Dell PowerProtect 19.10 Data Manager Virtual Machine User Guide PDF


PowerProtect Data Manager 19.10 Virtual Machine User Guide

August 2022 Rev. 02

Notes, cautions, and warnings

NOTE: A NOTE indicates important information that helps you make better use of your product.

CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.

WARNING: A WARNING indicates a potential for property damage, personal injury, or death.

© 2021-2022 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be trademarks of their respective owners.

Contents

Preface

Chapter 1: PowerProtect Data Manager for Virtual Machines Overview
PowerProtect Data Manager overview
Additional information and context
Terminology
Role-based security
Firewall and port considerations
PowerProtect Data Manager new deployment overview
Access the PowerProtect Data Manager UI
Getting Started window

Chapter 2: Enabling Virtual Machine Protection
About asset sources, assets, and protection storage
About vCenter server asset sources and virtual assets
Prerequisites for discovering asset sources
Discovering asset sources in a GCVE environment
Enable an asset source
Disable an asset source
Delete an asset source
Adding a vCenter Server asset source
Add a VMware vCenter server
Creating a dedicated vCenter user account
Specify the required privileges for a dedicated vCenter user account
VM Direct protection engine overview
Requirements for an external VM Direct Engine
Protection engine limitations
Add a VM Direct Engine
Additional VM Direct actions
Transparent Snapshot Data Mover protection mechanism

Chapter 3: Managing Virtual Machine Assets and Protection
Protection policies
Additional protection policy options
Before you create a protection policy
Supported enhanced VMware topologies for virtual-machine protection
Add a protection policy for virtual-machine protection
Managing virtual-machine backups
Add and remove the credentials for virtual-machine assets
Enable or disable Changed Block Tracking (CBT)
More options for managing virtual-machine backups
Snapshot freeze scripts and thaw scripts for virtual-machine backups
Add a service-level agreement
Add or remove assets in a protection policy


Extended retention
Edit the retention period for backup copies
Protection rules
Creating virtual machine tags in the vSphere Client
Add a protection rule
Manually run a protection rule
Edit or delete a protection rule
View assets applied to a protection rule
Change the priority of an existing protection rule
Configure protection rule behavior

Chapter 4: Restoring Virtual Machine Data and Assets
Prerequisites to restore a virtual machine
View backup copies available for restore
Restoring a virtual machine or VMDK
Restoring a virtual machine backup with the storage policy association
Image-level restores
Restore to the original virtual machine
Restore individual virtual disks
Restore to a new virtual machine
Direct restore to ESXi
Instant Access virtual-machine restore
Manage and monitor Instant Access sessions
Migrate an Instant Access session
File-level restores
File-level restore to the original virtual machine
File-level restore to alternate virtual machine
Virtual machine file level restore from a search
Restore an application-aware virtual machine backup

Chapter 5: Protecting Virtual Machines Using the Transparent Snapshot Data Mover
Overview of transparent snapshots for virtual machine protection
VIB installation monitoring and management
Transparent snapshot data mover system requirements
Prerequisites to virtual machine protection with the Transparent Snapshot Data Mover
Additional privileges required for a dedicated vCenter user account to use Transparent Snapshot Data Mover
Creating VMkernel ports for TSDM
Virtual machine transparent snapshot unsupported features and limitations
Transparent Snapshot Performance and Scalability

Chapter 6: PowerProtect Functionality Within the vSphere Client
PowerProtect functionality within the vSphere Client
Overview of the PowerProtect plug-in for the vSphere Client
Prerequisites for enabling the vSphere Client PowerProtect plug-in
Monitor PowerProtect Data Manager virtual machine protection copies
Manual PowerProtect policy backup in the vSphere Client
Image-level restore of a PowerProtect backup in the vSphere Client
File-level restore of a PowerProtect backup in the vSphere Client


Overview of VASA and VMware Storage Policy Based Management
Register the VASA provider for policy association
Add an SPBM policy and associate with a PowerProtect Data Manager virtual machine policy
Monitor virtual machine protection policy compliance

Chapter 7: VMware Cloud (VMC) on Amazon Web Services (AWS)
PowerProtect Data Manager image backup and recovery
Supported PowerProtect Data Manager and DDVE deployment configurations
Deployment and configuration best practices and requirements
Configuring the VMC-on-AWS portal
Interoperability with PowerProtect Data Manager features
vCenter server inventory requirements
Creating a dedicated cloud-based vCenter user account
Specify the required privileges for a dedicated cloud-based vCenter user account
Add a VM Direct Engine
Unsupported operations

Chapter 8: Azure VMware Solution (AVS) on Microsoft Azure
PowerProtect Data Manager image backup and recovery
Supported PowerProtect Data Manager and DDVE deployment configurations
Deployment and configuration best practices and requirements
Configuring the AVS-on-Azure portal
vCenter server inventory requirements
Creating a dedicated cloud-based vCenter user account
Specify the required privileges for a dedicated cloud-based vCenter user account
Add a VM Direct Engine
Unsupported operations

Chapter 9: Google Cloud VMware Engine (GCVE) on Google Cloud Platform (GCP)
PowerProtect Data Manager image backup and recovery
Supported PowerProtect Data Manager and DDVE deployment configurations
Deployment and configuration best practices and requirements
Configuring the GCVE-on-GCP portal
vCenter server inventory requirements
Discovering asset sources in a GCVE environment
Creating a dedicated cloud-based vCenter user account
Specify the required privileges for a dedicated cloud-based vCenter user account
Add a VM Direct Engine
Unsupported operations

Chapter 10: Backing Up and Recovering a vCenter Server
Backing up and recovering a vCenter server
vCenter deployments overview
Protecting an embedded PSC
Direct restore to ESXi
Protecting external deployment models
vCenter server appliance with one external PSC where PSC fails
vCenter server appliance is lost but the PSC remains
vCenter server appliance with multiple PSCs where one PSC is lost but one remains


vCenter server appliance remains but all PSCs fail
vCenter server appliance remains but multiple PSCs fail
vCenter server appliance fails
vCenter server restore workflow
Platform Services Controller restore workflow
Additional considerations
Command reference

Chapter 11: Backing Up VMware Cloud Foundation (VCF) on VxRail
Backing up VCF on VxRail
VCF and VxRail overview
VCF components and backup methods
Check VMware certification
Backup prerequisites
The backup script
Quick protection
Selective protection: SDDC and NSX-T Managers
Selective protection: vCenter servers
Selective protection: vRSLCM, VxRail Manager, Workspace ONE Access, and vRealize Suite virtual machines
SFTP password change: SDDC and NSX-T Managers
SFTP password change: vCenter servers
Backup-script troubleshooting

Appendix A: Virtual Machine Best Practices and Troubleshooting
Software and hardware requirements
Scalability limits for vCenter server, VM Direct Engine, and DD systems
PowerProtect Data Manager resource requirements in a VMware environment
Best practices and additional considerations for the VM Direct Engine
VM Direct Engine performance and scalability
Transport mode considerations
Change the limit of instant access sessions
Configuring a backup to support vSAN datastores
Configuration checklist for common issues
Disable vCenter SSL certificate validation
Dell EMC vProxy Agent for virtual-machine file-level restore
FLR-supported platform and OS versions for virtual machine restores
File-level restore and SQL restore troubleshooting and limitations
Virtual disk types supported
Virtual machine data change rate
VM Direct Engine data ingestion rate
VM Direct Engine limitations and unsupported features
VM Direct Engine selection with virtual networks (VLANs)
Deploying VM Direct appliance to datastore cluster unsupported
Best practices for vCenter server backup and restore
Changing the vCenter server FQDN
Change the vCenter server FQDN
Replacing security certificates
Replacing the self-signed security certificates
Replace expired or changed certificates on an external server


Troubleshooting network setup issues
Troubleshooting virtual machine backup issues
Backup completes with a non-quiesced snapshot warning
Backup fails when names include special characters
Deleting vCenter asset sources or moving ESXi to another vCenter server
Failed to lock virtual machine for backup: Another EMC vProxy operation 'Backup' is active on VM
Lock placed on virtual machine during backup and recovery operations continues for 24 hours if VM Direct appliance fails
Managing command execution for VM Proxy Agent operations on Linux
PowerProtect plug-in and portlet for vSphere display errors after replacing security certificates
SQL Server application-consistent backups fail with error "Unable to find VSS metadata files in directory"
Troubleshooting virtual machine restore issues
Network connection issues after restore of virtual machine with NSX-T VDS port groups
Troubleshooting instant access restore failures
Troubleshoot virtual machine SQL application consistent policy issues
Troubleshooting Microsoft SQL Server databases skipped during virtual machine transaction log backup
Troubleshooting Microsoft SQL Server application-aware backup error about disk.EnableUUID variable
Troubleshooting an issue with trailing spaces in Microsoft SQL Server database names
Support for backup and restore of encrypted virtual machines
Troubleshooting vSphere Plugin deployments
Troubleshoot vSphere Plugin deployments
VMware knowledge base articles and product documentation


Preface

As part of an effort to improve product lines, periodic revisions of software and hardware are released. Therefore, all versions of the software or hardware currently in use might not support some functions that are described in this document. The product release notes provide the most up-to-date information on product features.

If a product does not function correctly or does not function as described in this document, contact Customer Support.

NOTE: This document was accurate at publication time. To ensure that you are using the latest version of this document, go to the Customer Support website.

Product naming

Data Domain (DD) is now PowerProtect DD. References to Data Domain or Data Domain systems in this documentation, in the user interface, and elsewhere in the product include PowerProtect DD systems and older Data Domain systems. In many cases the user interface has not yet been updated to reflect this change.

Language use This document might contain language that is not consistent with Dell Technologies current guidelines. Dell Technologies plans to update the document over subsequent future releases to revise the language accordingly.

This document might contain language from third-party content that is not under Dell Technologies control and is not consistent with the current guidelines for Dell Technologies own content. When such third-party content is updated by the relevant third parties, this document will be revised accordingly.

Website links The website links used in this document were valid at publication time. If you find a broken link, provide feedback on the document, and a Dell employee will update the document as necessary.

Purpose This document describes how to configure and administer the Dell EMC PowerProtect Data Manager software to protect and recover data on virtual machines.

The PowerProtect Data Manager Administration and User Guide provides additional details about configuration and usage procedures.

Audience This document is intended for the virtual machine administrator who is involved in managing, protecting, and reusing data across the enterprise by deploying PowerProtect Data Manager software.

Revision history The following table presents the revision history of this document.

Preface


Table 1. Revision history

Revision Date Description

02 August 9, 2022 Added procedure to restart virtual machine protection services after replacing security certificates.

01 March 22, 2022 Initial release of this document for PowerProtect Data Manager version 19.10.

Compatibility information

Software compatibility information for the PowerProtect Data Manager software is provided at the E-Lab Navigator.

Related documentation

The following publications are available at Customer Support and provide additional information:

Table 2. Related documentation

Title Content

PowerProtect Data Manager Administration and User Guide Describes how to configure the software.

PowerProtect Data Manager Deployment Guide Describes how to deploy the software.

PowerProtect Data Manager Licensing Guide Describes how to license the software.

PowerProtect Data Manager Release Notes Contains information on new features, known limitations, environment, and system requirements for the software.

PowerProtect Data Manager Security Configuration Guide Contains security information.

PowerProtect Data Manager Amazon Web Services Deployment Guide Describes how to deploy the software to Amazon Web Services (AWS).

PowerProtect Data Manager Azure Deployment Guide Describes how to deploy the software to Microsoft Azure.

PowerProtect Data Manager Google Cloud Platform Deployment Guide Describes how to deploy the software to Google Cloud Platform (GCP).

PowerProtect Data Manager Cloud Disaster Recovery Administration and User Guide Describes how to deploy Cloud Disaster Recovery (Cloud DR), protect virtual machines in the AWS or Azure cloud, and run recovery operations.

PowerProtect Data Manager Cyber Recovery User Guide Describes how to install, update, patch, and uninstall the Dell EMC PowerProtect Cyber Recovery software.

PowerProtect Data Manager File System User Guide Describes how to configure and use the software with the File System agent for file-system data protection.

PowerProtect Data Manager Kubernetes User Guide Describes how to configure and use the software to back up and restore namespaces and PVCs in a Kubernetes cluster.

PowerProtect Data Manager Microsoft Exchange Server User Guide Describes how to configure and use the software to back up and restore the data in a Microsoft Exchange Server environment.

PowerProtect Data Manager Microsoft SQL Server User Guide Describes how to configure and use the software to back up and restore the data in a Microsoft SQL Server environment.

PowerProtect Data Manager Oracle RMAN User Guide Describes how to configure and use the software to back up and restore the data in an Oracle Server environment.

PowerProtect Data Manager SAP HANA User Guide Describes how to configure and use the software to back up and restore the data in an SAP HANA Server environment.


PowerProtect Data Manager Storage Direct User Guide Describes how to configure and use the software with the Storage Direct agent to protect data on VMAX storage arrays through snapshot backup technology.

PowerProtect Data Manager Network Attached Storage User Guide Describes how to configure and use the software to protect and recover the data on network-attached storage (NAS) shares and appliances.

PowerProtect Data Manager Virtual Machine User Guide Describes how to configure and use the software to back up and restore virtual machines and virtual-machine disks (VMDKs) in a vCenter Server environment.

VMware Cloud Foundation Disaster Recovery With PowerProtect Data Manager Provides a detailed description of how to perform an end-to-end disaster recovery of a VMware Cloud Foundation (VCF) environment.

PowerProtect Data Manager Disaster Recovery Best Practices Guide Provides guidance and best practices for a PowerProtect Data Manager server disaster-recovery solution.

PowerProtect Data Manager Public REST API documentation Contains the PowerProtect Data Manager APIs and includes tutorials to guide you in their use.

vRealize Automation Data Protection Extension for Data Protection Systems Installation and Administration Guide Describes how to install, configure, and use the Dell EMC vRealize Data Protection Extension.

Typographical conventions

The following type style conventions are used in this document:

Table 3. Style conventions

Formatting Description

Bold Used for interface elements that a user specifically selects or clicks, for example, names of buttons, fields, tab names, and menu paths. Also used for the name of a dialog box, page, pane, screen area with title, table label, and window.

Italic Used for full titles of publications that are referenced in text.

Monospace Used for: system code; system output, such as an error message or script; pathnames, file names, file name extensions, prompts, and syntax; commands and options.

Monospace italic Used for variables.

Monospace bold Used for user input.

[ ] Square brackets enclose optional values.

| Vertical line indicates alternate selections. The vertical line means "or" for the alternate selections.

{ } Braces enclose content that the user must specify, such as x, y, or z.

... Ellipses indicate non-essential information that is omitted from the example.

You can use the following resources to find more information about this product, obtain support, and provide feedback.

Where to find product documentation

- The Customer Support website
- The Community Network

Where to get support

The Customer Support website provides access to product licensing, documentation, advisories, downloads, and how-to and troubleshooting information. The information can enable you to resolve a product issue before you contact Customer Support.

To access a product-specific page:

1. Go to the Customer Support website.
2. In the search box, type a product name, and then from the list that appears, select the product.

Knowledgebase

The Knowledgebase contains applicable solutions that you can search for either by solution number (for example, KB000xxxxxx) or by keyword.

To search the Knowledgebase:

1. Go to the Customer Support website.
2. On the Support tab, click Knowledge Base.
3. In the search box, type either the solution number or keywords. Optionally, you can limit the search to specific products by typing a product name in the search box, and then selecting the product from the list that appears.

Live chat

To participate in a live interactive chat with a support agent:

1. Go to the Customer Support website.
2. On the Support tab, click Contact Support.
3. On the Contact Information page, click the relevant support, and then proceed.

Service requests

To obtain in-depth help from a support agent, submit a service request. To submit a service request:

1. Go to the Customer Support website.
2. On the Support tab, click Service Requests.

NOTE: To create a service request, you must have a valid support agreement. For details about either an account or obtaining a valid support agreement, contact a sales representative. To find the details of a service request, in the Service Request Number field, type the service request number, and then click the right arrow.

To review an open service request:

1. Go to the Customer Support website.
2. On the Support tab, click Service Requests.
3. On the Service Requests page, under Manage Your Service Requests, click View All Dell Service Requests.

Online communities

For peer contacts, conversations, and content on product support and solutions, go to the Community Network. Interactively engage with customers, partners, and certified professionals online.

How to provide feedback

Feedback helps to improve the accuracy, organization, and overall quality of publications. You can send feedback to DPAD.Doc.Feedback@emc.com.

PowerProtect Data Manager for Virtual Machines Overview

Topics:

- PowerProtect Data Manager overview
- Additional information and context
- Terminology
- Role-based security
- Firewall and port considerations
- PowerProtect Data Manager new deployment overview
- Access the PowerProtect Data Manager UI

PowerProtect Data Manager overview

Use PowerProtect Data Manager to perform the following operations:

- Automate the configuration of virtual machine backup policy and protection storage settings.
- Create a catalog of virtual machine backups. Then, monitor that catalog data to determine if retention policies are being adhered to.
- Manage the life cycle of virtual machine backups. Ensure that the backups are marked for garbage collection, based on the rules of the retention policy.

For virtual machines, PowerProtect Data Manager provides the following benefits:

- Enables the data protection team to create data paths with provisioning, automation, and scheduling to embed protection engines into the infrastructure for high-performance backup and recovery.
- Enables backup administrators of large-scale environments to schedule backups for VMware virtual machines from a central location on the PowerProtect Data Manager server.
- Enables governed self-service and centralized protection by:
  - Monitoring and enforcing Service Level Objectives (SLOs)
  - Identifying violations of Recovery Point Objectives (RPO)
  - Setting retention locks on backups for all asset types.
- Supports deploying an external VM Direct appliance to move data with the VM Direct Engine. The PowerProtect Data Manager software comes prebundled with an embedded VM Direct engine, which is automatically used as a fallback proxy for performing backup and restore operations when the added external proxies fail or are disabled. Dell EMC recommends that you always deploy external proxies, because the embedded proxy has limited capacity for performing parallel backups.
- Supports the vRealize Automation DP extension, which enables provisioning of virtual machines with PowerProtect Data Manager protection, on-demand backup, and restore to the original or a new location. The vRealize Automation Data Protection Extension for PowerProtect Data Manager Installation and Administration Guide provides more information.

Additional information and context

This guide contains content that is specific to protecting virtual machines and may not repeat information that is already covered in the PowerProtect Data Manager Administration and User Guide, for example, because that information is also common to other asset types or is part of server administration.

The PowerProtect Data Manager Administration and User Guide provides important information about configuring PowerProtect Data Manager before and during use, including prerequisites such as adding protection storage and creating storage units.


Terminology

Familiarize yourself with the terminology for the PowerProtect Data Manager user interface and documentation.

The following table provides more information about names and terms that you should know to use PowerProtect Data Manager:

Table 4. Term list

Term Description

Application agent Application agents are installed on application or database host servers to manage protection using PowerProtect Data Manager. These agents are commonly known as DD Boost Enterprise Agents (DDBEAs) for databases and applications.

Application-aware A virtual machine protection policy that includes additional application-aware data protection for Microsoft SQL Servers. An application-aware virtual machine protection policy provides the ability to quiesce the application during virtual machine image backup to perform a full backup of Microsoft SQL Server databases. You can also schedule Microsoft SQL Server log backups for the virtual machines in the policy.

Asset Assets are objects in PowerProtect Data Manager for which you want to manage protection, including virtual machines, databases, and file systems.

Asset source Assets that PowerProtect Data Manager protects reside within asset sources, which include vCenter servers, application or database hosts, and file servers.

Cloud Tier storage Cloud Tier storage can be added to a protection storage system to expand the deduplication storage capacity onto less expensive object storage in public or private object storage clouds, including Dell EMC secure Elastic Cloud Storage appliances.

Copy A PowerProtect Data Manager copy is a point-in-time backup copy of an asset.

Copy Map The PowerProtect Data Manager Copy Map is a visual representation of backup copy locations on your protection storage and is available for all protected assets that have copies.

Discovery Discovery is an internal process that scans asset sources to find new assets to protect and scans infrastructure components to monitor their health and status.

Instant Access PowerProtect Data Manager virtual machine backup copies can be accessed, mounted, and booted directly from the protection storage targets as running virtual machines. This operation is called Instant Access. Copies can also be moved to a production VMware datastore using vMotion. PowerProtect Data Manager Virtual machine application-aware backup copies can be mounted directly from protection storage as running Microsoft SQL Server databases, which includes the ability to roll forward log backups. These Microsoft SQL Server database disks can also be moved to a production VMware datastore using vMotion.

PowerProtect Data Manager agent An agent that is included in PowerProtect Data Manager and installed on each application agent host server so that you can monitor and manage the application agent through PowerProtect Data Manager.

Protection policy Protection policies configure and manage the entire life cycle of backup data, which includes backup types, assets, backup start and stop times, backup devices, and backup retention.

Service-level agreement (SLA) An optional policy that you can layer on top of a protection policy. An SLA performs additional checks on protection activities to ensure that protection goals meet the standards of an organization. SLAs are made up of one or more service-level objectives.

Service-level objective (SLO) A definable rule that sets the criteria for recovery-point objectives (RPOs), encryption, and the location of backups according to company requirements.


Role-based security

PowerProtect Data Manager provides predefined user roles that control access to areas of the user interface and to protected operations. Some of the functionality in this guide is reserved for particular roles and may not be accessible from every user account.

By using the predefined roles, you can limit access to PowerProtect Data Manager and to backup data by applying the principle of least privilege.

The PowerProtect Data Manager Security Configuration Guide provides more information about user roles, including the associated privileges and the tasks that each role can perform.

Firewall and port considerations

The PowerProtect Data Manager Security Configuration Guide provides more details about the port requirements. Verify the requirements between the following components:

- PowerProtect Data Manager
- Configured DD systems
- VM Direct appliances (embedded and external)
- Web and REST API clients
- Callhome (SupportAssist)
- ESXi
- vCenter

PowerProtect Data Manager new deployment overview

Familiarize yourself with the high-level steps required to protect virtual machines.

Steps

1. Design how to group the backups based on the storage requirements and retention policies.

The account team can help with backup storage design.

2. Deploy PowerProtect Data Manager.

The PowerProtect Data Manager Deployment Guide for the appropriate platform provides instructions. Review all prerequisites.

3. Configure PowerProtect Data Manager settings.

For example, configure additional users, identity providers, or virtual networks.

The PowerProtect Data Manager Administration and User Guide and PowerProtect Data Manager Security Configuration Guide provide instructions.

4. Add protection storage.

The PowerProtect Data Manager Administration and User Guide provides instructions.

5. Configure any required storage units.

The PowerProtect Data Manager Administration and User Guide provides instructions.

6. Deploy any required VM Direct Engine appliances.

7. Add a protection policy for groups of assets that you want to back up.

8. Add Service Level Objectives to the protection policy to verify that the protected assets meet the Service Level Agreements (SLAs).

The PowerProtect Data Manager Administration and User Guide provides instructions.

9. Perform a full backup.

Without a full backup, PowerProtect Data Manager treats the backups as partial and assumes that you are out of compliance.


10. Monitor protection compliance in the PowerProtect Data Manager dashboard.

Access the PowerProtect Data Manager UI

PowerProtect Data Manager provides a web-based UI that you can use to manage and monitor system features and settings from any location over a network.

Steps

1. From a host that has network access to the virtual appliance, use Google Chrome to connect to the appliance:

https://<appliance_hostname>

NOTE: You can specify the hostname or the IP address of the appliance.

2. Log in with your username and password.

Usernames follow the format user[@domain], where domain is an optional identifier that associates the user with a particular identity provider.

For example: jsmith or administrator@test-lab.

- If you do not supply a domain, the authentication service checks the default identity provider.
- If you supply a domain, the authentication service consults the external identity provider for that domain and determines whether to allow the login.

When the identity provider validates the credentials, the authentication service issues a user token. The PowerProtect Data Manager UI uses the token information to authorize activities.

Unless you have changed the system configuration, the default identity provider is the local identity provider.

The PowerProtect Data Manager Security Configuration Guide provides more information about the available user roles and their associated permissions. The associated roles for an account determine what parts of the UI a user can see and use, and what operations a user can perform.

If this is your first time accessing the PowerProtect Data Manager UI, an unsigned certificate warning might appear in the web browser.

The security certificate that encrypts communication between the PowerProtect Data Manager UI and the web browser is self-signed. A self-signed certificate is signed by the web server that hosts the secure web page. There is nothing wrong with this certificate. This certificate is sufficient to establish an encrypted channel between the web browser and the server. However, it is not signed by a trusted authority.

The Getting Started page appears.

The left pane provides links to the available menu items. Expand a menu item for more options. The icons in the PowerProtect Data Manager banner provide additional options.

NOTE: If the user interface is left unattended for more than 30 minutes and times out, the login page might display with the error 503: Unknown Error. If this occurs, dismiss the error and log in again with your username and password.

Getting Started window

The Getting Started window provides configuration options that are required when the system is first deployed.

This window appears upon first deployment of PowerProtect Data Manager and opens to this page by default until you click Skip This.

You can access the Getting Started page at any time by clicking , and then selecting Getting Started.

Table 5. PowerProtect Data Manager Getting Started menu items

Options Description

Support View and configure SupportAssist, Email Setup, AutoSupport, Logs, System Health, and Restricted Mode.


Disaster Recovery Backup Configure and manage backups for disaster recovery.

VMware vCenter Opens the Infrastructure > Asset Sources window, where you can add a vCenter instance as an asset source so that virtual machine assets can be added to a protection policy.

Protect Assets Opens the Protection > Protection Policies window, where you can manage protection policy workflows for all asset types.


Enabling Virtual Machine Protection

Topics:

- About asset sources, assets, and protection storage
- About vCenter server asset sources and virtual assets
- Prerequisites for discovering asset sources
- Enable an asset source
- Adding a vCenter Server asset source
- VM Direct protection engine overview

About asset sources, assets, and protection storage

In PowerProtect Data Manager, assets are the basic units that PowerProtect Data Manager protects. Asset sources are the mechanism that PowerProtect Data Manager uses to manage assets and communicate with the protection storage where backup copies of the assets are stored.

For virtual machines, the vCenter server is the asset source and the virtual machines are the assets. Before you can add an asset source, you must enable the source within the PowerProtect Data Manager UI.

Add and configure protection storage to use as a target for protection policies. The PowerProtect Data Manager Administration and User Guide provides instructions.

About vCenter server asset sources and virtual assets

After you add a vCenter server as an asset source in PowerProtect Data Manager, an automatic discovery of VMware entity information from the vCenter server is initiated.

The virtual assets of the vCenter server appear in the Assets window of the PowerProtect Data Manager user interface under the Virtual Machine tab.

The initial vCenter server discovery identifies all ESXi clusters, hosts, and virtual machines within the vCenter server. Subsequent discoveries can be performed to identify any additional or changed VMware entities since the last discovery operation. You can also manually initiate a discovery of VMware entities at any time from the vCenter tab of the Asset Sources window by selecting a vCenter server and clicking Discover.

Upon vCenter server and virtual asset discovery, the PowerProtect Data Manager VM Direct protection engine facilitates the management of virtual assets as PowerProtect Data Manager resources for the purposes of backup and recovery. Dell EMC recommends that you also add an external VM Direct Engine in the Protection Engines window. You can protect virtual machine assets by manually adding the assets to a virtual-machine protection policy, or by creating and applying protection rules to determine which assets are included in a protection policy based on rule definitions.

Prerequisites for discovering asset sources

Perform these tasks before you discover an asset source.

- Ensure that the PowerProtect Data Manager is deployed and configured in the environment. The PowerProtect Data Manager deployment guides provide information.
- Log in as a user with the Administrator role. Only the Administrator role can manage asset sources.
- For a new system, enable one or more asset sources for the types of assets that you want to protect. Enable an asset source on page 19 provides more information.
- Configure all asset sources with an NTP server.
- Before you register a Microsoft SQL Server application, ensure that the DD system has been discovered successfully.
- For discovery of application agents and File System asset sources:
  - Ensure that all clocks on the application and File System hosts and PowerProtect Data Manager are time-synchronized to the local NTP server to ensure discovery of the backups.
  - Ensure that the application and File System hosts and the PowerProtect Data Manager network can see and resolve each other.
  - Ensure that port 7000 is open on the application and File System hosts.
- Discovery of a vCenter Server asset source excludes the following:
  - Virtual machines with a status of Inaccessible, Invalid, or Orphaned.
  - The virtual machine template
  - The shadow or standby virtual machine created by Dell EMC RecoverPoint for Virtual Machines, also referred to as the vRPA copy.

Prior to performing the vCenter discovery, verify the status of any virtual machines that you want to discover.

Discovering asset sources in a GCVE environment

There are special discovery considerations in a GCVE environment. Discovery fails unless GCVE-located vCenter servers have additional permissions.

Ensure the following permissions of any GCVE-located vCenter server:

- The GVE.LOCAL\CloudOwner user is mapped to the Cloud-Owner-Role role at the vCenter level.
- The GVE.LOCAL\CloudOwner to Cloud-Owner-Role mapping is not restricted to a lower-level container object in the vSphere object hierarchy.

Enable an asset source

An asset source must be enabled in PowerProtect Data Manager before you can add and register the asset source for the protection of assets.

About this task

Only the Administrator role can manage asset sources.

In some circumstances, the enabling of multiple asset sources is required. For example, both a vCenter Server and a Kubernetes cluster asset source must be enabled for Tanzu Kubernetes guest cluster protection.

There are other circumstances where enabling an asset source is not required, such as the following:

- For application agents and other agents such as File System and Storage Direct, an asset source is enabled automatically when you register and approve the agent host. For example, if you have not enabled an Oracle asset source but have registered the application host through the API or the PowerProtect Data Manager user interface, PowerProtect Data Manager automatically enables the Oracle asset source.
- When you update to the latest version of PowerProtect Data Manager from an earlier release, any asset sources that were previously enabled appear in the PowerProtect Data Manager user interface. On a new deployment, however, no asset sources are enabled by default.

Steps

1. From the PowerProtect Data Manager user interface, select Infrastructure > Asset Sources, and then click + to reveal the New Asset Source tab.

2. In the pane for the asset source that you want to add, click Enable Source. The Asset Sources window updates to display a tab for the new asset source.

Results

You can now add or approve the asset source for use in PowerProtect Data Manager. For a vCenter server, Kubernetes cluster, SMIS Server, or PowerProtect Cloud Snapshot Manager tenant, select the appropriate tab in this window and click Add. For an application host, select Infrastructure > Application Agents and click Add or Approve as required.

NOTE: Although you can add a Cloud Snapshot Manager tenant to PowerProtect Data Manager in order to view its health, alerts, and the status of its protection, recovery, and system jobs, you cannot manage the protection of its assets from PowerProtect Data Manager. To manage the protection of its assets, use Cloud Snapshot Manager. For more information, see the PowerProtect Cloud Snapshot Manager Online Help.


Disable an asset source

If you enabled an asset source that you no longer require, and the host has not been registered in PowerProtect Data Manager, perform the following steps to disable the asset source.

About this task

NOTE: An asset source cannot be disabled when one or more sources are still registered or there are backup copies of the source assets. For example, if you registered a vCenter server and created policy backups for the vCenter virtual machines, then you cannot disable the vCenter asset source. But if you register a vCenter server and then delete it without creating any backups, you can disable the asset source.

Steps

1. From the PowerProtect Data Manager UI, select Infrastructure > Asset Sources, and then select the tab of the asset source that you want to disable. If no host registration is detected, a red Disable button appears.

2. Click Disable.

Results

PowerProtect Data Manager removes the tab for this asset source.

Delete an asset source

If you want to remove an asset source that you no longer require, perform the following steps to delete the asset source in the PowerProtect Data Manager UI.

About this task

Only the Administrator role can manage the asset sources.

Steps

1. From the PowerProtect Data Manager UI, select Infrastructure > Asset Sources, and then select the tab for the type of asset source that you want to delete.

2. Select the asset source name in the asset source list, and then click Delete.

3. At the warning prompt that appears, click Continue. The asset source is deleted from the list.

Results

PowerProtect Data Manager removes the specified asset source in the Asset Sources window.

For all asset sources except the vCenter Server, any associated assets that are protected by the protection policy are removed from the protection policy and their status is changed to deleted. These assets can be deleted automatically or manually. The PowerProtect Data Manager Administration and User Guide provides details on how to remove assets from PowerProtect Data Manager.

The copies of assets from the asset source are retained (not deleted). You can delete the copies from the copies page, if required.

Adding a vCenter Server asset source

After you register a vCenter server with PowerProtect Data Manager, you can use the Asset Sources window in the PowerProtect Data Manager user interface to add a vCenter Server asset source to the PowerProtect Data Manager environment.

Adding a vCenter Server asset source is required if you want to schedule a backup through PowerProtect Data Manager.


Add a VMware vCenter server

Perform the following steps to add a vCenter server as an asset source in the PowerProtect Data Manager UI for virtual machine protection and Tanzu Kubernetes guest cluster protection.

Prerequisites

Ensure that the asset source is enabled. Enable an asset source on page 19 provides instructions. Log in as a user with the Administrator role. Only the Administrator role can manage asset sources. By default, PowerProtect Data Manager enforces SSL certificates during communication with vCenter server. If a certificate

appears and you trust the certificate, click Verify.

The SSL certificate enforcement requires that the common name (cn) of the x509 certificate on the vCenter server matches the hostname of the vCenter URL. The common name of the x509 certificate is typically the vCenter server fully qualified domain name (FQDN), but it could be the vCenter server IP address. You can inspect the vCenter server SSL certificate to determine whether the x509 common name is an FQDN or IP. When creating an asset source resource, in order to pass SSL certificate enforcement, the asset source resource hostname must match the common name of the x509 certificate on the vCenter server.

NOTE: It is recommended that you do not disable certificate enforcement. If disabling the certificate is required, carefully review the instructions in the section Disable vCenter SSL certificate validation on page 132.
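The common-name requirement described above can be checked before you add the asset source. The following PowerShell is an added example, not part of the Dell guide: the function names and the example.test host are hypothetical, the certificate is constructed in memory so the comparison runs offline, and PowerShell 7 (or Windows PowerShell 5.1 on .NET Framework 4.7.2 or later) is assumed.

```powershell
# Added example, not from the Dell guide. All function names are hypothetical helpers.

function Get-RemoteCertificate {
    # Reads the certificate that a TLS endpoint presents, for inspection only.
    param(
        [Parameter(Mandatory)][string]$Address,
        [int]$Port = 443
    )
    $tcp = [System.Net.Sockets.TcpClient]::new($Address, $Port)
    try {
        # Validation is bypassed only so that an untrusted certificate can still be read;
        # nothing but the TLS handshake is sent over this connection.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $tls = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAny)
        try {
            $tls.AuthenticateAsClient($Address)
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($tls.RemoteCertificate)
        }
        finally { $tls.Dispose() }
    }
    finally { $tcp.Dispose() }
}

function Test-AddressMatchesCertCN {
    # Compares the value planned for the Address field with the certificate common name.
    param(
        [Parameter(Mandatory)][string]$Address,
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # SimpleName yields the subject CN when the certificate has one.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $cn = $Certificate.GetNameInfo($nameType, $false)
    $parsed = $null
    [pscustomobject]@{
        Address    = $Address
        CommonName = $cn
        CnKind     = if ([System.Net.IPAddress]::TryParse($cn, [ref]$parsed)) { 'IP' } else { 'FQDN' }
        Match      = [string]::Equals($cn, $Address, [System.StringComparison]::OrdinalIgnoreCase)
        NotAfter   = $Certificate.NotAfter
    }
}

function New-ConstructedCertificate {
    # Builds a throwaway self-signed certificate so the check can be exercised offline.
    param([Parameter(Mandatory)][string]$CommonName)
    $rsa = [System.Security.Cryptography.RSA]::Create(2048)
    $request = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
        "CN=$CommonName", $rsa,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    $now = [System.DateTimeOffset]::UtcNow
    $request.CreateSelfSigned($now.AddDays(-1), $now.AddDays(30))
}

# Constructed sample: a certificate issued to an FQDN.
$cert = New-ConstructedCertificate -CommonName 'vcenter01.example.test'

# Case 1: the Address field carries the same FQDN as the certificate.
Test-AddressMatchesCertCN -Address 'vcenter01.example.test' -Certificate $cert

# Case 2: the Address field carries an IP address while the certificate names an FQDN.
Test-AddressMatchesCertCN -Address '192.0.2.10' -Certificate $cert

# Against a live server, feed the presented certificate instead (hypothetical host):
# $live = Get-RemoteCertificate -Address 'vcenter01.example.test'
# Test-AddressMatchesCertCN -Address 'vcenter01.example.test' -Certificate $live
```

A result with Match set to False means the address you plan to enter does not equal the certificate common name, which is the condition the guide says fails certificate enforcement.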

Steps

1. From the left navigation pane, select Infrastructure > Asset Sources.

The Asset Sources window appears.

2. Select the vCenter tab.

3. Click Add. The Add vCenter dialog displays.

4. Specify the source attributes:

a. In the Name field, specify the vCenter server name.

b. In the Address field, specify the fully qualified domain name (FQDN) or the IP address.

NOTE: For a vCenter server, it is recommended that you use the FQDN instead of the IP address.

c. In the Port field, specify the port for communication if you are not using the default port, 443.

5. Under Host Credentials, choose an existing entry from the list to use for the vCenter user credentials. Alternatively, you can click Add from this list to add new credentials, and then click Save.

NOTE: Ensure that you specify the credentials for a user whose role is defined at the vCenter level, as opposed to being restricted to a lower-level container object in the vSphere object hierarchy.

6. If you want to make a subset of the PowerProtect Data Manager UI functionality available within the vSphere Client, select vSphere Plugin.

Available functionality includes the monitoring of active virtual machine/VMDK protection policies, and restore options such as Restore to Original, Restore to New, and Instant Access.

NOTE: You can unregister the vSphere plug-in at any time by clearing vSphere Plugin.

7. By default, the vCenter discovery occurs automatically after adding the vCenter server, and subsequent discoveries are incremental. If you want to schedule a full discovery at a certain time every day, move the Schedule Discovery slider to the right, and then specify a time.

8. If there is no hosting vCenter server and you want to make this the vCenter server that hosts PowerProtect Data Manager, select Add as hosting vCenter server. If a vCenter server has already been added as the hosting vCenter server, this option will be greyed out.

The PowerProtect Data Manager Administration and User Guide provides more information about adding a host vCenter server and specifying the PowerProtect Data Manager host.

9. If the vCenter server SSL certificate cannot be trusted automatically, a dialog box appears requesting certificate approval. Review the certificate, and then click Verify.

10. Click Save.


The vCenter server information that you entered now appears as an entry in a table on the Asset Sources window. You can click the magnifying glass icon next to the entry to view more details, such as the next scheduled discovery, the number of assets within the vCenter server, and whether the vSphere Plugin is enabled.

NOTE: Although PowerProtect Data Manager automatically synchronizes with the vCenter server under most circumstances, certain conditions might require you to initiate a manual discovery.

After discovery, PowerProtect Data Manager starts an incremental discovery in the background periodically to keep updating PowerProtect Data Manager with vCenter changes. You can always do an on-demand discovery.

NOTE: When you add a host with existing virtual machines to PowerProtect Data Manager, or re-add a host with virtual machines that was removed from one vCenter and added to another, an incremental discovery does not discover these virtual machine assets. Wait for the next scheduled full discovery, or initiate a discovery within the PowerProtect Data Manager UI.

11. Optionally, you can set warning and failure thresholds for the available space on the datastore. Setting these thresholds enables you to check if enough storage space is available in the datastore to save the snapshot of the virtual machine during the backup process. The backup completes with a warning in the logs if the available free space in the datastore is less than or equal to the percentage indicated in the Datastore Free Space Warning Threshold. The backup fails if the available free space in the datastore is less than or equal to the percentage indicated in the Datastore Free Space Failure Threshold. To add Datastore Free Space Warning and Failure Thresholds:

a. Click the gear icon to open the vCenter Settings dialog.

b. Type a percentage value to indicate when a warning message should display due to low datastore free space.

c. Type a percentage value to indicate when a virtual machine backup failure should occur due to low datastore free space.

d. Click Save.

NOTE: Datastore free space thresholds are disabled by default.

12. Select Infrastructure > Assets.

The Assets window appears.

13. If not already selected, click the Virtual Machine tab.

Results

Upon a successful discovery of the vCenter asset source, the virtual machine assets in the vCenter server display in the Infrastructure > Assets window.

You can modify the details for the vCenter asset source by selecting the vCenter server in the Infrastructure > Asset Sources window and clicking Edit. You cannot, however, clear the Add as hosting vCenter checkbox when editing an asset source if this vCenter server has already been added as the hosting vCenter server. For this operation, use the Hosting vCenter window, as described in the PowerProtect Data Manager Administration and User Guide section for specifying the PowerProtect Data Manager host.

NOTE: Discovery time is based on networking bandwidth. The resources that are discovered and the resources that are performing the discovery impact performance each time that you initiate a discovery process. It might appear that PowerProtect Data Manager is not updating the Asset Sources data while the discovery is in progress.

Next steps

Add a VM Direct appliance to facilitate data movement, and then create virtual machine protection policies to back up these assets. The PowerProtect Data Manager software comes bundled with an embedded VM Direct engine, which is automatically used as a fallback proxy for performing backups and restores when the added external proxies fail or are disabled. It is recommended that external proxies be deployed since the embedded VM Direct Engine has limited capacity for performing backup streams. To add a VM Direct Engine, select Infrastructure > Protection Engines.

Creating a dedicated vCenter user account

It is recommended that you set up a separate vCenter user account at the root level that is strictly dedicated for use with PowerProtect Data Manager and the VM Direct protection engine.

Use of a generic user account such as Administrator could make future troubleshooting efforts difficult as it might not be clear which Administrator actions are actually interfacing or communicating with PowerProtect Data Manager. Using a separate vCenter user account ensures maximum clarity if it becomes necessary to examine vCenter logs.


You can specify the credentials for a vCenter user account when you add the vCenter server as an asset source in the user interface. When you add the vCenter server, ensure that you specify a user whose role is defined at the vCenter level and not restricted to a lower level container object in the vSphere object hierarchy.

vSphere permissions to support discovery of distributed vCenter deployments

In some circumstances, you might be required to create a scoped vSphere service account that has visibility to the local workload.

For example, if your local and remote environment was similar to the following:

Datacenters in multiple geographic locations

A local PowerProtect Data Manager instance that is protecting virtual machines in one location

Adding a user account that is scoped to some local sets of assets through vSphere permissions, or using an existing account which has permissions to local objects, ensures that discovery does not fail due to induced latencies that can occur during the discovery of remote workloads through the vCenter Server.

It is recommended to work with a virtual administrator within your organization to configure this service account so that the vSphere account added to PowerProtect Data Manager has its account permissions adjusted on the vCenter to resources that are mapped to the same site as the PowerProtect Data Manager instance.

NOTE: When adding or configuring this user account, note the following:

Each vCenter Server can only be added once to each PowerProtect Data Manager instance. This behavior is common to PowerProtect Data Manager.

Setting up a user account with permissions to some remote virtual machines in addition to local ones, although possible, is not recommended.

Specify the required privileges for a dedicated vCenter user account

You can use the vSphere Client to specify the required privileges for the dedicated vCenter user account, or you can use the PowerCLI, which is an interface for managing vSphere.

The following table includes the privileges required for this user.

NOTE: For the privileges required when administering PowerProtect Data Manager in a cloud environment, see Specify the required privileges for a dedicated cloud-based vCenter user account on page 92. For the additional privileges required when using the Transparent Snapshot Data Mover (TSDM) protection mechanism for virtual machine crash-consistent data protection, see Additional privileges required for a dedicated vCenter user account to use Transparent Snapshot Data Mover on page 74.

Table 6. Minimum required vCenter user account privileges

| Setting | vCenter 6.5 and later required privileges |
| --- | --- |
| Alarms | Create alarm; Modify alarm |
| Cryptographic operations | Add disk; Direct Access; Migrate (NOTE: This privilege applies only to virtual machines enabled with Microsoft virtualization-based security (VBS) or Virtual Trusted Platform Module (vTPM).); Register VM |
| Datastore | Allocate space; Browse datastore; Configure datastore; Low level file operations; Move datastore; Remove datastore; Remove file; Rename datastore |
| Extension | Register extension; Unregister extension; Update extension |
| Folder | Create folder |
| Global | Cancel task; Disable methods; Enable methods; Licenses; Log event; Manage custom attributes; Set custom attribute; Settings |
| Host | Configuration > Storage partition configuration |
| vSphere Tagging | Assign or Unassign vSphere Tag; Assign or Unassign vSphere Tag on Object (NOTE: This only applies to vCenter 7.0 and later.); Create vSphere Tag; Create vSphere Tag Category |
| Network | Assign network; Configure |
| Profile-driven storage (for SPBM policy restore) | Profile-driven storage update; Profile-driven storage view |
| Resource | Assign virtual machine to resource pool; Migrate powered off virtual machine; Migrate powered on virtual machine |
| Sessions | Validate session |
| Tasks | Create task; Update task |
| vApp | Export; Import; vApp application configuration |
| Virtual Machine | |
| Change Configuration | Acquire disk lease; Add existing disk; Add new disk; Add or remove device; Advanced configuration; Change CPU count; Change Memory; Change Settings; Change Swapfile placement; Change resource; Configure Host USB device; Configure Raw device; Configure managedby; Extend virtual disk; Modify device settings; Reload from path; Remove disk; Rename; Reset guest information; Set annotation; Toggle disk change tracking; Upgrade virtual machine compatibility |
| Edit Inventory | Create new; Register; Remove; Unregister |
| Guest operations | Guest operation modifications; Guest operation program execution; Guest operation queries |
| Interaction | Configure CD media; Connect devices; Console interaction; Guest operating system management by VIX API; Install VMware Tools; Power off; Power on; Reset |
| Provisioning | Allow disk access; Allow read-only disk access; Allow virtual machine download; Mark as template |
| Snapshot Management | Create snapshot; Remove snapshot; Revert to snapshot |

PowerCLI equivalent required privileges:

# Privilege IDs that correspond to the settings in Table 6.
$privileges = @(
    'System.Anonymous',
    'System.View',
    'System.Read',
    'Alarm.Create',
    'Alarm.Edit',
    'Cryptographer.AddDisk',
    'Cryptographer.Access',
    'Cryptographer.Migrate',
    'Cryptographer.RegisterVM',
    'Datastore.Rename',
    'Datastore.Move',
    'Datastore.Delete',
    'Datastore.Browse',
    'Datastore.DeleteFile',
    'Datastore.FileManagement',
    'Datastore.AllocateSpace',
    'Datastore.Config',
    'Extension.Register',
    'Extension.Unregister',
    'Extension.Update',
    'Folder.Create',
    'Global.ManageCustomFields',
    'Global.SetCustomField',
    'Global.LogEvent',
    'Global.CancelTask',
    'Global.Licenses',
    'Global.Settings',
    'Global.DisableMethods',
    'Global.EnableMethods',
    'Host.Config.Storage',
    'InventoryService.Tagging.AttachTag',
    'InventoryService.Tagging.ObjectAttachable',
    'InventoryService.Tagging.CreateTag',
    'InventoryService.Tagging.CreateCategory',
    'Network.Config',
    'Network.Assign',
    'Resource.AssignVMToPool',
    'Resource.HotMigrate',
    'Resource.ColdMigrate',
    'Sessions.ValidateSession',
    'StorageProfile.Update',
    'StorageProfile.View',
    'Task.Create',
    'Task.Update',
    'VApp.ApplicationConfig',
    'VApp.Export',
    'VApp.Import',
    'VirtualMachine.Config.Rename',
    'VirtualMachine.Config.Annotation',
    'VirtualMachine.Config.AddExistingDisk',
    'VirtualMachine.Config.AddNewDisk',
    'VirtualMachine.Config.RemoveDisk',
    'VirtualMachine.Config.RawDevice',
    'VirtualMachine.Config.HostUSBDevice',
    'VirtualMachine.Config.CPUCount',
    'VirtualMachine.Config.Memory',
    'VirtualMachine.Config.AddRemoveDevice',
    'VirtualMachine.Config.EditDevice',
    'VirtualMachine.Config.Settings',
    'VirtualMachine.Config.Resource',
    'VirtualMachine.Config.UpgradeVirtualHardware',
    'VirtualMachine.Config.ResetGuestInfo',
    'VirtualMachine.Config.AdvancedConfig',
    'VirtualMachine.Config.DiskLease',
    'VirtualMachine.Config.SwapPlacement',
    'VirtualMachine.Config.DiskExtend',
    'VirtualMachine.Config.ChangeTracking',
    'VirtualMachine.Config.ReloadFromPath',
    'VirtualMachine.Config.ManagedBy',
    'VirtualMachine.GuestOperations.Query',
    'VirtualMachine.GuestOperations.Modify',
    'VirtualMachine.GuestOperations.Execute',
    'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.Reset',
    'VirtualMachine.Interact.ConsoleInteract',
    'VirtualMachine.Interact.DeviceConnection',
    'VirtualMachine.Interact.SetCDMedia',
    'VirtualMachine.Interact.ToolsInstall',
    'VirtualMachine.Interact.GuestControl',
    'VirtualMachine.Inventory.Create',
    'VirtualMachine.Inventory.Register',
    'VirtualMachine.Inventory.Delete',
    'VirtualMachine.Inventory.Unregister',
    'VirtualMachine.Provisioning.DiskRandomAccess',
    'VirtualMachine.Provisioning.DiskRandomRead',
    'VirtualMachine.Provisioning.GetVmFiles',
    'VirtualMachine.Provisioning.MarkAsTemplate',
    'VirtualMachine.State.CreateSnapshot',
    'VirtualMachine.State.RevertToSnapshot',
    'VirtualMachine.State.RemoveSnapshot'
)

# Create the role from the privilege IDs listed above.
New-VIRole -Name 'PowerProtect' -Privilege (Get-VIPrivilege -Id $privileges)
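Once the role exists, it is worth confirming that it still matches the Table 6 list and that the dedicated account holds it at the vCenter level rather than on a lower-level container. The following PowerShell is an added example, not part of the Dell guide: the function names, the svc-ppdm account, the folder IDs and the sample records are constructed, and the PowerCLI calls in the closing comments assume an existing Connect-VIServer session.

```powershell
# Added example, not from the Dell guide. Function names are hypothetical helpers.

function Compare-RolePrivilege {
    # Reports privileges the role lacks and privileges it holds beyond the required list.
    param(
        [Parameter(Mandatory)][string[]]$Required,
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$Granted
    )
    $missing = @($Required | Where-Object { $_ -notin $Granted }  | Sort-Object -Unique)
    $excess  = @($Granted  | Where-Object { $_ -notin $Required } | Sort-Object -Unique)
    [pscustomobject]@{
        Missing   = $missing   # backups or restores may fail without these
        Excess    = $excess    # review: may be intended (for example, the TSDM additions)
        Compliant = ($missing.Count -eq 0) -and ($excess.Count -eq 0)
    }
}

function Test-RootScopedPermission {
    # True when the role is granted on the vCenter root folder and propagates to children.
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Permission,
        [Parameter(Mandatory)][string]$RoleName,
        [Parameter(Mandatory)][string]$RootFolderId
    )
    $hits = @($Permission | Where-Object {
        $_.Role -eq $RoleName -and $_.EntityId -eq $RootFolderId -and $_.Propagate
    })
    $hits.Count -gt 0
}

# Constructed sample data standing in for live PowerCLI output.
# $required is a short subset; in practice pass the full $privileges array from Table 6.
$required = @(
    'System.Anonymous', 'System.View', 'System.Read',
    'Datastore.Browse', 'VirtualMachine.State.CreateSnapshot'
)
$granted = @(
    'System.Anonymous', 'System.View', 'System.Read',
    'Datastore.Browse', 'Host.Config.Maintenance'
)
$permissions = @(
    [pscustomobject]@{
        Principal = 'VSPHERE.LOCAL\svc-ppdm'   # constructed account name
        Role      = 'PowerProtect'
        EntityId  = 'Folder-group-v22'         # constructed ID of a lower-level VM folder
        Propagate = $true
    }
)
$rootId = 'Folder-group-d1'                    # constructed ID for the root folder

# The sample role lacks one required privilege and carries one that is not on the list.
Compare-RolePrivilege -Required $required -Granted $granted

# The sample permission sits on a lower-level folder, not on the vCenter root.
Test-RootScopedPermission -Permission $permissions -RoleName 'PowerProtect' -RootFolderId $rootId

# Live equivalents of the sample data:
# $granted     = (Get-VIRole -Name 'PowerProtect').PrivilegeList
# $permissions = Get-VIPermission -Principal 'VSPHERE.LOCAL\svc-ppdm'
# $rootId      = (Get-Folder -NoRecursion).Id
```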

VM Direct protection engine overview

The VM Direct protection engine provides two functions within PowerProtect Data Manager:

A virtual machine data protection solution: Deploy a VM Direct Engine in the vSphere environment to perform virtual machine snapshot backups, which improves performance and reduces network bandwidth utilization by using the protection storage source-side deduplication.


A Tanzu Kubernetes guest cluster data protection solution: Deploy a VM Direct Engine in the vSphere environment for protection of vSphere CSI-based persistent volumes, for which it is required to use a VM Proxy instead of the cProxy, for the management and transfer of backup data.

The VM Direct protection engine is enabled after you add a vCenter server in the Asset Sources window, and allows you to collect VMware entity information from the vCenter server and save VMware virtual machines and Tanzu Kubernetes guest cluster namespaces and PVCs as PowerProtect Data Manager resources for the purposes of backup and recovery.

To view statistics for the VM Direct Engine, manage and monitor VM Direct appliances, and add an external VM Direct appliance to facilitate data movement, select Infrastructure > Protection Engines. Add a VM Direct Engine on page 26 provides more information.

NOTE: In the VM Direct Engines pane, VMs Protected refers to the number of assets protected by PowerProtect Data Manager. This count does not indicate that all the virtual machines have been protected successfully. To determine the success or failure of asset protection, use the Jobs window.

When you add an external VM Direct appliance, the VM Direct Engines pane provides the following information:

The VM Direct appliance IP address, name, gateway, DNS, network, and build version. This information is useful for troubleshooting network issues.

The vCenter and ESXi server hostnames.

The VM Direct appliance status (green check mark if the VM Direct appliance is ready, red x if the appliance is not fully operational). The status includes a short explanation to help you troubleshoot the VM Direct Engine if the VM Direct appliance is not in a fully operational state.

The transport mode that you selected when adding the VM Direct appliance (Hot Add, Network Block Device, or the default setting Hot Add, Failback to Network Block Device).

Requirements for an external VM Direct Engine

When adding an external VM Direct Engine, note the following system requirements:

CPU: 4 * 2 GHz (4 virtual sockets, 1 core for each socket)

Memory: 8 GB RAM

Disks: 2 disks (59 GB and 98 GB)

Internet Protocol: IPv4 only

SCSI controller: maximum of 4

NIC: One vmxnet3 NIC with one port

Protection engine limitations

Observe the following points when planning and working with protection engines:

Deploy protection engines with fully qualified domain names (FQDNs) or IP addresses only. Short names are no longer supported. Existing protection engines which were deployed with short names are deprecated. A future release will require you to delete and redeploy these protection engines with FQDNs or IP addresses instead.

When you deploy protection engines with FQDNs, each FQDN must have a DNS record.

Protection engines are part of server disaster recovery backups. However, the disaster-recovery process does not automatically redeploy protection engines.

Add a VM Direct Engine

Perform the following steps in the Protection Engines window of the PowerProtect Data Manager UI to deploy an external VM Direct Engine, also referred to as a VM proxy. The VM Direct Engine facilitates data movement for virtual machine protection policies, Kubernetes cluster protection policies that require a VM proxy instead of the cProxy, and network attached storage (NAS) protection policies.

Prerequisites

Review the sections Requirements for an external VM Direct Engine on page 26, Transport mode considerations on page 130, and Protection engine limitations on page 26.

If applicable, complete all of the virtual network configuration tasks before you assign any virtual networks. The PowerProtect Data Manager Administration and User Guide provides more information.


About this task

The PowerProtect Data Manager software comes bundled with an embedded VM Direct Engine, which is automatically used as a fallback proxy for performing backups and restores when the added external proxies fail or are disabled. Dell Technologies recommends that you deploy external proxies by adding a VM Direct Engine for the following reasons:

An external VM Direct Engine for VM proxy backup and recovery can provide improved performance and reduce network bandwidth utilization by using source-side deduplication.

The embedded VM Direct Engine has limited capacity for backup streams.

The embedded VM Direct Engine is not supported for VMware Cloud on AWS operations.

An external VM Direct Engine is not required for virtual machine protection policies that use the Transparent Snapshot Data Mover (TSDM) protection mechanism. For these policies, the embedded VM Direct Engine is sufficient.

NOTE: Cloud-based OVA deployments of PowerProtect Data Manager do not support the configuration of data-traffic routing or VLANs. Those deployments skip the Networks Configuration page.

Steps

1. From the left navigation pane, select Infrastructure > Protection Engines.

The Protection Engines window appears.

2. In the VM Direct Engines pane of the Protection Engines window, click Add. The Add Protection Engine wizard displays.

3. On the Protection Engine Configuration page, complete the required fields, which are marked with an asterisk.

Hostname, Gateway, IP Address, Netmask, and Primary DNS: Note that only IPv4 addresses are supported.

vCenter to Deploy: If you have added multiple vCenter server instances, select the vCenter server on which to deploy the protection engine.

NOTE: Ensure that you do not select the internal vCenter server.

ESX Host/Cluster: Select on which cluster or ESXi host you want to deploy the protection engine.

Network: Displays all the networks that are available under the selected ESXi Host/Cluster. For virtual networks (VLANs), this network carries Management traffic.

Data Store: Displays all datastores that are accessible to the selected ESXi Host/Cluster based on ranking (whether the datastores are shared or local), and available capacity (the datastore with the most capacity appearing at the top of the list).

You can choose the specific datastore on which the protection engine resides, or leave the default selection of to allow PowerProtect Data Manager to determine the best location to host the protection engine.

Transport Mode: Select Hot Add.

Supported Protection Type: Select whether this protection engine is intended for Virtual Machine, Kubernetes Tanzu guest cluster, or NAS asset protection.

4. Click Next.

5. On the Networks Configuration page:

If this is a cloud-based OVA deployment of PowerProtect Data Manager, click Next and proceed to step 7.

The Networks Configuration page configures the virtual network (VLAN) to use for Data traffic. To continue without virtual network configuration, leave the Preferred Network Portgroup selection blank and then click Next.

a. From the Preferred Network Portgroup list, select a VST (Virtual Switch Tagging) or VGT (Virtual Guest Tagging) network. If you select a VGT portgroup, the list displays all virtual networks within the trunk range. If you select a VST portgroup, the list displays only the virtual network for the current VLAN ID.

b. Select one or more virtual networks from the list.

A protection engine requires an IP address from the static IP pool for each selected virtual network. If there are not enough IP addresses in a pool, the wizard prompts you to supply additional addresses for that network.

Ensure that the selected virtual networks support a traffic type that is compatible with protection engines. The PowerProtect Data Manager Administration and User Guide provides more information about traffic types.

c. If required, type an available static IP address or IP address range in the Additional IP Addresses column for the indicated virtual network.

For convenience when working with multiple virtual networks, you can also use one of the Auto Expand options:

Expand Last IP: The wizard increments the host portion of the last IP address in the static IP pool. Click Apply.


Same Last Digit: The wizard adds the network portion of the IP address to the specified value. Type the host portion of the IP address and then click Apply.

The wizard updates the value in the Additional IP addresses column for each selected network. Verify the proposed IP addresses.

d. Click Next.

6. When adding a VM Direct Engine for Kubernetes guest cluster protection, add a second network interface card (NIC) if the PowerProtect controller pod running in the guest cluster cannot reach the vProxy on the primary network. Provide information for the second NIC, and then click Next.

7. On the Summary page, review the information and then click Finish.

The protection engine is added to the VM Direct Engines pane. An additional column indicates the engine purpose. Note that it can take several minutes to register the new protection engine in PowerProtect Data Manager. The protection engine also appears in the vSphere Client.

Results

When an external VM Direct Engine is deployed and registered, PowerProtect Data Manager uses this engine instead of the embedded VM Direct Engine for any data protection operations that involve virtual machine protection policies. If every external VM Direct Engine is unavailable, PowerProtect Data Manager uses the embedded VM Direct Engine as a fallback to perform limited scale backups and restores. If you do not want to use the external VM Direct Engine, you can disable this engine. Additional VM Direct actions on page 28 provides more information.

NOTE: The external VM Direct Engine is always required for VMware Cloud on AWS operations, Kubernetes cluster protection policies that require a VM Proxy instead of the cProxy, and NAS protection policies. If no external VM Direct Engine is available for these solutions, data protection operations fail.

Next steps

If the protection engine deployment fails, review the network configuration of PowerProtect Data Manager in the System Settings window to correct any inconsistencies in network properties. After successfully completing the network reconfiguration, delete the failed protection engine and then add the protection engine in the Protection Engines window.

When configuring the VM Direct Engine in a VMware Cloud on AWS environment, if you deploy the VM Direct Engine to the root of the cluster instead of inside the Compute-ResourcePool, you must move the VM Direct Engine inside the Compute-ResourcePool.

Additional VM Direct actions

For additional VM Direct actions, such as enabling, disabling, redeploying, or deleting the VM Direct Engine, or changing the network configuration, use the Protection Engines window in the PowerProtect Data Manager UI. To throttle the capacity of a VM Direct Engine, use a command-line tool on PowerProtect Data Manager.

To get external VM Direct Engine credentials, see the procedure in the PowerProtect Data Manager Security Configuration Guide.

Disable a VM Direct Engine

You can disable an added VM Direct Engine that you do not currently require for virtual machine backup and recovery. To disable a VM Direct Engine:

1. On the Protection Engines window, select the VM Direct Engine that you want to disable from the table in the VM Direct Engines pane.

2. In the far right of the VM Direct Engines pane, click the three vertical dots.

3. From the menu, select Disable.

NOTE: A disabled VM Direct Engine is not used for any new protection activities, and is not automatically updated during a PowerProtect Data Manager update.


Delete a VM Direct Engine

When you disable a VM Direct Engine, the Delete button is enabled. If you no longer require the VM Direct Engine, perform the following steps to delete the engine:

1. On the Protection Engines window, select the VM Direct Engine that you want to remove from the table in the VM Direct Engines pane.

2. In the far right of the VM Direct Engines pane, click the three vertical dots.

3. From the menu, select Disable.

4. Click Delete.

Enable a disabled VM Direct Engine

When you want to make a disabled VM Direct Engine available again for running new protection activities, perform the following steps to re-enable the VM Direct Engine.

1. On the Protection Engines window, select the VM Direct Engine that you want to re-enable from the table in the VM Direct Engines pane.

2. In the far right of the VM Direct Engines pane, click the three vertical dots.

3. From the menu, select Enable.

NOTE: If a PowerProtect Data Manager version update occurred while the VM Direct Engine was disabled, a manual redeployment of the VM Direct Engine is also required.

Redeploy a VM Direct Engine

If a PowerProtect Data Manager software update occurred while a VM Direct Engine was disabled, or an automatic update of the VM Direct Engine did not occur due to network inaccessibility or an environment error, the Redeploy option enables you to manually update the VM Direct Engine to the version currently in use with the PowerProtect Data Manager software. Perform the following steps to manually redeploy the VM Direct Engine.

1. On the Protection Engines window, select the VM Direct Engine that you want to redeploy from the table in the VM Direct Engines pane.

2. In the far right of the VM Direct Engines pane, click the three vertical dots.

3. If the VM Direct Engine is not yet enabled, select Enable from the menu.

4. When the VM Direct Engine is enabled, select Redeploy from the menu.

The VM Direct Engine is redeployed with its previous configuration details.

Update the DNS or gateway during redeployment

Optionally, if you want to update the vProxy DNS and/or gateway during the VM Direct Engine redeployment, you can use one of the following commands:

To update both the gateway and DNS, run:

./vproxymgmt redeploy -vproxy_id <VM Direct Engine ID> -updateDns <DNS IPv4 address> -updateGateway <Gateway IPv4 address>

To update the gateway only, run:

./vproxymgmt redeploy -vproxy_id <VM Direct Engine ID> -updateGateway <Gateway IPv4 address>

To update DNS only, run:

./vproxymgmt redeploy -vproxy_id <VM Direct Engine ID> -updateDns <DNS IPv4 address>

Edit the network configuration for a VM Direct Engine

The PowerProtect Data Manager Administration and User Guide provides more information about virtual networks.

For example, if VM Direct Engine deployment failed because of a virtual network configuration problem, you can update the configuration to add additional IP addresses to the static IP pool. You can also add the VM Direct Engine to a virtual network in the same VGT port group.

Perform the following steps to change the network configuration:

1. On the Protection Engines window, select the VM Direct Engine from the table in the VM Direct Engines pane.


2. Click Edit.

3. Virtual networks with a warning symbol beside the network name require attention and review. For example, if you changed the network configuration, the configured traffic types may not support VM Direct Engines. Clear any interfaces which no longer apply to the VM Direct Engine.

Select the row that corresponds to the virtual network with the configuration error, or the virtual network to which you want to add the VM Direct Engine.

4. Type an available static IP address or IP address range in the Additional IP Addresses column.

5. Click Next.

6. On the Summary page, verify the network settings, and then click Next.

To change other network configuration settings, delete the VM Direct Engine and then deploy a new VM Direct Engine.

Throttle the capacity of a VM Direct Engine

In performance-limited environments, you can use a command-line tool on PowerProtect Data Manager to reduce the maximum capacity of a VM Direct Engine.

The default value for VM Configured Capacity Units of an external VM Direct Engine is 100. The minimum value is 4. A VM Direct Engine can back up one disk with 4 units of capacity at a time.

Perform these steps to throttle the capacity of a VM Direct Engine:

1. Connect to the PowerProtect Data Manager console and change to the root user.

2. Type: source /opt/emc/vmdirect/unit/vmdirect.env

3. To view the list of every VM Direct Engine and its ID, type: /opt/emc/vmdirect/bin/vproxymgmt get -list

4. To change the capacity of a VM Direct Engine, type (once per engine): /opt/emc/vmdirect/bin/vproxymgmt modify -vproxy_id [VProxy ID] -capacity [percentage]

5. To verify the change in VM Configured Capacity Units, type: /opt/emc/vmdirect/bin/vproxymgmt get -list

Transparent Snapshot Data Mover protection mechanism

The Protection Engines window in the PowerProtect Data Manager UI includes a pane for Transparent Snapshot Data Movers. Introduced in PowerProtect Data Manager 19.9, Transparent Snapshot Data Mover (TSDM) is a protection mechanism for data movement during virtual machine protection operations. Previously, the only protection mechanism available in PowerProtect Data Manager for virtual machine protection was the VMware vStorage API for Data Protection (VADP).

A vSphere Installation Bundle (VIB) is included with the software deployment and update packages for PowerProtect Data Manager 19.9 and later to facilitate the use of TSDM, and is enabled at the vCenter level upon the PowerProtect Data Manager deployment or update. The VIB installation occurs automatically at the cluster level when a virtual machine protection policy is created, with no requirement to restart the ESXi hosts or put the hosts into maintenance mode. Any new virtual machine protection policies use TSDM as the default protection mechanism instead of VADP when the version of vCenter or ESXi server that hosts the virtual machines is a minimum version of 7.0 U3c.

The Transparent Snapshot Data Movers pane provides a hierarchy view of the vCenter Server asset sources that have been added in PowerProtect Data Manager. Use this view to determine if the vCenter or ESXi server is enabled for VIB management, and if the hosts have the VIB installed or are eligible for VIB installation. A vSphere host cluster can have one of the following statuses:

Installed: The VIB installation on this vSphere host is completed, and TSDM is enabled as the default protection mechanism for the virtual machines on the vSphere host.

Ready for install: The vSphere host requirements for VIB installation have been met, and the installation will proceed automatically on the vSphere host when a virtual machine running on the cluster is added to a protection policy.

Ready for upgrade: This status displays when the VIB is installed on the vSphere host and PowerProtect Data Manager is upgraded, but the VIB is being managed manually. In this case, the VIB will not be upgraded automatically on the vSphere host.

Not eligible: The vSphere host does not meet the requirements for VIB installation. When TSDM cannot be used, the VADP protection mechanism is used for virtual machine protection operations on this host.

Failed: The VIB installation on the vSphere host did not complete successfully. The Jobs window provides more information about the issue that caused the failure.

Use the filter icon in the status column to display only vSphere hosts with a certain status. For example, you can choose to display only hosts that are ready for VIB installation or upgrade.


When the VIB installation is started, the Protection Engines window updates to display the progress. Also, an entry for the job Performing Host Configuration (vib_install) appears in the Jobs window.

NOTE: Any virtual machine assets that were added to a virtual machine protection policy in PowerProtect Data Manager 19.8 and earlier currently use the VADP protection mechanism. After the VIB installation on the vSphere host that contains these virtual assets, you can migrate these assets to the TSDM protection mechanism. Migrating assets to use the Transparent Snapshot Data Mover on page 31 provides more information.

Disable or re-enable VIB on an ESXi host

In the PowerProtect Data Manager UI, you can disable VIB management on a vCenter server to prevent automatic installation or update of the VIB on the ESXi host. To disable VIB management on the vCenter server:

1. Go to Infrastructure > Protection Engines, and then select the Transparent Snapshot Data Movers pane.

2. Hover over the Enabled icon to the right of the vCenter server, and then click Disable.

To re-enable VIB management on a vCenter server that currently has the VIB disabled:

1. Hover over the icon to the right of the host, and then click Enable.

If a VIB installation or update is required, the status indicates Ready for install or Ready for upgrade.

2. Select the checkbox next to this host and click Install to manually perform the VIB install or update, or wait for the automatic VIB installation.

3. When performing a manual VIB installation, if one or more of the selections are not eligible or the VIB is already installed, a dialog appears. Click OK to proceed.

Migrating assets to use the Transparent Snapshot Data Mover

Transparent Snapshot Data Mover (TSDM) is the recommended protection mechanism for environments with vCenter or ESXi version 7.0 U3c or later deployed, and is the default protection mechanism used for virtual machine assets protected by virtual machine crash-consistent policies in PowerProtect Data Manager 19.9 or later, provided that the policy is configured with the following options:

Exclude swap files from backup is off.
Enable guest file system quiescing is off.

For existing virtual machine crash-consistent policies created with PowerProtect Data Manager version 19.8 and earlier, modifying the policy options to meet these requirements will migrate virtual machines on vSphere version 7.0 U3c and later clusters managed by a vCenter server running version 7.0 U3c or later to use the TSDM protection mechanism.

You can also migrate virtual machine assets from the VADP protection mechanism to the TSDM protection mechanism by using the Infrastructure > Assets window of the PowerProtect Data Manager UI.

Before migrating assets to use TSDM, the vSphere Installation Bundle (VIB) is required. This installation occurs automatically, unless the use of TSDM is disabled on the vCenter server asset source. Go to Infrastructure > Protection Engines, select the Transparent Snapshot Data Movers pane, and verify that the VIB is enabled on the vCenter server. You can also expand the vCenter hierarchy view to confirm that the VIB installation has occurred on the vSphere hosts. Transparent Snapshot Data Mover protection mechanism on page 30 provides more information.

Migrate asset protection mechanism from VADP to TSDM

To migrate VADP virtual machine assets to use TSDM in the PowerProtect Data Manager UI:

1. Go to Infrastructure > Assets and select the Virtual Machine tab.

2. Filter the view to display the Protection Mechanism column.

3. Select one or more virtual machine assets with the VADP protection mechanism.

4. Select More Actions > Protection Mechanism > Migrate to TSDM.

Migrating assets to use the TSDM protection mechanism forces a new, full backup of these assets. This backup may take several minutes.


Managing Virtual Machine Assets and Protection

Topics:

Protection policies
Additional protection policy options
Before you create a protection policy
Supported enhanced VMware topologies for virtual-machine protection
Add a protection policy for virtual-machine protection
Managing virtual-machine backups
Add a service-level agreement
Add or remove assets in a protection policy
Extended retention
Edit the retention period for backup copies
Protection rules

Protection policies

Protection policies define sets of objectives that apply to specific periods of time. These objectives drive configuration, active protection, and copy-data-management operations that satisfy the business requirements for the specified data. Each policy type has its own set of user objectives.

Users with the Administrator role can create protection policies for VMware virtual machines. For other policy types, including specific applications within VMware virtual machines, refer to the user guide for the specific agent or application agent.

Additional protection policy options

This chapter contains content that is specific to protecting virtual machines.

The PowerProtect Data Manager Administration and User Guide provides other important information about configuring settings and available actions that apply to all protection policies. These topics include cloud tiering, manual backups, extended retention, and service level agreements.

This guide may not repeat information that is already covered in the PowerProtect Data Manager Administration and User Guide.

Before you create a protection policy

Consider the following best practices before creating a protection policy.

An asset can be protected by only one policy at a time. Assets can be moved from one policy to another policy based on the priority of protection rules. However, in cases where protection rules result in assets moving from one policy to another, any assets that were manually selected for inclusion in the policy will not be moved to a different policy.

NOTE: If a SQL Server is hosted on a virtual machine, you can protect the SQL database with an application-consistent backup without interfering with the SQL agent-based backup.

When creating a policy, limit the number of database assets within the policy to under 500 and stagger the start time of replication policies to avoid potential replication failures.

Before adding replication to a protection policy, ensure that you add remote protection storage as the replication location. The PowerProtect Data Manager Administration and User Guide provides instructions about adding protection storage.


Before you perform any backups on a weekly or monthly schedule from the protection policy, ensure that the PowerProtect Data Manager time zone is set to the local time zone.

Understanding backup terminology and managing backup frequency

When scheduling backups in a protection policy, be aware of the following:

Different backup policy types can use different terminology to describe available backup levels. This terminology can differ not only between policy types, but also from traditional terminology.

To avoid high CPU usage that can lead to failure issues, do not schedule backups more often than recommended.

Refer to the following table to understand the different backup levels provided by each protection policy and to manage backup frequencies.

Table 7. Backup terminology and frequency

| Protection-policy backup types | Available backup levels | Description | Equivalent traditional terminology | Minimum frequency recommendation |
| --- | --- | --- | --- | --- |
| VMware application-aware | Full | Backs up all the blocks. | Full | Monthly |
| | Synthetic Full | Backs up only the blocks that have changed since the last synthetic-full or full backup, and then performs an operation to merge those changes with the last synthetic-full or full backup in order to produce a full backup in storage. Only the changed blocks are actually copied over the network, but the result is still a full backup in storage. | A differential backup is performed, followed by a merge operation that produces a full backup in storage. | 12 hours |
| VMware crash-consistent | Full | Backs up all the blocks. | Full | Monthly |
| | Synthetic Full | Backs up only the blocks that have changed since the last synthetic-full or full backup, and then performs an operation to merge those changes with the last synthetic-full or full backup in order to produce a full backup in storage. Only the changed blocks are actually copied over the network, but the result is still a full backup in storage. | A differential backup is performed, followed by a merge operation that produces a full backup in storage. | 12 hours |
| | Log | Backs up the transaction logs. | | 30 minutes |

NOTE: In some situations, a full backup might be performed even though a synthetic-full backup was scheduled. Possible reasons for this include, but are not limited to, the following:

There is no existing full backup.

The size of a volume has changed.

There has been a file path change.

The asset host has been rebooted.


Supported enhanced VMware topologies for virtual-machine protection

PowerProtect Data Manager provides protection for clustered ESXi server storage, networking, and enterprise management. Understanding what topologies are supported in these environments aids in the design of your network infrastructure.

Supported enhanced topologies

Supported topologies of clustered ESXi server storage, networking, and enterprise management include the following:

vSAN operations
NSX-T port groups
Enhanced Linked Mode vCenter servers

For more information, see the E-Lab Navigator.

vSAN operations

Standard clusters, stretched clusters, two-node clusters, and HCI Mesh datastores support the following operations:

Backing up and restoring virtual machines
Search Engines
VM Direct Engines
HA failover of Search Engines and VM Direct Engines
Post-failover protection

NSX-T port groups

PowerProtect Data Manager supports the use of NSX-T with up to 2,000 port groups. These can be default VDS port groups or N-VDS port groups, and they support the following components:

PowerProtect Data Manager servers
VM Direct Engines
Search nodes
Workload virtual machines

Enhanced Linked Mode vCenter servers

Enhanced Linked Mode connects multiple vCenter Server systems together by using one or more Platform Services Controllers (PSCs). PowerProtect Data Manager supports the protection of workload virtual machines running inside Enhanced Linked Mode vCenter servers. This protection also applies during and after any vMotion operation of the virtual machines.

To support virtual machine protection workflows for vCenter servers that are in Enhanced Linked Mode, PowerProtect Data Manager requires you to add all of the linked vCenter servers as asset sources, and also to install the PowerProtect vSphere Plugin on all of these vCenter servers.

Add a protection policy for virtual-machine protection

A protection policy enables you to select a specific group of assets that you want to back up and replicate. Perform the following steps to create a virtual-machine protection policy in the PowerProtect Data Manager UI.

Prerequisites

Dell Technologies recommends distributing virtual-machine asset protection workloads over multiple ESXi hosts so that you do not exceed the ESXi Network Block Device (NBD) session limit. If the limit is reached, you can manage the workload by deploying an external VM Direct Engine on the host or cluster using Hot Add transport mode. Also, during policy configuration, Dell Technologies recommends assigning virtual machines to a protection policy based on logical grouping to allow for better scheduling of backups. Grouping helps avoid resource contention and creates more organized logs for review.

To create application-aware protection policies for virtual machines, ensure that:

You manually update the VMX configuration parameter disk.EnableUUID to True by using the vSphere Web Client.

The vSphere version that you are running uses a supported version of VMware Tools. Software compatibility information for the PowerProtect Data Manager software is provided in the E-Lab Navigator.

The virtual machine has direct access to the DD client.

The virtual machine uses SCSI disks only, and the number of available SCSI slots matches at least the number of disks.

The Windows account that is used for the protection policy is limited to the local system Administrator or the domain Administrator. This user requires both Microsoft Windows administrative rights and Microsoft SQL Server login and sysadmin rights.

SQL configuration support is limited to Microsoft SQL Server stand-alone instances and a Microsoft SQL Server Always On availability group (AAG) configured with file share witness. Unsupported configurations include Microsoft SQL Server failover cluster instances that are configured with shared drives, and Microsoft SQL Server cluster-less AAG configurations.

For Microsoft SQL Server AAG configurations, the database administrator specifies the AAG backup preferences for backup in the Microsoft SQL Server Management Studio (SSMS). These preferences control which AAG node is selected as the preferred node when you perform a transaction log backup of AAG databases.

vCenter 7.0 U1 or later is required to protect virtual machines that use virtualization-based security (VBS) and virtual Trusted Platform Module 2.0 (vTPM).

If applicable, complete all of the virtual network configuration tasks before you assign any virtual networks to the protection policy. The PowerProtect Data Manager Administration and User Guide provides more information.

The PowerProtect Data Manager Administration and User Guide provides more information about working with storage units, including applicable limitations and security considerations.

Before performing any backups on a weekly or monthly schedule from the protection policy, ensure that the PowerProtect Data Manager time zone is set to the local time zone.

About this task

For virtual-machine protection policies, data is moved using one of two types of protection mechanisms:

Transparent Snapshot Data Mover: Starting in PowerProtect Data Manager version 19.9, Transparent Snapshot Data Mover (TSDM) is the default protection mechanism that is used for crash-consistent virtual-machine policies when the following requirements are met:
  vCenter or ESXi version 7.0 U3c or later is deployed in the environment.
  Clear the Exclude swap files from backup and Enable guest file system quiescing checkboxes when adding or editing the protection policy.

VADP: VMware vStorage API for Data Protection (VADP) is the protection mechanism that is used for application-aware virtual-machine policies and crash-consistent policies that do not meet the TSDM software requirements. VADP is the only protection mechanism available in PowerProtect Data Manager versions 19.8 and earlier.

The section Transparent Snapshot Data Mover protection mechanism on page 30 provides more information about TSDM.
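
The selection rules described above, and under Migrating assets to use the Transparent Snapshot Data Mover, can be modelled as a small decision function that also reports why a policy falls back to VADP. This is an added illustration, not PowerProtect Data Manager code: PolicyInputs, parse_vsphere_version and select_mechanism are hypothetical names, the sample policies are constructed, and it assumes that both the vCenter and the ESXi version must be 7.0 U3c or later.

```python
import re
from dataclasses import dataclass

# Minimum vCenter/ESXi release the guide names for TSDM.
TSDM_MIN_VERSION = "7.0 U3c"

# Matches strings such as "7.0", "7.0 U3" and "7.0 U3c".
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\s*U(\d+)([a-z]?))?\s*$", re.IGNORECASE)


def parse_vsphere_version(text):
    """Turn '7.0 U3c' into a sortable tuple (7, 0, 3, 'c')."""
    match = VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, update, letter = match.groups()
    # A missing update level sorts before U1; a missing letter sorts before 'a'.
    return (int(major), int(minor), int(update or 0), (letter or "").lower())


@dataclass
class PolicyInputs:
    """Hypothetical summary of the settings the guide ties to TSDM."""
    purpose: str                 # "crash-consistent" or "application-aware"
    exclude_swap_files: bool     # Exclude swap files from backup
    guest_fs_quiescing: bool     # Enable guest file system quiescing
    vcenter_version: str
    esxi_version: str
    host_vib_status: str = "Installed"   # status shown in the TSDM pane


def select_mechanism(policy):
    """Return (mechanism, reasons); reasons lists every rule that blocks TSDM."""
    reasons = []
    if policy.purpose != "crash-consistent":
        reasons.append("policy purpose is not crash-consistent")
    if policy.exclude_swap_files:
        reasons.append("Exclude swap files from backup is on")
    if policy.guest_fs_quiescing:
        reasons.append("Enable guest file system quiescing is on")
    minimum = parse_vsphere_version(TSDM_MIN_VERSION)
    # Assumption: both components must meet the minimum release.
    for label, version in (("vCenter", policy.vcenter_version),
                           ("ESXi", policy.esxi_version)):
        if parse_vsphere_version(version) < minimum:
            reasons.append(f"{label} {version} is older than {TSDM_MIN_VERSION}")
    if policy.host_vib_status == "Not eligible":
        reasons.append("host is not eligible for VIB installation")
    return ("TSDM" if not reasons else "VADP"), reasons


if __name__ == "__main__":
    # Constructed sample policies, not taken from a real deployment.
    samples = {
        "new crash-consistent policy": PolicyInputs(
            "crash-consistent", False, False, "7.0 U3c", "7.0 U3d"),
        "policy created in 19.8": PolicyInputs(
            "crash-consistent", True, True, "7.0 U3c", "7.0 U2"),
        "SQL application-aware policy": PolicyInputs(
            "application-aware", False, False, "8.0", "8.0"),
    }
    for name, policy in samples.items():
        mechanism, reasons = select_mechanism(policy)
        print(f"{name}: {mechanism}")
        for reason in reasons:
            print(f"  - {reason}")
```

For a policy created in 19.8 or earlier, the returned reasons list shows which options must change before its assets can use TSDM.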

Steps

1. From the left navigation pane, select Protection > Protection Policies.

2. In the Protection Policies window, click Add.

The Add Policy wizard appears.

3. On the Type page, specify the following fields, and then click Next:

Name: Type a descriptive name for the protection policy.
Description: Type a description for the policy.
Type: Select Virtual Machine, which includes protection for SQL application-aware virtual machines.

4. On the Purpose page, select from the following options to indicate the purpose of the new protection policy group, and then click Next:

Crash Consistent: Select this type for point-in-time backup of virtual machines.

Application Aware: For virtual machines with a SQL application installed, select this type to quiesce the application to perform the SQL database and transaction log backup. When you select this type, you must provide Windows account credentials for the virtual machine. You can provide the credentials at the protection-policy level or the virtual-machine asset level. When you provide the credentials at both levels, the virtual-machine asset credentials override the policy credentials.


Exclusion: Select this type if there are virtual-machine assets within the protection policy that you plan to exclude from data protection operations.

By default, quiescing is automatically performed for the guest file system on the virtual machine. Quiescing ensures that the data within the guest file system is in a state that is appropriate for backups. If the file system cannot be quiesced on the first attempt, the snapshot and backup are performed without quiescing.

VMware Tools is used to quiesce the file system in the guest operating system. The VMware documentation provides more information.

5. On the Assets page, select the assets for inclusion in this policy by choosing one of the following options from the list:

View by Host: This option enables you to view all assets within a specific host, and then select individual assets or a group of assets at a host or container level for policy inclusion. For example:

Select a stand-alone host to include all assets under this host.

NOTE: If you select a host in a cluster, no assets are selected. For a host in a cluster, ensure that you select the cluster or other containers (for example, a resource pool or vApp) under the cluster host.

Expand the tree and select a container level in the vCenter hierarchy (for example, the data center, cluster, host, or resource pool) to include all assets under that level. If assets at any level are protected by another policy, a label with the name of that policy appears next to the level.

NOTE: VMs created by the vSphere Cluster Service (vCLS) are managed by VMware, and do not require PowerProtect Data Manager protection. Even when selected as part of a container, they are automatically excluded from protection. The vmdm-discovery.log provides a list of vCLS VMs that are excluded from protection.

When you select a container level in the View by Host view, a protection rule is automatically created to ensure that these container level selections will be retained, even if changes occur from movements within the vSphere environment or the names of resource pools or folders change. This rule is managed by the PowerProtect Data Manager system, and cannot be modified. The rule will also be updated automatically if you make changes to container selections when editing the policy, or when assets are moved into or out of a selected container.

To view this rule after policy creation, go to Protection > Protection Rules. The name in the Protection Rule Name column for this new rule matches the policy name.

If this new rule results in an overlap of protection with an existing rule, you can resolve these conflicts by changing the policy protection rule priority in the Selection Overlap page. Step 7 on page 37 provides more information.

NOTE: The behavior of automatic rule creation that allows assets to move into or out of policies can only be modified in the REST API. After updating from a previous release, if View by Host is not visible you can enable this view by manually changing the /api/v2/common-settings/DYNAMIC_FILTER_SETTING. The PowerProtect Data Manager Public REST API documentation provides instructions.

Expand the tree and select individual assets within containers.

When you select individual assets within this view, these selections are considered static, and no protection rule is automatically created. In cases where protection rules result in assets moving from one policy to another, any assets that are manually selected for inclusion in the policy will not be moved to a different policy.

View Asset Table: This option enables you to view all unprotected assets in the vCenter server within a table, and then select individual unprotected assets that you want to back up as part of this protection policy. In cases where protection rules result in assets moving from one policy to another, any assets that are manually selected for inclusion in the policy will not be moved to a different policy.

When you select a virtual-machine asset in this view, a dialog displays indicating that you can exclude virtual disks (VMDKs) from protection of these assets. To dismiss the dialog for other selections, select the check box and click OK.

Both views provide additional information about the virtual machines, such as any currently associated tags, protection rules, and whether the virtual machine is already assigned to another policy, to help you identify which assets you want to add. If the virtual machines that you want to protect are not listed, use the Search box to search by asset name.

NOTE: When you configure a virtual-machine application-aware protection policy to protect a Microsoft SQL Server Always On availability group (AAG), you must add all the virtual machines for that AAG to the same policy, to ensure proper protection. Failure to do so might result in missed transaction log backups.

For the virtual-machine application-aware case, the Assets page displays a warning about the AAG policy configuration requirement.

6. Optionally, if you want to exclude nonproduction VMDKs such as network shares or test disks from a protection policy:


a. Select the virtual-machine asset from the list, and then click Manage Exclusions in the Disk Excluded column.

The Exclude Disks dialog box appears. By default, the slider next to each VMDK is set to Included.

b. For each disk that you want to exclude, move the slider to the right. The status updates to Excluded.

c. Click Save. The Assets page updates to indicate the number of disks for that particular asset that will be excluded from the protection policy.

7. Click Next.

If any virtual objects or assets that were selected in the previous page overlap with assets that are already protected by another policy, the Selection Overlap page appears. Overlap can occur, for example, when two policies (the new policy and an existing policy) use the View by Host view for asset selection by container level.

a. To switch protection of any virtual objects listed in the Protection Priority Overlap table from an existing policy, update the Policy Priority field to a level equal to or higher than the other policy currently protecting these objects. The lower the value, the higher the priority. For example, 1 is the highest priority. When you change this value, the priority of the rule that is associated with this policy is also changed.

b. To switch protection of any assets that are listed in the Asset Protection Overlap table to this policy, select the checkbox next to one or more assets. Selecting these assets for inclusion in this policy removes the assets from the other policy.

When you change the priority or the selected assets, the protection rule is updated automatically.

8. Click Next. The Objectives page appears.

9. On the Objectives page, select a policy-level Service Level Agreement (SLA) from the Set Policy Level SLA list, or select Add to open the Add Service Level Agreement wizard and create a policy-level SLA.

Add a service-level agreement on page 43 provides instructions.

10. Click Add under Primary Backup. The Add Primary Backup dialog appears.

11. On the Schedules pane of the Add Primary Backup dialog:

a. Specify the following fields to schedule the synthetic full backup of this protection policy:

Create a Synthetic Full...: Specify how often to create a synthetic full backup. A Synthetic Full backs up only the changed blocks since the last backup to create a new full backup.

Retain For: Specify the retention period for the synthetic full backup.

You can extend the retention period for the latest primary backup copy by using the Extend Retention schedule. For example, your regular schedule for daily backups can use a retention period of 30 days, but you can apply extended retention to keep the full backups taken on Mondays for 10 weeks. Step 14 on page 38 provides instructions.

NOTE: For database backups, PowerProtect Data Manager chains the dependent backups together. For example, the synthetic full or transaction log backups are chained to their base full backup. The backups do not expire until the last backup in the chain expires. This ensures that all synthetic full and transaction log backups are recoverable until they have all expired.

Start and End: For the activity window, specify a time of day to start the synthetic full backup, and a time of day after which backups cannot be started.

NOTE: Any backups started before the End Time occurs continue until completion.

Click Save to save and collapse the backup schedule.

b. Click Add Backup if you want to periodically force a full (level 0) backup, and then specify the following fields to schedule the full backup of this protection policy:

NOTE: When you select this option, the backup chain is reset.

Create a Full...: Specify whether you want to create a weekly or monthly full backup.

Repeat on: Depending on the frequency of the full backup schedule, specify the day of the week or the date of the month for the full backup.

Retain For: Specify the retention period for the full backup. This can be the same value as the synthetic full backup schedule, or a different value.

Start and End: For the activity window, specify a time of day to start the full backup, and a time of day after which backups cannot be started.

NOTE: Any backups started before the End Time occurs continue until completion.

Click Save to save and collapse the backup schedule.

c. For virtual-machine application-aware protection policies, click Add Backup to create a log backup, and then specify the following fields:


Create a Log...: For application-aware protection policies, specify the interval in minutes for log generation.

NOTE: For SQL Server AAG configurations, the database administrator can specify the AAG backup preferences for a transaction log backup in the Microsoft SQL Server Management Studio.

Retain For: Specify the retention period for the log backup. This can be the same retention value that is specified for the synthetic full or full schedule, or a different value.

NOTE: Setting a shorter retention period for log backups than the full backup can result in data loss and the inability to restore point-in-time copies.

Start and End: For the activity window, specify a time of day to start the log backup, and a time of day after which log backups cannot be started.

NOTE: Any backups started before the End Time occurs continue until completion.

Click Save to save and collapse the backup schedule.

12. On the Target pane of the Add Primary Backup dialog, specify the following fields:

a. Storage Name: Select a backup destination from the list of existing protection storage systems, or select Add to add a system and complete the details in the Storage Target window.

NOTE: The Space field indicates the total amount of space, and the percentage of available space, on the protection storage system.

b. Storage Unit: Select whether this protection policy should use a New storage unit on the selected protection storage system, or select an existing storage unit from the list. Hover over a storage unit to view the full name and statistics for available capacity and total capacity, for example, testvmplc-ppdm-daily-123ab (300 GB/1 TB). When you select New, a new storage unit in the format policy name host name unique identifier is created in the storage system upon policy completion. For example, testvmplc-ppdm-daily-123cd.

c. Network Interface: Select a network interface from the list, if applicable.

d. Retention Lock: Move the Retention Lock slider to the right to enable retention locking for these backups on the selected system. PowerProtect Data Manager uses Governance mode for retention locking, which means that the lock can be reverted at any time if necessary. Moving the Retention Lock slider on or off applies to the current backup copy only, and does not impact the retention lock setting for existing backup copies.

NOTE: Primary backups are assigned a default retention lock period of 14 days. Replicated backups, however, are not assigned a default retention lock period. If you enable Retention Lock for a replicated backup, ensure that you set the Retain For field in the Add Replication backup schedule dialog to a minimum number of 14 days so that the replicated backup does not expire before the primary backup.

e. SLA: Select an existing service level agreement that you want to apply to this schedule from the list, or select Add to create an SLA within the Add Service Level Agreement wizard.

Add a service-level agreement on page 43 provides instructions.

13. Click Save to save your changes and return to the Objectives page.

The Objectives page updates to display the name and location of the target storage system under Primary Backup.

NOTE: After completing a backup schedule, you can change any schedule details by clicking Edit next to the schedule.

14. Optionally, extend the retention period for the latest primary backup copy:

Extended retention on page 47 provides more information about Extend Retention functionality.

a. Click Extend Retention next to Primary Backup. An entry for Extend Retention is created below Primary Backup.

b. Under Extend Retention, click Add. The Add Extended Retention dialog appears.

c. Retain the next scheduled full copy every...: Specify a weekly, monthly, or yearly recurrence for the extended retention backup schedule.

d. Repeat on: Depending on the frequency of the full backup schedule, specify the day of the week, the date of the month, or the date of the year that the extended retention backup will occur.

e. Retain For: Specify the retention period for the backup. You can retain an extended retention backup for a maximum of 70 years.

f. Click Save to save your changes and return to the Objectives page.

15. Optionally, replicate the full and synthetic full backups to a remote storage system:

a. Click Replicate next to Primary Backup or Extend Retention. An entry for Replicate is created to the right of the primary or extended retention backup schedule.

NOTE: PowerProtect Data Manager supports replicating an extended retention backup only if the primary backup already has one or more replication stages. Also, for replication of an extended retention backup, you can only select the protection storage systems that are used by the replication stages based on the primary stage.

For example, if there are six systems available (DD001-DD006), and the primary backup is on DD001:

Replicate1 based on the primary backup is replicated to DD002.

Replicate2 based on the primary backup is replicated to DD003.

Extended retention backup is backed up to DD001.

Replicate3 based on the extended retention backup must be replicated to DD002 or DD003.

b. Under Replicate, click Add. The Add Replication dialog appears.

NOTE: To enable replication, ensure that you add remote protection storage as the replication location. The PowerProtect Data Manager Administration and User Guide provides detailed instructions about adding remote protection storage.

c. Complete the schedule details in the Add Replication dialog, and then click Save to save your changes and return to the Objectives page.

The schedule frequency can be every day, week, month, or x hours for replication of the primary backup, and every day, week, month, year, or x hours for replication of the extended retention backup. For daily, weekly, and monthly schedules, the numeric value cannot be modified. For hourly, however, you can edit the numeric value. For example, if you set Create a Full backup every 4 hours, you can set a value of anywhere from 1 to 12 hours.

All replication copies of the primary backup schedule will use the same retention period, and by default, this retention period is inherited from the Retain For value of the synthetic full backup schedule. To specify a different retention period for all the replication copies of this primary backup schedule, click Edit, change the value in the Retain For field, and then click Save. This retention period is applied to all the replicated copies (synthetic full and full) of this primary backup schedule.

When creating multiple replication copies of the same protection policy, Dell Technologies recommends selecting a different storage system for each copy.

16. Optionally, to move backups from DD storage to Cloud Tier, add a Cloud stage for the primary, replication, or extended retention schedule:

a. Click Cloud Tier next to Primary Backup or Extend Retention or, if adding a Cloud stage for a replication schedule that you have added, click Cloud Tier under Replicate. An entry for Cloud Tier is created to the right of the primary or extended retention backup schedule, or below the replication schedule.

b. Under the entry for Cloud Tier, click Add. The Add Cloud Tier Backup dialog appears, with summary schedule information for the parent node to indicate whether you are adding this Cloud Tier stage for the primary backup schedule, the extended retention backup schedule, or the replication schedule.

c. Complete the schedule details in the Add Cloud Tier Backup dialog, and then click Save to save your changes and return to the Objectives page.

The PowerProtect Data Manager Administration and User Guide provides detailed instructions for adding a Cloud stage for a primary, replication, or extended retention schedule.

NOTE: In order to move a backup or replica to Cloud Tier, schedules must have a retention time of 14 days or more. Also, discovery of protection storage that is configured with a Cloud unit is required.

17. Optionally, if Cloud Disaster Recovery is configured in the Infrastructure > Storage window, you can add a Cloud DR stage for virtual-machine protection policies:

a. Click Cloud DR next to Primary Backup or Extend Retention or, if adding a Cloud stage for a replication schedule that you have added, click Cloud DR under Replicate. An entry for Cloud DR is created to the right of the primary or extended retention backup schedule, or below the replication schedule.

b. Under the entry for Cloud DR, click Add. The Add Cloud DR Backup dialog appears, with summary schedule information for the parent node to indicate whether you are adding this Cloud DR stage for the primary backup schedule, the extended retention backup schedule, or the replication schedule.

c. Complete the schedule details in the Add Cloud DR Backup dialog, and then click Save to save your changes and return to the Objectives page.

The PowerProtect Data Manager Cloud Disaster Recovery Administration and User Guide provides detailed instructions for adding a Cloud DR stage for a primary, replication, or extended retention schedule.

18. Click Next. The Options page appears.

19. On the Options page:

a. For Optimize For, select from one of the following backup optimization modes:

Performance: Optimize for backup and replication speed. Selecting this mode results in more storage consumption.

Capacity: Optimize for backup size. Selecting this mode results in less storage consumption, but backups take longer to complete.

NOTE: Changing the optimization mode after the first backup of the protection policy forces the next backup to be a full backup, and results in increased storage capacity usage due to differences in how each mode uses data deduplication. This increase continues until all backups performed using the previous optimization mode expire and have been deleted.

b. Exclude swap files from backup: Select to exclude the C:\swapfile.sys, C:\pagefile.sys, and C:\hiberfil.sys swap and memory files of Microsoft Windows virtual machines, in the virtual-machine backup. By default, this checkbox is cleared.

When using the Transparent Snapshot Data Mover protection mechanism, do not select the Exclude swap files from backup checkbox.

NOTE: Including swap and memory files in a backup unnecessarily increases the size of the backup and the time to RTO during recovery. These files are rebuilt by the Microsoft Windows operating system upon restart, and not required for recovery.

c. Enable indexing for file search and restore: Select to enable indexing. This option is visible only upon activating the search cluster node.

d. Enable guest file system quiescing: Select to enable VMware Tools to quiesce the file system during crash-consistent virtual-machine backups.

When using the Transparent Snapshot Data Mover protection mechanism, do not select the Enable guest file system quiescing checkbox.

20. Click Next. The Summary page appears.

21. Review the protection policy group configuration details. Except for the protection policy type, you can click Edit next to any details to change the protection policy information. When satisfied with the details, click Finish. An informational message appears to confirm that PowerProtect Data Manager has saved the protection policy.

When the new protection policy is created and assets are added to the protection policy, PowerProtect Data Manager performs backups according to the backup schedule.

For virtual machines, if you have not yet added a VM Direct Engine, the backup is performed using the embedded VM Direct Engine that is included with PowerProtect Data Manager. Subsequent backups are performed according to the schedule specified.

NOTE: If the target virtual-machine datastore for backup is running low on free space and the datastore free space threshold is configured in vCenter Settings, a warning message appears or a backup failure occurs. When the Datastore Free Space Warning Threshold is reached, the backup proceeds with a warning message in the logs. When the Datastore Free Space Failure Threshold is reached, the backup fails. To check the warning and failure threshold values, select Infrastructure > Asset Sources and click the vCenter tab. Click the gear icon to open the vCenter Settings dialog.

22. Click OK to exit the window, or click Go to Jobs to open the Jobs window to monitor the backup of the new protection policy group.

Managing virtual-machine backups

The following sections describe the options that are available for virtual-machine assets that are backed up as part of a protection policy.

Add and remove the credentials for virtual-machine assets

You can optionally add and remove the credentials for multiple virtual-machine assets simultaneously in the PowerProtect Data Manager UI. With previous versions, you could add and remove the credentials for one virtual-machine asset at a time.

About this task

NOTE: The asset-level credentials take precedence over policy-level credentials for virtual machines. Asset-level credentials have the highest precedence. Virtual machines do not support the asset source-level (host) credentials.

Use the following procedure to add or remove one or more credentials for virtual-machine assets.

Steps

1. From the PowerProtect Data Manager UI, select Infrastructure > Assets, and then click the Virtual Machine tab. A list of discovered virtual machine assets displays.

2. Select one or more assets by clicking the checkbox next to each required asset name.

3. Select More Actions > Set Credential.

4. In the Set Credential dialog box, add or remove the credentials for the selected virtual-machine assets:

To add the credentials for the assets, select the appropriate value from the drop-down list in the Credential field:

To create new credentials, select Create New.

In the Add Credentials dialog box that appears, specify the required field values and then click Save.

To add existing credentials, select the credentials name from the credentials list.

To remove the credentials for the assets, select Remove Credentials.

5. Click Save in the Set Credential dialog box.

Results

After you add the credentials by using these steps, the asset-level credentials are used for the selected assets during the virtual-machine centralized backups, overriding the policy-level credentials.

Enable or disable Changed Block Tracking (CBT)

The Changed Block Tracking (CBT) feature is used to identify areas of the virtual-machine backup that have changed since the last backup and only process those changed areas during the next backup. CBT is enabled by default.

About this task

To set Changed Block Tracking (CBT) for virtual machines, complete the following steps:

Steps

1. From the PowerProtect Data Manager UI, select Infrastructure > Assets.

2. From the Assets window, select the Virtual Machine tab. If a policy has been assigned, the virtual-machine assets that have been discovered in the vCenter server display, along with the associated protection policy.

3. Select one or more virtual-machine assets from the list, and click More Actions > Changed Block Tracking.

The Changed Block Tracking dialog box appears.

4. Clear the check box to disable CBT, or select the check box to enable CBT.

If there are high change rates on the virtual machine, CBT can sometimes cause backups to take longer than expected. If the backups are taking too long to complete, you can disable CBT for virtual machines. Also, if you encounter an issue with CBT, you can disable it on the virtual machine.

NOTE: If CBT is enabled in PowerProtect Data Manager but is disabled in VMware vSphere, PowerProtect Data Manager tries to back up the virtual machine with CBT enabled. If PowerProtect Data Manager cannot enable CBT, the backup completes with a warning that indicates CBT data is not available.

5. Click Save.

NOTE: When CBT is disabled for a virtual machine, subsequent backups no longer use CBT.

More options for managing virtual-machine backups

After you create a virtual-machine protection policy, additional options become available for virtual-machine assets that are backed up as part of the policy.

To access these options:

1. From the PowerProtect Data Manager UI, select Infrastructure > Assets.

2. From the Assets window, select the Virtual Machine tab.

If a policy has been assigned, the virtual-machine assets that have been discovered in the vCenter server display, along with the associated protection policy.

NOTE: You can click the link in the Disk Excluded column next to a virtual-machine asset to view VMDKs that have been excluded from the protection policy. You cannot, however, edit disk inclusion or exclusion from this window. To change the disks that are excluded for a protected asset, select the policy from the Protection Policies window and click Edit.

3. Select a protected asset from the table, and then click View Copies. The Copy Locations pane identifies where the backups are stored.

4. In the left pane, click the storage icon to the right of the VM icon, for example, DD. The table in the right pane lists the backup copies.

Depending on whether the asset is retention locked, you can perform the following functions from this window:

Edit the retention period of backup copies to extend or shorten the amount of time that backups are retained: Select one or more backup copies from the table and click Edit Retention.

To select a calendar date as the expiration date for backups, select Retention Date.

To define a fixed retention period in days, weeks, or months after the backup is performed, select Retention Value. For example, you could specify that backups expire after 6 months.

NOTE: When you edit the retention period for copies that are retention locked, you can only extend the retention period.

Delete a backup copy: If you no longer require a copy and the retention lock is not enabled, select the copy from the table and click Delete.

Snapshot freeze scripts and thaw scripts for virtual-machine backups

You can use custom scripts to back up a Windows or Linux virtual machine which runs an application that PowerProtect Data Manager does not directly support. These scripts run before and after the snapshot to place the virtual machine and application into a state where you can perform a backup.

NOTE: Use of these scripts is not supported for virtual machines with the Transparent Snapshot Data Mover (TSDM) protection mechanism enabled.

Table 8. Script descriptions and related terms

Script | Related terms | Description
Freeze | Quiesce, Pre-freeze | This script runs before the snapshot initialization to quiesce the virtual machine and place the application in a frozen state. Quiescing ensures that the data within the guest file system is in a consistent state that is appropriate for backups.
Thaw | Unquiesce, Post-thaw | This script runs after the snapshot finalization to unquiesce the virtual machine, thaw the application, and then return the virtual machine to normal operation.

PowerProtect Data Manager uses the VMware Tools package to quiesce the virtual machine. The VMware documentation provides more information. Before you deploy the freeze and thaw scripts, install the latest version of the VMware Tools package on the virtual machine.

The freeze and thaw scripts are specific to each application. If the freeze script returns a nonzero exit code, snapshot creation fails.

After you create your custom scripts, deploy the scripts to the correct location on the virtual machine, as specified in the following tables.

Table 9. Script locations for Windows virtual machines

ESXi version | Freeze script location | Thaw script location
ESXi 6.5 or later | C:\Program Files\VMware\VMware Tools\backupScripts.d\ All scripts are invoked in ascending alphabetical order with freeze as the first argument. | C:\Program Files\VMware\VMware Tools\backupScripts.d\ All scripts are invoked in descending alphabetical order with thaw or freezeFail as the first argument.

Table 10. Script locations for Linux virtual machines

ESXi version | Freeze script location | Thaw script location
ESXi 6.5 or later | /usr/sbin/pre-freeze-script | /usr/sbin/post-thaw-script

For Linux virtual machines, set the script ownership and permissions after you deploy the scripts:

sudo chown root:root /usr/sbin/pre-freeze-script /usr/sbin/post-thaw-script
sudo chmod 0700 /usr/sbin/pre-freeze-script /usr/sbin/post-thaw-script
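VMware Tools executes these two files around every quiesced snapshot, so a script that another account can modify or replace is a path to running code in that context. The following check is an added example, not part of the Dell guide: the paths, root:root ownership and mode 0700 are the values given above, while the function names, the symlink rejection and the optional owner argument are assumptions of the example.

```sh
#!/bin/sh
# Added example: audit the freeze/thaw hooks that VMware Tools runs on a Linux guest.
# The two paths, root:root ownership and mode 0700 are the values this guide gives.
# Function names, the symlink rejection and the owner override are assumptions.
# Requires a stat that supports -c (GNU coreutils or BusyBox).

# check_backup_script PATH [UID:GID]
# Prints one line per finding; returns 0 when the file matches, non-zero otherwise.
check_backup_script() {
    cbs_path=$1
    cbs_want=${2:-0:0}          # numeric root:root unless overridden
    cbs_findings=0

    # Reject symlinks: the link target, not this path, would decide what runs.
    if [ -L "$cbs_path" ]; then
        echo "FAIL $cbs_path: symbolic link"
        return 1
    fi
    if [ ! -f "$cbs_path" ]; then
        echo "FAIL $cbs_path: missing or not a regular file"
        return 1
    fi

    cbs_owner=$(stat -c '%u:%g' "$cbs_path")
    cbs_mode=$(stat -c '%a' "$cbs_path")

    if [ "$cbs_owner" != "$cbs_want" ]; then
        echo "FAIL $cbs_path: owner $cbs_owner, expected $cbs_want"
        cbs_findings=$((cbs_findings + 1))
    fi
    # Exactly 700: any group/other bit, or a setuid/setgid/sticky bit, is a finding.
    if [ "$cbs_mode" != "700" ]; then
        echo "FAIL $cbs_path: mode $cbs_mode, expected 700"
        cbs_findings=$((cbs_findings + 1))
    fi

    [ "$cbs_findings" -eq 0 ] && echo "OK   $cbs_path"
    return "$cbs_findings"
}

# Check both hook locations from Table 10; returns 1 if either one fails.
audit_guest_hooks() {
    agh_failed=0
    for agh_hook in /usr/sbin/pre-freeze-script /usr/sbin/post-thaw-script; do
        check_backup_script "$agh_hook" || agh_failed=1
    done
    return "$agh_failed"
}

# Run the audit only when asked to, so the file can also be sourced for its functions.
if [ "${1:-}" = "audit" ]; then
    audit_guest_hooks
    exit $?
fi
```

Run the file as root with audit as its first argument on the guest; a non-zero exit status means at least one hook needs the chown and chmod commands above.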

Add a service-level agreement

SLA Compliance in the PowerProtect Data Manager UI enables you to add a service-level agreement (SLA) that identifies your service-level objectives (SLOs). You use the SLOs to verify that your protected assets are meeting the service-level agreements (SLAs).

About this task

NOTE: When you create an SLA for Cloud Tier, you can include only full backups in the SLA.

Steps

1. From the PowerProtect Data Manager UI, select Protection > SLA Compliance.

The SLA Compliance window appears.

2. Click Add or, if the assets that you want to apply the SLA to are listed, select these assets and then click Add.

The Add Service Level Agreement wizard appears.

3. Select the type of SLA that you want to add, and then click Next.

Policy. If you choose this type, go to step 4.

Backup. If you choose this type, go to step 5.

Extended Retention. If you choose this type, go to step 6.

Replication. If you choose this type, go to step 7.

Cloud Tier. If you choose this type, go to step 8.

You can select only one type of Service Level Agreement.

4. If you selected Policy, specify the following fields regarding the purpose of the new Policy SLA:

a. The SLA Name.

b. If applicable, select Minimum Copies, and specify the number of Backup, Replication, and Cloud Tier copies.

c. If applicable, select Maximum Copies, and specify the number of Backup, Replication, and Cloud Tier copies.

d. If applicable, select Available Location and select the applicable locations. To add a location, click Add Location.

Options include the following:

In: Include locations of all copies in the SLO locations. Selecting this option does not require every SLO location to have a copy.

Must In: Include locations of all copies in the SLO locations. Selecting this option requires every SLO location to have at least one copy.

Exclude: Locations of all copies must be non-SLO locations.

e. If applicable, select Allowed in Cloud through Cloud Tier/Cloud DR.

f. Click Finish, and then go to step 9.

5. If you selected Backup, specify the following fields regarding the purpose of the new Backup SLA:

a. The SLA Name.

b. If applicable, select Recovery Point Objective required (RPO), and then set the duration. The purpose of an RPO is business continuity planning, and indicates the maximum targeted period in which data (transactions) might be lost from an IT service due to a major incident.

NOTE: You can select only Recovery Point Objective required to configure as an independent objective in the SLA, or select both Recovery Point Objective required and Compliance Window for copy type. If you select both, the RPO setting must be one of the following:

Greater than 24 hours or more than the Compliance window duration, in which case RPO validation occurs independent of the Compliance Window.

Less than or equal to the Compliance Window duration, in which case RPO validation occurs within the Compliance Window.

c. If applicable, select Compliance Window for copy type, and then select a schedule level from the list (for example, All, Full, Cumulative) and set the duration. Duration indicates the amount of time necessary to create the backup copy. Ensure that the Start Time and End Time of backup copy creation falls within the Compliance Window duration specified.

This window specifies the time during which you expect the specified activity to take place. Any specified activity that occurs outside of this Start Time and End Time triggers an alert.

d. If applicable, select the Verify expired copies are deleted option.

Verify expired copies are deleted is a compliance check to see if PowerProtect Data Manager is deleting expired copies. This option is disabled by default.

e. If applicable, select Retention Time Objective, and specify the number of Days, Months, Weeks, or Years.

NOTE: For compliance validation to pass, the value set for the Retention Time Objective must match the lowest retention value set for the backup levels of this policy's target objectives. For example, if you set the synthetic full backup Retain For to 30 days but set the full backup Retain For to 60 days, the Retention Time Objective must be set to the lower value, in this case, 30 days.

f. If applicable, select the Verify Retention Lock is enabled for all copies option. This option is disabled by default.

g. Click Finish, and go to step 9.

The SLA Compliance window appears with the new SLA.

6. If you selected Extended Retention, specify the following fields regarding the purpose of the new Extended Retention SLA:

a. The SLA Name.

b. If applicable, select Recovery Point Objective required (RPO), and then set the duration. The purpose of an RPO is business continuity planning, and indicates the maximum targeted period in which data (transactions) might be lost from an IT service due to a major incident.

NOTE: By default, the RPO provides a grace period of 1 day for SLA compliance verification. For example, with a weekly extended retention schedule, PowerProtect Data Manager provides 8 days for the RPO to pass the SLA Compliance verification.

c. If applicable, select the Verify expired copies are deleted option.

Verify expired copies are deleted is a compliance check to see if PowerProtect Data Manager is deleting expired copies. This option is disabled by default.

d. If applicable, select Retention Time Objective, and specify the number of Days, Months, Weeks, or Years.

e. If applicable, select the Verify Retention Lock is enabled for all copies option. This option is disabled by default.

f. Click Finish, and go to step 9.

The SLA Compliance window appears with the newly added SLA.

7. If you selected Replication, specify the following fields regarding the purpose of the new Replication SLA:

a. The SLA Name.

b. If applicable, select the Compliance Window, and specify the Start Time and End Time.

This window specifies the times that are permissible and during which you can expect the specified activity to occur. Any specified activity that occurs outside of this start time and end time triggers an alert.

c. If applicable, select the Verify expired copies are deleted option.

Verify expired copies are deleted is a compliance check to see if PowerProtect Data Manager is deleting expired copies. This option is disabled by default.

d. If applicable, select Retention Time Objective, and specify the number of Days, Months, Weeks, or Years.

NOTE: For compliance validation to pass, the value set for the Retention Time Objective must match the lowest retention value set for the backup levels of this policy's target objectives.

e. If applicable, select the Verify Retention Lock is enabled for all copies option. This option is disabled by default.

f. Click Finish, and go to step 9.

The SLA Compliance window appears with the newly added SLA.

8. If you selected Cloud Tier type SLA, specify the following fields regarding the purpose of the new Cloud Tier SLA:

a. The SLA Name.

b. If applicable, select the Verify expired copies are deleted option.

This option is a compliance check to determine if PowerProtect Data Manager is deleting expired copies. This option is disabled by default.

c. If applicable, select Retention Time Objective and specify the number of Days, Months, Weeks, or Years.

NOTE: For compliance validation to pass, the value set for the Retention Time Objective must match the lowest retention value set for the backup levels of this policy's target objectives.

d. If applicable, select the Verify Retention Lock is enabled for all copies option. This option is disabled by default.

e. Click Finish.

9. If the SLA has not already been applied to a protection policy:

a. Go to Protection > Protection Policies.

b. Select the policy, and then click Edit.

10. In the Objectives row of the Summary window, click Edit.

11. Do one of the following, and then click Next:

Select the added Policy SLA from the Set Policy Level SLA list.

Create and add the SLA policy from the Set Policy Level SLA list.

The Summary window appears.

12. Click Finish. An informational message appears to confirm that PowerProtect Data Manager has saved the protection policy.

13. Click Go to Jobs to open the Jobs window to monitor the backup and compliance results, or click OK to exit.

NOTE: Compliance checks occur automatically every day at 2 a.m. Coordinated Universal Time (UTC). If any objectives are out of compliance, an alert is generated at 2 a.m. UTC. The Validate job in the System Jobs window indicates the results of the daily compliance check.

For a backup SLA with a required RPO setting that is less than 24 hours, PowerProtect Data Manager performs real-time compliance checks. If you selected Compliance Window for copy type and set the backup level to All, the real-time compliance check occurs every 15 minutes only within the compliance window. If the backup level is not All, or if a compliance window is not specified, the real-time compliance check occurs every 15 minutes without stop.

NOTE: If the backup SLA has a required RPO setting of 24 hours or greater, compliance checks occur daily at 2 a.m. UTC. Real-time compliance checks do not occur for backup SLAs with an RPO setting of 24 hours or greater.

Real-time compliance-check behavior

If the interval of time between the most recent backup of the asset and the compliance check is greater than the RPO requirement, then an alert indicates the RPO of the asset is out of compliance. This alert is generated once within an RPO period. If the same backup copy is missed when the next compliance check occurs, no further alerts are generated.

If the interval of time between the most recent backup of the asset and the compliance check is less than the RPO requirement, the RPO of the asset is in compliance.

If multiple assets in a policy are out of compliance at the same time when a compliance check occurs, a single alert is generated and includes information for all assets that are out of compliance in the policy. In the Alerts window, the asset count next to the alert summary indicates the number of assets that are out of compliance in the policy.

14. In the Jobs window, click next to an entry to view details on the SLA Compliance result.

Add or remove assets in a protection policy

Perform the following steps in the PowerProtect Data Manager UI to add or remove an asset in a protection policy.

About this task

When a protection policy is edited and new assets are added, backups for the new assets start from the next scheduled FULL backup job for the protection policy.

Steps

1. From the left navigation pane, select Protection > Protection Policies.

The Protection Policies window appears.

2. Select the protection policy that you want to modify, and click Edit.

The Edit Policy window opens on the Summary page.

3. In the Assets row, click Edit. The Assets page appears.

NOTE: For virtual machine protection policies, the view that you selected when creating the policy is retained in this page, and cannot be changed. For example, if you set up this policy with View Asset Table selected, all assets protected by this policy will display in a table on this page, and the option to select View by Host will be disabled. Both views provide additional information about the virtual machines, such as any currently associated tags, protection rules, and whether the virtual machine is already assigned to another policy, to help you identify which assets you want to add or remove from this policy.

4. To remove containers or assets from the protection policy, select the object and click Remove.

The Assets page updates with the changes.

5. To add a container or asset to the protection policy:

a. Click + Add.

The Add Unprotected Assets dialog displays any objects that are unprotected.

b. Select the individual unprotected assets that you want to add to the policy, or select a container level within the hierarchy to add all assets within that level, and then click Add.

The Assets page updates with the changes.

6. Optionally, if you want to exclude non-production VMDKs such as network shares or test disks from a protection policy:

a. Select the virtual machine asset from the list, and then click Manage Exclusions in the Disk Excluded column.

The Exclude Disks dialog box appears. By default, the slider next to each VMDK is set to Included.

b. For each disk that you want to exclude, move the slider to the right. The status updates to Excluded.

c. Click Save. The Assets page updates to indicate the number of disks for that particular asset that will be excluded from the protection policy.

7. Click Next to save the changes and go to the Summary page.

8. In the Summary page, click Finish. An informational dialog box appears.

9. Click OK to exit the dialog box, or click Go to Jobs to open the Jobs window to monitor the backup of the new protection policy.

Extended retention

You can extend the retention period for the primary backup copy for long term retention. For example, your regular schedule for daily backups can use a retention period of 30 days, but you can extend the retention period to keep the full backups taken on Mondays for 10 weeks.

Both centralized and self-service protection policies support weekly, monthly, and yearly recurrence schedules to meet the demands of your compliance objectives. For example, you can retain the last full backup containing the last transaction of a fiscal year for 10 years. When you extend the retention period of a backup in a protection policy, you can retain scheduled full backups with a repeating pattern for a specified amount of time.

For example:

Retain full yearly backups that are set to repeat on the first day of January for 5 years.

Retain full monthly backups that are set to repeat on the last day of every month for 1 year.

Retain full yearly backups that are set to repeat on the third Monday of December for 7 years.

Preferred alternatives

When you define an extended retention stage for a protection policy, you define a set of matching criteria that select preferred backups to retain. If the matching criteria do not identify a matching backup, PowerProtect Data Manager automatically retains the preferred alternative backup according to one of the following methods:

Look-back: Retain the last available full backup that was taken before the matching criteria.

Look-forward: Retain the next available full backup that was taken after the matching criteria.

For example, consider a situation where you configured a protection policy to retain the daily backup for the last day of the month to extended retention. However, a network issue caused that backup to fail. In this case, look-back matching retains the backup that was taken the previous day, while look-forward matching retains the backup that was taken the following day.

By default, PowerProtect Data Manager uses look-back matching to select the preferred alternative backup. A grace period defines how far PowerProtect Data Manager can look in the configured direction for an alternative backup. If PowerProtect Data Manager cannot find an alternative backup within the grace period, extended retention fails.

You can use the REST API to change the matching method or the grace period for look-forward matching. The PowerProtect Data Manager Public REST API documentation provides instructions. If there are no available backups for the defined matching period, you can change the matching method to a different backup.

For look-forward matching, the next available backup can be an ad-hoc backup or the next scheduled backup.

Selecting backups by weekday

This section applies to centralized protection policies. Self-service protection policies have no primary backup schedule configuration.

When you configure extended retention to match backups by weekday, PowerProtect Data Manager may identify a backup that was taken on one weekday as being taken on a different weekday. This behavior happens where the backup window does not align with the start of the day. PowerProtect Data Manager identifies backups according to the day on which the corresponding backup window started, rather than the start of the backup itself.

For example, consider a backup schedule with an 8:00 p.m. to 6:00 a.m. backup window:

Backups that start at 12:00 a.m. on Sunday and that end at 6:00 a.m. on Sunday are identified as Saturday backups, since the backup window started on Saturday.

Backups that start at 8:01 p.m. on Sunday and that end at 12:00 a.m. on Monday are identified as Sunday backups, since the backup window started on Sunday.

Backups that start at 12:00 a.m. on Monday and that end at 6:00 a.m. on Monday are identified as Sunday backups, since the backup window started on Sunday.

In this example, when you select Sunday backups for extended retention, PowerProtect Data Manager does not retain backups that were taken between 12:00 a.m. and 8:00 p.m. This behavior happens even though the backups occurred on Sunday. Instead, PowerProtect Data Manager selects the first available backup that started after 8:00 p.m. on Sunday for extended retention.

If no backups were created between 8:01 p.m. on Sunday and 6:00 a.m. on Monday, PowerProtect Data Manager retains the next alternative to extended retention. In this example, the alternative was taken after 6:00 a.m. on Monday.
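The following added example (not part of the Dell guide or of PowerProtect Data Manager) models the weekday attribution described above together with look-back and look-forward selection, so that you can predict which copy an extended retention schedule will keep. The function names, the sample dates, the one-day default grace period, and the treatment of the window as open-inclusive and close-exclusive are assumptions.

```python
from datetime import datetime, time, timedelta

DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]


def window_bounds(day, win_open, win_close):
    """Return (opens, closes) for the backup window that opens on `day`."""
    opens = datetime.combine(day, win_open)
    closes = datetime.combine(day, win_close)
    if closes <= opens:  # crosses midnight (20:00 to 06:00) or spans a full 24 hours
        closes += timedelta(days=1)
    return opens, closes


def attributed_weekday(backup_start, win_open, win_close):
    """Weekday a backup is identified with: the day on which its window opened.

    Returns None when the backup started outside every backup window.
    """
    for offset in (0, 1):  # window opened today, or yesterday and ran past midnight
        day = backup_start.date() - timedelta(days=offset)
        opens, closes = window_bounds(day, win_open, win_close)
        if opens <= backup_start < closes:
            return DAYS[day.weekday()]
    return None


def select_for_retention(backup_starts, target_day, win_open, win_close,
                         method="look-back", grace=timedelta(days=1)):
    """Pick the backup to retain for the window that opens on `target_day`.

    Returns (backup_start, how) where how is "match", "look-back",
    "look-forward" or "failed". The default grace period is an assumed value.
    """
    if method not in ("look-back", "look-forward"):
        raise ValueError(f"unknown matching method: {method}")
    opens, closes = window_bounds(target_day, win_open, win_close)
    starts = sorted(backup_starts)

    # Preferred backup: the first one that started inside the target window.
    matching = [b for b in starts if opens <= b < closes]
    if matching:
        return matching[0], "match"

    if method == "look-back":
        earlier = [b for b in starts if opens - grace <= b < opens]
        if earlier:
            return earlier[-1], "look-back"   # last available backup before the window
    else:
        later = [b for b in starts if closes <= b <= closes + grace]
        if later:
            return later[0], "look-forward"   # next available backup after the window
    return None, "failed"                     # nothing inside the grace period


# Constructed sample data: 8:00 p.m. to 6:00 a.m. window, Sunday 7 August 2022.
WINDOW = (time(20, 0), time(6, 0))
SUNDAY = datetime(2022, 8, 7).date()
SUNDAY_FAILED = [
    datetime(2022, 8, 6, 22, 0),   # Saturday window
    datetime(2022, 8, 7, 2, 0),    # still the Saturday window
    datetime(2022, 8, 8, 21, 0),   # Monday window
]

if __name__ == "__main__":
    for start in SUNDAY_FAILED:
        print(start, "->", attributed_weekday(start, *WINDOW))
    print(select_for_retention(SUNDAY_FAILED, SUNDAY, *WINDOW))
    print(select_for_retention(SUNDAY_FAILED, SUNDAY, *WINDOW, method="look-forward"))
```
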


Extended retention backup behavior

When PowerProtect Data Manager identifies a matching backup, automatic extended retention creates a job at the beginning of the backup window for the primary stage. This job remains queued until the end of the backup window and then starts.

The following examples describe the behavior of backups with extended retention for centralized and self-service protection.

Centralized protection

For an hourly primary backup schedule that starts on Sunday at 8:00 p.m. and ends on Monday at 6:00 p.m. with a weekly extended retention schedule that is set to repeat every Sunday, PowerProtect Data Manager selects the first available backup starting after 8:00 p.m. on Sunday for long-term retention.

The following diagram illustrates the behavior of backups with extended retention for a configured protection policy. In this example, full daily backups starting at 10:00 p.m. and ending at 6:00 a.m. are kept for 1 week. Full weekly backups are set to repeat every Sunday and are kept for 1 month.

Figure 1. Extend retention backup behavior

Self-service protection

For self-service backups, PowerProtect Data Manager uses a default backup window of 24 hours. For a backup schedule that starts on Sunday at 12:00 p.m. and ends on Monday at 12:00 p.m. with a weekly extended retention schedule that is set to repeat every Sunday, PowerProtect Data Manager selects the first available backup that is taken between 12:00 p.m. on Sunday and 12:00 p.m. on Monday for long-term retention.

Replication of extended retention backups

You can change the retention time of selected full primary backups in a replication stage by adding a replication stage to the extended retention backup. The rules in the extended retention stage define the selected full primary backups. Review the following information about replication of extended retention backups.

Before you configure replication of extended retention backups, create a replication stage for the primary backup.

Configure the replication stage of the extended retention and match this stage with one of the existing replication stages based on the primary backup.

Any changes to a new or existing storage unit in the extended retention replication stage or the replication stage of the primary backup are applied to both replication stages.

The replication stage of extended retention backups only updates the retention time of replicated backup copies and does not create any new backup copies in the replication storage.


Edit the retention period for backup copies

You can edit the retention period of one or more backup copies to extend or shorten the amount of time that backups are retained.

About this task

You can edit retention for all asset types and backup types.

Steps

1. From the PowerProtect Data Manager UI, select Infrastructure > Assets.

2. On the Assets window, select the tab for the asset type for which you want to edit retention. If a policy has been assigned, the table lists the assets that have been discovered, along with the associated protection policy.

NOTE: For virtual machine assets, you can click the link in the Disk Excluded column next to a virtual machine asset to view VMDKs that have been excluded from the protection policy. You cannot, however, edit disk inclusion or exclusion from this window. To change the disks that are excluded for a protected asset, select the policy from the Protection Policies window and click Edit.

3. Select a protected asset from the table, and then click View Copies. The Copy Locations pane identifies where the backups are stored.

4. In the left pane, click the storage icon to the right of the icon for the asset, for example, DD. The table in the right pane lists the backup copies.

5. Select one or more backup copies from the table and click Edit Retention.

6. Choose one of the following options:

To select a calendar date as the expiration date for backups, select Retention Date.

To define a fixed retention period in days, weeks, months, or years after the backup is performed, select Retention Value. For example, you could specify that backups expire after 6 months.

NOTE: When you edit the retention period for copies that are retention locked, you can only extend the retention period.

7. When satisfied with the changes, click Save. The asset is displayed in the list with the changes. The Retention column displays both the original and new retention period, and indicates whether the retention period has been extended or shortened.

Protection rules

Protection rules comprise one or more conditions that select matching assets and automatically assign them to a corresponding protection policy. PowerProtect Data Manager applies these rules to assets at discovery time.

When you define a protection rule, note the following requirements:

Creating protection rules requires at least one existing protection policy.

An asset can only belong to one protection policy. Assets can move from one policy to another policy based on the priorities of the protection rules.

Virtual machine tags created in the vSphere Client can only be applied to a protection rule.

To ensure the protection of homogeneous assets, the protection rule must specify a storage asset type.

A virtual machine application-aware protection policy that protects a Microsoft SQL Server Always On availability group (AAG) must include all the virtual machines of the AAG in the same protection group. Failure to meet this requirement might result in Microsoft SQL Server transaction log backups being skipped. Ensure that the protection rules are designed to include all the AAG virtual machines.

NOTE: Ensure that Oracle protection rules do not use the DB ID and Oracle SID Name field settings that were supported with versions prior to PowerProtect Data Manager 19.6.

You can manually move an asset into a protection policy and override automatic placement through protection rules. Manual assignment protects the asset through the specified policy but protection rules no longer apply to that asset. To apply protection rules again, remove the asset from the protection policy.


Creating virtual machine tags in the vSphere Client

Creating virtual machine tags in the vSphere Client is supported by PowerProtect Data Manager with vSphere versions 6.5 and later. Tags enable you to attach metadata to the virtual assets in the vSphere inventory, which makes assets easier to sort and search for when creating a protection policy.

Asset inclusion in a PowerProtect Data Manager protection policy is based on the filtering criteria that you specify when creating a protection rule.

When you create a tag in the vSphere Client, the tag must be assigned to a category in order to group related tags together. When defining a category, you can specify the object types to which the tags will be applied and whether more than one tag in the category can be applied to an object. Within a single rule, you can apply up to 50 rule definitions to tags and categories, as shown in the following example where Category is the category name and Bronze is the tag name:

Category:Category1,Tag:Bronze1
Category:Category2,Tag:Bronze2
Category:Category3,Tag:Bronze3
...
Category:Category50,Tag:Bronze50

In the above example, category names and tag names that exceed 9 or 7 characters respectively reduce the limit for rule definitions in a single rule to less than 50. When rule definitions exceed the maximum limit, no virtual machines are backed up as part of the group, because no members are associated with the group. As a best practice, keep the number of rule definitions within a single rule to 10 or fewer and, in cases where there are a large number of rule definitions within a single rule, keep the number of characters in category or tag names to 10 or fewer.

To view existing tags for vCenter in the vSphere Client, select Menu > Tags & Custom Attributes, and then select the Tags tab. Click a tag link in the table to view the objects associated with this particular tag.

For PowerProtect Data Manager to include tagged assets in a protection rule based on the tags created for vCenter, you must assign at least one tag to at least one virtual machine. Note that tags associated with containers of virtual machines (for example, a virtual machine folder) are not currently supported for tag associations to assets.

NOTE: Once virtual machines are associated with tags, the association is not reflected in the PowerProtect Data Manager user interface until the timeout period has completed. The default timeout to fetch the latest inventory from the vCenter server is 15 minutes. When adding a protection rule and using tags as the asset filter, you must select VM Tags.

Add a protection rule

Select a protection policy and then define one or more conditions. Where applicable, create compound rules by linking multiple conditions through logical operators.

About this task

Compound rules enable you to combine multiple selection criteria through AND and OR operators for higher precision. For example, assets in a particular data center with particular tags. Compound rules must have at least one condition.

The Add Protection Rule wizard displays compound rules in containers. Grouping rules in the same container represents a logical AND of those rules. Placing rules in separate containers represent a logical OR of those rules. For example, the compound rule (A AND B) OR (C) corresponds to one container with rules A and B, and another container with rule C.

The wizard validates fields as you type. As you define the protection rule, the wizard also displays a count of assets which match the entire protection rule, next to View Filtered Assets.

Steps

1. From the PowerProtect Data Manager UI, select Protection > Protection Rules. The Protection Rules window appears.

2. Click the tab to select the type of host for which you would like to add the protection rule, and then click Add. For example, Virtual Machines. The Add Protection Rule window opens to the Select Protection Policy page.

3. Select the target protection policy for the protection rule and then click Next. The Add Rule Description page appears.

4. Define the purpose of the protection rule:

a. Name. For example, Rules Prod Finance. The name must be unique.

b. Description. For example, Finance department production servers.


c. Click Next.

The Add Conditions page appears.

5. Define the protection rule:

a. Select an attribute. The available attributes depend on the selected host type and include names (such as Datacenter Name or Host Name), characteristics (such as asset size), tags (VM tags or namespace labels). The Power State attribute enables filtering of virtual machine hosts based on the state of the host (such as Power On, Power Off, or Suspended).

NOTE: If using the Host Name for the protection rule to determine which assets get included, ensure that you do not specify a host in a cluster. If you specify a host in a cluster, PowerProtect Data Manager will not protect the virtual machine assets under this host because although these assets are currently running within this host, they are not owned by the host and can be switched to another host under the same cluster at any time.

b. Select a matching criteria. The available matching criteria depend on the selected attribute:

For names, matching criteria include options such as Begins with, Ends with, Contains, Does not contain, Equals, Match Regular Expression, and Does Not Match Regular Expression.

The VM Folder Name and VM Resource Pool attributes support protection for all VM assets and resource pools in the selected folder and its subfolders.

For characteristics, matching criteria include options such as Greater than or Less than.

For tags, matching criteria include options such as Includes, Does not include, In, or Not in. The In and Not in criteria support multiple tags.

For Power State, matching criteria include options such as Equals and Does Not Equal.

Where the available matching criteria includes regular expressions, click for a list of supported operators and effects in a separate dialog box.

NOTE: Regular expressions for the VM Folder Name and VM Resource Pool attributes use Google RE2J syntax. The operators and effects on the Optional tab of the dialog box are unavailable for these attributes. However, the operators and effects on the Unsupported tab are available, as are the standard regular expression predefined character classes. For example, \d for a digit.

Regular expressions for all other attributes use ElasticSearch regex syntax. These expressions do not support predefined character classes.

Because predefined character classes are valid for some attributes, the UI does not mark these classes as invalid syntax. This is true even for attributes where such classes are not supported.

c. Depending on the selected attribute, supply a search phrase to compare against the attribute or select an option from the list. The wizard displays a count of matching assets beside the rule and enables new Add Rule options for compound rules.

For example, a rule with the filters VM Folder Name, Contains, and Finance can match assets belonging to your finance department to the selected protection policy.

6. To define a compound rule:

The wizard only enables some Add Rule options after the successful validation of other rules in the same container. For example, rules cannot be empty.

a. Select a logical operation, and then click the corresponding Add Rule option. If you select + (AND), the new rule appears in the same container. If you select Add Rule - OR, the new rule appears in a separate container.

b. Repeat the previous step to define the new protection rule.

c. To remove a rule from a compound rule, click for that rule.

NOTE: The wizard disables for any rules whose deletion would result in an empty container. To remove these rules, remove the entire container.

The wizard removes the selected rule and any associated Add Rule options.

d. To remove an entire container and any rules within it, click for that container. The wizard also removes any associated Add Rule options.

e. To remove all rules, click Reset Rules.

The wizard displays a count of matching assets beside each rule and, for each container, a count of matching assets for all rules in the container.


NOTE: The counts displayed by the Protection > Protection Rules > Add Protection Rules > Add Conditions and Protection > Protection Rules > Add Protection Rules > Add Conditions > Filtered Assets panes only count the number of assets in the filtered folders and resource pools. The counts do not include assets in subfolders or sub-resource pools. Despite the displayed count, all assets in subfolders and sub-resource pools are also protected. For existing protection rules, accurate asset counts are displayed in the Protection > Protection Rules and Protection > Protection Policies panes.

7. To see a list of unprotected assets which match the protection rule, click View Matching Assets. The Matching Assets window opens and displays the details of each matching asset. Verify that the list includes all expected assets, and then click Done.

8. If the protection rule and list of matching assets do not meet expectations, adjust the rules accordingly. Alternatively, reset the rules and then build the protection rule again.

9. If the protection rule and list of matching assets meet expectations, click Next. The Summary page appears.

10. Review the protection rule details and then click Finish.

Results

The new protection rule automatically protects any matching assets.
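Because the wizard does not flag predefined character classes on attributes that use ElasticSearch regex syntax, and because a rule with too many tag definitions backs up no virtual machines, a check before you save the rule is useful. The following added example (not Dell code) lints a rule's conditions and tag definitions against the limits stated in this guide. The function names, finding codes, and the reading of "a large number of rule definitions" as more than 10 are assumptions.

```python
RE2J_ATTRIBUTES = {"VM Folder Name", "VM Resource Pool"}   # RE2J syntax, \d allowed
REGEX_CRITERIA = {"Match Regular Expression", "Does Not Match Regular Expression"}
SHORTHAND = set("dDwWsS")        # predefined character classes such as \d
MAX_DEFINITIONS = 50             # stated limit of rule definitions in one rule
RECOMMENDED_DEFINITIONS = 10     # stated best practice
RECOMMENDED_NAME_LENGTH = 10     # stated best practice for category and tag names


def shorthand_classes(pattern):
    """Return the predefined character classes used in a regular expression."""
    found, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern):
            if pattern[i + 1] in SHORTHAND:
                found.append("\\" + pattern[i + 1])
            i += 2   # skip the escaped character: a literal backslash followed by "d" is not \d
        else:
            i += 1
    return found


def parse_tag_definition(text):
    """Split 'Category:<name>,Tag:<name>' into (category, tag)."""
    category_part, _, tag = text.partition(",Tag:")
    if not category_part.startswith("Category:") or not tag:
        raise ValueError(f"not a Category/Tag definition: {text!r}")
    return category_part[len("Category:"):], tag


def lint_rule(conditions, tag_definitions=()):
    """Return a list of (severity, code, detail) findings for one protection rule.

    conditions: iterable of (attribute, matching criteria, search phrase).
    tag_definitions: iterable of 'Category:<name>,Tag:<name>' strings.
    """
    findings = []
    for attribute, criteria, phrase in conditions:
        if criteria not in REGEX_CRITERIA or attribute in RE2J_ATTRIBUTES:
            continue
        for cls in shorthand_classes(phrase):
            findings.append(("error", "unsupported-class",
                             f"{attribute}: {cls} in {phrase!r} is not supported"))

    pairs = [parse_tag_definition(d) for d in tag_definitions]
    if len(pairs) > MAX_DEFINITIONS:
        findings.append(("error", "too-many-definitions",
                         f"{len(pairs)} definitions, limit is {MAX_DEFINITIONS}"))
    elif len(pairs) > RECOMMENDED_DEFINITIONS:
        findings.append(("warning", "many-definitions",
                         f"{len(pairs)} definitions, keep to {RECOMMENDED_DEFINITIONS} or fewer"))
    if len(pairs) > RECOMMENDED_DEFINITIONS:
        # Long names lower the effective limit once a rule has many definitions.
        for category, tag in pairs:
            if max(len(category), len(tag)) > RECOMMENDED_NAME_LENGTH:
                findings.append(("warning", "long-name", f"{category} / {tag}"))
    return findings


if __name__ == "__main__":
    # Constructed sample rule: one RE2J attribute, one ElasticSearch-syntax attribute.
    sample = [
        ("VM Folder Name", "Match Regular Expression", r"Finance-\d{2}"),
        ("Datacenter Name", "Match Regular Expression", r"dc-\d+"),
    ]
    for finding in lint_rule(sample):
        print(finding)
```
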

Manually run a protection rule

PowerProtect Data Manager automatically runs protection rules when new assets are detected or when existing assets are modified. You can also run protection rules manually.

Prerequisites

NOTE: For SQL, Oracle, SAP HANA, and file system asset types, the protection rule runs only on scheduled discovery in PowerProtect Data Manager. Ensure that you schedule discovery for these asset types.

Steps

1. From the PowerProtect Data Manager UI, select Protection > Protection Rules.

The Protection Rules window appears.

2. Select the required protection rules, and then click Run.

PowerProtect Data Manager runs all of the selected protection rules for the current asset type.

Schedule asset discovery

To schedule discovery in the PowerProtect Data Manager UI, complete the following steps:

Steps

1. Select Infrastructure > Asset Sources.

2. Select the App/File System Host tab.

3. Select the application host, and then click Discover.

4. From the Discovery Schedule list, select the time of day to initiate the discovery.

Edit or delete a protection rule

You can change the name, description, the rule filters, and the associated protection policy.

Steps

1. Select Protection > Protection Rules.

The Protection Rules window appears.

2. To edit a protection rule, select the rule and then click Edit.


The Edit Protection Rule window appears.

a. Select a protection policy, and then click Next.

b. Modify the name, description, or filter rules, and then click Next.

The section Add a protection rule provides more information about working with rules.

c. Review the protection rule summary, and then click Finish.

3. To delete a protection rule, select the rule and then click Delete.

PowerProtect Data Manager removes from protection policies any assets that were added because of this protection rule. PowerProtect Data Manager adds those assets again if you do not update related protection rules.

View assets applied to a protection rule

You can view the assets that are applied to a protection rule from the Protection Rules window. If the modification of a protection rule results in assets moving from one policy to another, the Protection Rules window enables you to verify the results.

About this task

To view assets that are applied to a protection rule, complete the following steps.

Steps

1. From the left navigation pane, select Protection > Protection Rules.

The Protection Rules window appears.

2. Click the link in the Assigned Assets Count column for the protection rule.

The Assets List window appears and displays the matched assets.

Change the priority of an existing protection rule

When multiple protection rules exist, you can define the priority of each rule. Priority determines which rule applies to an asset when that asset matches multiple rules and those rules have conflicting actions.

About this task

For example, if an asset matches several protection rules and each rule specifies a different protection policy, then the rule with the highest priority determines the policy assignment.

Protection rule priorities are integers. Smaller integers represent a higher priority.

Steps

1. Select Protection > Protection Rules.

The Protection Rules window appears.

2. To change a protection rule's priority, select the rule and then click Up or Down.

Remember that the smaller integer has the higher priority.
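The following added example (not Dell code) models how a compound rule and rule priority combine: conditions in one container are ANDed, containers are ORed, the matching rule with the smallest priority integer decides the policy, and a manual assignment bypasses the rules. It lists lower-priority rules that matched but lost, and assets that no rule protects. The data layout, the policy names, the sample inventory, and the reading of the In criteria as "has at least one of the listed tags" are assumptions.

```python
OPERATORS = {
    "Begins with": lambda actual, value: actual.startswith(value),
    "Ends with": lambda actual, value: actual.endswith(value),
    "Contains": lambda actual, value: value in actual,
    "Does not contain": lambda actual, value: value not in actual,
    "Equals": lambda actual, value: actual == value,
    "Does Not Equal": lambda actual, value: actual != value,
    # Tag criteria (assumed semantics for "In": at least one listed tag is present).
    "Includes": lambda tags, value: value in tags,
    "In": lambda tags, values: bool(set(tags) & set(values)),
}


def condition_matches(asset, condition):
    """Evaluate one (attribute, matching criteria, value) condition."""
    attribute, criteria, value = condition
    if attribute not in asset:
        return False
    return OPERATORS[criteria](asset[attribute], value)


def rule_matches(asset, rule):
    """OR across containers, AND inside a container; empty containers never match."""
    return any(
        bool(container) and all(condition_matches(asset, c) for c in container)
        for container in rule["containers"]
    )


def resolve_policy(asset, rules):
    """Return the policy an asset lands in and the rules that lost on priority."""
    if asset.get("manual_policy"):
        # Manual assignment: protection rules no longer apply to this asset.
        return {"policy": asset["manual_policy"], "rule": None, "shadowed": []}
    hits = sorted((r for r in rules if rule_matches(asset, r)),
                  key=lambda r: r["priority"])          # smaller integer wins
    if not hits:
        return {"policy": None, "rule": None, "shadowed": []}
    winner = hits[0]
    shadowed = [r["name"] for r in hits[1:] if r["policy"] != winner["policy"]]
    return {"policy": winner["policy"], "rule": winner["name"], "shadowed": shadowed}


def audit(inventory, rules):
    """Map each asset name to its resolved policy."""
    return {asset["name"]: resolve_policy(asset, rules) for asset in inventory}


# Constructed rules: (A AND B) OR (C) at priority 1, a broad rule at priority 5.
RULES = [
    {"name": "Rules Prod Finance", "priority": 1, "policy": "Gold",
     "containers": [
         [("VM Folder Name", "Contains", "Finance"), ("Power State", "Equals", "Power On")],
         [("VM Tags", "In", ["Gold-Tier", "Platinum-Tier"])],
     ]},
    {"name": "Datacenter East", "priority": 5, "policy": "Bronze",
     "containers": [[("Datacenter Name", "Equals", "East")]]},
]

# Constructed inventory.
INVENTORY = [
    {"name": "fin-db01", "Datacenter Name": "East", "VM Folder Name": "Prod/Finance",
     "Power State": "Power On", "VM Tags": set()},
    {"name": "fin-test02", "Datacenter Name": "East", "VM Folder Name": "Prod/Finance",
     "Power State": "Power Off", "VM Tags": set()},
    {"name": "hr-app01", "Datacenter Name": "West", "VM Folder Name": "Prod/HR",
     "Power State": "Power On", "VM Tags": {"Platinum-Tier"}},
    {"name": "lab-vm09", "Datacenter Name": "West", "VM Folder Name": "Lab",
     "Power State": "Power On", "VM Tags": set()},
    {"name": "web01", "Datacenter Name": "East", "VM Folder Name": "Prod/Web",
     "Power State": "Power On", "VM Tags": set(), "manual_policy": "Silver"},
]

if __name__ == "__main__":
    for name, outcome in audit(INVENTORY, RULES).items():
        print(f"{name:12} {outcome}")
```
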

Configure protection rule behavior

You can use the REST API to configure what happens when a protection rule changes.

The PowerProtect Data Manager Public REST API documentation provides instructions.

NOTE: If you update from a previous release of PowerProtect Data Manager, the configured behavior for protection rules changes still applies to the current release. For example, in PowerProtect Data Manager 19.4, if you did not configure protection rules through application.properties to move assets across policies, then you cannot change the behavior with this method in PowerProtect Data Manager 19.5 or later.

However, if you updated the configuration file to enable protection rules to move assets across policies, then this behavior continues to apply after the update.


Restoring Virtual Machine Data and Assets

Topics:

Prerequisites to restore a virtual machine

View backup copies available for restore

Restoring a virtual machine or VMDK

Restoring a virtual machine backup with the storage policy association

Image-level restores

Instant Access virtual-machine restore

File-level restores

Restore an application-aware virtual machine backup

Prerequisites to restore a virtual machine

Review the following requirements before you restore a virtual machine in PowerProtect Data Manager:

Only the Administrator and the Restore Administrator roles can restore data.

Ensure that you have added protection storage and the vCenter server, and that the protection of virtual machine copies has completed successfully.

To check, select Infrastructure > Assets and Infrastructure > Asset Sources.

Ensure that protection of the virtual machines completed successfully. If the virtual machines have been backed up by a protection policy, the assets appear in the Restore > Assets window.

Verify that no pre-existing snapshots exist on the virtual machine.

If performing a restore to the original virtual machine, a minimum vCenter version of 6.7 is required if you want to restore the virtual-machine protection policy backup's storage-policy assignments.

If performing a restore to a new location, ensure that sufficient space is available on the target datastore.

Verify that the virtual machine copy that is selected for restore has not expired.

For restores of virtual machine protection policy backups using the Transparent Snapshot Data Mover (TSDM) protection mechanism, note the following:

For a Restore to Original Folder and Overwrite Original Files, the virtual machine must be currently protected by a policy that uses TSDM.

For a Create and Restore to New VM, the destination ESXi host where the new virtual machine will be created must have the vSphere Installation Bundle (VIB) installed and enabled.

View backup copies available for restore

When a protection policy is successfully backed up, PowerProtect Data Manager displays details such as the name of the storage system containing the asset backup, location, the creation and expiry date, and the size. To view a backup summary:

Steps

1. From the PowerProtect Data Manager UI, select Infrastructure > Assets or Restore > Assets.

2. Select the tab that corresponds to the type of assets that you want to view. For example, for vCenter virtual machine assets, click Virtual Machine.

Assets that are associated with protection copies of this type are listed. By default, only assets with Available or Not Detected status display. You can also search for assets by name.

For virtual machines, you can also click the File Search button to search on specific criteria.


NOTE: In the Restore > Assets window, only tabs for asset types supported for recovery within PowerProtect Data Manager display. Supported asset types include the following:

Virtual Machines

File System

Storage Group

Kubernetes

3. To view more details, select an asset and click View copies.

The copy map consists of the root node and its child nodes. The root node in the left pane represents an asset, and information about copy locations appears in the right pane. The child nodes represent storage systems.

When you click a child node, the right pane displays the following information:

Storage system where the copy is stored.

The number of copies.

Details of each copy, including the time that each copy was created, the consistency level, the size of the copy, the backup type, the copy status, and the retention time.

The indexing status of each copy at the time of copy creation:

Success indicates that all files or disks are successfully indexed.

Partial Success indicates that only some disks or files are indexed and might return partial results upon file search.

Failed indicates that all files or disks are not indexed.

In Progress indicates that the indexing job is in progress.

If indexing has not been configured for a backup copy, or if global expiration has been configured and indexed disks or files have been deleted before the backup copy expiration date, the File Indexing column displays N/A.

The indexing status updates periodically which enables you to view the latest status.

For virtual machine backups, a Disk Excluded column enables you to view any virtual disks (VMDKs) that were excluded from the backup.

Restoring a virtual machine or VMDK

After virtual assets are backed up as part of a virtual machine protection policy in the PowerProtect Data Manager UI, you can perform image-level and file-level recoveries from individual or multiple virtual machine backups, and also restore individual virtual machine disks (VMDKs) to their original location.

PowerProtect Data Manager supports multiple data movers for restoring virtual machines, depending on the restore type and the vSphere capabilities. Restores are performed using one of the following data movers:

Transparent Snapshot Data Mover: Starting in PowerProtect Data Manager version 19.9, Transparent Snapshot Data Mover (TSDM) is the default protection mechanism that is used for crash-consistent virtual machine policies when vCenter or ESXi version 7.0 U3c or later is deployed in the environment. Review the section Prerequisites to restore a virtual machine for specific restore type requirements for TSDM.

VADP: VMware vStorage API for Data Protection (VADP) is the protection mechanism that is used for application aware virtual machine policies and crash-consistent policies that do not meet the TSDM software requirements. VADP is the only protection mechanism available in PowerProtect Data Manager versions 19.8 and earlier.

Storage vMotion from protection storage to primary storage.

All types of recoveries are performed from the Restore > Assets window. Recovery options include the following:

Restore to Original VM: Restore the virtual machine to its original location on the vCenter server, along with (optionally) the virtual machine configuration that existed at the time of the backup.

Restore Individual Virtual Disks: Restore select virtual disks to their original location on the vCenter server.

Create and Restore to New VM: Create a new virtual machine using a copy of the original virtual machine backup, and restore this backup to the new virtual machine.

Instant Access VM: Instant access to the virtual machine backup for browse and restore.

File Level Restore: Restore individual files/folders to the original or a new virtual machine.

Direct Restore to ESXi: Recover the virtual machine directly to an ESXi host without a vCenter server.

The Restore button, which launches the Restore wizard, is disabled until you select one or more virtual assets in the Restore > Assets window. Selecting multiple assets disables the View Copies button, since this functionality is available within the first page of the Restore wizard.


To access the Restore and Overwrite Original VM, Create and Restore to New VM, and Instant Access VM recovery types, or the Restore Individual Virtual Disks option, select one or more virtual assets and then click Restore to launch the Restore wizard.

To access the File Level Restore and Direct Restore to ESXi recovery options, select a virtual asset and then click View Copies.

In both instances, you must select a backup copy in the first page of the Restore wizard before you can go to the Options page, which displays the available recovery options.

NOTE: For all options, recovery in the PowerProtect Data Manager UI can only be performed if the backup or replica is on a DD system. If a replica backup does not exist on such storage, you must manually replicate this backup to DD storage before performing the restore.

The following sections describe each recovery option and provide instructions to perform the recovery.

NOTE: Full SQL-database and transaction-log restores of a virtual machine from application-aware virtual-machine protection policies must be performed using Microsoft application agent tools. The section Restore an application-aware virtual machine backup provides more information.

Restoring a virtual machine backup with the storage policy association

vSphere storage-based policies are used to communicate to the storage system details about how the virtual machine and its contents should be stored. At the time of backup, the existing policy assignments for the virtual machine will be stored in the backup copy.

During a restore to the original virtual machine in the PowerProtect Data Manager UI or the vSphere Client, you can select the Restore Storage Policies option if you want to restore any virtual machine disk-level or non-disk specific storage policy assignments.

This option is only applicable to virtual machine backup copies taken with PowerProtect Data Manager 19.6 and later. If you select this option but the virtual machine backup copy was created with PowerProtect Data Manager version 19.5 and earlier, or the storage policy has been deleted from the vCenter Server, the virtual machine restore will proceed but any storage policy association will not be restored.

NOTE: Enabling this option requires vCenter version 6.7 and later.

Image-level restores

The following topics provide instructions to perform restore operations at the virtual machine image level.

Restore to the original virtual machine

A Restore to Original VM recovers a virtual machine backup to its original location on the vCenter server. This operation rolls the virtual machines that you backed up with the protection policy in PowerProtect Data Manager to an earlier point in time. Use this process for restoring the production system.

Prerequisites

Review Prerequisites to virtual machine restore before performing the restore.

About this task

NOTE: If the original virtual machine was deleted, a Restore to Original Folder and Overwrite Original Files recovery attempts to re-create the virtual machine. However, if the original virtual machine resources such as the datastore and cluster are no longer available, the restore fails and a Restore to New is required.

Steps

1. From the PowerProtect Data Manager UI, select Restore > Assets, and then select the Virtual Machine tab.

The Restore window displays all virtual machines available for restore.

2. Select the checkbox next to the appropriate virtual machines and click Restore.

Use the filter in the Name column to search for the asset name of the specific virtual machine, or use the File Search button to search on specific criteria for files within backed-up virtual machines.

The Restore wizard appears.

3. On the Select Copy page, for each virtual machine that is listed in the table, select the radio button next to the virtual machine and click Choose Copy. The Choose Copy dialog box appears.

NOTE: If you click Next without choosing a copy, the most recent backup copy is used.

4. If the backup is on a DD system, click DD, and then select from one of the available copies that display in the table.

5. Click OK to save the selection and exit the dialog, and then click Next.

6. On the Purpose page, select Restore Entire VMs to restore the image-level virtual machine backup to the original location, and then click Next.

NOTE: If you specified any disk exclusions in the virtual machine protection policy, a message appears indicating that disks were excluded from this backup. If one of the excluded disks was a boot disk, the restore might not complete successfully.

The Restore Type page appears.

7. On the Restore Type page:

a. Select Restore to Original VM.

NOTE: If the system determines that the original virtual machine datastores may be insufficient to complete the restore, a warning is displayed. In this case, create more space in the original datastores, and then select Proceed Anyways.

b. Select Restore VM Tags to restore the vCenter tags and categories that are associated with this backup copy. Tags are backed up by default as part of the virtual machine protection policy backup.

NOTE: You can only select this option when restoring entire virtual machines. Selecting this option replaces any existing tags and categories on the assets in the restore location with tags and categories from the assets in the restored copy. Tags and categories being restored that do not exist on the vCenter server at the time of the restore, or have been deleted, are re-created as part of the restore, along with the tag description and the cardinality settings that determine the relationship of tags within a category. If tags and categories on the vCenter server have been renamed since the last backup, the renamed tags and categories will not be overwritten upon restore. For example, if a tag ID is the same but the tag name has been changed since the backup, a new tag is created based on the tag name in the backup copy being restored.

Upon successful restore, the replaced tags and categories are not deleted in the vSphere Client, and can be viewed in the Tags & Custom Attributes window, or the Tags pane of the Summary window when the virtual machine is selected.

c. Select Restore Storage Policies if you also want to restore any virtual machine disk-level or non-disk specific storage policy assignments.

If you select this option but the backup copy was taken with PowerProtect Data Manager 19.5 and earlier, or the storage policy is not available, the virtual machine restore proceeds but any storage policy association is not restored.

NOTE: Enabling this option requires vCenter version 6.7 or later.

d. For low-bandwidth environments, select Enable DDBoost Compression.

This option reduces network usage by compressing data on the protection storage system before transfer to the VM Direct Engine, which decompresses the data. Compression reduces restore times but increases CPU usage on both systems.

e. Select Restore VM Configuration to use the .vmx file to restore the virtual machine configuration that existed at the time of the backup. If there were changes to the VM disk configuration, you cannot clear this option.

8. Click Next.

If the virtual machine was backed up using PowerProtect Data Manager 19.9 or later, or the virtual machine configuration on the original virtual machine is identical to the copy being restored, the Networks page appears.

If the virtual machine was backed up using PowerProtect Data Manager 19.8 and earlier, or you selected the Restore VM Configuration option and the disk configuration has changed since the original backup, the Options page appears.

9. On the Options page, review the current configuration of the virtual machine along with any disks that have been added since the last backup. For any hard disks in the current virtual machine configuration that were not part of the backup copy:

Select Delete disks that will be detached to remove these disks upon restore.

Clear Delete disks that will be detached to keep these disks in their original folders on the virtual machine after the restore. These disks will not be in the virtual machine configuration, but after the restore you can use the vSphere Client to manually reattach or download these disks as appropriate.

10. The Networks page displays the network interface controllers and associated networks the virtual machine had used when it was backed up. Click Next after reviewing this information and optionally performing one or both of the following actions.

NOTE: If a network used by an adapter is no longer accessible to the current virtual machine, a warning is displayed, and a different network should be selected for that adapter.

a. To select a different network, click the associated drop-down control in the Network column, and then select an entry from the list.

b. To change the initial power-on connection status of a network interface controller, select or clear the associated check box in the Connect at Power On column.

11. Click Next. The Summary page appears with a confirmation message indicating that the virtual machine will be powered off and that the virtual machine in the datastore will revert to the point in time of the selected backup copy before being powered back on.

12. On the Summary page, click Restore. An informational dialog box appears indicating that the restore has started.

13. Go to the Jobs window to monitor the restore. A restore job appears with a progress bar and start time.

Restore individual virtual disks

A Restore Individual Virtual Disks recovers individual virtual disks (VMDKs) to their original location on the vCenter server, rolling the VMDKs that you backed up with the protection policy in PowerProtect Data Manager to an earlier point in time.

Prerequisites

Review Prerequisites to virtual machine restore before you perform the following procedure.

About this task

NOTE: When you restore individual VMDKs, only the selected disks are restored. The virtual machine configuration does not change.

Steps

1. From the PowerProtect Data Manager UI, select Restore > Assets, and then select the Virtual Machine tab.

The Restore window displays all virtual machines available for restore.

2. Select the checkbox next to the appropriate virtual machines and click Restore.

You can also use the filter in the Name column to search for the name of the specific virtual machine or click the File Search button to search on specific criteria.

The Restore wizard appears.

3. On the Select Copy page, for each virtual machine that is listed in the table, select the radio button next to the virtual machine and click Choose Copy. The Choose Copy dialog box appears.

NOTE: If you click Next without choosing a copy, the most recent backup copy is used.

4. If the backup is on a DD system, click DD, and then select from one of the available copies that display in the table.

5. Click OK to save the selection and exit the dialog, and then click Next.

6. On the Purpose page, select Restore Individual Virtual Disks to restore specific VMDKs.

7. For low-bandwidth environments, select Enable DDBoost Compression.

This option reduces network usage by compressing data on the protection storage system before transfer to the VM Direct Engine, which decompresses the data. Compression reduces restore times but increases CPU usage on both systems.

8. Click Next. The Select Disks page displays.

9. From the Backup Properties pane, select the VMDKs that you want to restore, and then click Next. Note that individual VMDKs can only be restored to the original location. The Summary page appears with a confirmation message indicating that the selected disk(s) will be overwritten in the current configuration with the copy from the backup.

10. On the Summary page, click Restore. An informational dialog box appears indicating that the restore has started.

11. Go to the Jobs window to monitor the restore. A restore job appears with a progress bar and start time.

Restore to a new virtual machine

A Create and Restore to New VM enables you to create a new virtual machine using a copy of the original virtual machine backup. Other than having a new name or location and a new vSphere VM Instance UUID, this copy is an exact replica of the virtual machine that you backed up with the protection policy in PowerProtect Data Manager.

Prerequisites

Review Prerequisites to virtual machine restore before you perform this procedure.

Steps

1. From the PowerProtect Data Manager UI, select Restore > Assets, and then select the Virtual Machine tab.

The Restore window displays all virtual machines available for restore.

2. Select the checkbox next to the appropriate virtual machines and click Restore.

You can also use the filter in the Name column to search for the name of the specific virtual machine or click the File Search button to run file level restore workflows on specific files within virtual machines.

The Restore wizard appears.

3. On the Select Copy page, for each virtual machine that is listed in the table, select the radio button next to the virtual machine and click Choose Copy. The Choose Copy dialog box appears.

NOTE: If you click Next without choosing a copy, the most recent backup copy is used.

4. If the backup is on a DD system, click DD, and then select from one of the available copies that display in the table.

5. Click OK to save the selection and exit the dialog, and then click Next.

6. On the Purpose page:

Select Restore Entire VMs if you want to restore an image-level virtual machine backup.

NOTE: If you specified any disk exclusions in the virtual machine protection policy, a message appears indicating that disks were excluded from this backup. If one of the excluded disks was a boot disk, the restore might not complete successfully.

Select Restore Individual Virtual Disks if you want to restore only specific VMDKs.

NOTE: Individual disks can only be restored to the original location.

7. Click Next.

8. On the Restore Type page:

a. Select Create and Restore to New VM.

b. Select the Restore VM Tags checkbox to restore vCenter tags and categories associated with this backup copy. Tags are backed up by default as part of the virtual machine protection policy backup.

NOTE: You can only select this option when restoring entire virtual machines. Any existing tags and categories on the assets in the restore location will be replaced with the tags and categories from the assets in the restored copy. If the tags and categories being restored do not exist on the vCenter server at the time of the restore, or have been deleted, they will be re-created as part of the restore, along with the tag description and the cardinality settings that determine the relationship of tags within a category. If tags and categories on the vCenter server have been renamed since the last backup, the renamed tags and categories will not be overwritten upon restore. For example, if a tag's ID is the same but the tag's name has been changed since the backup, a new tag is created based on the tag name in the backup copy being restored.

Upon successful restore, the replaced tags and categories can be viewed in the vSphere Client Tags & Custom Attributes window, or the Tags pane of the Summary window when the virtual machine is selected.

c. For low-bandwidth environments, select Enable DDBoost Compression.

This option reduces network usage by compressing data on the protection storage system before transfer to the VM Direct Engine, which decompresses the data. Compression reduces restore times but increases CPU usage on both systems.

d. Click Next.

9. On the VM Information page:

a. From the Restore to vCenter list, select the vCenter server for the new virtual machine restore. This list displays any vCenter server that has been added from the Assets window.

When you select a vCenter server, available data centers appear.

b. Select the destination data center.

c. Click Next.

10. On the Restore Location page:

a. Select the location within this data center that you want to restore the virtual machine by expanding the hierarchical view. For example, select a specific cluster, and then select a host within the cluster.

b. If you select an ESXi host within this page, the next page is unnecessary.

c. Click Next.

11. On the ESX Host page:

If you did not select a specific host in the previous step, select a host that is connected with the cluster, and then click Next.

If you selected a host in the previous step, this page indicates that a host is already selected and you can click Next to proceed.

12. On the Datastore page, select the datastore where you want to restore the virtual machine disks.

NOTE: The Total Estimated Space Needed for Recovery is displayed and updated according to the specified disk provisioning type.

In the datastore list:

The free space in each datastore is displayed.

If a datastore is estimated to be smaller than required for recovery, it is displayed in red alongside an error icon.

Select Browse... to display the total capacity, provisioned capacity, and free capacity of all available datastore(s), and select a datastore.

a. If you are restoring multiple virtual machines, select the Datastore and Provisioning Type to use for all virtual machines.

b. If you are restoring one virtual machine:

To restore all disks to the same location, keep Configure Per Disk disabled, and select the datastore from the datastore list in the Storage column.

To restore disks to different locations, enable Configure Per Disk, and for each disk, select a datastore from the datastore list in the Storage column. Select how to provision the disk from the provisioning types in the Disk Format column.

NOTE: If you select a datastore whose estimated free space is smaller than required for recovery, a warning is displayed. In this case, you can select Proceed Anyways to continue, but it is recommended to create more space in the specified datastore(s) before doing so.

c. Click Next.

13. The Networks page appears if the virtual machine was backed up using PowerProtect Data Manager 19.9 or later. It displays the network adaptors and associated networks the virtual machine had used when it was backed up. Click Next after reviewing this information and optionally performing one or both of the following actions.

NOTE: If a network used by an adapter is no longer accessible to the new virtual machine, a warning is displayed, and a different network should be selected for that adapter.

a. To select a different network, click the associated drop-down control in the Network column, and then select an entry from the list.

b. To change the initial power-on connection status of a network adapter, select or clear the associated check box in the Connect at Power On column.

14. On the Options page:

a. For Select Access Level, keep the slider set to Yes if you want to enable instant access for this restore.

When you select this option, the virtual machine is created and turned on while temporarily accessing the VMDKs from DD storage. Storage vMotion is initiated to the target datastore. The virtual machine becomes available for use when it is turned on.

b. (Optional) For the recovery options, select Power on the virtual machine when the recovery completes and Reconnect the virtual machine's NIC when the recovery completes. Power on the virtual machine when the recovery completes is selected by default when instant access is enabled.

c. Click Next.

15. On the Summary page, verify that the information you specified in the previous steps is correct, and then click Restore.

16. Go to the Jobs window to monitor the restore.

A restore job appears with a progress bar and start time. You can also click next to the job to verify what steps have been performed, for example, when the instant access session has been created.

Direct restore to ESXi

If the virtual machine you protected with PowerProtect Data Manager was a vCenter virtual machine, but the virtual machine and vCenter server are now lost or no longer available, direct restore to ESXi enables you to recover the virtual machine directly to an ESXi host without a vCenter server.

Prerequisites

A Direct Restore to ESXi requires either the embedded VM Direct Engine with PowerProtect Data Manager, or an external VM Direct appliance that is added and registered to PowerProtect Data Manager.

Additionally, ensure that you disconnect the ESXi host from the vCenter server.

Steps

1. From the PowerProtect Data Manager UI, select Restore > Assets, and then select the Virtual Machine tab.

The Restore window displays all of the virtual machines available for restore.

2. Select the checkbox next to the desired virtual machine and click View Copies.

NOTE: If you cannot locate the virtual machine, you can also use the filter in the Name column to search for the name of the specific virtual machine or click the File Search button to search on specific criteria.

The Restore > Assets window provides a map view in the left pane and copy details in the right pane.

When a virtual machine is selected in the map view, the virtual machine name displays in the right pane with the copy locations underneath. When you select a specific location in the left pane to view the copies, for example, on a DD system, the copies on that system display in the right pane.

3. If the backup is on a DD system, click DD, and then select from one of the available copies that display in the table.

4. In the right pane, select the checkbox next to the virtual machine backup you want to restore, and then click Direct Restore to ESXi. The Direct Restore to ESXi wizard appears.

5. On the Options page:

a. (Optional) Select Reconnect the virtual machine's NIC when the recovery completes, if desired. Power on the virtual machine when the recovery completes is selected by default.

b. For low-bandwidth environments, select Enable DDBoost Compression.

This option reduces network usage by compressing data on the protection storage system before transfer to the VM Direct Engine, which decompresses the data. Compression reduces restore times but increases CPU usage on both systems.

c. Click Next.

6. On the ESX Host Credentials page:

a. In the ESX Host field, type the IP of the ESXi server where you want to restore the virtual machine backup.

b. Specify the root Username and Password for the ESXi Server.

c. Click Next.

7. On the Datastore page, select the datastore where you want to restore the virtual machine disks, and then click Next.

To restore all of the disks to the same location, keep the Configure per disk slider to the left, and then select the datastore from the Storage list.

To restore disks to different locations, move the Configure per disk slider to the right, and then:

a. For each available disk that you want to recover, select a datastore from the Storage list.

b. Select the type of provisioning you want to apply to the disk from the Disk Format list.

8. On the Summary page:

a. Review the information to ensure that the details are correct.

b. Click Restore.

9. Go to the Jobs window to monitor the restore. A restore job appears with a progress bar and start time.

Instant Access virtual-machine restore

An Instant Access VM restore enables you to create a new virtual machine directly from the original virtual machine backup on protection storage for the purposes of instant backup validation and recovery of individual files. The instant access virtual machine is initially available for 7 days. This process does not copy or move any data from protection storage to the production datastore. An instant access virtual machine restore also provides the option to move the virtual machine to a production datastore when you want to retain access to the virtual machine for a longer time.

Prerequisites

If your environment has multiple isolated virtual networks, create a dedicated VMkernel port on the Data network for the destination ESXi host. Create a VMkernel port for a standard vSwitch configuration on page 75 and Create a VMkernel port for a distributed vSwitch configuration on page 75 provide instructions. The PowerProtect Data Manager Administration and User Guide provides more information about virtual networks.

Steps

1. From the PowerProtect Data Manager UI, select Restore > Assets, and then select the Virtual Machine tab.

The Restore window displays all virtual machines available for restore.

2. Select the check box next to the appropriate virtual machines and click Restore.

You can also use the filter in the Name column to search for the name of the specific virtual machine, or click the File Search button to search on specific criteria.

The Restore wizard appears.

3. On the Select Copy page, for each virtual machine that is listed in the table, select the radio button next to the virtual machine and click Choose Copy. The Choose Copy dialog box appears.

NOTE: If you click Next without choosing a copy, the most recent backup copy is used.

4. If the backup is on a DD system, click DD, and then select from one of the available copies that display in the table.

5. Click OK to save the selection and exit the dialog, and then click Next.

6. On the Purpose page:

Select Restore Entire VMs if you want to restore an image-level virtual machine backup.

NOTE: If you specified any disk exclusions in the virtual machine protection policy, a message appears indicating that disks were excluded from this backup. If one of the excluded disks was a boot disk, the restore might not complete successfully.

Select Restore Individual Virtual Disks if you want to restore only specific VMDKs.

NOTE: Individual disks can only be restored to the original location.

7. On the Restore Type page:

a. Select Instant Access VM.

b. Select the Restore VM Tags checkbox to restore vCenter tags and categories associated with this backup copy.

NOTE: You can only select this option when restoring entire virtual machines. Any existing tags and categories on the assets in the restore location will be replaced with the tags and categories from the restored copy. If the tags and categories being restored do not exist on the vCenter server at the time of the restore, or have been deleted, they will be re-created as part of the restore, along with the tag description and the cardinality settings that determine the relationship of tags within a category. If tags and categories on the vCenter server have been renamed since the last backup, the renamed tags and categories will not be overwritten upon restore. For example, if a tag's ID is the same but the tag's name has been changed since the backup, a new tag is created based on the tag name in the backup copy being restored.

Upon successful restore, the replaced tags and categories can be viewed in the vSphere Client Tags & Custom Attributes window, or the Tags pane of the Summary window when the virtual machine is selected.

c. Click Next.

8. On the VM Information page:

a. Select whether you want to use the original virtual machine name for the instant access virtual machine restore, or rename the instant access virtual machine by appending a suffix to the original name.

b. From the Restore to vCenter list, select the vCenter server for the instant access virtual machine restore. You can select the vCenter server of the original virtual machine backup, or another vCenter server. This list displays any vCenter server that has been added from the Assets window.

When you select a vCenter server, available data centers appear.

c. Select the destination data center.

d. Click Next.

9. On the Restore Location page, select the location within this data center that you want to restore the virtual machine by expanding the hierarchical view. For example, select a specific cluster, and then select a host within the cluster. If you select an ESXi host within this page, the next page is unnecessary. Click Next.

10. On the ESX Host page:

If you did not select a specific host in the previous step, select a host that is connected with the cluster, and then click Next.

If you selected a host in the previous step, this page indicates that a host is already selected and you can click Next to proceed.

11. The Networks page appears if the virtual machine was backed up using PowerProtect Data Manager 19.9 or later. It displays the network adaptors and associated networks the virtual machine had used when it was backed up. Click Next after reviewing this information and optionally performing one or both of the following actions.

NOTE: If a network used by an adapter is no longer accessible to the new virtual machine, a warning is displayed, and a different network should be selected for that adapter.

a. To select a different network, click the associated drop-down control in the Network column, and then select an entry from the list.

b. To change the initial power-on connection status of a network adapter, select or clear the associated check box in the Connect at Power On column.

12. On the Options page:

a. Specify a name for the Instant Access virtual machine.

b. Optionally, select Power on the virtual machine when the recovery completes and Reconnect the virtual machine's NIC when the recovery completes. Power on the virtual machine when the recovery completes is selected by default for instant access virtual machine restores.

c. Click Next.

13. On the Summary page, verify that the information you specified in the previous steps is correct, and then click Restore. A confirmation message displays indicating that the restore has been initiated and providing the option to go to the Jobs window to monitor the restore progress.

14. Go to the Jobs window to view the entry for the instant access virtual machine recovery and verify when the recovery completes successfully. You can also click next to the job to verify what steps have been performed, for example, when the instant access session has been created.

Results

To monitor and manage the instant access virtual machine recovery, select Restore > Running Sessions, and then click the Instant Access tab. From this window, you can also extend the instant access virtual machine session beyond the default period of 7 days.

NOTE: On a single-node protection storage system such as a DD system, instant access/restore functionality has been enhanced to return a failure message when overwhelmed with traffic. For example, if on the target node or the ESXi host there are Live VM and/or Instant Restore sessions that are in conflict, instant access/restore jobs will fail with a message indicating a resource contention issue. If this occurs, you need to clear the conflicts and then restart the session in order for the job to execute.

Manage and monitor Instant Access sessions

In the PowerProtect Data Manager UI, the Instant Access tab of the Restore > Running Sessions window enables you to monitor vMotion events, and to manage the status of a virtual machine restore to new or instant access virtual machine restore. For example, you can extend the availability period or delete an instant access virtual machine.

NOTE: The Instant Access Sessions that are used by a SQL application-aware self-service restore are displayed in the PowerProtect Data Manager UI, but management is disabled. Use the SQL application-aware self-service restore UI to manage these sessions.

When the Jobs window indicates that a recovery has completed successfully, go to Restore > Running Sessions > Instant Access to access information about the sessions. This window enables you to monitor and manage all exported copies that you have created from protection storage. An active restore session with a state of Mounting indicates that the restore is still in progress. Once the state changes to Mounted, the restore is complete and the instant access virtual machine is ready. When you select the session in the table, you can choose from three options:

Extend: Click to extend the number of days the instant access virtual machine restore is available. The default retention period of an instant access virtual machine restore is 7 days.

Migrate: Click to open the Migrate Storage vMotion wizard, which enables you to move the instant access virtual machine to a protection datastore. Migrate an instant access session provides instructions.

Delete: Click if you no longer require the active restore session. Note that you can also vMotion from inside the vCenter server, and PowerProtect Data Manager removes the Instant Access Session upon detection.

For instant access virtual machine restores, availability of the instant access virtual machine session is also indicated in the vSphere Client. The session appears in the Recent Tasks pane, and you can expand the cluster and select the instant access virtual machine to view summary information, as shown in the following figure.

Figure 2. instant access virtual machine restore in the vSphere Client


Migrate an Instant Access session

Once you validate that the instant access virtual machine is the virtual machine that you require for production, click Migrate to open the Migrate Storage vMotion wizard, which enables you to select the session and move the virtual machine to a production datastore.

Steps

1. From the PowerProtect Data Manager UI, select Restore > Running Sessions, and then click the Instant Access tab.

2. Select a session from the table that is in Mounted state, and click Migrate. The Migrate Storage vMotion wizard displays.

3. On the Disk Files Datastore page, select the datastore where you want to relocate the instant access virtual machine, and then click Next. To migrate all VMDKs to the same datastore, keep the Configure per disk slider to the left, and then select the datastore from the Storage list. To migrate VMDKs to separate datastores, move the Configure per disk slider to the right, and then:

a. Select a datastore for each disk from the Storage list.

b. Select the type of provisioning you want to apply to the disk from the Disk Format list.

4. On the Summary page, review the information to ensure that the details are correct, and then click Migrate.

5. Go to the Jobs window or the Instant Access window to view the progress of the migration.

In the Jobs window, the migration job appears with a progress bar and start time. You can also click next to the job to verify what steps have been performed. In the Instant Access window, you can monitor the vMotion status of the migration. When a vMotion is in progress, the status indicates VMotioning. Once the storage vMotion for the session is complete, the status of the session changes to Deleting as the session is being removed from the Instant Access window.

File-level restores

The following topics provide instructions to perform restore operations at the file level.

There are two methods of restoring individual virtual machine files within the PowerProtect Data Manager UI:

Using the File Level Restore wizard

Using the File Search functionality

File-level restore to the original virtual machine

A file-level restore to the original virtual machine enables you to recover individual files from backups of virtual machines or VMDKs performed in PowerProtect Data Manager to the same or a new location on the original vCenter server. Only the Administrator and the Restore Administrator roles can restore data.

Prerequisites

Review the section Supported platform versions for file-level restore for supported platform and operating system versions.

Review the section File-level restore and SQL restore troubleshooting and limitations on page 135.

The Dell EMC vProxy Agent, which is installed automatically during file level restore, facilitates the mounting and unmounting of disks and the browsing of files in the destination virtual machine and the backup copy. In order to complete the Dell EMC vProxy Agent installation, on Windows virtual machines the user must be an administrator account, and on Linux virtual machines the user must be the root user account, or a user in the operating system's local sudousers list. The section Dell EMC vProxy Agent for virtual-machine file-level restore on page 132 provides more information.

If your environment has multiple isolated virtual networks, create a dedicated VMkernel port on the Data network for the destination ESXi host. Create a VMkernel port for a standard vSwitch configuration on page 75 and Create a VMkernel port for a distributed vSwitch configuration on page 75 provide instructions. The PowerProtect Data Manager Administration and User Guide provides more information about virtual networks.

NOTE: For file-level restores, you can only restore files from a Windows backup to a Windows machine, or from a Linux backup to a Linux machine.

Steps

1. From the PowerProtect Data Manager UI, select Restore > Assets, and then select the Virtual Machine tab.


The Restore window displays all the virtual machines available for restore.

2. Select the checkbox next to the virtual machine that you want to recover from, and then click View Copies.

You can also use the filter in the Name column to search for a specific virtual machine name.

NOTE: If the Search cluster is enabled, you can click the File Search button to search on specific criteria. The File Search button is used for virtual machine file level restore when restoring files from multiple copies across one or more virtual machines. File-level restore to the original virtual machine on page 66 provides more information.

The Restore > Assets window provides a map view in the left pane and copy details in the right pane.

When a virtual machine is selected in the map view, the virtual machine name displays in the right pane with the copy locations underneath. When you select a location in the left pane, for example, a DD system, the copies on that system display in the right pane.

3. If the backup is on a DD system, click DD, and then select from one of the available copies that display in the table.

4. In the right pane, select the checkbox next to the virtual machine backup you want to restore, and then click File Level Restore. The File Level Recover wizard appears.

5. On the Restore Type page, select Restore to Original Virtual Machine, and then click Next.

6. On the Mount Copy page:

a. To initiate the disk mount, type the guest operating system user credentials:

If there are administrator-level credentials associated with the virtual assets or protection policy being restored, specify end-user credentials.

If there are no administrator-level credentials associated with the virtual assets or protection policy being restored, specify administrator credentials. These credentials will be handled as end-user credentials.

b. (Optional) Leave Keep FLR Agent Installed selected to keep the Dell EMC vProxy Agent on the destination virtual machine after the restore completes.

c. (Optional) If you are a local user, select Run with Elevated Privileges to override any User Account Control prompts that appear when restoring to folders. To enable this option, the Dell EMC vProxy Agent must be installed by the Administrator.

NOTE: On Windows, the local user must be part of the Administrators group. On Linux, this account requires sudo access and must be able to run vflrcopy without being prompted for a password.

d. Click Start Mount to initiate the disk mount. A progress bar indicates when the mount completes.

NOTE: You cannot browse the contents of the virtual machine backup until the mounting of the destination virtual machine completes successfully.

When validated, the Dell EMC vProxy Agent is installed automatically on the restore destination, if it is not already installed.

e. Upon successful mount, click Next.

7. On the Select Files to Recover page:

a. Expand individual folders to browse the original virtual machine backup, and select the objects that you want to restore to the destination virtual machine.

b. Click Next.

NOTE: When you browse for objects to recover on this page, each directory or hard drive appears twice. As a result, when you select an object from one location, the object is selected in the duplicate location as well.

8. On the Options page, select from one of the following options, and then click Next.

Restore to Original Folder and Overwrite Original Files: Select this option to restore all selected files to their original location on the original virtual machine.

Restore to an Alternate Folder: Select this option if you want to restore to a new folder in a new location on the original virtual machine.

9. On the Summary page:

a. Review the information to ensure that the restore details are correct. You can click Edit next to any row to change the information.

b. Click Restore.

10. Go to the Jobs window to monitor the restore. A restore job appears with a progress bar and start time.


File-level restore to alternate virtual machine

A file-level restore to alternate virtual machine enables you to recover individual files from backups of virtual machines or VMDKs performed in PowerProtect Data Manager to a new location on a new virtual machine. This restore can be performed to a primary or secondary vCenter server. Only the Administrator and the Restore Administrator roles can restore data.

Prerequisites

Review the section Supported platform versions for file-level restore for supported platform and operating system versions.

Review the section File-level restore and SQL restore troubleshooting and limitations on page 135.

The Dell EMC vProxy Agent, which is installed automatically during file level restore, facilitates the mounting and unmounting of disks and the browsing of files in the destination virtual machine and the backup copy. In order to complete the automatic Dell EMC vProxy Agent installation, on Windows virtual machines the user must be an administrator account, and on Linux virtual machines the user must be the root user account, or a user in the operating system's local sudousers list. The section Dell EMC vProxy Agent for virtual-machine file-level restore on page 132 provides more information.

If your environment has multiple isolated virtual networks, create a dedicated VMkernel port on the Data network for the destination ESXi host. Create a VMkernel port for a standard vSwitch configuration on page 75 and Create a VMkernel port for a distributed vSwitch configuration on page 75 provide instructions. The PowerProtect Data Manager Administration and User Guide provides more information about virtual networks.

NOTE: For file-level restores, you can only restore files from a Windows backup to a Windows machine, or from a Linux backup to a Linux machine.

Steps

1. From the PowerProtect Data Manager UI, select Restore > Assets, and then select the Virtual Machine tab.

The Restore window displays all the virtual machines available for restore.

2. Select the checkbox next to the virtual machine that you want to recover from, and then click View Copies.

You can also use the filter in the Name column to search for a specific virtual machine name.

NOTE: If the Search cluster is enabled, you can click the File Search button to search on specific criteria. The File Search button is used for virtual machine file level restore when restoring files from multiple copies across one or more virtual machines. File level restore to alternate virtual machine using File Search on page 70 provides more information.

The Restore > Assets window provides a map view in the left pane and copy details in the right pane.

When a virtual machine is selected in the map view, the virtual machine name displays in the right pane with the copy locations underneath. When you select a location in the left pane, for example, a DD system, the copies on that system display in the right pane.

3. If the backup is on a DD system, click DD, and then select from one of the available copies that display in the table.

4. In the right pane, select the checkbox next to the virtual machine backup you want to restore, and then click File Level Restore. The File Level Recover wizard appears.

5. On the Restore Type page, select Restore to Alternate Virtual Machine, and then click Next.

6. On the Select Target VM page, choose from one of the following options:

Search for a target virtual machine by typing the name.

Browse from the available vCenter servers to locate the destination virtual machine.

7. On the Mount Copy page:

a. To initiate the disk mount, type the guest operating system user credentials:

If there are administrator-level credentials associated with the virtual assets or protection policy being restored, specify end-user credentials.

If there are no administrator-level credentials associated with the virtual assets or protection policy being restored, specify administrator credentials. These credentials will be handled as end-user credentials.

b. (Optional) Leave Keep FLR Agent Installed selected to keep the Dell EMC vProxy Agent on the destination virtual machine after the restore completes.

c. (Optional) If you are a local user, select Run with Elevated Privileges to override any User Account Control prompts that appear when restoring to folders. To enable this option, the Dell EMC vProxy Agent must be installed by the Administrator.

NOTE: On Windows, the local user must be part of the Administrators group. On Linux, this account requires sudo access and must be able to run vflrcopy without being prompted for a password.


d. Click Start Mount to initiate the disk mount. A progress bar indicates when the mount completes.

NOTE: You cannot browse the contents of the virtual machine backup until the mounting of the destination virtual machine completes successfully.

When validated, the Dell EMC vProxy Agent is installed automatically on the restore destination, if it is not already installed.

e. Upon successful mount, click Next.

8. On the Select Files to Recover page:

a. Expand individual folders to browse the original virtual machine backup, and select the objects that you want to restore to the destination virtual machine.

b. Click Next.

NOTE: When you browse for objects to recover on this page, each directory or hard drive appears twice. As a result, when you select an object from one location, the object is selected in the duplicate location as well.

9. On the Restore Location page:

a. Browse the folder structure of the destination virtual machine to select the folder where you want to restore the objects.

b. Click Next.

10. On the Summary page:

a. Review the information to ensure that the restore details are correct. You can click Edit next to any row to change the information. If you are not restoring to the original virtual machine, an additional field appears for the Target VM.

b. Click Restore.

11. Go to the Jobs window to monitor the restore. A restore job appears with a progress bar and start time.

Virtual machine file level restore from a search

Within the Restore window of the PowerProtect Data Manager UI, File Search enables you to restore files from protected virtual machine backup copies to:

The original virtual machine

An alternate virtual machine

NOTE: Only file level virtual machine restore is available from File Search.

File level restore to original virtual machine using File Search

Use File Search in the PowerProtect Data Manager UI to restore files from multiple copies across one or more virtual machines to the same location on the original vCenter server. Only the Administrator and the Restore Administrator roles can restore data.

Prerequisites

Review the section Supported platform versions for file-level restore for supported platform and operating system versions.

Review the section File-level restore and SQL restore troubleshooting and limitations on page 135.

If your environment has multiple isolated virtual networks, create a dedicated VMkernel port on the Data network for the destination ESXi host. Create a VMkernel port for a standard vSwitch configuration on page 75 and Create a VMkernel port for a distributed vSwitch configuration on page 75 provide instructions. The PowerProtect Data Manager Administration and User Guide provides more information about virtual networks.

NOTE: For file level restores to the original machine:

The files must be restored from a Windows backup to a Windows machine, or from a Linux backup to a Linux machine.

Restoring files from multiple copies with identical file names and paths from the same asset is not supported. In this case, only a file level restore to the alternate virtual machine is available.

Steps

1. From the PowerProtect Data Manager UI, select Restore > Assets, and then select the Virtual Machine tab.

The Restore window displays all the virtual machines available for restore.

2. Click File Search, and then perform the following:


a. Select a virtual machine from the VM Name list.

b. Use the File Name and File Type fields to search for specific files, or specify a file size or folder path to perform the search. The files that match the search criteria display in the Results pane.

c. In the Results pane, select the files that you want to restore, and then click Add. The Results pane is collapsed, and the Selected Files pane updates to display the current file selections.

d. Repeat steps b through d to select files from other virtual machines and copies. When finished with your selections, click Restore.

The VM File Restore wizard appears, displaying the Location page.

3. On the Location page:

a. Select Restore to Original Location.

b. (Optional) Select Overwrite existing files with the same name to replace files in the original location with the files being restored if the files have the same name.

c. If you selected files from multiple virtual machines, and these virtual machines share the same credentials, move the Use one set of credentials for all VMs slider to the right to avoid retyping the credentials for each virtual machine.

d. For one or more virtual machines, type the virtual machine User Name and Password, and then click Verify to validate the credentials.

If there are administrator-level credentials that are associated with the virtual assets or protection policy being restored, specify end-user credentials.

If there are no administrator-level credentials that are associated with the virtual assets or protection policy being restored, specify administrator credentials. These credentials are handled as end-user credentials.

You are not required to wait for validation to complete before clicking Verify for another set of virtual machine credentials.

When validated, if the Dell EMC vProxy Agent is not already installed, it is installed automatically on the restore destination. The Dell EMC vProxy Agent facilitates the mounting and unmounting of disks and the browsing of files in the destination virtual machine and the backup copy. In order to complete the automatic Dell EMC vProxy Agent installation, on Windows virtual machines the user must be an administrator account, and on Linux virtual machines the user must be the root user account, or a user in the operating system's local sudousers list. The section Dell EMC vProxy Agent for virtual-machine file-level restore on page 132 provides more information.

e. (Optional) Leave Keep FLR Agent Installed selected to keep the Dell EMC vProxy Agent on the destination virtual machines after the restore completes.

f. (Optional) If you are a local user, select Run with Elevated Privileges to override any User Account Control prompts that appear when restoring to folders. To enable this option, the Dell EMC vProxy Agent must be installed by the Administrator.

NOTE: On Windows, the local user must be part of the Administrators group. On Linux, this account requires sudo access and must be able to run vflrcopy without being prompted for a password.

g. Click Next.

The Summary page appears.

4. On the Summary page:

a. Review the information to ensure that the restore details are correct. You can click Edit next to certain rows to change the information.

b. Click Restore or Finish.

5. Go to the Jobs window to monitor the restore. A batch file level restore job with multiple files appears as a job group, with a progress bar and start time. A separate job entry is created for each copy that is being restored from.

File level restore to alternate virtual machine using File Search

Use File Search in the PowerProtect Data Manager UI to restore files from multiple copies across one or more virtual machines to a new location on a new virtual machine. The files can be restored to the primary vCenter server or a secondary vCenter server. Only the Administrator and the Restore Administrator roles can restore data.

Prerequisites

Review the section Supported platform versions for file-level restore for supported platform and operating system versions. Review the section File-level restore and SQL restore troubleshooting and limitations on page 135.


If your environment has multiple isolated virtual networks, create a dedicated VMkernel port on the Data network for the destination ESXi host. Create a VMkernel port for a standard vSwitch configuration on page 75 and Create a VMkernel port for a distributed vSwitch configuration on page 75 provide instructions. The PowerProtect Data Manager Administration and User Guide provides more information about virtual networks.

NOTE: For file-level restores to an alternate virtual machine:

You can only restore files from a Windows backup to a Windows machine, or from a Linux backup to a Linux machine.

Restore of multiple files from different operating systems to the same target virtual machine is not supported. In this case, only a file level restore to the original virtual machine is available.

Steps

1. From the PowerProtect Data Manager UI, select Restore > Assets, and then select the Virtual Machine tab.

The Restore window displays all the virtual machines available for restore.

2. Click File Search, and then perform the following:

a. Select a vCenter server from the vCenter Name list.

b. Select a virtual machine from the VM Name list.

c. Use the File Name and File Type fields to search for specific files, or specify a file size or folder path to perform the search. The files that match the search criteria display in the Results pane.

d. In the Results pane, select the files that you want to restore, and then click Add. The Results pane is collapsed, and the Selected Files pane updates to display the current file selections.

e. Repeat steps b through d to select files from other virtual machines and copies. When finished with your selections, click Restore. The VM File Restore wizard appears, displaying the Location page.

3. On the Location page:

a. Select Restore to Alternate Location. The table on the page updates to display the available destination virtual machines within the vCenter server and the location of any selected virtual machine.

b. Expand the vCenter server to locate the virtual machine that you want to restore to, and then select the virtual machine. A prompt appears, requesting the credentials of this virtual machine.

c. Type the virtual machine User Name and Password, and then click Verify to validate the credentials. When validated, if the Dell EMC vProxy Agent is not already installed, it is installed automatically on the restore destination. The Dell EMC vProxy Agent facilitates the mounting and unmounting of disks and the browsing of files in the destination virtual machine and the backup copy. In order to complete the automatic Dell EMC vProxy Agent installation, on Windows virtual machines the user must be an administrator account, and on Linux virtual machines the user must be the root user account, or a user in the operating system's local sudousers list. The section Dell EMC vProxy Agent for virtual-machine file-level restore on page 132 provides more information.

d. (Optional) Leave Keep FLR Agent Installed selected to keep the Dell EMC vProxy Agent on the destination virtual machines after the restore completes.

e. (Optional) If you are a local user, select Run with Elevated Privileges to override any User Account Control prompts that appear when restoring to folders. To enable this option, the Dell EMC vProxy Agent must be installed by the Administrator.

NOTE: On Windows, the local user must be part of the Administrators group. On Linux, this account requires sudo access and must be able to run vflrcopy without being prompted for a password.

f. When validation completes, click Close to return to the Location page. The Location page updates with the available destination folders on the selected virtual machine.

g. Browse to the destination folder, or select a location and click Add Folder to create a destination within this folder.

h. Optionally, select Overwrite existing files with the same name to replace files in the destination folder with the files being restored if the files have the same name.

i. Click Next.

The Summary page appears.

4. On the Summary page:

a. Review the information to ensure that the restore details are correct. You can click Edit next to certain rows to change the information. If you are not restoring to the original virtual machine, an additional field appears for the Target VM.

b. Click Restore or Finish.

5. Go to the Jobs window to monitor the restore. A batch file level restore job with multiple files appears as a job group, with a progress bar and start time. A separate job entry is created for each copy that is being restored from.


Restore an application-aware virtual machine backup

When virtual machine applications are protected within a protection policy in PowerProtect Data Manager, you can recover the application data using the Microsoft application agent, or perform a centralized restore within the PowerProtect Data Manager UI.

The PowerProtect Data Manager Microsoft SQL Server User Guide provides instructions on how to restore an application-aware virtual machine using the VM Direct SQL Server Management Studio (SSMS) plug-in.


Protecting Virtual Machines Using the Transparent Snapshot Data Mover

Topics:

Overview of transparent snapshots for virtual machine protection

VIB installation monitoring and management

Transparent snapshot data mover system requirements

Prerequisites to virtual machine protection with the Transparent Snapshot Data Mover

Virtual machine transparent snapshot unsupported features and limitations

Transparent Snapshot Performance and Scalability

Overview of transparent snapshots for virtual machine protection

The transparent snapshot data mover (TSDM) is a new protection mechanism in PowerProtect Data Manager 19.9 and later designed to replace the VMware vStorage API for Data Protection (VADP) protection mechanism for crash-consistent virtual machine protection.

The advantages of using the TSDM protection mechanism for virtual machine data protection include the following:

Eliminates the latency and performance impact on the production virtual machine during the protection policy life cycle.

Reduces the CPU, storage, and memory consumption required for backups. After the initial full backup, only incremental backups using the immediate previous snapshot will be performed.

An external VM Direct Engine is not required. The VM Direct Engine embedded with PowerProtect Data Manager is sufficient.

Automatic scaling.

VIB installation monitoring and management

The vSphere Installation Bundle (VIB) is a software package that is bundled with the PowerProtect Data Manager OVA and update package. The VIB is installed automatically on a vSphere ESXi host during a PowerProtect Data Manager 19.9 and later deployment or update, and is required to enable the transparent snapshot data mover (TSDM) for virtual machines.

An entry for the job Performing Host Configuration (vib_install) appears in the PowerProtect Data Manager UI during the VIB installation. During the installation, information for the vCenter and ESXi host is detected to verify that the supported versions are installed.

You can use the Transparent Snapshot Data Movers tab in the Protection Engines window of the PowerProtect Data Manager UI to monitor and manage the installation of the VIB. This window provides a vCenter hierarchy view which is based on the asset sources that are enabled in PowerProtect Data Manager. If an ESXi host is not eligible or available for the VIB installation, the status displays as Not Eligible in the Protection Engines window.

During the creation of a crash-consistent virtual machine protection policy, the VIB is deployed automatically on the vSphere cluster being protected. If all requirements are met, TSDM is used as the default protection mechanism instead of VADP. If crash-consistent policies that were created in PowerProtect Data Manager 19.8 and earlier are configured with the following options, these policies can be migrated to use TSDM:

Exclude swap files from backup is off.

Enable guest file system quiescing is off.

You can use the PowerProtect Data Manager UI to apply TSDM as the data mover for virtual machine assets.


Transparent snapshot data mover system requirements

The following software is required to automatically enable use of the Transparent Snapshot Data Mover (TSDM) for virtual machine data protection operations.

NOTE: TSDM for virtual machine protection also requires that the protection policy is a crash-consistent policy, with the quiescing and swap file exclusion options disabled.

Table 11. Software requirements

Software required | Version supported | Notes
vCenter server | 7.0 U3c | vCenter and ESXi 7.0 U3c is the minimum version that is required to use TSDM. Until this version is deployed in the environment, TSDM is not used for virtual machine protection policies.
ESXi server | 7.0 U3c |
PowerProtect Data Manager software | 19.9 and later |

Prerequisites to virtual machine protection with the Transparent Snapshot Data Mover

Review the following recommendations for use of the Transparent Snapshot Data Mover (TSDM) protection mechanism for virtual machine protection.

Additional privileges required for a dedicated vCenter user account to use Transparent Snapshot Data Mover

You can use the vSphere Client to specify the required privileges for the dedicated vCenter user account, or you can use the PowerCLI, which is an interface for managing vSphere.

The following table includes the additional privileges required to use the Transparent Snapshot Data Mover (TSDM) for virtual machine protection operations.

NOTE: For the remaining privileges required for the dedicated vCenter user account, see Specify the required privileges for

a dedicated vCenter user account on page 23.

Table 12. Minimum required vCenter user account privileges

Setting | vCenter 7.0.3 and later required privileges
Datastore | Datastore > Browse datastore; Datastore > Low level file operations
Host | Configuration > Image configuration; Configuration > Security profile and firewall; Configuration > Query patch
System | System > Read
Tasks | Tasks > Create task; Tasks > Update task
vSphere Data Protection | Protection; Recovery

PowerCLI equivalent required privileges:

    $privileges = @(
        'Host.Config.Patch',
        'Host.Config.Image',
        'Host.Config.NetService',
        'Datastore.FileManagement',
        'Datastore.Browse',
        'vSphereDataProtection.Protection',
        'vSphereDataProtection.Recovery',
        'System.Read',
        'Task.Create',
        'Task.Update'
    )

    New-VIRole -Name 'PowerProtect' -Privilege (Get-VIPrivilege -Id $privileges)
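To confirm that an existing role already carries the TSDM privileges from Table 12 before it is assigned to the dedicated vCenter account, the check below compares a role's granted privilege IDs against that list. It is an added example, not Dell code; the function names and the sample role contents are hypothetical, and the live lookup assumes VMware PowerCLI with an open Connect-VIServer session.

```powershell
# Added example (not Dell code). The privilege IDs are the ones listed in
# Table 12; function names and the sample role contents are hypothetical.
$TsdmPrivilegeIds = @(
    'Host.Config.Patch', 'Host.Config.Image', 'Host.Config.NetService',
    'Datastore.FileManagement', 'Datastore.Browse',
    'vSphereDataProtection.Protection', 'vSphereDataProtection.Recovery',
    'System.Read', 'Task.Create', 'Task.Update'
)

function Compare-TsdmRolePrivilege {
    [CmdletBinding()]
    param(
        # Privilege IDs currently granted to the role.
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $GrantedId,
        # Privilege IDs the role must hold.
        [Parameter(Mandatory)] [string[]] $RequiredId
    )
    # An ID that contains whitespace is not a usable identifier; reject it here
    # so a string damaged by copy and paste never reaches vCenter.
    $malformed = @($RequiredId | Where-Object { $_ -match '\s' })
    if ($malformed.Count -gt 0) {
        throw "Malformed privilege ID(s): $($malformed -join ', ')"
    }
    # -notcontains compares strings case-insensitively.
    $missing = @($RequiredId | Where-Object { $GrantedId -notcontains $_ } | Sort-Object)
    [pscustomobject]@{
        Compliant = ($missing.Count -eq 0)
        Missing   = $missing
    }
}

function Get-TsdmRoleReport {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $RoleName)
    # Live lookup: needs PowerCLI and an existing Connect-VIServer session.
    $role    = Get-VIRole -Name $RoleName -ErrorAction Stop
    $granted = @(Get-VIPrivilege -Role $role | Select-Object -ExpandProperty Id)
    Compare-TsdmRolePrivilege -GrantedId $granted -RequiredId $TsdmPrivilegeIds
}

# Constructed sample: a role created before TSDM was in use, so it lacks the
# host and vSphere Data Protection privileges.
$sampleGranted = @(
    'System.Read', 'Task.Create', 'Task.Update',
    'Datastore.Browse', 'Datastore.FileManagement',
    'VirtualMachine.State.CreateSnapshot'
)
$report = Compare-TsdmRolePrivilege -GrantedId $sampleGranted -RequiredId $TsdmPrivilegeIds
$report | Format-List
```

Against a live vCenter, Get-TsdmRoleReport -RoleName 'PowerProtect' produces the same report for the real role, and Set-VIRole -AddPrivilege can grant whatever the Missing property lists.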

Creating VMkernel ports for TSDM

For backup and restore of virtual assets from the ESXi hosts and their respective virtual machines using the Transparent Snapshot Data Mover (TSDM) protection engine, Dell Technologies strongly recommends that you create a dedicated VMkernel port for all ESXi hosts in the cluster to facilitate data transfer.

Before you begin:

● For optimal data transfer between ESXi hosts and protection storage, use the same network subnet that is used for backup storage.
● For each ESXi host in the cluster, it is recommended to use a 10G physical network adapter port for TSDM backup traffic.
● Plan a unique network subnet to use exclusively for TSDM protection engine that does not overlap with any other existing network subnets. This subnet must contain the following:
  ○ An IP address for each VMkernel port in each ESXi host.
  ○ An IP address for each port in protection storage target interfaces.

Complete Create a VMkernel port for a standard vSwitch configuration on page 75 or Create a VMkernel port for a distributed vSwitch configuration on page 75. Use the switch and IPv4 settings recommendations above.
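The subnet planning rules above can be checked before any VMkernel port is created. The following is an added example, not part of the Dell guide: the function name, host and interface names, and all addresses are constructed for illustration.

```python
"""Validate a planned TSDM subnet against the planning rules in this guide.
All addresses and names below are constructed sample values."""
import ipaddress


def check_tsdm_subnet(tsdm_cidr, existing_cidrs, vmkernel_ips, storage_ips):
    """Return a list of problems with the plan; an empty list means it passes.

    vmkernel_ips maps ESXi host name -> planned VMkernel IPv4 address.
    storage_ips maps protection storage interface name -> IPv4 address.
    """
    net = ipaddress.IPv4Network(tsdm_cidr)      # raises if host bits are set
    problems = []

    # Rule 1: the TSDM subnet must not overlap any other existing subnet.
    for cidr in existing_cidrs:
        other = ipaddress.IPv4Network(cidr, strict=False)
        if net.overlaps(other):
            problems.append(f"{net} overlaps existing subnet {other}")

    # Rule 2: every VMkernel port and storage interface needs its own
    # usable address inside the subnet.
    seen = {}
    endpoints = [(f"VMkernel port on {h}", ip) for h, ip in vmkernel_ips.items()]
    endpoints += [(f"storage interface {i}", ip) for i, ip in storage_ips.items()]
    for label, ip in endpoints:
        addr = ipaddress.IPv4Address(ip)
        if addr not in net:
            problems.append(f"{label}: {addr} is outside {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"{label}: {addr} is not a usable host address")
        if addr in seen:
            problems.append(f"{label}: {addr} is already planned for {seen[addr]}")
        seen.setdefault(addr, label)

    # Rule 3: the subnet must be large enough for all endpoints.
    usable = max(net.num_addresses - 2, 0)
    if len(endpoints) > usable:
        problems.append(f"{net} has {usable} usable addresses, {len(endpoints)} needed")
    return problems


# Constructed sample plan: two ESXi hosts and two protection storage ports.
EXISTING = ["10.20.0.0/24", "192.168.50.0/24"]
VMK = {"esx-a": "10.20.30.2", "esx-b": "10.20.30.3"}
STORAGE = {"dd-eth1": "10.20.30.10", "dd-eth2": "10.20.30.11"}

if __name__ == "__main__":
    print(check_tsdm_subnet("10.20.30.0/28", EXISTING, VMK, STORAGE))
    # Same plan, but the range collides with an existing /16 and one storage
    # port was given an address from another subnet.
    bad = check_tsdm_subnet("10.20.30.0/28", EXISTING + ["10.20.0.0/16"], VMK,
                            {"dd-eth1": "10.20.30.10", "dd-eth2": "10.20.31.11"})
    for line in bad:
        print("PROBLEM:", line)
```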

Create a VMkernel port for a standard vSwitch configuration

For each ESXi host in the cluster:

Steps

1. In the vSphere Client, navigate to the ESXi host and select the host.

2. Right-click the host and select Add Networking.

3. Select VMkernel Network Adapter, and then click Next.

4. Create a new switch, or choose an existing one.

When creating a new switch, assign the NIC adapter to Active Adapters.

5. In the Port Properties settings IP settings, select IPv4, and clear all other check boxes under Available services.

6. In the IPv4 settings, specify the VMkernel IPv4 settings.

Create a VMkernel port for a distributed vSwitch configuration

Steps

1. On the vSphere Client home page, click Networking, and then navigate to and select a distributed port group.

2. From the Actions menu, select Add VMkernel Adapters.

3. On the Select hosts page, click Attached hosts, select from the hosts that are associated with the distributed switch, and then click OK.

4. Click Next.

5. On the Configure VMkernel adapter page, select IPv4, and clear all other check boxes under Available services.

6. In the IPv4 settings, specify the VMkernel IPv4 settings.


Virtual machine transparent snapshot unsupported features and limitations

Review the following unsupported features and limitations for the transparent snapshot data mover (TSDM) in PowerProtect Data Manager.

Unsupported virtual machine platforms and configurations

TSDM virtual machine protection is not supported for the following virtual machines, configurations, and platforms:

● Physical RDMs
● Virtual RDMs
● Encrypted virtual machines
● Fault Tolerant virtual machines
● Azure VMware Solution (AVS) on Microsoft Azure
● Google Cloud VMware Engine (GCVE) on Google Cloud Platform (GCP)
● VMware Cloud (VMC) on Amazon Web Services (AWS)

VADP restore of TSDM backup restores disks as thick-provisioned in some circumstances

If VADP data path is used to restore a virtual machine that was backed up using the TSDM protection mechanism, the disks are restored as thick-provisioned instead of thin-provisioned. PowerProtect Data Manager uses VADP data path for restores in the following circumstances:

● The virtual machine is restored in a vSphere environment running with a version previous to 7.0 U3.
● The virtual machine is restored to an ESXi host that does not have the TSDM vSphere Installation Bundle (VIB) installed.
● The virtual machine is restored directly to the ESXi host, since the vCenter server is not used for a Direct Restore to ESXi.

Virtual Machine Disk (VMDK) limit for virtual machines protected with TSDM

TSDM-based protection supports a maximum of 40 VMDKs per virtual machine. If this limit is exceeded, backups are queued for a longer time, and must be canceled manually.

For virtual machines with more than 40 VMDKs, you can override the protection mechanism at the asset level to use VADP. The section Migrating assets to use the Transparent Snapshot Data Mover on page 31 provides more information.

Size of thin provisioned files created by vSphere during TSDM operations does not reflect the true size written to file system

VMware vSphere creates files that are displayed as two times larger than the VMDK files of the virtual machines that are protected by TSDM. The names of these files end in -flat.ses, and the files are located in the same VMFS volume and directory as the VMDK files of the protected virtual machines.

These are thin-provisioned files and part of normal TSDM operations. To determine the real amount of data that is written to the file system, use the du command.

vMotion of TSDM protected virtual machines

vSphere disables the vMotion migration of virtual machines to an ESXi host version previous to 7.0 U3 when the virtual machine is protected with TSDM. In order to migrate the TSDM protected virtual machine to an ESXi version that does not support TSDM, you must disable the Lightweight Delta (LWD) filter that is attached to the virtual machine during the initial protection policy configuration. To disable the filter, remove the virtual machine from the TSDM protected virtual machine protection policy. Once the virtual machine is removed from the policy, a job is automatically initiated to disable the filter.

Once the vMotion completes, you can re-add the virtual machine to the protection policy. This virtual machine is then protected by the VADP protection mechanism, since the new ESXi/cluster host version is lower than the version required by TSDM.

Removal of managed snapshots required before running virtual machine protection policies

A PowerProtect Data Manager virtual machine protection policy cannot be configured to use the TSDM protection mechanism when the virtual machine contains managed snapshots. Verify that no managed snapshots exist for the virtual machine, and then retry the configuration job from the System Jobs window of the PowerProtect Data Manager UI.

TSDM only available for virtual machine crash-consistent policies

Use of the TSDM protection mechanism is only supported for crash-consistent virtual machine protection policies. Also, the virtual machine crash-consistent policy must have the swap file exclusion and quiescing options disabled.

Transparent Snapshot Performance and Scalability

Review the following information related to performance considerations to scale your environment.

NOTE: As a VMware infrastructure best practice, Dell Technologies recommends spreading the workload across ESXi servers as much as possible. With the Transparent Snapshot Data Mover protection mechanism, you can move backup data in streams from multiple ESXi servers.

Table 13. Scalability limits for the vCenter and ESXi server

Component | Maximum limit
Number of protected virtual machines per ESXi server | Unlimited
Number of protected VMDKs per ESXi server | 1000
Size of VMDK | 64 TB
Transparent Snapshot Data Mover (TSDM) backups | Up to 3000 virtual machine backups, and up to 180 concurrent virtual machine backups.

NOTE: An external VM Direct Engine is not required when using TSDM as the protection mechanism for crash-consistent virtual machine protection. For application consistent and application aware virtual machine protection, add a VM Direct Engine.
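The unsupported configurations listed in the previous section and the limits in Table 13 can be checked together before a protection policy is configured. The following is an added example, not Dell code: the record fields, the sample inventory and the function names are assumptions made for the example, and counting only TSDM-eligible VMs toward the per-host VMDK limit is also an assumption.

```python
"""Pre-flight check of virtual machines against the TSDM limits in this guide.
Inventory records and field names are constructed for the example."""
from collections import Counter
from dataclasses import dataclass, field

MIN_ESXI = (7, 0, 3)                       # 7.0 U3
MAX_VMDKS_PER_VM = 40
MAX_VMDKS_PER_HOST = 1000                  # Table 13
MAX_VMDK_TB = 64                           # Table 13
UNSUPPORTED_PLATFORMS = {"AVS", "GCVE", "VMC"}


@dataclass
class VM:
    name: str
    host: str
    esxi_version: tuple
    vmdk_sizes_tb: list = field(default_factory=list)
    platform: str = "on-prem"
    has_rdm: bool = False                  # physical or virtual RDM
    encrypted: bool = False
    fault_tolerant: bool = False
    managed_snapshots: int = 0
    policy_type: str = "crash-consistent"
    swap_exclusion: bool = False
    quiescing: bool = False


def tsdm_blockers(vm):
    """Return the reasons, per the guide, that this VM cannot use TSDM."""
    reasons = []
    if vm.esxi_version < MIN_ESXI:
        reasons.append("ESXi host is older than 7.0 U3")
    if vm.platform in UNSUPPORTED_PLATFORMS:
        reasons.append(f"platform {vm.platform} is unsupported")
    if vm.has_rdm:
        reasons.append("RDM disks are unsupported")
    if vm.encrypted:
        reasons.append("encrypted virtual machines are unsupported")
    if vm.fault_tolerant:
        reasons.append("Fault Tolerant virtual machines are unsupported")
    if len(vm.vmdk_sizes_tb) > MAX_VMDKS_PER_VM:
        reasons.append(f"{len(vm.vmdk_sizes_tb)} VMDKs exceed the limit of 40")
    if any(size > MAX_VMDK_TB for size in vm.vmdk_sizes_tb):
        reasons.append("a VMDK is larger than 64 TB")
    if vm.managed_snapshots:
        reasons.append("managed snapshots must be removed first")
    if vm.policy_type != "crash-consistent":
        reasons.append("policy is not crash-consistent")
    elif vm.swap_exclusion or vm.quiescing:
        reasons.append("swap file exclusion and quiescing must be disabled")
    return reasons


def review(inventory):
    """Map each VM to its blockers and list hosts over the per-host VMDK limit."""
    per_vm = {vm.name: tsdm_blockers(vm) for vm in inventory}
    vmdks_per_host = Counter()
    for vm in inventory:
        if not per_vm[vm.name]:            # assumption: only eligible VMs count
            vmdks_per_host[vm.host] += len(vm.vmdk_sizes_tb)
    crowded = sorted(h for h, n in vmdks_per_host.items() if n > MAX_VMDKS_PER_HOST)
    return per_vm, crowded


# Constructed sample inventory.
INVENTORY = [
    VM("web01", "esx-a", (7, 0, 3), [0.5, 1.0]),
    VM("db01", "esx-a", (7, 0, 3), [1.0] * 41),
    VM("legacy01", "esx-b", (6, 7, 0), [0.2], managed_snapshots=2),
    VM("sec01", "esx-a", (8, 0, 0), [2.0], encrypted=True, quiescing=True),
    VM("app01", "esx-a", (7, 0, 3), [1.0], policy_type="application-aware"),
]

if __name__ == "__main__":
    results, crowded_hosts = review(INVENTORY)
    for name, reasons in results.items():
        print(name, "eligible for TSDM" if not reasons else "; ".join(reasons))
    print("hosts over the per-host VMDK limit:", crowded_hosts)
```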

Table 14. TSDM maximum concurrent protection operations and memory consumption

Component | Maximum limit | Notes
Number of concurrent virtual machine backups per ESXi host | 10 | The maximum is based on improvements to TSDM performance that result in faster processing of these sessions. Also, a lower number of concurrent streams helps to avoid over-subscription to the ESXi host memory.
Number of concurrent virtual machine restores per ESXi host | 10 |
Concurrent VMDK backups | Up to 28 disks | A full sync uses 29 MB/disk; a delta sync uses 9 MB/disk. 256 MB/9 MB per disk = up to 28 VMDK backups in parallel. For a single virtual machine, as an example, there might be a maximum of four parallel VMDKs per virtual machine during a full sync, and a maximum of 10 parallel VMDKs per virtual machine during a delta sync. NOTE: Depending on the combination of full and delta syncs and their respective memory consumption, 28 parallel VMDK backups is not always possible.
TSDM memory consumption on ESXi host | Up to 768 MB |
TSDM memory consumption on ESXi host for DD streams | Up to 256 MB; up to 28 streams | A full sync uses 29 MB/disk; a delta sync uses 9 MB/disk. 256 MB/9 MB per stream = up to 28 DD streams in parallel. NOTE: Depending on the combination of full and delta syncs and their respective memory consumption, 28 streams is not always possible.


PowerProtect Functionality Within the vSphere Client

Topics:

● PowerProtect functionality within the vSphere Client
● Overview of the PowerProtect plug-in for the vSphere Client
● Overview of VASA and VMware Storage Policy Based Management

PowerProtect functionality within the vSphere Client

The vSphere Client integrates with PowerProtect Data Manager to provide the following functionality:

● PowerProtect portlet: When adding a vCenter server as an asset source in the PowerProtect Data Manager UI, if you enable the vSphere Plugin option, a pane for PowerProtect appears in the vSphere Client. This pane provides a subset of PowerProtect Data Manager functionality, including the ability to perform a manual backup, image-level restore and file-level restore of PowerProtect Data Manager virtual machine protection policies.

● Storage policy association with a PowerProtect Data Manager virtual machine protection policy: vSphere Storage APIs for Storage Awareness (VASA) leverages VMware Storage Policy Based Management (SPBM) to support data protection operations, allowing you to pair SPBM policies that are created in the vSphere Client with protection policies that are created in PowerProtect Data Manager. This association allows you to manage all virtual machine storage and protection requirements in a centralized location (the vSphere Client), instead of requiring multiple user interfaces.

Overview of the PowerProtect plug-in for the vSphere Client

When adding a vCenter server in the PowerProtect Data Manager user interface, if you enable the vSphere Plugin option, a subset of the user-interface functionality becomes available within the vSphere Client.

The PowerProtect Data Manager portlet appears when you select Hosts and Clusters or VMs and Templates in the left pane of the vSphere Client home page, and then select a virtual machine within the datacenter.


Figure 3. PowerProtect portlet in the vSphere Client

NOTE: If you were already logged into the vSphere Client when the vCenter discovery was started in PowerProtect Data Manager, you must log out and log back in to see the PowerProtect Data Manager user interface.

If the virtual assets in the vCenter server have not yet been assigned to a PowerProtect Data Manager protection policy, only the PowerProtect name displays in the portlet. Adding the virtual machine to a protection policy provides additional information, as shown in the following figure.


Figure 4. PowerProtect portlet with protected virtual machine

After you set up a virtual machine protection policy, you can perform the following PowerProtect Data Manager functionality within the vSphere Client:

● View information about protection policies and information about available protection copies.
● Monitor in-progress backup and restore operations for the virtual machine protection policy. You can also view information for successfully completed protection copies that are available for restore.
● Perform a manual backup.
● Perform an image-level restore (Restore to Original, Restore to New, or Instant Access).
● Perform a file-level restore.

Prerequisites for enabling the vSphere Client PowerProtect plug-in

To use the vSphere Client PowerProtect plug-in for backup and restore operations, complete the following tasks in the vSphere Client and the PowerProtect Data Manager UI.

Add the vCenter server: In the PowerProtect Data Manager UI, select Infrastructure > Asset Sources, and select vSphere Plugin to enable the plug-in. Add a VMware vCenter server on page 21 provides information.

Add privileges for the Virtual machine power user group (if you are already an administrator, this task is optional): In the vSphere Client, go to Administration > Roles, select the Virtual Machine power user (PPDM), and then open the Edit Role window.

Add the following PowerProtect Data Manager privileges:

● Backup
● File Level Restore to Original
● Instant Access
● Restore to New
● Restore to Original


Figure 5. PowerProtect privileges added for the virtual-machine power user

NOTE: If you edit the vCenter server in the PowerProtect Data Manager user interface to unregister the vSphere Plugin for PowerProtect Data Manager, these PowerProtect Data Manager privileges are not removed from the user group.

For the virtual asset (virtual machine, cluster, host) and all its child elements, add permissions to the Virtual machine power user group that you enabled with PowerProtect Data Manager privileges. To add these permissions, select the asset in the left pane of the vSphere Client, and then click the Permissions tab.

Add a virtual machine protection policy in the PowerProtect Data Manager user interface Protection > Protection Policies window to schedule a backup of the virtual machines. Add a protection policy for virtual-machine protection on page 34 provides information.

Monitor PowerProtect Data Manager virtual machine protection copies

You can use the Monitor tab in the vSphere Client to view PowerProtect Data Manager protection copies that are available for restore, and monitor in-progress backup and restore operations for the PowerProtect Data Manager virtual machine protection policy.

With a virtual machine selected, in the Monitor tab's navigation pane, select PowerProtect > Protection Copies to view information about completed PowerProtect Data Manager protection policy backups for this virtual machine. This view is the same as the view in the PowerProtect Data Manager UI Infrastructure window. A copy map enables you to view the available protection copies when you click on the storage icon, as described in More options for managing virtual-machine backups on page 42.

To view the status of active backup and restore operations initiated from the PowerProtect Data Manager UI or the vSphere Client, click the arrows icon in the lower right corner of the window to expand the Recent Tasks pane. You can also view this pane from the Summary window.

Manual PowerProtect policy backup in the vSphere Client

You can back up one or more PowerProtect Data Manager virtual machine protection policies at any time by performing a manual backup in the vSphere Client.

Prerequisites

● Ensure that you are logged in to the vSphere Client as an administrator.
● Add the Backup privilege to the Administrator group in the vSphere Client. To add the Backup privilege, complete the following steps:
  1. Select Administration > Roles.
  2. Select Administrator, and then click Privileges in the right pane.
  3. In the PowerProtect Backup section, select Backup.
● Ensure that virtual machine assets have been added to a virtual machine protection policy. You cannot perform manual backups of unprotected virtual machines.

Steps

1. In the left pane of the vSphere Client home page, select Hosts and Clusters or VMs and Templates, and then select a virtual machine within the datacenter. The Summary window displays.

2. Perform a manual backup of a virtual machine protection policy by using one of the following methods:
   ● In the left pane, right-click the virtual machine, and then select PowerProtect > Backup.
   ● Within the PowerProtect portlet, click Backup Now.
   The vSphere Client starts the backup operation. A message appears indicating whether the request was processed successfully.

Results

An entry for the backup job appears in the Jobs > Protection window of the PowerProtect Data Manager UI. To view the status of operations, you can also click the arrows icon in the lower right corner of the window to expand the Recent Tasks pane.

Image-level restore of a PowerProtect backup in the vSphere Client

You can use the vSphere Client PowerProtect plug-in to perform an image-level restore of a PowerProtect Data Manager virtual machine protection policy backup.

About this task

Available image-level restore options in the vSphere Client include:

● Restore to Original: Restore the virtual machine to the original location on the same vCenter server.
● Restore Individual Virtual Disks: Restore selected VMDKs to the original location on the same vCenter server.
● Restore to New: Restore the virtual machine to a new location on the original vCenter server.
● Instant Access: Restore the backup as a live virtual machine to view the backup and then determine whether you want to do a full restore. Instant Access sessions are made available for a default period of 7 days, which can be extended.

Steps

1. In the left pane of the vSphere Client home page, select Hosts and Clusters or VMs and Templates, and then select a virtual machine within the datacenter.

2. In the Summary window, access the backup copy by using one of the following methods:
   ● In the left pane, right-click the virtual machine, and then select PowerProtect > Restore.
   ● Within the PowerProtect portlet, click Restore.

3. On the Select Copy page, for each virtual machine that is listed in the table, select the radio button next to the virtual machine and click Choose Copy. The Choose Copy dialog appears.

NOTE: If you click Next without choosing a copy, the most recent backup copy is used.

4. In the Choose Copy dialog:

a. Select the storage icon to access the backup copies.
b. Choose from one of the available copies that appears in the table.
c. Click OK to close the dialog and return to the Select Copy page.
d. Click Next.

5. On the Purpose page, select from one of the following options:
   ● Restore Entire VMs: Select this option if you want to restore the entire virtual machine.
   ● Restore Individual Virtual Disks: Select this option if you want to restore only specific virtual machine disks (VMDKs).

NOTE: Individual VMDKs can only be restored to the original location.

6. Click Next. If restoring entire virtual machines, the Restore Type page appears. If restoring individual VMDKs, the Select Disks page appears.

7. On the Restore Type page, select from one of the available restore types.

● For Instant Access restore, review the section Instant Access virtual-machine restore on page 63.
● For Restore to New, review the section Restore to a new virtual machine on page 60.
● For Restore to Original, review the section Restore to the original virtual machine on page 57.
● For Restore Individual Virtual Disks, review the section Restore individual virtual disks on page 59.

The wizard updates to display the options specific to the restore type that you selected.

NOTE: Options such as vCenter server, resource pool, and datastore are limited to the logged-in vSphere user's permissions, and are not necessarily the same as a PowerProtect Data Manager administrator.

8. Click Next. The Summary page appears.

9. Review your selections and then click Restore.

Results

An entry for the restore job appears in the Recent Tasks pane of the vSphere Client and in the Restore > Running Sessions window of the PowerProtect Data Manager UI.

Next steps

For Instant Access restores, when the virtual machine is powered on and you select the virtual machine in the left pane of the Summary window, the session information appears within the PowerProtect portlet. If you need extra time for this session, you can click Extend Session and increase session availability by up to 7 days.

File-level restore of a PowerProtect backup in the vSphere Client

You can use the PowerProtect portlet in the vSphere Client to perform a file-level restore of a PowerProtect Data Manager virtual machine protection policy backup.

Prerequisites

Note the following before performing file-level restore in the vSphere Client:

● A minimum vCenter version of 6.7 U1 is required.
● Review the section Supported platform versions for file-level restore for supported platform and operating system versions.
● Review the section File-level restore and SQL restore troubleshooting and limitations on page 135.
● The Dell EMC vProxy Agent, which is installed automatically during file level restore, facilitates the mounting and unmounting of disks and the browsing of files in the destination virtual machine and the backup copy. In order to complete the Dell EMC vProxy Agent installation, on Windows virtual machines the user must be an administrator account, and on Linux virtual machines the user must be the root user account, or a user in the operating system's local sudousers list. The section Dell EMC vProxy Agent for virtual-machine file-level restore on page 132 provides more information.

NOTE:

For file-level restores, you can only restore files:

From a Windows backup to a Windows machine, or from a Linux backup to a Linux machine.

To virtual machines within the same vCenter server.

About this task

Available file-level restore options in the vSphere Client include:

● Restore single or multiple files to the original folder and overwrite the original files within the same virtual machine, or
● Restore single or multiple files to a new folder with a new name within the same virtual machine.


Steps

1. In the left pane of the vSphere Client home page, select Hosts and Clusters or VMs and Templates, and then select a virtual machine within the datacenter. The Summary window displays.

2. Access the backup copy by using one of the following methods:
   ● In the left pane, right-click the virtual machine, and then select PowerProtect > File Level Restore.
   ● Within the PowerProtect portlet, click File Level Restore.

3. On the Select Copy page, for each virtual machine that is listed in the table, select the radio button next to the virtual machine and click Choose Copy.

The Choose Copy dialog appears.

NOTE: If you click Next without choosing a copy, the most recent backup copy is used.

4. In the Choose Copy dialog:

a. Select the storage icon to access the backup copies.
b. Choose from one of the available copies that appears in the table.
c. Click OK to close the dialog and return to the Select Copy page.
d. Click Next.

5. On the Mount Copy page:

a. To initiate the disk mount, type the guest operating system user credentials:

If there are administrator-level credentials associated with the virtual assets or protection policy being restored, specify end-user credentials.

If there are no administrator-level credentials associated with the virtual assets or protection policy being restored, specify administrator credentials. These credentials will be handled as end-user credentials.

b. (Optional) Leave Keep FLR Agent Installed selected when you want the Dell EMC vProxy Agent to remain on the destination virtual machine after the restore completes.

c. (Optional) If you are a local user, select Run with Elevated Privileges to override any User Account Control prompts that appear when restoring to folders. To enable this option, the FLR Agent must be installed by the Administrator.

NOTE: On Windows, the local user must be part of the Administrators group. On Linux, this account requires sudo access and must be able to run vflrcopy without being prompted for a password.

d. Click Start Mount to initiate the disk mount.

If not already installed, the Dell EMC vProxy Agent is installed on the target virtual machine. A progress bar indicates when the mount completes.

NOTE: You cannot browse the contents of the virtual machine backup until the mounting of the destination virtual machine completes successfully.

e. Upon successful mount, click Next.

6. On the Select Files to Recover page:

a. Expand individual folders to browse the original virtual machine backup, and select the objects that you want to restore to the destination virtual machine.

b. Click Next.

NOTE: In the browse view, each directory or hard drive appears twice. Selecting an object from one location selects the object in the duplicate location as well.

7. On the Options page, select from one of the following options:
   ● Restore to Original Folder and Overwrite Original Files: Select this option to restore all selected files to their original location on the original virtual machine.
   ● Restore to an Alternate Folder: Select this option if you want to restore to a new folder in a new location on the original virtual machine.

8. Click Next. If performing the restore to the original virtual machine, the Summary page displays. You can go to the final step. If performing the restore to an alternate location on the original virtual machine, the Restore Location page displays.

9. On the Restore Location page:

a. Browse the folder structure of the virtual machine to select the new folder where you want to restore the objects.
b. Click Next.

10. On the Summary page:


a. Review the information to ensure that the restore details are correct. You can click Edit next to the Restore Location or Files Selected rows to change the information.

b. Click Restore.

Results

An entry for the restore job appears in the Recent Tasks pane of the vSphere Client and in the Restore > Running Sessions window of the PowerProtect Data Manager UI.

Overview of VASA and VMware Storage Policy Based Management

vSphere Storage APIs for Storage Awareness (VASA) is a set of application program interfaces (APIs) that allow arrays to integrate with vCenter for management functionality. Storage Vendor Providers allow the vCenter server to retrieve information from storage arrays, including topology, capabilities (such as native thin provisioning and deduplication), and status. The policy-based management functionality of a VASA provider helps administrators choose the appropriate storage device, and monitors and reports information about existing storage policies.

Starting in vSphere version 7.0 U1, VASA support is extended to Data Protection operations by leveraging VMware Storage Policy Based Management (SPBM). SPBM spans all storage offerings from VMware, allowing policies to provision and manage storage for any virtual machine application. The integration of PowerProtect Data Manager and SPBM allows you to:

● Pair SPBM policies with protection policies, allowing you to meet virtual machine storage and protection requirements within vSphere without requiring the PowerProtect Data Manager UI for data protection operations.
● Add new or existing virtual assets to an SPBM policy. You can also reassign these assets and remove them from the policy.
● View policy compliance status, including data protection policy information.
● Protect virtual machines at scale, allowing you to manage capacity resources and overcome challenges such as capacity planning and different service level requirements.

Enabling VASA and SPBM within the vSphere Client for integration with PowerProtect Data Manager requires you to perform the following:

Register the VASA provider to allow for storage provisioning information flow between PowerProtect Data Manager and the vCenter server.

Select the PowerProtect Data Manager storage awareness provider within the vCenter server storage policy component creation workflow, which exposes the list of available PowerProtect Data Manager virtual machine protection policies.

Assign the PowerProtect Data Manager protection policy to an SPBM policy, which is automatically assigned to virtual machines when they are represented by an instance.

Monitor the status of storage compliancy of the virtual assets protected by these PowerProtect Data Manager policies.

If you replace the default self-signed security certificates for PowerProtect Data Manager with certificates from an approved certificate authority, you must exchange the new security certificates with vCenter. The PowerProtect Data Manager Security Configuration Guide provides instructions.

Register the VASA provider for policy association

The following procedure describes how to register the VASA provider to enable PowerProtect Data Manager communication with the vCenter server and use the provider to enable an association between a virtual machine storage policy and a PowerProtect Data Manager virtual machine protection policy.

Prerequisites

The vSphere version must be a minimum 7.0 U1.

Steps

1. In the vSphere Client, go to Menu > Hosts and Clusters.

2. In the left pane, select the vCenter server, and then select the Configure tab.

3. Under Security, select Storage Providers, and then click + Add. The New Storage Provider dialog appears.

4. On the New Storage Provider dialog:


a. Specify a name for the provider.
b. Specify a URL in the format https://my-ppdm.example.com:9009/vasa/version.xml, where my-ppdm.example.com is the PowerProtect Data Manager fully qualified hostname.
c. Provide PowerProtect Data Manager credentials for a user with the Administrator role, and then click OK.

These credentials are only required for the initial login to perform the registration. Subsequent log-in attempts use certificates.

If the vCenter server does not trust the SSL certificate of the PowerProtect Data Manager server, a prompt appears, asking if you want to accept the certificate as trusted. You can trust this certificate, or alternatively, you can securely obtain a copy of the certificate as a file, and then click Browse within this prompt to select and trust the certificate. The vCenter documentation provides more information.

NOTE: For self-signed or untrusted certificates, an error might appear. You can dismiss and ignore this error.

5. Provide PowerProtect Data Manager administrator level credentials, and then click OK. The dialog updates to indicate that the registration is in progress. If the vCenter server does not trust the SSL certificate of the PowerProtect Data Manager server, a prompt displays to accept the certificate as trusted. You can trust this certificate, or alternatively, you can securely obtain a copy of the certificate as a file, and then click Browse within this prompt to select and trust the certificate. The vCenter documentation provides more information.

NOTE: For self-signed or untrusted certificates, an error might appear. You can ignore this error.

6. When the registration is complete, click OK to exit the New Storage Provider dialog. The Configure tab updates to display the new VASA provider.

Results

You can now use the vSphere Client to create a virtual machine storage policy and associate this policy with an existing PowerProtect Data Manager virtual machine protection policy.

NOTE: If the provider goes offline at any point, you can select the provider in the table and click Rescan to reestablish a connection. Also, if the provider is removed and then readded, any policies that were previously assigned to the provider are restored.
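The registration steps allow either accepting the certificate at the prompt or trusting a copy that was obtained securely as a file. The following is an added example, not part of the Dell guide, of comparing the certificate that the provider URL presents with such a copy before accepting it; the function names are hypothetical and the sample certificates are constructed placeholder bytes, not real certificates.

```python
"""Compare the certificate a VASA endpoint presents with a copy obtained
out of band, before accepting the trust prompt. Sample data is constructed."""
import hashlib
import hmac
import ssl
from urllib.parse import urlsplit

VASA_PATH = "/vasa/version.xml"    # path from the URL format in step 4b
VASA_PORT = 9009                   # port from the URL format in step 4b


def parse_vasa_url(url):
    """Check the URL against the format in step 4b; return (host, port)."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("provider URL must use https")
    if not parts.hostname or parts.port != VASA_PORT or parts.path != VASA_PATH:
        raise ValueError(f"expected https://<fqdn>:{VASA_PORT}{VASA_PATH}")
    if parts.username or parts.query or parts.fragment:
        raise ValueError("provider URL must not carry credentials or parameters")
    return parts.hostname, parts.port


def sha256_fingerprint(pem):
    """Return the colon-separated SHA-256 fingerprint of a PEM certificate."""
    der = ssl.PEM_cert_to_DER_cert(pem.strip())
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_trusted_copy(presented_pem, trusted_pem):
    """True only if the presented certificate is the securely obtained one."""
    return hmac.compare_digest(sha256_fingerprint(presented_pem),
                               sha256_fingerprint(trusted_pem))


def fetch_presented_certificate(url):
    """Fetch, without validating it, the certificate the endpoint presents."""
    host, port = parse_vasa_url(url)
    return ssl.get_server_certificate((host, port))


# Constructed placeholders standing in for PEM files. In practice the trusted
# copy is the file obtained securely and the presented one comes from
# fetch_presented_certificate().
TRUSTED_PEM = ssl.DER_cert_to_PEM_cert(b"constructed bytes standing in for the PPDM certificate")
OTHER_PEM = ssl.DER_cert_to_PEM_cert(b"constructed bytes standing in for an unexpected certificate")

if __name__ == "__main__":
    print(parse_vasa_url("https://my-ppdm.example.com:9009/vasa/version.xml"))
    print("trusted copy:", sha256_fingerprint(TRUSTED_PEM))
    print("same certificate presented:", matches_trusted_copy(TRUSTED_PEM, TRUSTED_PEM))
    print("different certificate presented:", matches_trusted_copy(OTHER_PEM, TRUSTED_PEM))
```

A mismatch means the certificate at the prompt is not the one that was obtained as a file, so it should not be accepted until the difference is explained.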

Add an SPBM policy and associate with a PowerProtect Data Manager virtual machine policy

Use the vSphere Client to create a virtual machine storage policy and associate this policy with an existing PowerProtect Data Manager virtual machine protection policy.

Steps

1. In the vSphere Client, select the vCenter server in the left pane.

2. Go to Menu > Policies and Profiles.

3. In the left pane, select VM Storage Policies, and then click Create in the right pane. The Create VM Storage Policy wizard appears.

4. Provide a name and description that helps identify this policy as a storage policy that you want to associate with a PowerProtect Data Manager protection policy, and then click Next.

5. On the Policy Structure page, select Enable host based rules, and then click Next.

6. On the Host based services page, select the Data Protection tab, and then perform the following:

a. Select Custom.

b. From the Provider list, select DellEMC PowerProtect as the registered provider.

c. From the PPDM Protection Policy list, select an existing PowerProtect Data Manager virtual machine protection policy that you want to associate with this storage policy.

NOTE: Dell Technologies recommends that you use a descriptive name for the PowerProtect Data Manager virtual machine protection policy so that the purpose is easy to identify, since the vSphere Client does not provide policy details within the PowerProtect portlet. If you decide to rename the PowerProtect Data Manager policy at any point, the association is retained since the UUID of the policy is used to create the connection.

d. Click Next.

7. Complete the storage policy details, and click Finish.


Results

The VM Storage Policies window displays the new storage policy in the table. An association is created between the PowerProtect Data Manager policy and the virtual machine storage policy, and the PowerProtect portlet in the vSphere Client updates to display the PowerProtect Data Manager protection policy. You can now perform manual backups and scheduled restores of the virtual assets in this policy.

When you assign the new storage policy to a virtual machine, that virtual machine should automatically be assigned to the associated PowerProtect Data Manager protection policy as well. Also, if you are creating a new virtual machine, you can assign a storage policy to the new virtual machine during this process.

NOTE: You can create separate storage policies for each virtual machine disk, but only the policy that is associated with the virtual machine is used for data protection.

NOTE: If you want to remove a virtual machine from protection, assign the virtual machine to a different policy, or to the Datastore Default policy.

Monitor virtual machine protection policy compliance

You can use the Storage Policies portlet within the vSphere Client to monitor the compliance of virtual assets in PowerProtect Data Manager virtual machine protection policies.

To access the portlet:

- Select the Summary tab, or
- Select the Configure tab, select a virtual machine in the left pane, and then click Policies.

If a virtual asset was unassigned from the policy within PowerProtect Data Manager, the policy displays as Non-compliant.


VMware Cloud (VMC) on Amazon Web Services (AWS)

Topics:

- PowerProtect Data Manager image backup and recovery
- Supported PowerProtect Data Manager and DDVE deployment configurations
- Deployment and configuration best practices and requirements
- Configuring the VMC-on-AWS portal
- Interoperability with PowerProtect Data Manager features
- vCenter server inventory requirements
- Creating a dedicated cloud-based vCenter user account
- Add a VM Direct Engine
- Unsupported operations

PowerProtect Data Manager image backup and recovery

PowerProtect Data Manager provides image backup and restore support for VMware Cloud (VMC) on Amazon Web Services (AWS).

Using PowerProtect Data Manager to protect virtual-machine assets in VMC on AWS is similar to how you protect virtual-machine assets in an on-premises data center. The following sections provide information on network configuration requirements, PowerProtect Data Manager best practices, and unsupported PowerProtect Data Manager operations.

Supported PowerProtect Data Manager and DDVE deployment configurations

In order to protect virtual-machine assets in VMC on AWS, PowerProtect Data Manager and DDVE can be deployed in several ways.

When deploying PowerProtect Data Manager and DDVE, two possible deployment environments are VMware Cloud on AWS (VMC on AWS) and the AWS Marketplace (AWS). The following table describes the supported deployment configurations of the two products:

Table 15. Supported deployment configurations

| PowerProtect Data Manager | DDVE |
| --- | --- |
| VMware Cloud on AWS | VMware Cloud on AWS |
| VMware Cloud on AWS | AWS Marketplace |
| AWS Marketplace | AWS Marketplace |

When deploying PowerProtect Data Manager to VMC on AWS, an Open Virtualization Appliance (OVA) is used. This puts PowerProtect Data Manager into the VMC-on-AWS environment in order to protect the VMware assets. When deploying PowerProtect Data Manager to AWS, a machine image is used. This puts PowerProtect Data Manager into a cloud-marketplace environment, but still allows the VMware assets in the VMC-on-AWS environment to be protected.

For more information about the different deployment types, see the PowerProtect Data Manager Deployment Guide and the PowerProtect Data Manager Amazon Web Services Deployment Guide.


Deployment and configuration best practices and requirements

Deploying and configuring PowerProtect Data Manager, DDVE, and other components in a certain way provides efficient protection of virtual-machine assets.

To perform data protection and disaster recovery tasks in VMC on AWS, consider the following recommendations for the backup infrastructure:

- Deploy PowerProtect Data Manager and DDVE either to VMC on AWS or to AWS.
- Deploy the VM Direct appliance to VMC on AWS.
- Deploy at least one VM Direct appliance for each software-defined data center (SDDC) cluster in the VMC-on-AWS environment.
- When deploying or configuring PowerProtect Data Manager or the VM Direct appliance, ensure that the DNS server IP points to the internal DNS server that is running in vCenter inventory.
- Ensure that the internal DNS server has both forward and reverse lookup entries for all of the required components, such as the PowerProtect Data Manager server, the VM Direct appliance, and the DDVE appliance.
- If using NSX-T, add the vCenter server to PowerProtect Data Manager by using the FQDN.
- If using NSX-V, add the vCenter server to PowerProtect Data Manager by using the public FQDN of the vCenter server.
- When adding the vCenter server to PowerProtect Data Manager, perform one of the following actions:
  - Specify the login credentials for the cloudadmin@vmc.local user.
  - Refer to Creating a dedicated cloud-based vCenter user account on page 91 to create a dedicated cloud-based vCenter user account, and then specify the login credentials for that user.
- You can clone backups to another instance of DDVE running in the same environment as the first instance. This type of deployment enables backup copies to be stored for longer retention, leveraging the AWS network for transferring data at lower latency and cost when compared to the public Internet.
- You can store backups outside of the VMC-on-AWS environment. For example, store backups on an AWS virtual private cloud (VPC). This type of deployment enables efficient data transfer over the fast ENI connection that is used by VMware to communicate with AWS.

Configuring the VMC-on-AWS portal

Domain Name System (DNS) resolution is critical for deployment and configuration of PowerProtect Data Manager, the PowerProtect Data Manager external proxy, and DDVE. All infrastructure components should be resolvable through a fully qualified domain name (FQDN). Resolvable means that components are accessible through both forward (A) and reverse (PTR) lookups.

Ensure that the VMC-on-AWS portal meets the following requirements:

By default, there is no external access to the vCenter server in the software-defined data center (SDDC). You can open access to the vCenter server by configuring a firewall rule. To enable communication to the vCenter public IP address from the SDDC logical network, set the firewall rule in the compute gateway of VMC on AWS. If the firewall rule is not configured in the SDDC, PowerProtect Data Manager does not allow you to add the vCenter server.

The default compute gateway firewall rules prevent all virtual machine traffic from reaching the Internet. To enable the PowerProtect Data Manager virtual machine to connect to the Internet, create a compute gateway firewall rule. This action enables outbound traffic on the logical network to which the PowerProtect Data Manager server virtual machine is connected.

Configure DNS to allow machines in the SDDC to resolve FQDNs to their public IP addresses. If the DNS server is not configured in the SDDC, the PowerProtect Data Manager server does not allow you to add the vCenter server by using the server's public FQDN or IP address.

It is recommended that you deploy the DD system as a virtual appliance. If deploying DDVE to VMC-on-AWS, connect the SDDC to an AWS account during the SDDC creation, and then select a VPC and subnet within that account.

DDVE must be connected to the SDDC through the VMC-on-AWS Elastic Network Interfaces (ENIs). This action allows the SDDC, the services in the VPC, and subnet in the AWS account to communicate without having to route traffic through the Internet gateway.

The same ENI channel is recommended for access to DDVE.

For more information about configuring ENIs, see https://vmc.vmware.com/console/aws-link.

If DDVE is running in VMC-on-AWS, configure the inbound and outbound firewall rules of the compute gateway for DDVE connectivity.


For detailed information on what incoming and outgoing ports need to be opened for the PowerProtect-VM proxy solution, refer to the PowerProtect Data Manager Security Configuration Guide.

If using NSX-T, configure DNS to resolve to the internal IP address of the vCenter server. Navigate to SDDC Management > Settings > vCenter FQDN, and then select the Private vCenter IP address to directly access the management network over the built-in firewall.

Open TCP port 443 of the vCenter and ESXi servers in both the management and compute gateways.

For a VMC-on-AWS environment, open the ESXi server inbound firewall rule with ports 902 and 443 for the PowerProtect-VM proxy solution.

If DDVE is running in VMC-on-AWS, the inbound and outbound firewall rules of the VMC-on-AWS VPC security group are configured to provide connectivity between the SDDC compute gateway and DDVE.

If there is replication between DDVE instances, ensure the following:
- The security group in AWS is configured to allow all inbound traffic from the private IPs of the DDVE instances.
- The DDVE instances can ping each other using their FQDNs.
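The DNS and firewall requirements above can be checked before you add the vCenter server or deploy a protection engine. The following PowerShell script is an added example, not part of the Dell guide: it verifies that each component has a forward (A) record and a reverse (PTR) record that leads back to the same FQDN, and that TCP ports 443 and 902 answer where this section requires them. The function names and every host name are assumptions chosen for illustration.

```powershell
# Added example (not Dell code): preflight check for the DNS and port
# requirements in this section. Run it from a machine on the SDDC logical
# network. All host names are constructed placeholders.

function Test-ForwardReverseDns {
    param([Parameter(Mandatory)][string]$Fqdn)

    $r = [pscustomobject]@{
        Fqdn = $Fqdn; Address = $null; PtrName = $null
        Forward = $false; Reverse = $false
    }
    try {
        # Forward (A) lookup. Only IPv4 answers are considered.
        $ip = [System.Net.Dns]::GetHostAddresses($Fqdn) |
            Where-Object { $_.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork } |
            Select-Object -First 1
        if ($ip) {
            $r.Address = $ip.IPAddressToString
            $r.Forward = $true
            # Reverse (PTR) lookup must return the same FQDN, not just any name.
            $r.PtrName = [System.Net.Dns]::GetHostEntry($ip).HostName
            $r.Reverse = ($r.PtrName.TrimEnd('.') -ieq $Fqdn.TrimEnd('.'))
        }
    } catch {
        # A failed lookup leaves Forward and Reverse at $false.
    }
    $r
}

function Test-TcpPort {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        # Wait() returns $false on timeout and throws when the port is refused.
        $task = $client.ConnectAsync($HostName, $Port)
        return ($task.Wait($TimeoutMs) -and $client.Connected)
    } catch {
        return $false
    } finally {
        $client.Dispose()
    }
}

function Test-BackupInfrastructure {
    param([Parameter(Mandatory)][hashtable[]]$Component)

    foreach ($c in $Component) {
        $dns = Test-ForwardReverseDns -Fqdn $c.Fqdn
        $unreachable = @($c.Ports | Where-Object {
            -not (Test-TcpPort -HostName $c.Fqdn -Port $_)
        })
        [pscustomobject]@{
            Fqdn             = $c.Fqdn
            Address          = $dns.Address
            PtrName          = $dns.PtrName
            Forward          = $dns.Forward
            Reverse          = $dns.Reverse
            UnreachablePorts = $unreachable -join ','
            Ready            = $dns.Forward -and $dns.Reverse -and ($unreachable.Count -eq 0)
        }
    }
}

# Components named in this section. Ports follow the text: 443 on the
# vCenter and ESXi servers, 902 on the ESXi servers.
$components = @(
    @{ Fqdn = 'ppdm.sddc.example.com';       Ports = @() }
    @{ Fqdn = 'vmdirect01.sddc.example.com'; Ports = @() }
    @{ Fqdn = 'ddve.sddc.example.com';       Ports = @() }
    @{ Fqdn = 'vcenter.sddc.example.com';    Ports = @(443) }
    @{ Fqdn = 'esxi01.sddc.example.com';     Ports = @(443, 902) }
)

Test-BackupInfrastructure -Component $components | Format-Table -AutoSize
```

A row with Forward set and Reverse clear means the PTR record is missing or points at a different name, which fails the definition of resolvable given above even though the host answers by name.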

Interoperability with PowerProtect Data Manager features

VMC on AWS has certain restrictions on workloads and resource pools. To ensure proper operation, select the Workload and Compute sections in AWS.

Do not use the following non-accessible areas:

- vSANdatastore datastore
- Management VMs folder in VMs and Templates view
- Mgmt-ResourcePool resource pool in Hosts and Clusters view

vCenter server inventory requirements

In the vCenter server inventory of the SDDC, ensure that the following requirements are met:

An internal DNS name server must be running inside vCenter inventory. This will be referenced by all the workloads running in the SDDC.

The internal DNS server must have Forwarders enabled to access the internet. This action is required to resolve the vCenter server's public FQDN. Forwarders are DNS servers that the server can use to resolve DNS queries for records that the server itself cannot resolve.

Creating a dedicated cloud-based vCenter user account

It is recommended that you set up a separate vCenter user account at the root level of the vCenter hierarchy. This account is strictly dedicated for use with PowerProtect Data Manager and the VM Direct protection engine in cloud-based environments.

Use of a generic user account such as Administrator could make future troubleshooting efforts difficult as it might not be clear which Administrator actions are actually interfacing or communicating with PowerProtect Data Manager. Using a separate vCenter user account ensures maximum clarity if it becomes necessary to examine vCenter logs.

You can specify the credentials for a vCenter user account when you add the vCenter server as an asset source in the user interface. When you add the vCenter server, ensure that you specify a user whose cloud-based role is defined at the vCenter level and not restricted to a lower-level container object in the vSphere object hierarchy.


Specify the required privileges for a dedicated cloud-based vCenter user account

You can use the vSphere Client to specify the required privileges for the dedicated cloud-based vCenter user account, or you can use the PowerCLI, which is an interface for managing vSphere.

The following table includes the privileges required for this user.

NOTE: For the privileges required when administering on-premises PowerProtect Data Manager, see Specify the required privileges for a dedicated vCenter user account on page 23.

Table 16. Minimum required cloud-based vCenter user account privileges

| Setting | vCenter 6.0 and later required privileges |
| --- | --- |
| Alarms | Create alarm; Modify alarm |
| Cryptographic operations | Direct Access (NOTE: This only applies to AVS and GCVE.) |
| Datastore | Allocate space; Browse datastore; Configure datastore; Low level file operations; Remove file |
| Folder | Create folder |
| Global | Cancel task; Log event; Manage custom attributes; Set custom attribute |
| vSphere Tagging | Assign or Unassign vSphere Tag; Assign or Unassign vSphere Tag on Object (NOTE: This only applies to vCenter 7.0 and later.); Create vSphere Tag; Create vSphere Tag Category |
| Network | Assign network |
| Resource | Assign virtual machine to resource pool; Migrate powered off virtual machine; Migrate powered on virtual machine |
| Sessions | Validate session |
| SPBM policy restore | Profile-driven storage view |
| vApp | Export; Import; vApp application configuration |
| Virtual Machine > Change Configuration | Acquire disk lease; Add existing disk; Add new disk; Add or remove device; Advanced configuration; Change CPU count; Change Memory; Change Settings; Change Swapfile placement; Change resource; Configure Host USB device; Configure Raw device; Configure managedby; Extend virtual disk; Modify device settings; Reload from path; Remove disk; Rename; Reset guest information; Set annotation; Toggle disk change tracking; Upgrade virtual machine compatibility |
| Virtual Machine > Edit Inventory | Create new; Register; Remove; Unregister |
| Virtual Machine > Guest operations | Guest operation modifications; Guest operation program execution; Guest operation queries |
| Virtual Machine > Interaction | Configure CD media; Connect devices; Console interaction; Guest operating system management by VIX API; Install VMware Tools; Power off; Power on; Reset |
| Virtual Machine > Provisioning | Allow disk access; Allow read-only disk access; Allow virtual machine download; Mark as template |
| Virtual Machine > Snapshot Management | Create snapshot; Remove snapshot; Revert to snapshot |

PowerCLI equivalent required privileges:

    $privileges = @(
        'System.Anonymous',
        'System.View',
        'System.Read',
        'Alarm.Create',
        'Alarm.Edit',
        'Cryptographer.Access',
        'Datastore.Browse',
        'Datastore.DeleteFile',
        'Datastore.FileManagement',
        'Datastore.AllocateSpace',
        'Datastore.Config',
        'Folder.Create',
        'Global.ManageCustomFields',
        'Global.SetCustomField',
        'Global.LogEvent',
        'Global.CancelTask',
        'InventoryService.Tagging.AttachTag',
        'InventoryService.Tagging.ObjectAttachable',
        'InventoryService.Tagging.CreateTag',
        'InventoryService.Tagging.CreateCategory',
        'Network.Assign',
        'Resource.AssignVMToPool',
        'Resource.HotMigrate',
        'Resource.ColdMigrate',
        'Sessions.ValidateSession',
        'StorageProfile.View',
        'VApp.ApplicationConfig',
        'VApp.Export',
        'VApp.Import',
        'VirtualMachine.Config.Rename',
        'VirtualMachine.Config.Annotation',
        'VirtualMachine.Config.AddExistingDisk',
        'VirtualMachine.Config.AddNewDisk',
        'VirtualMachine.Config.RemoveDisk',
        'VirtualMachine.Config.RawDevice',
        'VirtualMachine.Config.HostUSBDevice',
        'VirtualMachine.Config.CPUCount',
        'VirtualMachine.Config.Memory',
        'VirtualMachine.Config.AddRemoveDevice',
        'VirtualMachine.Config.EditDevice',
        'VirtualMachine.Config.Settings',
        'VirtualMachine.Config.Resource',
        'VirtualMachine.Config.UpgradeVirtualHardware',
        'VirtualMachine.Config.ResetGuestInfo',
        'VirtualMachine.Config.AdvancedConfig',
        'VirtualMachine.Config.DiskLease',
        'VirtualMachine.Config.SwapPlacement',
        'VirtualMachine.Config.DiskExtend',
        'VirtualMachine.Config.ChangeTracking',
        'VirtualMachine.Config.ReloadFromPath',
        'VirtualMachine.Config.ManagedBy',
        'VirtualMachine.GuestOperations.Query',
        'VirtualMachine.GuestOperations.Modify',
        'VirtualMachine.GuestOperations.Execute',
        'VirtualMachine.Interact.PowerOn',
        'VirtualMachine.Interact.PowerOff',
        'VirtualMachine.Interact.Reset',
        'VirtualMachine.Interact.ConsoleInteract',
        'VirtualMachine.Interact.DeviceConnection',
        'VirtualMachine.Interact.SetCDMedia',
        'VirtualMachine.Interact.ToolsInstall',
        'VirtualMachine.Interact.GuestControl',
        'VirtualMachine.Inventory.Create',
        'VirtualMachine.Inventory.Register',
        'VirtualMachine.Inventory.Delete',
        'VirtualMachine.Inventory.Unregister',
        'VirtualMachine.Provisioning.DiskRandomAccess',
        'VirtualMachine.Provisioning.DiskRandomRead',
        'VirtualMachine.Provisioning.GetVmFiles',
        'VirtualMachine.Provisioning.MarkAsTemplate',
        'VirtualMachine.State.CreateSnapshot',
        'VirtualMachine.State.RevertToSnapshot',
        'VirtualMachine.State.RemoveSnapshot'
    )

    New-VIRole -Name 'PowerProtect' -Privilege (Get-VIPrivilege -Id $privileges)
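Once the role exists, it is worth confirming that it still matches Table 16 and that the dedicated account holds it at the root of the vCenter hierarchy, as the previous section requires. The following PowerCLI script is an added example, not part of the Dell guide: it reports privileges that are missing from the role (backups and restores are unsupported without them) and privileges that were added beyond the minimum, and it checks the scope of the permission. The function names, the sample privilege lists, and the account name in the comments are assumptions; `$privileges` is the array defined with Table 16, and a single Connect-VIServer session is assumed.

```powershell
# Added example (not Dell code): audit the dedicated role and its scope.

function Compare-RolePrivilege {
    # Pure comparison, usable without a vCenter connection.
    param(
        [Parameter(Mandatory)][string[]]$Required,
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$Actual
    )
    [pscustomobject]@{
        Missing = @($Required | Where-Object { $_ -notin $Actual }   | Sort-Object)
        Extra   = @($Actual   | Where-Object { $_ -notin $Required } | Sort-Object)
    }
}

function Test-PowerProtectRole {
    # Requires an active PowerCLI session to one vCenter server.
    param(
        [Parameter(Mandatory)][string[]]$Required,
        [Parameter(Mandatory)][string]$Principal,
        [string]$RoleName = 'PowerProtect'
    )
    $role = Get-VIRole -Name $RoleName -ErrorAction Stop
    $diff = Compare-RolePrivilege -Required $Required -Actual $role.PrivilegeList

    # The root folder of the inventory; the role must be granted here and
    # propagate, not be limited to a lower-level container object.
    $root  = Get-Folder -NoRecursion
    $perms = @(Get-VIPermission -Principal $Principal)
    $atRoot = @($perms | Where-Object {
        $_.EntityId -eq $root.Id -and $_.Role -eq $RoleName -and $_.Propagate
    })
    # Any other role held by the same account widens what it can do.
    $otherGrants = @($perms | Where-Object { $_.Role -ne $RoleName } |
        ForEach-Object { "$($_.Role) on $($_.Entity.Name)" })

    [pscustomobject]@{
        Role              = $RoleName
        Principal         = $Principal
        MissingPrivileges = $diff.Missing
        ExtraPrivileges   = $diff.Extra
        GrantedAtRoot     = ($atRoot.Count -gt 0)
        OtherRoleGrants   = $otherGrants
        Compliant         = ($diff.Missing.Count -eq 0) -and
                            ($diff.Extra.Count -eq 0) -and
                            ($atRoot.Count -gt 0)
    }
}

# Offline demonstration on constructed data: one required privilege has been
# dropped from the role and one privilege outside the table has been added.
$sampleRequired = 'Datastore.Browse',
                  'VirtualMachine.State.CreateSnapshot',
                  'VirtualMachine.State.RemoveSnapshot'
$sampleActual   = 'Datastore.Browse',
                  'VirtualMachine.State.CreateSnapshot',
                  'VirtualMachine.Interact.Suspend'
Compare-RolePrivilege -Required $sampleRequired -Actual $sampleActual | Format-List

# Live use (placeholders; the account name is constructed):
#   Connect-VIServer -Server <vcenter-fqdn>
#   Test-PowerProtectRole -Required $privileges -Principal 'VSPHERE.LOCAL\ppdm-svc'
```

Running the check after vCenter upgrades or role edits catches privilege drift before it shows up as a failed backup or as an over-privileged service account.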

Add a VM Direct Engine

Perform the following steps in the Protection Engines window of the PowerProtect Data Manager UI to deploy an external VM Direct Engine, also referred to as a VM proxy. The VM Direct Engine facilitates data movement for virtual-machine protection policies.

Prerequisites

Review the sections Requirements for an external VM Direct Engine on page 26, Transport mode considerations on page 130, and Protection engine limitations on page 26.


If applicable, complete all of the virtual network configuration tasks before you assign any virtual networks. The PowerProtect Data Manager Administration and User Guide provides more information.

About this task

The PowerProtect Data Manager software comes bundled with an embedded VM Direct engine, which is automatically used as a fallback proxy for performing backups and restores when the added external proxies fail or are disabled. It is recommended that you deploy external proxies by adding a VM Direct Engine for the following reasons:

- An external VM Direct Engine for VM proxy backup and recovery can provide improved performance and reduce network bandwidth utilization by using source-side deduplication.
- The embedded VM Direct engine has limited capacity for backup streams.
- The embedded VM Direct engine is not supported for VMC-on-AWS, AVS-on-Azure, or GCVE-on-GCP operations.

NOTE: Cloud-based deployments of PowerProtect Data Manager do not support the configuration of data-traffic routing or VLANs. Skip the Networks Configuration page.

Steps

1. From the left navigation pane, select Infrastructure > Protection Engines.

The Protection Engines window appears.

2. In the VM Direct Engines pane of the Protection Engines window, click Add. The Add Protection Engine wizard displays.

3. On the Protection Engine Configuration page, complete the required fields, which are marked with an asterisk.

- Hostname, Gateway, IP Address, Netmask, and Primary DNS: Note that only IPv4 addresses are supported.
- vCenter to Deploy: If you have added multiple vCenter server instances, select the vCenter server on which to deploy the protection engine.

  NOTE: Ensure that you do not select the internal vCenter server.

- ESX Host/Cluster: Select on which cluster or ESXi host you want to deploy the protection engine.
- Network: Displays all the networks that are available under the selected ESXi Host/Cluster. For virtual networks (VLANs), this network carries Management traffic.
- Data Store: Displays all datastores that are accessible to the selected ESXi Host/Cluster based on ranking (whether the datastores are shared or local), and available capacity (the datastore with the most capacity appearing at the top of the list).

  You can choose the specific datastore on which the protection engine resides, or leave the default selection of to allow PowerProtect Data Manager to determine the best location to host the protection engine.

- Transport Mode: Select Hot Add.
- Supported Protection Type: Select whether this protection engine is intended for Virtual Machine, Kubernetes Tanzu guest cluster, or NAS asset protection.

4. Click Next.

5. Click Next to skip the Networks Configuration page.

6. On the Summary page, review the information and then click Finish.

The protection engine is added to the VM Direct Engines pane. An additional column indicates the engine purpose. Note that it can take several minutes to register the new protection engine in PowerProtect Data Manager. The protection engine also appears in the vSphere Client.

Results

When an external VM Direct Engine is deployed and registered, PowerProtect Data Manager uses this engine instead of the embedded VM Direct engine for any data protection operations that involve virtual machine protection policies. If every external VM Direct Engine is unavailable, PowerProtect Data Manager uses the embedded VM Direct engine as a fallback to perform limited scale backups and restores. If you do not want to use the external VM Direct Engine, you can disable this engine. Additional VM Direct actions on page 28 provides more information.

NOTE: The external VM Direct Engine is always required for VMC-on-AWS, AVS-on-Azure, and GCVE-on-GCP operations. If no external VM Direct Engine is available for these solutions, data protection operations fail.


Next steps

If the protection engine deployment fails, review the network configuration of PowerProtect Data Manager in the System Settings window to correct any inconsistencies in network properties. After successfully completing the network reconfiguration, delete the failed protection engine and then add the protection engine in the Protection Engines window.

When configuring the VM Direct Engine in a VMC-on-AWS, AVS-on-Azure, or GCVE-on-GCP environment, if you deploy the VM Direct Engine to the root of the cluster instead of inside the Compute-ResourcePool, you must move the VM Direct Engine inside the Compute-ResourcePool.

Unsupported operations

PowerProtect Data Manager image backup and restore in VMC on AWS does not currently support the following operations:

- PowerProtect Search functionality
- The vSphere Storage Policy Based Management (SPBM) integration with PowerProtect Data Manager
- A VM Direct appliance that is configured with dual-stack or IPv6
- Application-consistent data protection for Microsoft SQL with the VM Direct appliance
- VM Backup and Recovery HTML5 plug-in functionality for vSphere
- Image-based backups and restores that use NBD or the NBDSSL transport mode
- Image-based backups and restores when a datacenter is placed inside a folder in the SDDC
- File-level recoveries of an image-based backup
- Instant-access restores of an image-based backup
- Emergency restores of an image-based restore directly to an ESXi host, bypassing the vCenter server
- Backup and restore operations with anything other than the CloudAdmin role or a customized role that has all of the privileges listed in Specify the required privileges for a dedicated cloud-based vCenter user account on page 92
- Backup and restore operations for virtual machine protection policies that use the Transparent Snapshot Data Mover (TSDM) protection mechanism.

NOTE: If protecting virtual-machine assets with a PowerProtect Data Manager machine image deployed to AWS, Cloud Disaster Recovery (Cloud DR) and Search Clusters are also unsupported.


Azure VMware Solution (AVS) on Microsoft Azure

Topics:

- PowerProtect Data Manager image backup and recovery
- Supported PowerProtect Data Manager and DDVE deployment configurations
- Deployment and configuration best practices and requirements
- Configuring the AVS-on-Azure portal
- vCenter server inventory requirements
- Creating a dedicated cloud-based vCenter user account
- Add a VM Direct Engine
- Unsupported operations

PowerProtect Data Manager image backup and recovery

PowerProtect Data Manager provides image backup and restore support for Azure VMware Solution (AVS) on Microsoft Azure.

Using PowerProtect Data Manager to protect virtual-machine assets in AVS on Azure is similar to how you protect virtual-machine assets in an on-premises data center. This section provides information on network configuration requirements, PowerProtect Data Manager best practices, and unsupported PowerProtect Data Manager operations.

Supported PowerProtect Data Manager and DDVE deployment configurations

In order to protect virtual-machine assets in AVS on Azure, PowerProtect Data Manager and DDVE can be deployed in a couple of ways.

When deploying PowerProtect Data Manager and DDVE, two possible deployment environments are Azure VMware Solution (AVS on Azure) and the Azure Marketplace (Azure). The following table describes the supported deployment configurations of the two products:

Table 17. Supported deployment configurations

| PowerProtect Data Manager | DDVE |
| --- | --- |
| Azure VMware Solution | Azure Marketplace |
| Azure Marketplace | Azure Marketplace |

When deploying PowerProtect Data Manager to AVS on Azure, an Open Virtualization Appliance (OVA) is used. This puts PowerProtect Data Manager into the AVS-on-Azure environment in order to protect the VMware assets. When deploying PowerProtect Data Manager to Azure, a machine image is used. This puts PowerProtect Data Manager into a cloud-marketplace environment, but still allows the VMware assets in the AVS-on-Azure environment to be protected.

For more information about the different deployment types, see the PowerProtect Data Manager Deployment Guide and the PowerProtect Data Manager Azure Deployment Guide.


Deployment and configuration best practices and requirements

Deploying and configuring PowerProtect Data Manager, DDVE, and other components in a certain way provides efficient protection of virtual-machine assets.

To perform data protection and disaster recovery tasks in AVS on Azure, consider the following recommendations and requirements for the backup infrastructure:

- Deploy PowerProtect Data Manager either to AVS on Azure or to Azure.
- Deploy DDVE to Azure.
- Deploy the VM Direct appliance to AVS on Azure.
- Deploy at least one VM Direct appliance for each software-defined data center (SDDC) cluster in the AVS-on-Azure environment.
- When deploying or configuring PowerProtect Data Manager or the VM Direct appliance, ensure that the DNS server IP points to the internal DNS server that is running in vCenter inventory.
- Ensure that the internal DNS server has both forward and reverse lookup entries for all of the required components, such as the PowerProtect Data Manager server, the VM Direct appliance, and DDVE.
- If using NSX-T, add the vCenter server to PowerProtect Data Manager by using the FQDN.
- If using NSX-V, add the vCenter server to PowerProtect Data Manager by using the public FQDN of the vCenter server.
- When adding the vCenter server to PowerProtect Data Manager, perform one of the following actions:
  - Specify the login credentials for the cloudadmin@vsphere.local user.
  - Refer to Creating a dedicated cloud-based vCenter user account on page 91 to create a dedicated cloud-based vCenter user account, and then specify the login credentials for that user.
- You can clone backups to another instance of DDVE running in Azure. This type of deployment enables backup copies to be stored for longer retention, leveraging the Azure network for transferring data at lower latency and cost when compared to the public Internet.

Configuring the AVS-on-Azure portal

Domain Name System (DNS) resolution is critical for deployment and configuration of PowerProtect Data Manager, the PowerProtect Data Manager external proxy, and the DDVE appliance. All infrastructure components should be resolvable through a fully qualified domain name (FQDN). Resolvable means that components are accessible through both forward (A) and reverse (PTR) lookups.

Ensure that the AVS-on-Azure portal meets the following requirements:

If you have deployed a PowerProtect Data Manager OVA to AVS on Azure or a PowerProtect Data Manager machine image to Azure, it is configured to use a custom DNS server.

NOTE: If you have already deployed PowerProtect Data Manager without a custom DNS server, you will have to redeploy it. For more information, see the PowerProtect Data Manager Deployment Guide or the PowerProtect Data Manager Azure Deployment Guide.

Forward and reverse DNS lookups exist for PowerProtect Data Manager, vCenter, DDVE, ESXi, and each VM Direct Engine.

DNS is configured to allow machines in the SDDC to resolve FQDNs to their IP addresses.

DDVE is running in Azure.

If you have more than one DDVE instance running in Azure to perform replication, the DDVE instances have the ability to ping each other using their FQDNs.

NOTE: DDVE running in AVS-on-Azure is not supported.

DDVE has DNS entries for PowerProtect Data Manager and each VM Direct Engine.

SDDC is connected to an Azure account, and an Azure cloud and subnet within that account is selected.

Any DDVE instance on Azure is connected to the SDDC through a Vnet. This action allows the SDDC, the services in the Azure cloud, and subnets in the Azure account to communicate without having to route traffic through the Internet gateway.

For an AVS-on-Azure environment, open the ESXi server inbound firewall rule with ports 902 and 443 for the PowerProtect-VM proxy solution.

The same Vnets are recommended for access to DDVE instances. For more information about configuring Vnets, see About Virtual Network.


vCenter server inventory requirements

In the vCenter server inventory of the SDDC, ensure that the following requirements are met:

An internal DNS name server must be running inside vCenter inventory. This will be referenced by all the workloads running in the SDDC.

The internal DNS server must have Forwarders enabled to access the internet. This action is required to resolve the vCenter server's public FQDN. Forwarders are DNS servers that the server can use to resolve DNS queries for records that the server itself cannot resolve.

Creating a dedicated cloud-based vCenter user account

It is recommended that you set up a separate vCenter user account at the root level of the vCenter hierarchy. This account is strictly dedicated for use with PowerProtect Data Manager and the VM Direct protection engine in cloud-based environments.

Use of a generic user account such as Administrator could make future troubleshooting efforts difficult as it might not be clear which Administrator actions are actually interfacing or communicating with PowerProtect Data Manager. Using a separate vCenter user account ensures maximum clarity if it becomes necessary to examine vCenter logs.

You can specify the credentials for a vCenter user account when you add the vCenter server as an asset source in the user interface. When you add the vCenter server, ensure that you specify a user whose cloud-based role is defined at the vCenter level and not restricted to a lower-level container object in the vSphere object hierarchy.

Specify the required privileges for a dedicated cloud-based vCenter user account

You can use the vSphere Client to specify the required privileges for the dedicated cloud-based vCenter user account, or you can use the PowerCLI, which is an interface for managing vSphere.

The following table includes the privileges required for this user.

NOTE: For the privileges required when administering on-premises PowerProtect Data Manager, see Specify the required privileges for a dedicated vCenter user account on page 23.

Table 18. Minimum required cloud-based vCenter user account privileges

Setting | vCenter 6.0 and later required privileges
Alarms | Create alarm; Modify alarm
Cryptographic operations | Direct Access (NOTE: This only applies to AVS and GCVE.)
Datastore | Allocate space; Browse datastore; Configure datastore; Low level file operations; Remove file
Folder | Create folder
Global | Cancel task; Log event; Manage custom attributes; Set custom attribute
vSphere Tagging | Assign or Unassign vSphere Tag; Assign or Unassign vSphere Tag on Object (NOTE: This only applies to vCenter 7.0 and later.); Create vSphere Tag; Create vSphere Tag Category
Network | Assign network
Resource | Assign virtual machine to resource pool; Migrate powered off virtual machine; Migrate powered on virtual machine
Sessions | Validate session
SPBM policy restore | Profile-driven storage view
vApp | Export; Import; vApp application configuration
Virtual Machine: Change Configuration | Acquire disk lease; Add existing disk; Add new disk; Add or remove device; Advanced configuration; Change CPU count; Change Memory; Change Settings; Change Swapfile placement; Change resource; Configure Host USB device; Configure Raw device; Configure managedby; Extend virtual disk; Modify device settings; Reload from path; Remove disk; Rename; Reset guest information; Set annotation; Toggle disk change tracking; Upgrade virtual machine compatibility
Virtual Machine: Edit Inventory | Create new; Register; Remove; Unregister
Virtual Machine: Guest operations | Guest operation modifications; Guest operation program execution; Guest operation queries
Virtual Machine: Interaction | Configure CD media; Connect devices; Console interaction; Guest operating system management by VIX API; Install VMware Tools; Power off; Power on; Reset
Virtual Machine: Provisioning | Allow disk access; Allow read-only disk access; Allow virtual machine download; Mark as template
Virtual Machine: Snapshot Management | Create snapshot; Remove snapshot; Revert to snapshot

PowerCLI equivalent required privileges:

# Privilege IDs required by the dedicated cloud-based vCenter user account
$privileges = @(
    'System.Anonymous',
    'System.View',
    'System.Read',
    'Alarm.Create',
    'Alarm.Edit',
    'Cryptographer.Access',
    'Datastore.Browse',
    'Datastore.DeleteFile',
    'Datastore.FileManagement',
    'Datastore.AllocateSpace',
    'Datastore.Config',
    'Folder.Create',
    'Global.ManageCustomFields',
    'Global.SetCustomField',
    'Global.LogEvent',
    'Global.CancelTask',
    'InventoryService.Tagging.AttachTag',
    'InventoryService.Tagging.ObjectAttachable',
    'InventoryService.Tagging.CreateTag',
    'InventoryService.Tagging.CreateCategory',
    'Network.Assign',
    'Resource.AssignVMToPool',
    'Resource.HotMigrate',
    'Resource.ColdMigrate',
    'Sessions.ValidateSession',
    'StorageProfile.View',
    'VApp.ApplicationConfig',
    'VApp.Export',
    'VApp.Import',
    'VirtualMachine.Config.Rename',
    'VirtualMachine.Config.Annotation',
    'VirtualMachine.Config.AddExistingDisk',
    'VirtualMachine.Config.AddNewDisk',
    'VirtualMachine.Config.RemoveDisk',
    'VirtualMachine.Config.RawDevice',
    'VirtualMachine.Config.HostUSBDevice',
    'VirtualMachine.Config.CPUCount',
    'VirtualMachine.Config.Memory',
    'VirtualMachine.Config.AddRemoveDevice',
    'VirtualMachine.Config.EditDevice',
    'VirtualMachine.Config.Settings',
    'VirtualMachine.Config.Resource',
    'VirtualMachine.Config.UpgradeVirtualHardware',
    'VirtualMachine.Config.ResetGuestInfo',
    'VirtualMachine.Config.AdvancedConfig',
    'VirtualMachine.Config.DiskLease',
    'VirtualMachine.Config.SwapPlacement',
    'VirtualMachine.Config.DiskExtend',
    'VirtualMachine.Config.ChangeTracking',
    'VirtualMachine.Config.ReloadFromPath',
    'VirtualMachine.Config.ManagedBy',
    'VirtualMachine.GuestOperations.Query',
    'VirtualMachine.GuestOperations.Modify',
    'VirtualMachine.GuestOperations.Execute',
    'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.Reset',
    'VirtualMachine.Interact.ConsoleInteract',
    'VirtualMachine.Interact.DeviceConnection',
    'VirtualMachine.Interact.SetCDMedia',
    'VirtualMachine.Interact.ToolsInstall',
    'VirtualMachine.Interact.GuestControl',
    'VirtualMachine.Inventory.Create',
    'VirtualMachine.Inventory.Register',
    'VirtualMachine.Inventory.Delete',
    'VirtualMachine.Inventory.Unregister',
    'VirtualMachine.Provisioning.DiskRandomAccess',
    'VirtualMachine.Provisioning.DiskRandomRead',
    'VirtualMachine.Provisioning.GetVmFiles',
    'VirtualMachine.Provisioning.MarkAsTemplate',
    'VirtualMachine.State.CreateSnapshot',
    'VirtualMachine.State.RevertToSnapshot',
    'VirtualMachine.State.RemoveSnapshot'
)

# Create the role from those privilege IDs
New-VIRole -Name 'PowerProtect' -Privilege (Get-VIPrivilege -Id $privileges)

Add a VM Direct Engine

Perform the following steps in the Protection Engines window of the PowerProtect Data Manager UI to deploy an external VM Direct Engine, also referred to as a VM proxy. The VM Direct Engine facilitates data movement for virtual-machine protection policies.

Prerequisites

Review the sections Requirements for an external VM Direct Engine on page 26, Transport mode considerations on page 130, and Protection engine limitations on page 26.

If applicable, complete all of the virtual network configuration tasks before you assign any virtual networks. The PowerProtect Data Manager Administration and User Guide provides more information.

About this task

The PowerProtect Data Manager software comes bundled with an embedded VM Direct engine, which is automatically used as a fallback proxy for performing backups and restores when the added external proxies fail or are disabled. It is recommended that you deploy external proxies by adding a VM Direct Engine for the following reasons:

An external VM Direct Engine for VM proxy backup and recovery can provide improved performance and reduce network bandwidth utilization by using source-side deduplication.

The embedded VM Direct engine has limited capacity for backup streams.

The embedded VM Direct engine is not supported for VMC-on-AWS, AVS-on-Azure, or GCVE-on-GCP operations.

NOTE: Cloud-based deployments of PowerProtect Data Manager do not support the configuration of data-traffic routing or VLANs. Skip the Networks Configuration page.

Steps

1. From the left navigation pane, select Infrastructure > Protection Engines.

The Protection Engines window appears.

2. In the VM Direct Engines pane of the Protection Engines window, click Add. The Add Protection Engine wizard displays.

3. On the Protection Engine Configuration page, complete the required fields, which are marked with an asterisk.

Hostname, Gateway, IP Address, Netmask, and Primary DNS: Note that only IPv4 addresses are supported.

vCenter to Deploy: If you have added multiple vCenter server instances, select the vCenter server on which to deploy the protection engine.

NOTE: Ensure that you do not select the internal vCenter server.

ESX Host/Cluster: Select on which cluster or ESXi host you want to deploy the protection engine.

Network: Displays all the networks that are available under the selected ESXi Host/Cluster. For virtual networks (VLANs), this network carries Management traffic.

Data Store: Displays all datastores that are accessible to the selected ESXi Host/Cluster based on ranking (whether the datastores are shared or local), and available capacity (the datastore with the most capacity appearing at the top of the list).

You can choose the specific datastore on which the protection engine resides, or leave the default selection of to allow PowerProtect Data Manager to determine the best location to host the protection engine.

Transport Mode: Select Hot Add.

Supported Protection Type: Select whether this protection engine is intended for Virtual Machine, Kubernetes Tanzu guest cluster, or NAS asset protection.

4. Click Next.

5. Click Next to skip the Networks Configuration page.

6. On the Summary page, review the information and then click Finish.

The protection engine is added to the VM Direct Engines pane. An additional column indicates the engine purpose. Note that it can take several minutes to register the new protection engine in PowerProtect Data Manager. The protection engine also appears in the vSphere Client.

Results

When an external VM Direct Engine is deployed and registered, PowerProtect Data Manager uses this engine instead of the embedded VM Direct engine for any data protection operations that involve virtual machine protection policies. If every external VM Direct Engine is unavailable, PowerProtect Data Manager uses the embedded VM Direct engine as a fallback to perform limited scale backups and restores. If you do not want to use the external VM Direct Engine, you can disable this engine. Additional VM Direct actions on page 28 provides more information.

NOTE: The external VM Direct Engine is always required for VMC-on-AWS, AVS-on-Azure, and GCVE-on-GCP operations. If no external VM Direct Engine is available for these solutions, data protection operations fail.

Next steps

If the protection engine deployment fails, review the network configuration of PowerProtect Data Manager in the System Settings window to correct any inconsistencies in network properties. After successfully completing the network reconfiguration, delete the failed protection engine and then add the protection engine in the Protection Engines window.

When configuring the VM Direct Engine in a VMC-on-AWS, AVS-on-Azure, or GCVE-on-GCP environment, if you deploy the VM Direct Engine to the root of the cluster instead of inside the Compute-ResourcePool, you must move the VM Direct Engine inside the Compute-ResourcePool.

Unsupported operations

PowerProtect Data Manager image backup and restore in AVS on Azure does not currently support the following operations:

PowerProtect Search functionality

The vSphere Storage Policy Based Management (SPBM) integration with PowerProtect Data Manager

A VM Direct appliance that is configured with dual-stack or IPv6

Application-consistent data protection for Microsoft SQL with the VM Direct appliance

VM Backup and Recovery HTML5 plug-in functionality for vSphere

Image-based backups and restores that use NBD or the NBDSSL transport mode

Image-based backups and restores when a datacenter is placed inside a folder in the SDDC

File-level recoveries of an image-based backup

Instant-access restores of an image-based backup

Emergency restores of an image-based restore directly to an ESXi host, bypassing the vCenter server

Backup and restore operations with anything other than the CloudAdmin role or a customized role that has all of the privileges listed in Specify the required privileges for a dedicated cloud-based vCenter user account on page 92

Backup and restore operations for virtual machine protection policies that use the Transparent Snapshot Data Mover (TSDM) protection mechanism.

NOTE: If protecting virtual-machine assets with a PowerProtect Data Manager machine image deployed to Azure, Cloud Disaster Recovery (Cloud DR), Search Clusters, and Microsoft Exchange Server are also unsupported.


Google Cloud VMware Engine (GCVE) on Google Cloud Platform (GCP)

Topics:

PowerProtect Data Manager image backup and recovery
Supported PowerProtect Data Manager and DDVE deployment configurations
Deployment and configuration best practices and requirements
Configuring the GCVE-on-GCP portal
vCenter server inventory requirements
Creating a dedicated cloud-based vCenter user account
Add a VM Direct Engine
Unsupported operations

PowerProtect Data Manager image backup and recovery

PowerProtect Data Manager provides image backup and restore support for Google Cloud VMware Engine (GCVE) on Google Cloud Platform (GCP).

Using PowerProtect Data Manager to protect virtual-machine assets in GCVE on GCP is similar to how you protect virtual-machine assets in an on-premises data center. The following sections provide information on network configuration requirements, PowerProtect Data Manager best practices, and unsupported PowerProtect Data Manager operations.

Supported PowerProtect Data Manager and DDVE deployment configurations

In order to protect virtual-machine assets in GCVE on GCP, PowerProtect Data Manager and DDVE can be deployed in a couple of ways.

When deploying PowerProtect Data Manager and DDVE, two possible deployment environments are Google Cloud VMware Engine (GCVE on GCP) and the Google Cloud Marketplace (GCP). The following table describes the supported deployment configurations of the two products:

Table 19. Supported deployment configurations

PowerProtect Data Manager | DDVE
Google Cloud VMware Engine | Google Cloud Marketplace
Google Cloud Marketplace | Google Cloud Marketplace

When deploying PowerProtect Data Manager to GCVE on GCP, an Open Virtualization Appliance (OVA) is used. This puts PowerProtect Data Manager into the GCVE-on-GCP environment in order to protect the VMware assets. When deploying PowerProtect Data Manager to GCP, a machine image is used. This puts PowerProtect Data Manager into a cloud-marketplace environment, but still allows the VMware assets in the GCVE-on-GCP environment to be protected.

For more information about the different deployment types, see the PowerProtect Data Manager Deployment Guide and the PowerProtect Data Manager Google Cloud Platform Deployment Guide.


Deployment and configuration best practices and requirements

For GCVE-on-GCP support, ensure that the following requirements are met:

To perform data protection and disaster recovery tasks in GCVE on GCP, consider the following recommendations and requirements for the backup infrastructure deployment:

Deploy PowerProtect Data Manager either to GCVE on GCP or to GCP.

Deploy DDVE to GCP.

Deploy the VM Direct appliance in a GCVE-on-GCP environment.

Deploy at least one VM Direct appliance for each software-defined data center (SDDC) cluster in GCVE on GCP.

When deploying or configuring PowerProtect Data Manager or the VM Direct appliance, ensure that the DNS server IP points to the internal DNS server that is running in vCenter inventory.

Ensure that the internal DNS server has both forward and reverse lookup entries for all of the required components, such as the PowerProtect Data Manager server, the VM Direct appliance, and DDVE.

If using NSX-T, add the vCenter server to PowerProtect Data Manager by using the FQDN.

If using NSX-V, add the vCenter server to PowerProtect Data Manager by using the public FQDN of the vCenter server.

When adding the vCenter server to PowerProtect Data Manager, perform one of the following actions:

    Specify the login credentials for the CloudOwner@gve.local user.

    Refer to the following section to create a dedicated cloud-based vCenter user account, and then specify the login credentials for that user.

You can clone backups to another DDVE instance running in GCP. This type of deployment enables backup copies to be stored for longer retention, leveraging the GCP network for transferring data at lower latency and cost when compared to the public Internet.

Configuring the GCVE-on-GCP portal

Domain Name System (DNS) resolution is critical for deployment and configuration of PowerProtect Data Manager, the PowerProtect Data Manager external proxy, and DDVE. All infrastructure components should be resolvable through a fully qualified domain name (FQDN). Resolvable means that components are accessible through both forward (A) and reverse (PTR) lookups.

Ensure that the GCVE-on-GCP portal meets the following requirements:

If you have deployed a PowerProtect Data Manager OVA to GCVE on GCP or a PowerProtect Data Manager machine image to GCP, it is configured to use a custom DNS server.

NOTE: If you have already deployed PowerProtect Data Manager without a custom DNS server, you will have to redeploy it. For more information, see the PowerProtect Data Manager Deployment Guide or the PowerProtect Data Manager Google Cloud Platform Deployment Guide.

Forward and reverse DNS lookups exist for PowerProtect Data Manager, vCenter, DDVE, ESXi, and each VM Direct Engine.

DNS is configured to allow machines in the SDDC to resolve FQDNs to their IP addresses.

DDVE is running in GCP. If you have more than one DDVE instance running in GCP to perform replication, both DDVE instances have the ability to ping each other using their FQDNs.

NOTE: DDVE running in GCVE on GCP is not supported.

DDVE has DNS entries for PowerProtect Data Manager and each VM Direct Engine.

SDDC is connected to a Google account, and a Google cloud and subnet within that account is selected.

Any DDVE instance running in GCP is connected to the SDDC through a Vnet. This action allows the SDDC, the services in GCP, and subnets in GCP to communicate without having to route traffic through the Internet gateway.

For a GCVE-on-GCP environment, open the ESXi server inbound firewall rule with ports 902 and 443 for the PowerProtect-VM proxy solution.

The same Vnet is recommended for access to DDVE instances. For more information about configuring Vnets, see About Virtual Network.
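The forward (A) and reverse (PTR) requirement above, which the AVS-on-Azure portal section states in the same terms, can be checked before deployment. The following PowerShell function is an added example and is not part of the Dell guide; the function name, host names, and addresses are constructed placeholders.

```powershell
# Added example: verify that each component resolves forward (A) and that every
# returned IPv4 address resolves back (PTR) to the same FQDN.
# The default resolvers use the operating system resolver, so local hosts-file
# entries can influence the result.
function Test-ForwardReverseDns {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Fqdn,
        # Resolver hooks; override them to test against known data offline.
        [scriptblock] $Forward = {
            param($name)
            [System.Net.Dns]::GetHostAddresses($name) |
                Where-Object AddressFamily -eq 'InterNetwork' |   # IPv4 only, as the guide requires
                ForEach-Object IPAddressToString
        },
        [scriptblock] $Reverse = {
            param($address)
            [System.Net.Dns]::GetHostEntry($address).HostName
        }
    )

    foreach ($name in $Fqdn) {
        $want = $name.TrimEnd('.')
        try   { $addresses = @(& $Forward $want | Where-Object { $_ }) }
        catch { $addresses = @() }

        if ($addresses.Count -eq 0) {
            [pscustomobject]@{ Fqdn = $want; Address = $null; Ptr = $null; Status = 'NoARecord' }
            continue
        }

        foreach ($address in $addresses) {
            try   { $ptrName = [string](& $Reverse $address) }
            catch { $ptrName = '' }

            $status = if (-not $ptrName) { 'NoPtrRecord' }
                      elseif ($ptrName.TrimEnd('.') -ieq $want) { 'Ok' }
                      else { 'PtrMismatch' }

            [pscustomobject]@{ Fqdn = $want; Address = $address; Ptr = $ptrName; Status = $status }
        }
    }
}

# Constructed sample data (placeholder names, documentation address range).
$sampleForward = @{
    'ppdm.sddc.example'      = '192.0.2.10'
    'ddve.sddc.example'      = '192.0.2.20'
    'vmdirect1.sddc.example' = '192.0.2.30'
}
$sampleReverse = @{
    '192.0.2.10' = 'ppdm.sddc.example'
    '192.0.2.20' = 'ddve-old.sddc.example'   # stale PTR record
}

Test-ForwardReverseDns `
    -Fqdn 'ppdm.sddc.example', 'ddve.sddc.example', 'vmdirect1.sddc.example', 'esxi1.sddc.example' `
    -Forward { param($name) $sampleForward[$name] } `
    -Reverse { param($address) $sampleReverse[$address] } |
    Format-Table -AutoSize
```

Omit the `-Forward` and `-Reverse` arguments to query the resolver that the machine is actually configured with, and run the check from inside the SDDC so that it exercises the internal DNS server.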


vCenter server inventory requirements

In the vCenter server inventory of the SDDC, ensure that the following requirements are met:

An internal DNS name server must be running inside vCenter inventory. This will be referenced by all the workloads running in the SDDC.

The internal DNS server must have Forwarders enabled to access the internet. This action is required to resolve the vCenter server's public FQDN. Forwarders are DNS servers that the server can use to resolve DNS queries for records that the server itself cannot resolve.

Discovering asset sources in a GCVE environment

There are special discovery considerations in a GCVE environment. Discovery fails unless GCVE-located vCenter servers have additional permissions.

Ensure that any GCVE-located vCenter server has the following permissions:

The GVE.LOCAL\CloudOwner user is mapped to the Cloud-Owner-Role role at the vCenter level.

The GVE.LOCAL\CloudOwner to Cloud-Owner-Role mapping is not restricted to a lower-level container object in the vSphere object hierarchy.

Creating a dedicated cloud-based vCenter user account

It is recommended that you set up a separate vCenter user account at the root level of the vCenter hierarchy. This account is strictly dedicated for use with PowerProtect Data Manager and the VM Direct protection engine in cloud-based environments.

Use of a generic user account such as Administrator could make future troubleshooting efforts difficult as it might not be clear which Administrator actions are actually interfacing or communicating with PowerProtect Data Manager. Using a separate vCenter user account ensures maximum clarity if it becomes necessary to examine vCenter logs.

You can specify the credentials for a vCenter user account when you add the vCenter server as an asset source in the user interface. When you add the vCenter server, ensure that you specify a user whose cloud-based role is defined at the vCenter level and not restricted to a lower-level container object in the vSphere object hierarchy.

Specify the required privileges for a dedicated cloud-based vCenter user account

You can use the vSphere Client to specify the required privileges for the dedicated cloud-based vCenter user account, or you can use the PowerCLI, which is an interface for managing vSphere.

The following table includes the privileges required for this user.

NOTE: For the privileges required when administering on-premises PowerProtect Data Manager, see Specify the required privileges for a dedicated vCenter user account on page 23.

Table 20. Minimum required cloud-based vCenter user account privileges

Setting | vCenter 6.0 and later required privileges
Alarms | Create alarm; Modify alarm
Cryptographic operations | Direct Access (NOTE: This only applies to AVS and GCVE.)
Datastore | Allocate space; Browse datastore; Configure datastore; Low level file operations; Remove file
Folder | Create folder
Global | Cancel task; Log event; Manage custom attributes; Set custom attribute
vSphere Tagging | Assign or Unassign vSphere Tag; Assign or Unassign vSphere Tag on Object (NOTE: This only applies to vCenter 7.0 and later.); Create vSphere Tag; Create vSphere Tag Category
Network | Assign network
Resource | Assign virtual machine to resource pool; Migrate powered off virtual machine; Migrate powered on virtual machine
Sessions | Validate session
SPBM policy restore | Profile-driven storage view
vApp | Export; Import; vApp application configuration
Virtual Machine: Change Configuration | Acquire disk lease; Add existing disk; Add new disk; Add or remove device; Advanced configuration; Change CPU count; Change Memory; Change Settings; Change Swapfile placement; Change resource; Configure Host USB device; Configure Raw device; Configure managedby; Extend virtual disk; Modify device settings; Reload from path; Remove disk; Rename; Reset guest information; Set annotation; Toggle disk change tracking; Upgrade virtual machine compatibility
Virtual Machine: Edit Inventory | Create new; Register; Remove; Unregister
Virtual Machine: Guest operations | Guest operation modifications; Guest operation program execution; Guest operation queries
Virtual Machine: Interaction | Configure CD media; Connect devices; Console interaction; Guest operating system management by VIX API; Install VMware Tools; Power off; Power on; Reset
Virtual Machine: Provisioning | Allow disk access; Allow read-only disk access; Allow virtual machine download; Mark as template
Virtual Machine: Snapshot Management | Create snapshot; Remove snapshot; Revert to snapshot

PowerCLI equivalent required privileges:

# Privilege IDs required by the dedicated cloud-based vCenter user account
$privileges = @(
    'System.Anonymous',
    'System.View',
    'System.Read',
    'Alarm.Create',
    'Alarm.Edit',
    'Cryptographer.Access',
    'Datastore.Browse',
    'Datastore.DeleteFile',
    'Datastore.FileManagement',
    'Datastore.AllocateSpace',
    'Datastore.Config',
    'Folder.Create',
    'Global.ManageCustomFields',
    'Global.SetCustomField',
    'Global.LogEvent',
    'Global.CancelTask',
    'InventoryService.Tagging.AttachTag',
    'InventoryService.Tagging.ObjectAttachable',
    'InventoryService.Tagging.CreateTag',
    'InventoryService.Tagging.CreateCategory',
    'Network.Assign',
    'Resource.AssignVMToPool',
    'Resource.HotMigrate',
    'Resource.ColdMigrate',
    'Sessions.ValidateSession',
    'StorageProfile.View',
    'VApp.ApplicationConfig',
    'VApp.Export',
    'VApp.Import',
    'VirtualMachine.Config.Rename',
    'VirtualMachine.Config.Annotation',
    'VirtualMachine.Config.AddExistingDisk',
    'VirtualMachine.Config.AddNewDisk',
    'VirtualMachine.Config.RemoveDisk',
    'VirtualMachine.Config.RawDevice',
    'VirtualMachine.Config.HostUSBDevice',
    'VirtualMachine.Config.CPUCount',
    'VirtualMachine.Config.Memory',
    'VirtualMachine.Config.AddRemoveDevice',
    'VirtualMachine.Config.EditDevice',
    'VirtualMachine.Config.Settings',
    'VirtualMachine.Config.Resource',
    'VirtualMachine.Config.UpgradeVirtualHardware',
    'VirtualMachine.Config.ResetGuestInfo',
    'VirtualMachine.Config.AdvancedConfig',
    'VirtualMachine.Config.DiskLease',
    'VirtualMachine.Config.SwapPlacement',
    'VirtualMachine.Config.DiskExtend',
    'VirtualMachine.Config.ChangeTracking',
    'VirtualMachine.Config.ReloadFromPath',
    'VirtualMachine.Config.ManagedBy',
    'VirtualMachine.GuestOperations.Query',
    'VirtualMachine.GuestOperations.Modify',
    'VirtualMachine.GuestOperations.Execute',
    'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.Reset',
    'VirtualMachine.Interact.ConsoleInteract',
    'VirtualMachine.Interact.DeviceConnection',
    'VirtualMachine.Interact.SetCDMedia',
    'VirtualMachine.Interact.ToolsInstall',
    'VirtualMachine.Interact.GuestControl',
    'VirtualMachine.Inventory.Create',
    'VirtualMachine.Inventory.Register',
    'VirtualMachine.Inventory.Delete',
    'VirtualMachine.Inventory.Unregister',
    'VirtualMachine.Provisioning.DiskRandomAccess',
    'VirtualMachine.Provisioning.DiskRandomRead',
    'VirtualMachine.Provisioning.GetVmFiles',
    'VirtualMachine.Provisioning.MarkAsTemplate',
    'VirtualMachine.State.CreateSnapshot',
    'VirtualMachine.State.RevertToSnapshot',
    'VirtualMachine.State.RemoveSnapshot'
)

# Create the role from those privilege IDs
New-VIRole -Name 'PowerProtect' -Privilege (Get-VIPrivilege -Id $privileges)
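Once the role exists, it is worth confirming that it holds exactly the privileges in Table 18 and Table 20 and that the dedicated account is bound at the vCenter root. The following PowerCLI sketch is an added example and is not part of the Dell guide; the function names, the account placeholder, and the sample data are hypothetical, and `$privileges` refers to the array from the table's PowerCLI column.

```powershell
# Added example: compare a role's privileges with the required list and check
# where the dedicated account's permission is bound.

function Compare-RolePrivilege {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Required,                        # IDs from the guide's table
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $Actual  # IDs the role holds now
    )
    # Privilege IDs are compared case-insensitively; duplicates collapse.
    $cmp = [System.StringComparer]::OrdinalIgnoreCase
    $req = [System.Collections.Generic.HashSet[string]]::new($Required, $cmp)
    $act = [System.Collections.Generic.HashSet[string]]::new($Actual, $cmp)

    $missing = @($req | Where-Object { -not $act.Contains($_) } | Sort-Object)
    $extra   = @($act | Where-Object { -not $req.Contains($_) } | Sort-Object)

    [pscustomobject]@{
        Missing   = $missing    # backups or restores may fail without these
        Extra     = $extra      # not needed by the guide's list; candidates for removal
        Compliant = ($missing.Count -eq 0 -and $extra.Count -eq 0)
    }
}

function Test-BackupRoleAssignment {
    # Requires VMware PowerCLI and an existing Connect-VIServer session.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $RoleName,
        [Parameter(Mandatory)] [string]   $Principal,   # dedicated account (placeholder)
        [Parameter(Mandatory)] [string[]] $Required
    )
    $role = Get-VIRole -Name $RoleName -ErrorAction Stop
    $diff = Compare-RolePrivilege -Required $Required -Actual @($role.PrivilegeList)

    # The guide requires the role to be defined at the vCenter level and not on
    # a lower-level container, so look for a propagating permission on the root folder.
    $root   = Get-Folder -NoRecursion
    $atRoot = @(Get-VIPermission -Entity $root -Principal $Principal -ErrorAction SilentlyContinue |
                Where-Object { $_.Role -eq $RoleName -and $_.Propagate })

    # Every place the account holds any role, for review.
    $bindings = @(Get-VIPermission -Principal $Principal -ErrorAction SilentlyContinue |
                  ForEach-Object { '{0} [{1}] propagate={2}' -f $_.Entity, $_.Role, $_.Propagate })

    [pscustomobject]@{
        Role        = $RoleName
        Principal   = $Principal
        Missing     = $diff.Missing
        Extra       = $diff.Extra
        BoundAtRoot = ($atRoot.Count -gt 0)
        Bindings    = $bindings
    }
}

# Constructed sample, runs without a vCenter connection: a role that lost the
# snapshot privilege and gained an unrelated host privilege.
$sampleRequired = 'System.Anonymous', 'System.View', 'System.Read',
                  'Datastore.Browse', 'VirtualMachine.State.CreateSnapshot'
$sampleActual   = 'System.Anonymous', 'System.View', 'System.Read',
                  'Datastore.Browse', 'Host.Config.Settings'
Compare-RolePrivilege -Required $sampleRequired -Actual $sampleActual | Format-List

# Live use after Connect-VIServer (account name is a placeholder):
# Test-BackupRoleAssignment -RoleName 'PowerProtect' -Principal '<DOMAIN\account>' -Required $privileges
```

Extra entries deserve the same attention as missing ones: the required set already includes guest program execution and datastore file removal, so the role should not grow beyond it.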

Add a VM Direct Engine

Perform the following steps in the Protection Engines window of the PowerProtect Data Manager UI to deploy an external VM Direct Engine, also referred to as a VM proxy. The VM Direct Engine facilitates data movement for virtual-machine protection policies.

Prerequisites

Review the sections Requirements for an external VM Direct Engine on page 26, Transport mode considerations on page 130, and Protection engine limitations on page 26.

If applicable, complete all of the virtual network configuration tasks before you assign any virtual networks. The PowerProtect Data Manager Administration and User Guide provides more information.

About this task

The PowerProtect Data Manager software comes bundled with an embedded VM Direct engine, which is automatically used as a fallback proxy for performing backups and restores when the added external proxies fail or are disabled. It is recommended that you deploy external proxies by adding a VM Direct Engine for the following reasons:

An external VM Direct Engine for VM proxy backup and recovery can provide improved performance and reduce network bandwidth utilization by using source-side deduplication.

The embedded VM Direct engine has limited capacity for backup streams.

The embedded VM Direct engine is not supported for VMC-on-AWS, AVS-on-Azure, or GCVE-on-GCP operations.

NOTE: Cloud-based deployments of PowerProtect Data Manager do not support the configuration of data-traffic routing or VLANs. Skip the Networks Configuration page.

Steps

1. From the left navigation pane, select Infrastructure > Protection Engines.

The Protection Engines window appears.

2. In the VM Direct Engines pane of the Protection Engines window, click Add. The Add Protection Engine wizard displays.


3. On the Protection Engine Configuration page, complete the required fields, which are marked with an asterisk.

Hostname, Gateway, IP Address, Netmask, and Primary DNS: Note that only IPv4 addresses are supported.

vCenter to Deploy: If you have added multiple vCenter server instances, select the vCenter server on which to deploy the protection engine.

NOTE: Ensure that you do not select the internal vCenter server.

ESX Host/Cluster: Select on which cluster or ESXi host you want to deploy the protection engine.

Network: Displays all the networks that are available under the selected ESXi Host/Cluster. For virtual networks (VLANs), this network carries Management traffic.

Data Store: Displays all datastores that are accessible to the selected ESXi Host/Cluster based on ranking (whether the datastores are shared or local), and available capacity (the datastore with the most capacity appearing at the top of the list).

You can choose the specific datastore on which the protection engine resides, or leave the default selection of to allow PowerProtect Data Manager to determine the best location to host the protection engine.

Transport Mode: Select Hot Add.

Supported Protection Type: Select whether this protection engine is intended for Virtual Machine, Kubernetes Tanzu guest cluster, or NAS asset protection.

4. Click Next.

5. Click Next to skip the Networks Configuration page.

6. On the Summary page, review the information and then click Finish.

The protection engine is added to the VM Direct Engines pane. An additional column indicates the engine purpose. Note that it can take several minutes to register the new protection engine in PowerProtect Data Manager. The protection engine also appears in the vSphere Client.

Results

When an external VM Direct Engine is deployed and registered, PowerProtect Data Manager uses this engine instead of the embedded VM Direct engine for any data protection operations that involve virtual machine protection policies. If every external VM Direct Engine is unavailable, PowerProtect Data Manager uses the embedded VM Direct engine as a fallback to perform limited scale backups and restores. If you do not want to use the external VM Direct Engine, you can disable this engine. Additional VM Direct actions on page 28 provides more information.

NOTE: The external VM Direct Engine is always required for VMC-on-AWS, AVS-on-Azure, and GCVE-on-GCP operations. If no external VM Direct Engine is available for these solutions, data protection operations fail.

Next steps

If the protection engine deployment fails, review the network configuration of PowerProtect Data Manager in the System Settings window to correct any inconsistencies in network properties. After successfully completing the network reconfiguration, delete the failed protection engine and then add the protection engine in the Protection Engines window.

When configuring the VM Direct Engine in a VMC-on-AWS, AVS-on-Azure, or GCVE-on-GCP environment, if you deploy the VM Direct Engine to the root of the cluster instead of inside the Compute-ResourcePool, you must move the VM Direct Engine inside the Compute-ResourcePool.

Unsupported operations

PowerProtect Data Manager image backup and restore in GCVE on GCP does not currently support the following operations:

PowerProtect Search functionality

The vSphere Storage Policy Based Management (SPBM) integration with PowerProtect Data Manager

A VM Direct appliance that is configured with dual-stack or IPv6

Application-consistent data protection for Microsoft SQL with the VM Direct appliance

VM Backup and Recovery HTML5 plug-in functionality for vSphere

Image-based backups and restores that use NBD or the NBDSSL transport mode

Image-based backups and restores when a datacenter is placed inside a folder in the SDDC

File-level recoveries of an image-based backup

Instant-access restores of an image-based backup

Emergency restores of an image-based restore directly to an ESXi host, bypassing the vCenter server

Backup and restore operations with anything other than the CloudOwner role or a customized role that has all of the privileges listed in Specify the required privileges for a dedicated cloud-based vCenter user account on page 92

Backup and restore operations for virtual machine protection policies that use the Transparent Snapshot Data Mover (TSDM) protection mechanism.

NOTE: If protecting virtual-machine assets with a PowerProtect Data Manager machine image deployed to GCP, Cloud Disaster Recovery (Cloud DR), Search Clusters, Microsoft Exchange Server, and block-based backups (BBB) with the File System agent (FSA) are also unsupported.


Backing Up and Recovering a vCenter Server

Topics:

- Backing up and recovering a vCenter server
- vCenter deployments overview
- Protecting an embedded PSC
- Protecting external deployment models
- vCenter server restore workflow
- Platform Services Controller restore workflow
- Additional considerations
- Command reference

Backing up and recovering a vCenter server

The following sections describe how to protect the vCenter Server Appliance (VCSA) and the Platform Services Controllers (PSC). These sections are intended for virtual administrators who use the distributed model of the vCenter server and require protection of the complete vCenter server infrastructure.

vCenter deployments overview

You can protect vCenter 6.5 and later deployments with PowerProtect Data Manager by using the vProxy appliance. The instructions in this section assume that the vCenter server and the Platform Services Controller (PSC) are deployed as virtual machines.

For the restores to complete successfully:

- Ensure that these virtual machines use a fully qualified domain name (FQDN) with correct DNS resolution.
- Ensure that the host name of the machine is configured as an IP address. Note that if the host name is configured as an IP address, the IP address cannot be changed.

There are two main types of vCenter deployments:

- vCenter server appliances and Windows virtual machines with an embedded PSC.
- vCenter server appliances and Windows virtual machines with an external PSC.

This type has two subcategories:

- vCenter server environments with a single external PSC.
- vCenter server environments with multiple PSC instances. This environment contains multiple vCenter server instances registered with different external PSC instances that replicate their data.

Protecting an embedded PSC

The following section describes backup and recovery options for protecting an embedded PSC.

Backup

You can perform a backup of an embedded PSC by using the following guidelines.

1. Create a protection policy, and then add the vCenter virtual machine to the protection policy.

2. Select the full virtual machine and not individual disks.

3. Run the scheduled or on-demand (ad-hoc) protection policy.


Recovery

Depending on the type of failure, you can perform the virtual machine recovery by using one of the following methods.

- Restore to original: This method is valid only when the vCenter Server Appliance (VCSA) is intact and running, but corrupted.
- Recover as a new virtual machine to a managed ESXi server (Virtual Machine Recovery): Use this method if you have completely lost your VCSA. Note that this vCenter server must be registered with PowerProtect Data Manager.
- Direct restore to ESXi server: Direct restore to ESXi will be the main use case.

Direct restore to ESXi

If the virtual machine you protected with PowerProtect Data Manager was a vCenter virtual machine, but the virtual machine and vCenter server are now lost or no longer available, direct restore to ESXi enables you to recover the virtual machine directly to an ESXi host without a vCenter server.

Prerequisites

Direct restore to ESXi requires either the embedded VM Direct Engine with PowerProtect Data Manager, or an external VM Direct appliance that is added and registered to PowerProtect Data Manager.

Additionally, ensure that you disconnect the ESXi host from the vCenter server.

Steps

1. From the PowerProtect Data Manager UI, select Restore > Assets, and then select the Virtual Machine tab.

The Restore window displays all of the virtual machines available for restore.

2. Select the checkbox next to the desired virtual machine and click View Copies.

NOTE: If you cannot locate the virtual machine, you can also use the filter in the Name column to search for the name of the specific virtual machine or click the File Search button to search on specific criteria.

The Restore > Assets window provides a map view in the left pane and copy details in the right pane.

When a virtual machine is selected in the map view, the virtual machine name displays in the right pane with the copy locations underneath. When you select a specific location in the left pane to view the copies, for example, on a DD system, the copies on that system display in the right pane.

3. If the backup is on a DD system, click DD, and then select from one of the available copies that display in the table.

4. In the right pane, select the checkbox next to the virtual machine backup you want to restore, and then click Direct Restore to ESXi. The Direct Restore to ESXi wizard appears.

5. On the Options page:

a. (Optional) Select Reconnect the virtual machine's NIC when the recovery completes, if desired. Power on the virtual machine when the recovery completes is selected by default.

b. For low-bandwidth environments, select Enable DDBoost Compression.

This option reduces network usage by compressing data on the protection storage system before transfer to the VM Direct Engine, which decompresses the data. Compression reduces restore times but increases CPU usage on both systems.

c. Click Next.

6. On the ESX Host Credentials page:

a. In the ESX Host field, type the IP address of the ESXi server where you want to restore the virtual machine backup.

b. Specify the root Username and Password for the ESXi Server.

c. Click Next.

7. On the Datastore page, select the datastore where you want to restore the virtual machine disks, and then click Next.

- To restore all of the disks to the same location, keep the Configure per disk slider to the left, and then select the datastore from the Storage list.
- To restore disks to different locations, move the Configure per disk slider to the right, and then:

a. For each available disk that you want to recover, select a datastore from the Storage list.

b. Select the type of provisioning you want to apply to the disk from the Disk Format list.

8. On the Summary page:

a. Review the information to ensure that the details are correct.

b. Click Restore.

9. Go to the Jobs window to monitor the restore. A restore job appears with a progress bar and start time.

Protecting external deployment models

Review the backup and recovery options for protecting external deployments.

Backup

You can perform a backup by using the following guidelines:

1. Create a protection policy and add the vCenter virtual machine and PSC virtual machine to the policy. This will ensure that snapshots are taken at the same time.

2. Ensure that you select the full virtual machine and not individual disks.

3. Run the scheduled or on-demand (ad-hoc) protection policy.

NOTE: Ensure that you back up all vCenter server and PSC instances at the same time.

Recovery

Depending on the failure, you can perform virtual machine recovery by using one of the following methods:

- Restore to original: This method is valid only when the VCSA is intact and running, but corrupted.
- Recover as a new virtual machine to a managed ESXi server: Use this method if you have completely lost your VCSA. Note that the vCenter server where the VCSA resides must be registered with PowerProtect Data Manager.
- Emergency recovery to an ESXi server. For emergency recovery, perform the steps specified in the section Direct restore to ESXi on page 62.

NOTE: In the event of a complete environment failure, PSC should be restored first, followed by the vCenter server restore.

The following scenarios provide specific instructions based on the number of vCenter server appliances and external PSCs in the environment and the extent of the failure.

vCenter server appliance with one external PSC where PSC fails

Steps

1. Perform an image-level recovery of the PSC by using one of the methods indicated above, and then power ON the virtual machine.

2. Verify that all PSC services are running. For a PSC deployed as an appliance, run the service-control --status --all command in the appliance shell.

For a PSC installed on Windows, from the Windows Start menu, select Control Panel > Administrative Tools > Services.

3. Log into the vCenter server appliance shell as root.

4. Verify that no vCenter services are running, or stop any vCenter services that are running by typing service-control --stop.

5. Run the vc-restore script to restore the vCenter virtual machines.

- For a vCenter server appliance, type:

vcenter-restore -u psc_administrator_username -p psc_administrator_password

- For a vCenter server installed on Windows, go to C:\Program Files\VMware\vCenter Server\, and then run:

vcenter-restore -u psc_administrator_username -p psc_administrator_password

where psc_administrator_username is the vCenter Single Sign-On administrator user name, which must be in UPN format.

6. Verify that all vCenter services are running and the vCenter Server is started, as specified in step two.

7. Perform a login test to the vCenter server.

If the restore was successful, the login completes successfully.

vCenter server appliance is lost but the PSC remains

Steps

1. Perform an image-level recovery of the lost vCenter server by using one of the following methods, and then power ON.

- Restore to original: This method is valid only when the VCSA is intact and running, but corrupted.
- Recover as a new virtual machine to a managed ESXi server: Use this method if you have completely lost your VCSA. Note that this vCenter server must be registered with PowerProtect Data Manager.
- Emergency recovery to an ESXi server.

2. After a successful boot, verify that all services are started.

3. Perform a login test.

vCenter server appliance with multiple PSCs where one PSC is lost but one remains

Steps

1. Repoint the vCenter instance to one of the functional PSCs in the same SSO domain.

NOTE: Log in to all vCenter servers one by one to determine which vCenter login fails. This will be the vCenter server that requires the repoint steps.

2. Run the following command on the vCenter server appliance:

cmsso-util repoint --repoint-psc psc_fqdn_or_static_ip [--dc-port port_number]

NOTE: The square brackets enclose the command options.

3. Perform a login test on the vCenter server.

4. Deploy the new PSC and join to an active node in the same SSO and site, replacing lost ones.

5. Repoint the vCenter server to the new PSC.

vCenter server appliance remains but all PSCs fail

About this task

NOTE: In this scenario, none of the vCenter logins (SSO user) have been successful.

Steps

1. Restore the most recent PSC backup and wait for the vCenter services to start.

2. Log in to the vCenter server appliance's shell as root.

3. Verify that no vCenter services are running, or stop vCenter services.

4. Run the vc-restore script to restore the VCSA (refer above for detailed steps).

NOTE: If the login test to any vCenter server appliance fails, then the restored PSC is not the PSC that the vCenter server appliance is pointing to, in which case you may be required to perform a repoint, as described above.

5. Deploy the new PSC and join to an active node in the same SSO domain and site.

6. Repoint vCenter connections as required.

vCenter server appliance remains but multiple PSCs fail

Steps

1. Restore one PSC.


2. Test the vCenter server appliance login. If the login fails, repoint the vCenter server appliance to an active PSC.

3. Deploy the new PSC and join to an active node in the same SSO domain and site.

vCenter server appliance fails

About this task

NOTE: If all PSCs and vCenter server appliances have failed, restore one PSC first before restoring the vCenter server appliance.

Steps

1. Perform an image-level restore of the lost vCenter server by using one of the following methods, and then power ON the vCenter.

- Restore to original: This method is valid only when the vCenter server appliance is intact and running, but corrupted.
- Recover as a new virtual machine to a managed ESXi server: Use this method if you have completely lost your vCenter server appliance. Note that this vCenter server must be registered with PowerProtect Data Manager.
- Emergency recovery to an ESXi server.

2. After a successful boot, verify that all vCenter services have started.

3. Perform a login test.

4. If the login test fails, then this vCenter server appliance is pointing to an inactive PSC. Repoint to an active node.


vCenter server restore workflow

The following diagram shows the restore workflow for a vCenter server.

Figure 6. vCenter server restore workflow


Platform Services Controller restore workflow

The following diagram shows the restore workflow for a Platform Services Controller (PSC).

Figure 7. PSC restore workflow

Additional considerations

Review the following additional considerations when backing up and restoring the vCenter server and PSC.

Backing up the vCenter server will not save the Distributed switch (vDS) configuration as it is stored on the hosts. As a best practice, back up the vDS configuration by using a script that can be used after restoring the virtual center.

After restoring the PSC, verify that replication has been performed as designed by using the following commands to display the current replication status of a PSC and any of the replication partners of the PSC:

- For VCSA, go to /usr/lib/vmware-vmdir/bin and type:

./vdcrepadmin -f showpartnerstatus -h localhost -u administrator -w Administrator_Password

- For Windows, open a command prompt and type:

cd "%VMWARE_CIS_HOME%"\vmdird\


For the vCenter server or PSC, do not select advanced quiesce-based backup options. Selecting these options will result in application quiescing on virtual machines, which impacts the overall environment due to stunning.

The VMware vCenter server documentation, available at https://docs.vmware.com/en/VMware-vSphere/index.html, provides more information about the vCenter server and PSC.
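The replication check described above can be scripted so that a restored PSC is only declared healthy when every partner is reachable and caught up. The following is an added example, not part of the Dell guide or of VMware's tooling: it parses showpartnerstatus output and lists the partners that need attention. The sample output, its host names, and the assumed output layout are constructed for illustration; compare the layout with what your appliance prints.

```python
import re

# Constructed sample in the layout assumed for `vdcrepadmin -f showpartnerstatus`
# (hypothetical host names; verify the layout against your own appliance).
SAMPLE_OUTPUT = """\
Partner: psc02.example.internal
Host available:   Yes
Status available: Yes
My last change number:             9346
Partner has seen my change number: 9346
Partner is 0 changes behind.

Partner: psc03.example.internal
Host available:   Yes
Status available: Yes
My last change number:             9346
Partner has seen my change number: 9101
Partner is 245 changes behind.

Partner: psc04.example.internal
Host available:   No
"""

_YES_NO = {"yes": True, "no": False}


def parse_partner_status(text):
    """Split the output into one record per 'Partner:' block."""
    partners, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Partner:\s*(\S+)$", line)
        if m:
            current = {"partner": m.group(1), "host_available": None,
                       "status_available": None, "changes_behind": None}
            partners.append(current)
            continue
        if current is None:
            continue  # ignore anything printed before the first partner block
        m = re.match(r"(Host|Status) available:\s*(yes|no)$", line, re.I)
        if m:
            current[m.group(1).lower() + "_available"] = _YES_NO[m.group(2).lower()]
            continue
        m = re.match(r"Partner is (\d+) changes? behind", line)
        if m:
            current["changes_behind"] = int(m.group(1))
    return partners


def replication_problems(partners, max_lag=0):
    """Return (partner, reason) pairs that need attention after a PSC restore."""
    problems = []
    for p in partners:
        if p["host_available"] is not True:
            problems.append((p["partner"], "host not available"))
        elif p["status_available"] is not True or p["changes_behind"] is None:
            problems.append((p["partner"], "replication status not reported"))
        elif p["changes_behind"] > max_lag:
            problems.append((p["partner"], f"{p['changes_behind']} changes behind"))
    return problems


if __name__ == "__main__":
    for partner, reason in replication_problems(parse_partner_status(SAMPLE_OUTPUT)):
        print(f"CHECK {partner}: {reason}")
```

A partner that stays behind across repeated runs, rather than converging toward zero, is the signal to investigate before repointing any vCenter server to the restored PSC.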

Command reference

Use the following command to start or stop services in the vCenter server and PSC, or obtain the status:

service-control --status/--start/--stop --all

You can use other replication topology commands, as in the following example.

Replication topology command

/usr/lib/vmware-vmdir/bin/vdcrepadmin -f showpartners -h localhost -u PSC_Administrator -w password

NOTE: You can replace localhost with another PSC FQDN to obtain all of the partnerships in the current vSphere domain.


Backing Up VMware Cloud Foundation (VCF) on VxRail

Topics:

- Backing up VCF on VxRail
- VCF and VxRail overview
- VCF components and backup methods
- Check VMware certification
- Backup prerequisites
- The backup script
- Quick protection
- Selective protection: SDDC and NSX-T Managers
- Selective protection: vCenter servers
- Selective protection: vRSLCM, VxRail Manager, Workspace ONE Access, and vRealize Suite virtual machines
- SFTP password change: SDDC and NSX-T Managers
- SFTP password change: vCenter servers
- Backup-script troubleshooting

Backing up VCF on VxRail

The following sections describe how to protect VMware Cloud Foundation (VCF) on VxRail by using a PowerProtect Data Manager command-line backup script.

NOTE: VxRail is the preferred Dell EMC platform for VCF. However, environments that use other VMware-supported vSAN Ready Nodes are also supported by Dell EMC. The following sections also apply to those environments.

VCF and VxRail overview

VCF integrates a VMware cloud infrastructure with cloud management services by using the vRealize software suite to run enterprise applications. The VCF infrastructure is managed by the SDDC Manager, and it includes vSphere compute, vSAN storage, NSX networking, and a range of security implementations.

Dell EMC VxRail is an all-in-one solution that uses Dell EMC PowerEdge servers and its own VxRail hyperconverged infrastructure (HCI) software to provide a fully functional VCF environment to enterprise customers.

For more information about VCF and VxRail, see the following resources:

- The VMware Cloud Foundation documentation
- The Dell EMC VxRail Administration Guide at Customer Support
- About VMware Cloud Foundation on Dell EMC VxRail


VCF components and backup methods

Understanding the backup method used by a VCF component aids in understanding how the VCF component is protected by the backup script. The following tables show the VCF components of the different backup methods.

Table 21. VCF components of file-based backups

Backup Method   Component
File based      NSX-T Data Center
File based      SDDC manager
File based      vCenter server

Assets of these components are first copied to an external server that uses Secure File Transfer Protocol (SFTP) or another supported protocol. After that, the external server is backed up by PowerProtect Data Manager.

If using quick protection, these components are automatically protected.

Table 22. VCF components of image-based backups

Backup Method   Component                                   Automatically discovered
Image based     vRealize Suite Lifecycle Manager (vRSLCM)   VCF 4.0
Image based     vRealize Automation                         VCF 4.1
Image based     vRealize Business                           No
Image based     vRealize Log Insight                        VCF 4.1
Image based     vRealize Network Insight                    No
Image based     vRealize Operations Manager                 VCF 4.1
Image based     VxRail Manager                              No
Image based     Workspace ONE Access                        VCF 4.1

Assets of these components are backed up directly by PowerProtect Data Manager.

The Automatically discovered column displays the minimum required version of VCF for a component to be automatically discovered, as well as those components that are not automatically discovered by any version of VCF.

If using quick protection, the automatically discovered components are automatically protected.

All image-based backups follow the VMware quiescing recommendations for VCF virtual machines that are part of VMware Validated Design (VVD):

Table 23. VCF components and quiescing

Component                          Quiescing
vRealize Suite Lifecycle Manager   Enabled
Workspace ONE Access               Enabled
vRealize Log Insight               Disabled
vRealize Operations Manager        Disabled
vRealize Automation                Enabled


Check VMware certification

Use this method to check the versions of PowerProtect Data Manager that VMware has certified to work with their products.

About this task

VMware certification allows customers to receive support from VMware for any VMware-specific features related to PowerProtect Data Manager.

NOTE: VMware will only certify a version of PowerProtect Data Manager after it has been released and tested. If you are waiting for the current version of PowerProtect Data Manager to be certified, you can continue to check its status.

Steps

1. In a browser, navigate to the VMware Compatibility Guide.

2. Select All > Dell EMC > All.

3. Click Update and View Results.

4. In the Solution Name column, look for EMC PowerProtect Data Manager entries.

5. Review the information in the corresponding Solution Version and Supported Releases columns.

Backup prerequisites

Ensure the following prerequisites are met before backing up VCF on VxRail:

- VCF is at a supported version. For more information, see the PowerProtect Data Manager compatibility matrix at the E-Lab Navigator.
- Any external server (using SFTP or another supported protocol) used in a file-based backup has been discovered as a File System asset in PowerProtect Data Manager.
- Any vCenter server being protected has been added as an asset source in PowerProtect Data Manager.
- PowerProtect Data Manager, the vCenter server, and the SDDC and NSX-T managers are all set to the same time zone and have their clocks synchronized.
- PowerProtect Data Manager and VCF do not have backup schedules that would back up the same assets at the same time.
- A VM Direct Engine exists.
- Any backup directory path specified by an external server in a file-based backup exists.
- All credentials provided during the execution of the backup script resolve to accounts with the required permissions to access the related resources. This includes but is not limited to the following:
  - The vCenter username being used belongs to the vCenter Administrators group.
  - The SDDC manager username being used has the SDDC manager Admin role.

The backup script

You use a PowerProtect Data Manager script to protect VCF components.

The script is accessible from the PowerProtect Data Manager command line. It provides a series of guided procedures that automate multiple backup operations into a single process. The script can also be used to change external SFTP passwords.

NOTE: This script only backs up the data of protected VCF components. It cannot be used to restore any of the data that is backed up. To restore the data, use the PowerProtect Data Manager and VMware user-interface tools. Ensure that you restore VCF-management data to components in a manner supported by VMware. For more information, go to the VMware Validated Design Documentation website and review the backup and restore procedures of the documentation that corresponds to your version of VCF. If disaster recovery must be performed, see VMware Cloud Foundation Disaster Recovery With PowerProtect Data Manager at Customer Support.


Quick protection

This procedure uses default backup settings and values to protect all VCF components at once. Every vCenter server and any automatically discovered VCF component will be protected. Quick protection requires the least amount of input, but also provides the least amount of choice. For information about the default settings and values used, review the selective-protection procedures that follow.

Steps

1. From a PowerProtect Data Manager command line, type the following two commands:

cd /usr/local/brs/lib/sysmgr/bin
./ppdm-vcf-component-protection.sh

2. Provide PowerProtect Data Manager credentials for a user with the Administrator role.

3. Enter the IP address or fully qualified domain name (FQDN) of the SDDC Manager server, and then provide SDDC Manager credentials for a user with the Administrator role.

4. From the backup-script main menu, enter 1.

NOTE: Quick protection uses the same external SFTP server and backup schedule for both the SDDC Manager and vCenter servers. It also overrides the existing backup configurations of the SDDC and vCenter servers without prompting.

5. Enter the address of an external SFTP server, including the backup directory path, followed by credentials to access the server. The external SFTP server is also used for vCenter server configuration.

The external SFTP server and backup directory path uses the format sftp://server_ip_address:port_number/folder/subfolder. For example:

sftp://172.17.62.201:22/upload/backup

6. Enter the encryption passphrase for SDDC Manager backups.

The encryption passphrase must be between 12 and 20 characters in length and contain at least two lowercase letters, two uppercase letters, two numerals, and a special character.

NOTE: The encryption passphrase is also used for vCenter server backups, and is required when restoring data. Store the passphrase in a secure location that is separate from the backup files and VCF environment you are protecting.

7. Confirm if common credentials should be used. Enter y to provide common credentials for all vCenter servers.

Enter n to be prompted for the credentials for each individual server.

Provide vCenter credentials for a user with the Administrator role.

8. Select the days of the week a backup takes place, and then enter the time of day.

Type a number that represents a day of the week, where 1 represents Sunday. If selecting multiple days of the week, separate the numbers with a space. For example, to select Sunday and Monday:

1 2

The time of day uses the format HH:MM in 24-hour notation. For example, to enter 1:25 p.m.:

13:25

9. Select both a File System and Virtual Machine protection policy to use.

If a default protection policy of either type does not exist, it will be automatically created with a frequency of DAILY, a time of 8:00 PM to 6:00 AM, and a retention of 7 days.

- A protection policy with the name VCF-Image-Based-Protection is used as the default image-based protection policy.
- A protection policy with the name VCF-File-Based-(SFTP)-Protection is used as the default file-based protection policy.
- If a default protection policy has just been automatically created and it is the only protection policy of that type, it will be automatically used.
- If a default protection policy already exists, confirm if it should be used or if the protection policy to use should be selected from a list.

10. Enter the IP address or FQDN of any image-based VCF component that is not automatically discovered and that you want to protect. For a list of components that are not automatically discovered, see VCF components and backup methods on page 118.

Results

You can monitor the progress of the backup script as it protects the VCF components.

Selective protection: SDDC and NSX-T Managers

This procedure protects just the SDDC and NSX-T manager file-based VCF components, while providing more control over the backup settings used for them than quick protection. To protect other VCF components, refer to the other selective-protection procedures.

Steps

1. From a PowerProtect Data Manager command line, type the following two commands:

cd /usr/local/brs/lib/sysmgr/bin
./ppdm-vcf-component-protection.sh

2. Provide PowerProtect Data Manager credentials for a user with the Administrator role.

3. Enter the IP address or fully qualified domain name (FQDN) of the SDDC Manager server, and then provide SDDC Manager credentials for a user with the Administrator role.

4. From the backup-script main menu, enter 2, and then 1.

5. To override an existing SDDC Manager backup configuration, enter y.

6. To add or modify SDDC Manager backup configuration information, enter the address of an external SFTP server, including the backup directory path, followed by credentials to access the server.

The external SFTP server and backup directory path uses the format sftp://server_ip_address:port_number/folder/subfolder. For example:

sftp://172.17.62.201:22/upload/backup

7. Enter the encryption passphrase for SDDC Manager backups.

The encryption passphrase must be between 12 and 32 characters in length and contain at least two lowercase letters, two uppercase letters, two numbers, and a special character.

NOTE: The encryption passphrase is required when restoring data. Store this passphrase in a secure location that is separate from the backup files and VCF environment you are protecting.

8. The default SSH fingerprint of the external SFTP server is displayed. Confirm that it should be used, or enter a new one.

NOTE: With quick protection, the default SSH fingerprint of the external SFTP server is always used.

9. Select the backup frequency. If you select HOURLY, enter the minute of each hour a backup takes place. If you select WEEKLY, select the days of the week a backup takes place, and then enter the time of day.

For a weekly backup frequency, type a number that represents a day of the week, where 1 represents Sunday. If selecting multiple days of the week, separate the numbers with a space. For example, to select Sunday and Monday:

1 2

The time of day uses the format HH:MM in 24-hour notation. For example, to enter 1:25 p.m.:

13:25

10. Enter the backup-retention values described in the following table. The values automatically used by quick protection are also listed.


Table 24. Backup-retention values

Parameter                          Value range   Quick-protection default value
Days of daily backups to retain    0-30          7
Days of hourly backups to retain   0-14          7
Backup files to retain             1-600         15
Take backups on state change       Yes or no     Yes

11. Confirm if a new File System protection policy should be created in order to protect the external SFTP server. Enter y to provide details of the new protection policy.

Enter n to either select from a list of existing protection policies or skip protection of the external SFTP server.

Results

You can monitor the progress of the backup script as it protects the selected VCF components.
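Step 8 asks you to confirm the SSH fingerprint that the script displays for the external SFTP server. The following added example (not part of the Dell guide or the backup script) computes the fingerprint independently from the server's public host key, obtained over a channel you trust, so the displayed value can be compared rather than accepted on sight. It assumes the script shows the fingerprint in one of the two common OpenSSH forms (SHA256 base64 or MD5 colon-separated hex), which the guide does not specify; the host name and key are constructed.

```python
import base64
import hashlib
import hmac
import struct


def constructed_keyscan_line():
    """Build a sample 'host keytype base64' line. The key is constructed, not a real host key."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes(range(32)))
    return "sftp.example.internal ssh-ed25519 " + base64.b64encode(blob).decode("ascii")


def parse_host_key_line(line):
    """Return (host, key_type, key_blob) from a 'host keytype base64' line."""
    fields = line.split()
    if len(fields) < 3 or fields[0].startswith("#"):
        raise ValueError("not a host key line")
    host, key_type, b64 = fields[0], fields[1], fields[2]
    blob = base64.b64decode(b64, validate=True)
    # The blob begins with a length-prefixed copy of the key type. A mismatch
    # means the line was truncated or edited, so refuse to fingerprint it.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode("ascii"):
        raise ValueError("key type does not match key blob")
    return host, key_type, blob


def fingerprints(blob):
    """Compute both OpenSSH-style fingerprints of a public key blob."""
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii").rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return {
        "sha256": "SHA256:" + sha,
        "md5": "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
    }


def fingerprint_matches(displayed, blob):
    """Compare the fingerprint shown by a tool with the one computed from blob."""
    shown = displayed.strip()
    computed = fingerprints(blob)
    if shown.upper().startswith("SHA256:"):
        # Base64 is case-sensitive; only trailing padding is normalised.
        candidate, expected = shown[7:].rstrip("="), computed["sha256"][7:]
    else:
        if shown.upper().startswith("MD5:"):
            shown = shown[4:]
        candidate, expected = shown.lower(), computed["md5"][4:]
    return hmac.compare_digest(candidate.encode(), expected.encode())


if __name__ == "__main__":
    host, key_type, blob = parse_host_key_line(constructed_keyscan_line())
    for form, value in fingerprints(blob).items():
        print(f"{host} {key_type} {form}: {value}")
```

If the displayed fingerprint does not match the value computed from the key you obtained separately, enter the verified fingerprint at the prompt instead of confirming the default.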

Selective protection: vCenter servers

This procedure protects just the vCenter server file-based VCF components, while providing more control over the backup settings used for them than quick protection. To protect other VCF components, refer to the other selective-protection procedures.

Steps

1. From a PowerProtect Data Manager command line, type the following two commands:

cd /usr/local/brs/lib/sysmgr/bin
./ppdm-vcf-component-protection.sh

2. Provide PowerProtect Data Manager credentials for a user with the Administrator role.

3. Enter the IP address or fully qualified domain name (FQDN) of the SDDC Manager server, and then provide SDDC Manager credentials for a user with the Administrator role.

4. From the backup-script main menu, enter 2 twice.

5. Select the automatically discovered vCenter servers to protect.

Enter a to protect all the servers. Otherwise, enter the numbers that correspond to the individual servers to protect, separating each number with a space.

6. Enter the address of an external server, including the backup directory path, followed by credentials to access the server.

Supported protocols for the external server are FTP, SFTP, FTPS, HTTP, HTTPS, NFS, and SMB. The external server and backup directory path uses the format protocol://server_ip_address:port_number/folder/subfolder. For example:

sftp://172.17.62.201:22/upload/backup

7. Select the days of the week a backup takes place, and then enter the time of day.

Type a number that represents a day of the week, where 1 represents Sunday. If selecting multiple days of the week, separate the numbers with a space. For example, to select Sunday and Monday:

1 2

The time of day uses the format HH:MM in 24-hour notation. For example, to enter 1:25 p.m.:

13:25

8. Confirm if the backups should be encrypted. If they should be encrypted, enter an encryption password.

If you enter an encryption password, it must be between 8 and 20 characters in length and contain at least one lowercase letter, one uppercase letter, one number, and one special character.

9. Confirm if historical data should be backed up and the number of backups to retain.


NOTE: In quick protection, the default is to back up historical data and retain all backups.

10. Confirm if common credentials should be used. Enter y to provide common credentials for all vCenter servers.

Enter n to be prompted for the credentials for each individual server.

Provide vCenter credentials for a user with the Administrator role.

11. If there is an existing vCenter server backup configuration, confirm if it should be overridden.

NOTE: Should the existing backup configuration fail to be overridden, the vCenter server will be left without a backup configuration.

12. Confirm if a new File System protection policy should be created in order to protect the external server. Enter y to provide details of the new protection policy.

Enter n to either select from a list of existing protection policies or skip protection of the external server.

Results

You can monitor the progress of the backup script as it protects the selected VCF components.
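The quick-protection, SDDC Manager, and vCenter procedures above each state a different rule for the encryption passphrase or password. The following added example (not part of the Dell guide or the backup script) encodes the three rules, reports which ones a candidate value breaks, derives the rule a single shared value must satisfy, and generates a compliant value from the operating system's random source. The guide does not list the accepted special characters, so the character sets below are assumptions.

```python
import secrets
import string
from dataclasses import dataclass

# Assumption: the guide does not say which special characters are accepted.
# Checking counts any ASCII punctuation; generation uses a conservative subset.
CHECK_SPECIALS = set(string.punctuation)
GENERATE_SPECIALS = "!@#%^*-_+="


@dataclass(frozen=True)
class Policy:
    name: str
    min_len: int
    max_len: int
    lower: int
    upper: int
    digits: int
    special: int


# Rules as stated in the three procedures.
QUICK = Policy("quick protection", 12, 20, 2, 2, 2, 1)
SDDC = Policy("selective: SDDC Manager", 12, 32, 2, 2, 2, 1)
VCENTER = Policy("selective: vCenter server", 8, 20, 1, 1, 1, 1)


def violations(policy, secret):
    """Return the list of rules that `secret` breaks (empty means compliant)."""
    found = []
    if not policy.min_len <= len(secret) <= policy.max_len:
        found.append(f"length {len(secret)} not in {policy.min_len}-{policy.max_len}")
    classes = (
        ("lowercase", string.ascii_lowercase, policy.lower),
        ("uppercase", string.ascii_uppercase, policy.upper),
        ("digit", string.digits, policy.digits),
        ("special", CHECK_SPECIALS, policy.special),
    )
    for label, alphabet, needed in classes:
        have = sum(ch in alphabet for ch in secret)
        if have < needed:
            found.append(f"needs {needed} {label}, has {have}")
    return found


def strictest(a, b):
    """Policy that one value shared between two prompts must satisfy."""
    merged = Policy(f"{a.name} + {b.name}",
                    max(a.min_len, b.min_len), min(a.max_len, b.max_len),
                    max(a.lower, b.lower), max(a.upper, b.upper),
                    max(a.digits, b.digits), max(a.special, b.special))
    if merged.min_len > merged.max_len:
        raise ValueError("policies cannot be satisfied together")
    return merged


def generate(policy, length=None):
    """Generate a compliant value using the OS CSPRNG."""
    length = policy.max_len if length is None else length
    required = policy.lower + policy.upper + policy.digits + policy.special
    if not max(policy.min_len, required) <= length <= policy.max_len:
        raise ValueError("length outside what the policy allows")
    rng = secrets.SystemRandom()
    chars = ([rng.choice(string.ascii_lowercase) for _ in range(policy.lower)]
             + [rng.choice(string.ascii_uppercase) for _ in range(policy.upper)]
             + [rng.choice(string.digits) for _ in range(policy.digits)]
             + [rng.choice(GENERATE_SPECIALS) for _ in range(policy.special)])
    pool = string.ascii_letters + string.digits + GENERATE_SPECIALS
    chars += [rng.choice(pool) for _ in range(length - len(chars))]
    rng.shuffle(chars)  # avoid a predictable class order
    return "".join(chars)


if __name__ == "__main__":
    shared = strictest(SDDC, VCENTER)
    print(shared.min_len, shared.max_len)  # same bounds as quick protection
    print(violations(VCENTER, "AAbb11!!" * 3))
```

Combining the two selective rules yields the same numbers as the quick-protection rule, which is consistent with quick protection reusing one passphrase for both SDDC Manager and vCenter server backups.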

Selective protection: vRSLCM, VxRail Manager, Workspace ONE Access, and vRealize Suite virtual machines

This procedure protects all of the image-based VCF components, while providing more control over the backup settings used for them than quick protection. The components protected include vRSLCM, VxRail Manager, Workspace ONE Access, and vRealize Suite virtual machines. To protect file-based VCF components, refer to the other selective-protection procedures.

Steps

1. From a PowerProtect Data Manager command line, type the following two commands:

cd /usr/local/brs/lib/sysmgr/bin
./ppdm-vcf-component-protection.sh

2. Provