. The section Return vProxy/Search Nodes to operational state when re-adding vCenter on page 182 provides the required steps.

Delete vProxy/Search Nodes when vCenter Server asset source is no longer required

Perform the following procedure when you delete a vCenter server as an asset source in PowerProtect Data Manager and you will not be re-adding the vCenter:

About this task

NOTE: Manual cleanup of the virtual machine for the vProxy/Search Node has to be performed from the vCenter Server.

Steps

1. Run the following command to source the environment file.

source /opt/emc/vmdirect/unit/vmdirect.env 2. For vProxy removal:

a. Obtain the list of vProxies that require removal by running /opt/emc/vmdirect/bin/vproxymgmt get b. Make note of the ID of any vProxy that needs to be deleted. c. Use the vproxymgmt tool to delete vProxies by running /opt/emc/vmdirect/bin/vproxymgmt delete -

vproxy_id ProxyID

Best Practices and Troubleshooting 181

3. For Search Node removal:

a. Obtain the list of Search Nodes that require removal by running /opt/emc/vmdirect/bin/infranodemgmt get b. Make note of the ID of any Search Node that needs to be deleted. c. Use the infranodemgmt tool to delete Search Nodes by running /opt/emc/vmdirect/bin/infranodemgmt

delete -node_id NodeID 4. In the PowerProtect Data Manager UI, ensure that any sessions have been removed for both the vProxy/Search Node.

Return vProxy/Search Nodes to operational state when re-adding vCenter

When you want to re-add a vCenter that you deleted from PowerProtect Data Manager, or you want to add a vCenter that an ESXi has been moved to, perform the following procedure in order to return the vProxy/Search Nodes to an Operational/Ready state.

Steps

1. Re-add the deleted vCenter as an asset source in the PowerProtect Data Manager UI, or note the name of the new vCenter where the ESXi has been moved.

2. Run the following command to source the environment file.

source /opt/emc/vmdirect/unit/vmdirect.env 3. For vProxy updates:

a. Obtain the list of vProxies that require updating by running /opt/emc/vmdirect/bin/vproxymgmt get b. Make note of the ID of any vProxy that needs to be updated. c. Use the vproxymgmt tool to update the vCenter name by running /opt/emc/vmdirect/bin/vproxymgmt

modify -vcenter_hostname vCenter-FQDN -vproxy_id ProxyID 4. For Search Node updates:

a. Obtain the list of Search Nodes that require updating by running /opt/emc/vmdirect/bin/infranodemgmt get b. Make note of the ID of any Search Node that needs to be updated. c. Use the infranodemgmt tool to update the vCenter name by running /opt/emc/vmdirect/bin/infranodemgmt

modify -vcenter_hostname vCenter-FQDN -node_id NodeID 5. In the PowerProtect Data Manager UI, ensure that any sessions for the vProxy/Search Node and Cluster have changed to

Operational/Ready state.

Managing command execution for VM Direct Agent operations on Linux

The VM Direct Agent automatically creates a PAM service file named vproxyra in the /etc/pam.d system directory, if the file does not already exist.

This file, which enables you to manage command execution through the VM Direct Agent, is modeled on the corresponding vmtoolsd file. The settings in this file permit command execution by any user who is able to perform VM Direct operations on the guest virtual machine. A system administrator can further modify this file to specify which users can perform VM Direct Agent operations, for example, file-level restore and SQL application-aware protection. For more information on the configuration of PAM service files, see the system documentation for your specific guest virtual machine operating system.

SQL Server application-consistent backups fail with error "Unable to find VSS metadata files in directory"

SQL Server application-consistent virtual machine backups might fail with the following error when the disk.EnableUUID variable for the virtual machine is set to False.

Unable to find VSS metadata files in directory C:\Program Files\DPSAPPS\MSVMAPPAGENT\tmp \VSSMetadata.xxxx. To resolve this issue, ensure that the disk.EnableUUID variable for the virtual machines included in an SQL Server application- consistent backup is set to True.

182 Best Practices and Troubleshooting

SQL Server application-aware backup displays an error about disk.EnableUUID variable

Issue

A SQL Server application-aware virtual machine backup succeeds but displays the following error when the disk.EnableUUID variable for the virtual machine is set to TRUE:

VM ' ' configuration parameter 'disk.EnableUUID' cannot be evaluated. Map item 'disk.EnableUUID' not found. (1071)

Workaround

After you set the disk.EnableUUID variable to TRUE, reboot the virtual machine.

Failed to lock Virtual Machine for backup: Another EMC VM Direct operation 'Backup' is active on VM

This error message appears when a backup fails for a virtual machine or when a previous backup of the virtual machine was abruptly ended and the VM annotation string was not cleared.

To resolve this issue, clear the annotation string value for the virtual machine.

1. Connect to the vCenter server and navigate Home > Inventory > Hosts and Clusters. 2. Select the virtual machine, and then select the Summary tab. 3. Clear the value that appears in the EMC Proxy Session field.

Backup fails when names include special characters

When spaces or special characters are included in the virtual machine name, datastore, folder, or datacenter names, the .vmx file is not included in the backup.

The VM Direct appliance does not back up objects that include the following special characters (format: character/escape sequence):

& %26 + %2B / %2F = %3D ? %3F % %25 \ %5C ~ %7E ] %5D

Lock placed on virtual machine during backup and recovery operations continues for 24 hours if VM Direct appliance fails

During VM Direct backup and recovery operations, a lock is placed on the virtual machine. If a VM Direct appliance failure occurs during one of these sessions, the lock is extended to a period of 24 hours, during which full backups and transaction log backups will fail with the following error until the lock is manually released:

Cannot lock VM 'W2K8R2-SQL-2014' (vm-522): Another EMC vProxy operation 'Backup' is active on VM vm-522.

Best Practices and Troubleshooting 183

Workaround

To manually release the lock on the virtual machine:

1. Open the vSphere Web Client. 2. Select the virtual machine and select Summary. 3. Select Custom attribute and click Edit. 4. Remove the attribute EMC VM Direct Session.

Trailing spaces not supported in SQL database names

Due to a VSS limitation, you cannot use trailing spaces within the names of SQL databases protected by an application- consistent data protection policy.

SQL databases skipped during virtual machine transaction log backup

When an advanced application-consistent policy is enabled with transaction log backup, the msvmagent_appbackup.exe program evaluates databases to determine if transaction log backup is appropriate.

If transaction log backup is not appropriate for a database, the database will automatically be skipped. Databases are skipped for the following reasons:

Table 31. SQL Skipped Database Cases and Descriptions

Case Description

Database has been restored

When a database has been restored, this database will be skipped during transaction log backup because there is no Backup Promotion.

System Database System databases are automatically skipped for transaction log backup.

Database State Database is not in a state that allows backup. For example, the database is in the NORECOVERY state.

Recovery Model Database is in SIMPLE recovery model, which does not support transaction log backup

Other Backup Product

Most recent backup for the database was performed by a different backup product.

New Database Database was created after most recent full backup.

Backup Failure Database was in state to allow backup, backup was attempted, but backup failed.

All skipped databases will be backed up as part of the next full backup. Also, a skipped database will not result in msvmagent_appbackup.exe failure. The only instance in which msvmagent_appbackup.exe would potentially fail is if all databases failed to back up.

The msvmagent_appbackup.exe program generates a history report of the databases, if the database backup status was success/skipped/failed, and a reason if they were skipped or failed if applicable. This history report is visible in the action logs for the VM Direct Engine, which are available as part of the appbackup logs.

NOTE: For SQL virtual machine application-consistent data protection, the SQL and operating system versions follow the

NMM support matrix available at http://compatibilityguide.emc.com:8080/CompGuideApp/.

Accessing Knowledge Base Articles

Additional troubleshooting information is available through the Featured VMware Documentation Sets website at https:// www.vmware.com/support/pubs/. Select Support > Search Knowledge Base.

184 Best Practices and Troubleshooting

Support for backup and restore of encrypted virtual machines Backup and restore of encrypted virtual machines is supported in PowerProtect Data Manager 19.5, with the following limitations:

Restoring encrypted virtual machines to a different vCenter Server is not supported. You must perform the restore to the original virtual machine or a new virtual machine in the same vCenter.

Restoring an encrypted virtual machine backup to a new virtual machine in the original vCenter Server will restore the virtual machine disks (VMDKs) in clear text if the VMDKs are not encrypted. The article "Virtual Machine Encryption" at https:// docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-E6C5CE29-CD1D-4555-859C- A0492E7CB45D.html provides more information about manually changing the virtual machine policy to enable encryption of VMDKs.

In order to use Hot Add transport mode, all VM proxies with access to the encrypted virtual machines datastore must be encrypted as well. For example, if encrypted virtual machines reside in an ESXi cluster, all VM proxies deployed on the cluster must also be encrypted.

Troubleshooting virtual machine restore issues The following topics provide information on troubleshooting virtual machine restore failures.

Virtual machine protection copy does not display under available copies

If a virtual machine protection copy does not display under the available copies in PowerProtect Data Manager, verify the following:

Ensure that protection of the virtual machine completed successfully. Check that the desired copy has not expired according to the PowerProtect Data Manager protection policy.

Virtual machine restore fails with name resolution error

A virtual machine restore might fail with the following error due to network issues between the DD system and PowerProtect Data Manager or the vCenter/ESXi:

com.emc.brs.vmdm.http.HttpsConnector - null: Temporary failure in name resolution java.net.UnknownHostException : null: Temporary failure in name resolution

Ensure that you have proper name resolution between the DD system and PowerProtect Data Manager /vCenter/ESX.

DD NFS share not removed after restore to original

The DD NFS share might not be removed after a successful virtual machine restore to original. When this occurs, the restore hangs and the following DD NFS clients appear enabled in the DD system.

Figure 13. DD NFS clients still enabled after restore

If you encounter this issue, you can wait 24 hours for PowerProtect Data Manager to clean up the DD NFS shares, or you can stop the restore and clean up the DD NFS clients manually by performing the following steps:

1. Restart the VMDM service by typing /usr/local/brs/lib/vmdm/bin/vmdm restart.

2. Clean up DD NFS clients by typing nfs del .

3. In the vSphere Client's Configuration tab, manually unmount the EMC-vProxy-vm-qa-xxxxx DDNFS datastore that is mounted on the ESXi host.

Best Practices and Troubleshooting 185

Virtual machine restore fails with error due to VM Direct corruption

A virtual machine restore might fail with the following error due to corruption of the VM Direct Engine that is running in PowerProtect Data Manager:

com.emc.dpsg.vproxy.client.VProxyManager - Error(createSession): javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection

Ensure that the vproxyd service is running in PowerProtect Data Manager by typing the following command.

ps xa | grep vproxy Ensure that the vproxy rpm is installed as expected in PowerProtect Data Manager by typing the following command.

rpm -qa | grep vProxy When logged in as the root user, restart the vproxyd service on PowerProtect Data Manager by typing the following command.

systemctl restart vproxyd

Virtual machine restore fails with error "User UserEARA does not have proper privileges"

A virtual machine restore fails with the error "User UserEARA does not have proper privileges" when the user does not have adequate privileges to perform the restore operation.

Ensure that the PowerProtect Data Manager user performing the restore belongs to System Tenant and has the Export and Recovery Admin role.

Virtual machine restore fails when the previous restore of this virtual machine is in progress or did not complete

A virtual machine restore fails with the following error if the previous restore operation for the same virtual machine is still in progress or did not complete successfully:

Error : There is another running restore operation that conflicts with this request.

If the previous restore operation for this virtual machine is still in progress, monitor the progress in PowerProtect Data Manager until the restore completes. If the virtual machine restore is complete but the task stops responding, then you must manually cancel the restore in PowerProtect Data Manager by restarting the VMDM service. You can restart the VMDM service by typing /usr/local/brs/lib/vmdm/bin/vmdm restart.

Troubleshooting instant access restore failures

An instant access restore consists of two stages. First, a virtual machine is made available in the UI as an instant access virtual machine without moving the virtual machine to permanent storage. Second, storage vMotion is initiated to migrate the virtual machine to permanent storage.

If at any point during the migration a restore failure occurs, the instant access session is not automatically removed until after the expiration period for an instant access virtual machine restore, which is 7 days by default. This behavior is intentional for the following reasons:

To avoid data loss, since changes might have been made to the virtual machine during that time To provide you with the opportunity to fix the issue (for example, to free up space on the restore destination or choose a

different datastore) and then take the appropriate action

When the cause of the failure is determined and/or fixed, you can use the Instant Access Sessions window of the UI to retry the migration, or save the data and delete the instant access virtual machine, as required. The section Manage and monitor Instant Access Sessions provides detailed information about these actions.

186 Best Practices and Troubleshooting

FLR Agent for virtual machine file-level restore

The VM Direct FLR Agent is required for file-level restore operations and is installed automatically on the target virtual machine when you initiate a file-level restore and provide the virtual machine credentials.

The FLR Agent installation on Linux virtual machines requires that you use the root account. If non-root credentials are provided for the target virtual machine, the FLR Agent installation fails, even if this user has privileges similar to a root user. Once the FLR Agent installation is completed by a root user, you can perform file-level restore operations as a non-root user.

FLR Agent installation on Windows virtual machines requires that you use administrative privileges. If the provided credentials for the target virtual machine do not have administrative privileges, the FLR Agent installation fails.

On Windows, to perform a file-level restore using a non-administrator user, ensure that the FLR Agent is already installed on the target machine using administrative privileges. Otherwise, ensure that an administrative user is specified, and click OK.

On Linux, to perform a file-level restore using a non-root user, ensure that the FLR Agent has already been installed on the target virtual machine using the root user account. Otherwise, ensure that you are using a supported platform and the root user is specified, and click OK. For Linux, file-level restore is only supported on Red Hat Enterprise Linux versions 6.x, 7.x and 8.x, and SuSE Linux Enterprise Server versions 11 and 12.

NOTE: The most up-to-date software compatibility information for PowerProtect Data Manager is provided in the E-Lab

Navigator, available at https://elabnavigator.emc.com/eln/modernHomeDataProtection.

FLR Agent installation on Windows virtual machines with User Account Control enabled

Performing the FLR Agent installation on User Account Control (UAC) enabled Windows virtual machine requires you to either provide the credentials of the administrator user, or to disable UAC during the FLR Agent installation and then re-enable upon completion.

On Windows versions 7, 8, and 10, the administrator account is disabled by default. To enable the account, complete the following steps:

1. To activate the account, open a command prompt in administrative mode, and then type net user administrator / active: yes.

2. To set a password for the administrator account, go to Control Panel > User Accounts and select the Advanced tab. Initially, the account password is blank.

3. In the User Accounts pane, right-click the user and select Properties, and then clear the Account is disabled option.

To disable UAC during the FLR Agent installation and then re-enable on completion of the installation, complete the following steps:

1. Initiate a file-level restore to launch the FLR Agent installation window. The FLR Agent installation is automatically started during a mount operation if it is not already installed on the destination virtual machine.

2. In the FLR Agent installation window, select the Keep VM Direct FLR on target virtual machine option. 3. Open regedit and change the EnableLUA registry key value at HKLM\SOFTWARE\Microsoft\Windows

\CurrentVersion\Policies\System to 0x00000000. By default, this is set to 1.

4. Proceed with the FLR Agent installation. 5. Open regedit and reset the EnableLUA registry key to the previous value to re-enable UAC.

Updating the Microsoft Application Agent and FLR Agent software

The Microsoft Application Agent and FLR Agent software required to perform SQL application-aware data protection and file-level restore operations will be automatically updated on the target virtual machine by the VM Direct appliance during the file-level restore operation. The VM Direct appliance detects the available software on the client and updates the Agent software with the new version of software from its repository. If the update does not occur automatically, contact a Dell EMC technical support professional for a procedure to update the VM Direct software repository with the latest version of the Agent software packages.

Best Practices and Troubleshooting 187

Supported platform and OS versions for virtual machine file-level restore

File-level restore is only supported for the following platforms and operating system versions.

Platforms/operating systems are qualified for file-level restore support using the default file system for these platforms:

NOTE: The most up-to-date software compatibility information for PowerProtect Data Manager is provided in the E-Lab

Navigator, available at https://elabnavigator.emc.com/eln/modernHomeDataProtection.

RedHat Enterprise Linux versions 6.x, 7.x, and 8.x SuSE Linux Enterprise Server versions 11.x and 12.x Debian version 9.1 Ubuntu version 17.10 CentOS version 7.2 Oracle Enterprise Linux version 7.2 Windows 7, 8, 10, Server 2008, 2012, 2016 (all 64-bit platforms and R2, where applicable) for FAT, and NTFS.

Support for Debian or Ubuntu operating system

VM Direct file-level restore is supported on the Debian/Ubuntu operating system. To configure the Debian or Ubuntu guest operating system for file-level restore, perform the following steps.

About this task

NOTE: File-level restore is not supported on Debian/Ubuntu ext4 file systems.

Steps

1. Log in to the system console as a non-root user.

2. Run the sudo passwd root command.

Enter the new password twice to set a password for the root account.

3. Run the sudo passwd -u root command to unlock the root account.

4. Specify the root user credentials in the Dell EMC Data Protection Restore Client and proceed to complete the file-level restore operation at least once.

While performing the file-level restore operation for the first time, remember to select Keep FLR agent.

5. After performing the above steps at least once, you can revert the root account to the locked state and use non-root account for future file-level restore requests. Non-root user can lock the root account with the sudo passwd -l root command.

Operating system utilities required for file-level restore

On Linux and Windows, the installed operating system must include several standard utilities in order to use file-level restore. Depending on the target operating system for restore and the types of disks or file systems in use, some of these standard utilities, however, may not be included.

The following utilities and programs may be required for performing file-level restore.

On Windows:

msiexec.exe diskpart.exe cmd.exe

On Linux:

blkid udevadm readlink rpm

188 Best Practices and Troubleshooting

bash

NOTE: On Linux LVM, LVM2 rpm version 2.02.117 or later is required. Also, additional binaries required on Linux LVM

include dmsetup, lvm, and vgimportclone.

File-level restore and SQL restore limitations

This section provides a list of limitations that apply to file-level restore and individual SQL database and instance restore.

Consider the following:

The VM Direct FLR Agent is installed automatically on the target virtual machine for file-level restore when a disk mount operation is initiated. However, if the user does not have sufficient administrator privileges, the mount fails and the FLR Agent is not installed. Ensure that the user performing file-level restore is a system administrator. Note that adding a user to the Administrators group does not grant this user sufficient privileges to perform this operation.

When performing a file-level restore, VMDKs fail to mount with the following error if the FLR Agent service is not running on the target virtual machine: "Cannot connect to vProxy Agent: dial tcp <127.0.0.1: : connectex: No connection could be made because the target machine actively refused it."

If you no longer require the VM Direct FLR Agent on the target virtual machine, the agent must be properly uninstalled. If you manually delete VM Direct FLR Agent files instead of uninstalling the agent, and at some point reinstall the agent, subsequent mount attempts to perform restores will fail.

To uninstall the VM Direct FLR Agent on Linux:

1. Execute the following command: /opt/emc/vproxyra/bin/preremove.sh.

2. Uninstall FLR agent package by running rpm -e emc-vProxy-FLRAgent.

3. If the uninstall fails due to a broken installation or other issue, you can force removal of the package by running rpm -e --force emc-vProxy-FLRAgent.

To uninstall the VM Direct FLR Agent on Windows:

1. Select Control Panel > Programs > Programs and Features. 2. Locate EMC VM Direct FLR. 3. Right-click the program and select Uninstall.

When a file-level restore or SQL restore operation is in progress on a virtual machine, no other backup or recovery operation can be performed on this virtual machine. Wait until the file-level restore session completes before starting any other operation on the virtual machine.

Clean up from a suspended or cancelled mount operation requires a restart of the virtual machine before you can initiate a new mount for the file-level restore.

When you enable Admin Approval Mode (AAM) on the operating system for a virtual machine (for example, by setting Registry/FilterAdministratorToken to 1), the administrator user cannot perform a file-level restore to the end user's profile, and an error displays indicating "Unable to browse destination." For any user account control (UAC) interactions, the administrator must wait for the mount operation to complete, and then access the backup folders located at C:\Program Files (x86)\EMC\vProxy FLR Agent\flr\mountpoints by logging into the guest virtual machine using Windows Explorer or a command prompt.

When you perform file-level restore on Windows 2012 R2 virtual machines, the volumes listed under the virtual machine display as "unknown." File-restore operations are not impacted by this issue.

When you perform file-level restore on Ubuntu/Debian platforms, you must enable the root account in the operating system. By default, the root account will be in locked state.

You can only restore files and/or folders from a Windows backup to a Windows machine, or from a Linux backup to a Linux machine.

You must install VMware Tools version 10 or later. For best results, ensure that all virtual machines run the latest available version of VMware Tools. Older versions are known to cause failures when you perform browse actions during file-level restore or SQL retore operations.

You can perform file-level restore across vCenters as long as the vCenters are configured in PowerProtect Data Manager, and the source and target virtual machine have the same guest operating system. For example, Linux to Linux, or Windows to Windows.

File-level restore does not support the following virtual disk configurations:

LVM thin provisioning Unformatted disks FAT16 file systems FAT32 file systems Extended partitions (Types: 05h, 0Fh, 85h, C5h, D5h)

Best Practices and Troubleshooting 189

Two or more virtual disks mapped to single partition Encrypted partitions Compressed partitions

File-level restore of virtual machines with Windows dynamic disks is supported with the following limitations:

The restore can only be performed when recovering to a virtual machine different from the original. Also, this virtual machine cannot be a clone of the original.

The restore can only be performed by virtual machine administrator users. If Windows virtual machines were created by cloning or deploying the same template, then all of these Windows virtual

machines may end up using the same GUID on their dynamic volumes. File-level restore does not restore or browse symbolic links. File-level restore of Windows 8, Windows Server 2012 and Windows Server 2016 virtual machines is not supported on the

following file systems:

Deduplicated NTFS Resilient File System (ReFS) EFI bootloader

Troubleshooting protection policy for DD storage unit

When adding a protection policy in PowerProtect Data Manager, creation of a storage unit on the selected DD system fails if you reach the maximum MTree and Users count on the DD system. PowerProtect Data Manager enables you to finish adding the protection policy without the storage unit. However, if you subsequently run a backup of this protection policy, the backup process is suspended indefinitely with no error message.

To continue backup operations on this device, you must perform a cleanup on the DD system.

Troubleshoot the PowerProtect agent service installation The PowerProtect agent service installation might fail with the following error message:

Service 'PowerProtect Agent Service' (AgentService) could not be installed. Verify that you have sufficient privileges to install system services.

Possible causes of the installation failure are as follows:

The installation was attempted on a passive node of a Failover Cluster Instance (FCI). The installation was canceled and a rollback left some stale entries of PowerProtect agent services.

As a workaround, clean up the PowerProtect agent service entries, and retry the installation.

Troubleshoot the PowerProtect agent service operations To troubleshoot the agent service operations, you can check the agent service log file OpAgentSvc- .log, which is created in \logs on Windows and /logs on Linux. To modify the log level and retention of temporary files, you can modify specific parameter settings in the config.yml file.

About this task

To modify the log level and retention of temporary files, you can perform the following steps.

Steps

1. Stop the agent service by using the appropriate procedure from the preceding topic.

190 Best Practices and Troubleshooting

2. Open the config.yml file in an editor.

3. Modify the log-level settings in the following parameters, as required:

NOTE: These parameters are listed in order of decreasing number of messages in the debug information output. The

default log-level is INFO.

DEBUG INFO WARNING ERROR CRITICAL

4. To retain the temporary files, set the keepTempFiles parameter to True in the config.yml file.

NOTE: The agent service and application agent communicate through the temporary files, which are typically deleted

after use but can be useful for troubleshooting purposes. Do not leave the keepTempFiles parameter set to True

permanently, or the temporary files can use excessive space on the file system.

5. Start the agent service by using the appropriate procedure from the preceding topic.

Troubleshooting Kubernetes cluster issues Review the following information that is related to troubleshooting issues with the Kubernetes cluster in PowerProtect Data Manager:

Only native Kubernetes resources are supported for protection in PowerProtect Data Manager

PowerProtect Data Manager supports protection of native Kubernetes resources only. If a namespace contains any Kubernetes distribution-specific resource or any other kind of custom resource, backup and recovery operations might fail. Therefore, ensure that you do not include such namespaces in PowerProtect Data Manager Kubernetes protection policies.

Application pods might not appear in running state after restore when restoring to a new namespace with a different name

When performing a Kubernetes restore to a new namespace that has a different name than the namespace the backup copy was created from, the application pods might not appear in running state after restore in some scenarios. For example, this can occur if the application has environment variables or other configuration elements that adhere to the namespace from which the backup copy was created, such as variables that point to services using FQDN in the form my-svc.my- namespace.svc.cluster-domain.example or headless services using FQDN in the form pod-name.my-headless- svc.my-namespace.svc.cluster-domain.example.

If this issue occurs, manually edit the deployments after the restore.

Backups of persistent volumes on FCD fail when VMware CSI driver and storageclass are installed after Kubernetes cluster asset source is added

The PowerProtect controller configures itself and Velero for the protection of persistent volumes on first class disks (FCDs) if the controller detects a storage class with the VMware CSI provisioner csi.vsphere.vmware.com. If the VMware CSI driver and storageclass are installed after the Kubernetes cluster is added as an asset source to PowerProtect Data Manager, FCD backups fail with an error indicating failed to create backup job.

To resolve this issue, restart the PowerProtect controller by running the following commands:

kubectl get pod -n powerprotect kubectl delete pod pod name obtained above -n powerprotect

Best Practices and Troubleshooting 191

ApplicationTemplate considerations when performing Kubernetes cluster disaster recovery

When performing a Kubernetes cluster disaster recovery, if any changes were made to ApplicationTemplate, the Kubernetes administrator will need to recreate the ApplicationTemplate in the PowerProtect Data Manager namespace.

The section Disaster recovery considerations on page 203 provides more information.

Pods in pending state due to missing PVC cause namespace backups to fail

If a Kubernetes namespace contains a pod that is in pending state because the pod references a PVC that is not present, the backup of that namespace will fail.

To resolve this issue, perform one of the following:

Create the missing PVC, or Delete the pod if it is no longer required.

Troubleshooting Velero or Controller pod failures

The PowerProtect Data Manager Velero or Controller pod might fail to start, for example, due to a deployment failure or a bad image URI. If one of these pods fails to start, an alert appears indicating that the pod is not running on the cluster.

If the PowerProtect Data Manager Controller pod is not running, run the following command:

kubectl describe pod -n powerprotect If the PowerProtect Data Manager Velero pod is not running, run the following command:

kubectl describe pod -n velero-ppdm Errors or events in the command output enable you to determine why the failure occurred.

Verify CSI driver functioning properly if "Failed to create Proxy Pods" error appears during restore

If the restore fails with the error Failed to create Proxy Pods. Creating Pod exceeds safeguard limit of 10 minutes, verify that the CSI driver is functioning properly and is able to dynamically provision volumes.

Add alternate storage class mapping if mismatch between original cluster and target cluster for restore

When restoring to a different cluster, the storage class of the target cluster might not have the same name and underlying storage provider as the original cluster of the namespace backup. If there is a mismatch, then the restore fails.

To add an alternate storage class mapping:

1. Create a ConfigMap ppdm-controller-storage-class-mapping in the PowerProtect namespace on the target cluster for the restore.

2. In the data section of the ConfigMap, add a storage class mapping in the following format:

: For example, if all PVCs that were backed up using the storage class csi-hostpath-sc will be restored to a cluster using the storage class xio-csi-sc, type:

csi-hostpath-sc: xio-csi-sc

NOTE: Restore of a First Class Disk (FCD) backup to a cluster with a storage class that is not FCD-based is not supported.

192 Best Practices and Troubleshooting

Data protection operations for high availability Kubernetes cluster might fail when API server not configured to send ROOT certificate

If the Kubernetes cluster is set up in high availability mode and the Kubernetes API server is not configured to send the ROOT certificate as part of the TLS communication setup, backup and restore operations might fail with the following error:

javax.net.ssl.SSLHandshakeExcept ion: sun.security.validator.Validator Exception: PKIX path building failed: sun.security.provider.certpath.S unCertPathBuilderException: unable to find valid certification path to requested target To resolve the error, perform the following steps:

1. Copy the root certificate of the Kubernetes cluster to the PowerProtect Data Manager server. 2. As an administrator on the PowerProtect Data Manager server, import the certificate to the PowerProtect Data Manager

trust store by running the following command:

ppdmtool -importcert -alias certificate alias -file file with certificate -type BASE64| PEM

Where:

i or importcert imports the certificate.

a or alias certificate alias is used to specify the alias of the certificate.

f or file file with certificate is used to specify the file with the certificate.

t or type BASE64|PEM is used to specify the certificate type. The default type is PEM.

NOTE: Since the root certificate is in PEM format, this command should not require the type input.

Sample command to import certificate to PowerProtect Data Manager trust store

ppdmtool -importcert -alias apiserver.xyz.com -file root-certificate

Kubernetes cluster on Amazon Elastic Kubernetes Service certificate considerations

Running a Kubernetes cluster on Amazon Elastic Kubernetes Service (EKS) requires you to manually copy the cluster root certificate authority and import to the PowerProtect Data Manager trust store. Perform the following steps:

1. From the Kubernetes node, retrieve the cluster root certificate by running the following command:

aws eks describe-cluster --region region --name Kubernetes cluster name --query "cluster.certificateAuthority.data" --output certificate file name

2. Copy the certificate to the PowerProtect Data Manager server. 3. As an administrator on the PowerProtect Data Manager server, import the certificate to the PowerProtect Data Manager

trust store by running the following command:

ppdmtool -importcert -alias certificate alias -file file with certificate -type BASE64| PEM

Where:

i or importcert imports the certificate.

a or alias certificate alias is used to specify the alias of the certificate.

f or file file with certificate is used to specify the file with the certificate.

t or type BASE64|PEM is used to specify the certificate type. The default type is PEM.

NOTE: Since the root certificate is a text file, specify BASE64 format for the type input, as shown in the following

example.

Sample command to import certificate to PowerProtect Data Manager trust store

ppdmtool -i -a eks.ap-south-1.amazonaws.com -f aws-certificate.txt -t BASE64

Best Practices and Troubleshooting 193

Removing PowerProtect Data Manager components from a Kubernetes cluster

Review the following sections if you need to remove PowerProtect Data Manager components from the Kubernetes cluster:

Remove PowerProtect Data Manager components

Run the following commands to remove the PowerProtect Data Manager components:

kubectl delete crd -l app.kubernetes.io/part-of=powerprotect.dell.com kubectl delete clusterrolebinding powerprotect:cluster-role-binding kubectl delete namespace powerprotect

Remove Velero components

Run the following commands to remove the Velero components:

kubectl delete crd -l component=velero kubectl delete clusterrolebinding velero kubectl delete namespace velero-ppdm

Remove images from cluster nodes

Run the following commands to remove the Docker Hub images from the cluster nodes:

On the worker nodes, run sudo docker image ls To remove any images that return powerprotect-cproxy, powerprotect-k8s-controller, powerprotect-

velero-dd, or velero, run sudo docker image remove IMAGEID

Troubleshooting a PowerProtect Data Manager software upgrade Review the following information related to upgrading the PowerProtect Data Manager software.

Mounting a read-only file system results in failed upgrade

If you mount a read-only file system under the /home/admin or /home/sysadmin directories on the PowerProtect Data Manager node, the upgrade cannot complete successfully. Ensure that you remove read-only file system mounts before upgrading PowerProtect Data Manager.

Managing certificates after upgrading from versions earlier than PowerProtect Data Manager version 19.1

Use this procedure to ensure that certificates existing on the pre-upgrade system also exist on the post-upgrade system.

Prerequisites

Ensure that you update any expired certificates on external systems to valid certificates.

Steps

1. Log in to the PowerProtect Data Manager operating system with administrator credentials.

194 Best Practices and Troubleshooting

2. Run the upgrade command:

/usr/local/brs/lib/secretsmgr/bin/secretsmgr-tls-upgrade

The system displays the external system certificates.

3. Verify each certificate as trusted or untrusted: At the prompt for each certificate, type Y to accept.

Any other character rejects the certificate. Expired certificates are automatically rejected.

Best Practices and Troubleshooting 195

Application-Consistent Database Backups in Kubernetes

Topics:

About application-consistent database backups in Kubernetes Obtain and deploy the CLI package About application templates Deploy application templates Perform application-consistent backups Verify application-consistent backups Disaster recovery considerations Granular-level recovery considerations Log truncation considerations

About application-consistent database backups in Kubernetes The PowerProtect Data Manager supports agentless, application-consistent backups of database applications that reside in Kubernetes pods. The existing infrastructure handles database backups, no pod compute resources are required.

Application-consistent backups occur when the database application is informed of a pending backup. The database completes all pending transactions and operations, while typically queuing new requests. This process places the database in a quiescent state of relative inactivity where the backup represents a true snapshot of the application. This backup now captures items that would have otherwise been stored only in memory. After the snapshot, the application resumes normal functionality. In most environments, the snapshot operation is instantaneous, so downtime is minimal.

These backups are agentless, in that the PowerProtect Data Manager can take a snapshot of containers without the need for software installation in the database application environment. That snapshot is then backed up using the normal procedures for the Kubernetes environment.

The PowerProtect Data Manager provides a standardized way to quiesce a supported database, back up the data from that database, and then return the database to operation. Application templates serve as a bridge between a specific database environment and the Kubernetes backup architecture for the PowerProtect Data Manager. Depending on the differences between database environments, each deployment may require a different configuration file.

Supported database applications

Supported applications include:

MySQL, in the following configurations:

Standalone deployment in one pod. Cluster (primary/secondary) deployment with multiple StatefulSets or ReplicaSets. For example, through Helm.

MongoDB, without shards. PostgreSQL, in the following configurations:

Standalone deployment in one pod. Cluster (primary/secondary) deployment with multiple StatefulSets. For example, through Helm.

Cassandra, without shards.

Because data syncs from the primary pods to secondary pods, the PowerProtect Data Manager backs up secondary pods first.

A

196 Application-Consistent Database Backups in Kubernetes

NOTE: This guide uses primary and secondary terminology. Some databases may use other terms, such as source and

replica, primary and replica, or master and standby.

Prerequisites

The application-consistent database backup functions assume that you have met the following prerequisites:

You must set labels on pods during the deployment process. The database application deploys with a known label on every associated pod, which is required to configure the application template.

The default template for PostgreSQL requires the presence of psql in the PostgreSQL container.

Obtain and deploy the CLI package The CLI package contains the control commands for application template functionality, readme files, and some examples.

About this task

The CLI package exists on the PowerProtect Data Manager host at /usr/local/brs/lib/cndm/misc/ppdmctl.tar.gz and is part of the PowerProtect Data Manager deployment. There is no separate download for the CLI package.

All application-consistent database backup CLI commands run on the host where the Kubernetes administrator runs control commands, not on the PowerProtect Data Manager host.

Steps

1. The backup administrator uses SCP or another file transfer utility to download the CLI package from the PowerProtect Data Manager host to a local system.

2. The backup administrator provides the CLI package to the Kubernetes administrator.

The Kubernetes administrator completes the remaining steps in this task.

3. Extract the CLI package on the local system.

4. Use SCP or another file transfer utility to copy the CLI package files from the local system to the Kubernetes cluster.

You can also copy the package to any host where the Kubernetes administrator can use the kubectl or equivalent tools to manage the Kubernetes cluster.

Place the CLI package files in a directory that is part of the system path ($PATH) or add the directory to the system path if necessary.

5. Log in to the Kubernetes cluster.

6. Change directory to the location where you uploaded the CLI package files.

7. Make the CLI utility executable by typing the following command:

chmod +x ppdmctl 8. Ensure that the $HOME/.kube directory contains a copy of the Kubernetes cluster config file.

Alternatively, you can add the --kubeconfig parameter to every CLI command to specify the path to the config file.

About application templates Application templates translate the specific configuration details and required interface steps for each database application deployment to the standard PowerProtect Data Manager backup functionality for Kubernetes.

CAUTION: Do not create more than one template with the same label and the same namespace. In this

circumstance, only the last-deployed template takes effect, which may cause undesirable results.

Application templates are typically deployed from customizable YAML files that come with the CLI package. When complete, the application template contains the following items:

AppLabel corresponds to the label that you applied to each pod during deployment. The label identifies all pods that belong to the indicated database application. Labels can contain multiple key-value pairs in a comma-separated list.

Application-Consistent Database Backups in Kubernetes 197

If more than one instance of each database application exists in the same namespace, two application templates are required. In this case, each application must use different values for AppLabel.

For example, the label app=mysql matches the template with any pod which has a label that takes the form of a key named app and the value mysql.

Type identifies the type of database application inside the pod or pods.

AppActions matches a prescribed action or filter to a resource type, such as pods.

The next topics explain application actions in more detail.

You can deploy application templates to the PowerProtect namespace or to a specific user-defined namespace. Using a template in the PowerProtect namespace applies the template to all other namespaces. This result can include namespaces where you may not have credentials to run some user-supplied commands or where the expected context may differ from the real context. If you deploy a template to the PowerProtect namespace, that template can use only the default hook actions that are described in a subsequent topic.

When you require specific user-supplied commands for a database application, create an application template for each namespace. Templates in specific namespaces override any behavior that would come from a template of the same name in the PowerProtect namespace.

Default application templates

When you deploy application templates without specifying custom values in a YAML file, the deployment uses values from the default configuration files.

For example, the default MySQL application template supports both stand-alone and cluster instances of MySQL, with a single StatefulSet. In this StatefulSet, the primary pod has index 0. Secondary pods have an index that ranges from 1 to n-1, where n is the number of replicas.

The default MongoDB template supports only stand-alone instances, with similar StatefulSet pod parameters.

Application template example

The following example illustrates the syntax for a MySQL database:

apiVersion: "powerprotect.dell.com/v1beta1" kind: ApplicationTemplate metadata: name: ClusteredMySQLTemplate namespace: examplenamespace spec: type: "MYSQL" enable: true appLabel: "app=mysql" appActions: Pod: preHook: command: '["/bin/sh", "-c", "mysql -uroot -p$MYSQL_ROOT_PASSWORD -e \"FLUSH TABLES WITH READ LOCK; FLUSH LOGS;SELECT SLEEP(100);\" >/tmp/quiesce.log 2>&1 & for i in 1..10; do sleep 1; mysql -uroot -p$MYSQL_ROOT_PASSWORD -e \"SHOW PROCESSLIST\" | grep \"SLEEP(100)\" > /tmp/sleep.pid ; if [ $? -eq 0 ]; then exit 0; fi; done; exit 1"]' postHook: command: '["/bin/sh", "-c", "SLEEPPID=`cut -f1 /tmp/sleep.pid` ; mysql - uroot -p$MYSQL_ROOT_PASSWORD -e \"KILL $SLEEPPID\" ; rm /tmp/sleep.pid"]' StatefulSet: selectors: - selectorTerms: - field: "Labels" selectorExpression: "app=mysql" - field: "Name" selectorExpression: ".*-[1-9][0-9]*$"' # Secondary pods with index > 0 - selectorTerms: - field: "Labels" selectorExpression: "app=mysql" - field: "Name" selectorExpression: ".*-0$"' # Primary pod index 0

198 Application-Consistent Database Backups in Kubernetes

After you obtain and extract the CLI package, you can find more sample templates in the examples directory.

YAML configuration files

The YAML configuration files form the core of each application template. These files serve as user-configurable inputs to the process of deploying application templates for namespaces.

The YAML files help you quickly deploy application templates with similar properties by reusing the same YAML file for multiple databases across different namespaces. The CLI package comes with sample configuration files for each supported type of database application. You can copy and then customize these files for your environment.

Each sample from the CLI package contains examples of different application actions, such as selectors that filter by name and by regular expression. The CLI package also comes with a readme file for additional information, including the expected environment variables for each default deployment. Different application types may use different terminology.

The samples explicitly spell out the quiesce and unquiesce command strings, they do not use the default commands that are described in a subsequent topic. This method is normal for templates that are deployed to a specific namespace. If you intend to create a template for deployment to the PowerProtect namespace, you must replace the command strings with the default commands.

You can start building your own command strings by copying the samples and customizing as necessary to change the values. Customization can include changing the location of the lock file, changing the sleep counts, and so forth. You are responsible for any changes to the default command strings.

Application actions

The application template defines actions that the PowerProtect Data Manager automatically performs on discovered resources, including ways to order the actions into a sequence.

Each action is associated with a supported resource type:

Pod defines actions that happen at the pod level. Each application template must have actions for pods that specify how to quiesce and unquiesce the database application inside. Templates for stand-alone applications usually contain only pod- level actions.

StatefulSet and ReplicaSet define actions that happen at the cluster level. This level typically contains the selectors that allow the PowerProtect Data Manager to back up pods in the correct order, before the template applies actions at the pod level.

Pod actions

When the template matches with a pod, there are two available actions:

preHook Provides a command or sequence of commands that quiesce the database application and write its data to disk in preparation for the backup.

postHook Provides a command or sequence of commands that unquiesce the database application and restore normal operation.

MySQL application templates come with default values for these actions: DefaultMySQLQuiesce and DefaultMySQLUnquiesce.

MongoDB application templates come with default values for these actions: DefaultMongoDBQuiesce and DefaultMongoDBUnquiesce.

PostgreSQL application templates come with default values for these actions: DefaultPostgresqlQuiesce and DefaultPostgresqlUnquiesce.

For PostgreSQL, the prehook action does not quiesce the database. Rather, the action places the database into hot backup mode. Similarly, the posthook action removes the database from hot backup mode.

Cassandra application templates come with a default value for these actions: DefaultCassandraFlush.

For Cassandra, the prehook action flushes the database to disk. The database provides neither explicit quiescing during the prehook, nor a corresponding unquiesce command for a posthook action.

Application-Consistent Database Backups in Kubernetes 199

These default values are reserved keywords in the YAML file. Creating an application template from the YAML file replaces these keywords with relatively safe and standard sequences that quiesce and unquiesce supported database applications, where applicable.

The other parameters that are associated with these default values are:

Timeout defaults to 30 s.

Container defaults to the first container in the pod.

OnError defaults to Fail. The possible values are Fail and Continue.

You can replace these default hooks with sequences of commands that are specific to the database application environment. All values other than the defaults are treated as commands to run.

You can also replace the default parameters with new values, such as the name of a different container or a longer timeout.

Example

An application template applies to a MySQL database that resides in a pod. The following template fragment provides custom commands for quiescing and unquiescing the database.

Pod: preHook: command: "[\"/bin/sh\", \"-c\", \"mysql -uroot -p$MYSQL_ROOT_PASSWORD -e \\ \"FLUSH TABLES WITH READ LOCK; FLUSH LOGS;SELECT SLEEP(100);\\\" >/tmp/quiesce.log 2>&1 & for i in 1..10; do sleep 1; mysql -root -p$MYSQL_ROOT_PASSWORD -e \\\"SHOW PROCESSLIST\\\" | grep \\\"SLEEP(100)\\\" > /tmp/sleep.pid ; if [ $? -eq 0 ]; then exit 0; fi; done; exit 1\"]" postHook: command: "[\"/bin/sh\", \"-c\", \"SLEEPPID=`cut -f1 /tmp/sleep.pid` ; mysql - uroot -p$MYSQL_ROOT_PASSWORD -e \\\"KILL $SLEEPPID\\\" ; rm /tmp/sleep.pid\"]"

Selectors

Selectors are an array of criteria that match resources which belong to the database application. For example, if the action is associated with a StatefulSet, then the selectors describe how to match the pods within the StatefulSet.

Selectors can have multiple logical terms, which are logically combined with AND statements to match resources. Logical terms can match on the Labels, Annotations, or Name fields, and provide filter expressions.

Labels and annotations support key-value pair matching. Names support regular-expression matching.

The selector order serializes the actions on each resource. For pods, the selector order controls the order in which each pod is backed up.

Before deploying the application template, verify that your key-value pairs and regular expressions correctly match all pods and select the pods in the correct order.

Example

An application template applies to a MySQL cluster with one StatefulSet. The application label is a key-value pair that is named app with the value mysql. The following selectors match:

A primary pod with a name that contains the suffix "-0". Secondary pods with names that contain suffixes that start at "-1" and increment.

Remember that secondary pods are backed up before the primary pod.

StatefulSet: selectors: - selectorTerms: - field: "Labels" selectorExpression: "app=mysql" - field: "Name" selectorExpression: ".*-[1-9][0-9]*$" - selectorTerms: - field: "Labels" selectorExpression: "app=mysql"

200 Application-Consistent Database Backups in Kubernetes

- field: "Name" selectorExpression: ".*-0$"

Deploy application templates You can deploy application templates from customized source YAML files or from the default YAML files.

Prerequisites

Obtain and deploy the CLI package. If required, copy and customize a source YAML file for the appropriate database environment.

Even where the default templates contain actions for cluster instances of supported databases, the default deployment command creates a template for a single-instance database. For supported cluster databases, use the --inputfile parameter to specify a YAML file. This YAML file can be one of the examples.

About this task

This task uses the following placeholders:

template-type is one of the following values: mysqltemplate, mongodbtemplate, postgrestemplate, or cassandratemplate

db-type is one of the following values: mysql, mongodb, postgresql, or cassandra user-namespace is a specific namespace file is the name of a customized YAML file, where applicable

Steps

1. Log in to the Kubernetes cluster.

2. To deploy a default application template for a specific namespace, type the following command:

ppdmctl template create template-type --type=db-type --namespace=user-namespace For example:

a. To deploy a default MySQL application template for a specific namespace, type the following command:

ppdmctl template create mysqltemplate --type=mysql --namespace=user-namespace b. To deploy a default MySQL application template for the PowerProtect namespace, which applies to all namespaces, type

the following command:

ppdmctl template create mysqltemplate --type=mysql --namespace=powerprotect 3. To deploy an application template from a customized YAML file, type the following command:

ppdmctl template create template-type --type=db-type --namespace=user-namespace -- inputfile=file.yaml

4. To list the application templates for a specific namespace, type the following command:

kubectl get applicationtemplate --namespace=user-namespace 5. To edit an application template in a specific namespace, type one of the following commands:

kubectl edit applicationtemplate template-type --namespace=user-namespace For example:

kubectl edit applicationtemplate mysqltemplate --namespace=powerprotect

Perform application-consistent backups After you deploy application templates, the agentless nature of the backups means that no special steps are required to perform an application-consistent database backup.

The PowerProtect Data Manager infrastructure detects the presence of a deployed template and follows the template instructions when backing up the namespace to which the database application belongs.

Application-Consistent Database Backups in Kubernetes 201

Managing Protection Policies on page 52 provides more information about configuring protection policies for Kubernetes namespace protection.

For example, you can perform a manual backup of the Kubernetes protection policy and then verify that the resulting backup is application-consistent.

Verify application-consistent backups After you back up a database application, you can verify that the application template is correctly configured and that the backup type is application-consistent.

About this task

If at least one template selector matched a resource in the namespace, the PowerProtect Data Manager marks a copy as Application Consistent. For example, if a namespace has ten pods and one pod matched the template selector rules, the entire copy is marked as Application Consistent.

However, you can verify how many resources matched the template and ensure that this number matches your expectations for the template rules.

Steps

1. From the PowerProtect Data Manager UI, select Infrastructure > Assets or Recovery > Assets.

Assets that have copies are listed.

2. Locate the assets that are protected by Kubernetes protection policies.

3. Select an application-consistent database application and click View copies.

The copy map consists of the root node and its child nodes. The root node in the left pane represents an asset, and information about copy locations appears in the right pane. The child nodes represent storage systems.

4. Click a child node.

When you click a child node, the right pane displays information about the copy, such as the creation time, consistency level, size, and so forth.

5. Verify that the consistency level for the copy is Application Consistent.

Without the presence of an application template in the namespace, the consistency level is Crash Consistent.

Now you can verify the number of volumes that matched the template.

6. From the PowerProtect Data Manager UI, select Jobs > Protection and sort by Completed status.

The Jobs window appears.

7. Locate a job that corresponds to a Kubernetes protection policy which protects the database application.

8. Click the magnifying glass icon in the Details column next to the job name.

The Details pane appears on the right, with a Task Summary at the bottom.

9. Next to Task Summary, click the link that indicates the total number of tasks.

A new window opens to display a list of all tasks for the job and details for each task.

10. Click the magnifying glass icon in the Details column next to the individual task, and then complete the following steps:

11. On the Steps tab, review the summary information, which describes the task activity.

12. Click to expand the step and view additional information.

The PowerProtect Data Manager provides a summary of the protection task.

13. In the task result section, locate the applications parameter.

The applications parameter indicates how many PVCs matched the template selector rules.

Because the relationship between pods and PVCs is not necessarily one to one, this result is not the number of pods which matched the rules. The PowerProtect Data Manager cannot identify which specific volumes matched the rules. However, you can verify that the number of volumes aligns with your expectations for the contents of the namespace.

If the number of volumes is incorrect, review the template and ensure that the selector expressions match all pods.

202 Application-Consistent Database Backups in Kubernetes

Disaster recovery considerations Remember that application templates can be deployed to the PowerProtect namespace or to a user-defined namespace. The application template is a required component for working with application-consistent database backups.

When backing up a user-defined namespace, the PowerProtect Data Manager also backs up the application template from the user-defined namespace. The template is thus preserved if a disaster strikes.

However, application templates in the PowerProtect namespace are not backed up and are not automatically preserved. If you deploy an application template to the PowerProtect namespace, you must manually copy or back up these templates yourself. This manual copy preserves the template source in the event of disaster.

After the disaster, complete the following tasks:

1. Recover the Kubernetes cluster through the normal disaster-recovery procedure. 2. Manually restore the templates to the Kubernetes cluster. 3. Redeploy the templates from the backup to the PowerProtect namespace.

Granular-level recovery considerations Granular-level recovery (GLR) consists of recovering only a subset of the database or namespace. The PowerProtect Data Manager application-consistent database backups in Kubernetes do not support GLR.

However, to achieve the effect of GLR, complete the following steps:

1. Restore from the selected database backup to a new instance. This step restores the entire database to the new namespace.

2. Connect to the new database. Use database application commands to dump the required portion of the database to a local file.

3. Use any appropriate method to move the local file to the original database instance. 4. Connect to the original database. Use database application commands to import the contents of the dump file into the

original database. This step reverts the selected portion of the original database to match the contents of the backup. 5. Delete the new database instance.

Log truncation considerations MySQL generates binary log files in the MySQL persistent volume claim (PVC) when you perform application-consistent backups and restores. These log files follow the naming convention mysql-bin.xxx and are part of the MySQL application log.

You may have a requirement to truncate these log files for management purposes. However, these files contain both application-consistent information and other customer-specific information. The PowerProtect Data Manager cannot intercept the customer-specific portions of the log, nor determine where to truncate around this information.

Instead, you must review the database log files and decide where to manually truncate the log, if appropriate. Dell EMC recommends that you ma

Manualsnet FAQs

If you want to find out how the 19.6 Dell works, you can view and download the Dell PowerProtect 19.6 Data Manager Administration And User Guide on the Manualsnet website.

Yes, we have the Administration And User Guide for Dell 19.6 as well as other Dell manuals. All you need to do is to use our search bar and find the user manual that you are looking for.

The Administration And User Guide should include all the details that are needed to use a Dell 19.6. Full manuals and user guide PDFs can be downloaded from Manualsnet.com.

The best way to navigate the Dell PowerProtect 19.6 Data Manager Administration And User Guide is by checking the Table of Contents at the top of the page where available. This allows you to navigate a manual by jumping to the section you are looking for.

This Dell PowerProtect 19.6 Data Manager Administration And User Guide consists of sections like Table of Contents, to name a few. For easier navigation, use the Table of Contents in the upper left corner.

You can download Dell PowerProtect 19.6 Data Manager Administration And User Guide free of charge simply by clicking the “download” button in the upper right corner of any manuals page. This feature allows you to download any manual in a couple of seconds and is generally in PDF format. You can also save a manual for later by adding it to your saved documents in the user profile.

To be able to print Dell PowerProtect 19.6 Data Manager Administration And User Guide, simply download the document to your computer. Once downloaded, open the PDF file and print the Dell PowerProtect 19.6 Data Manager Administration And User Guide as you would any other document. This can usually be achieved by clicking on “File” and then “Print” from the menu bar.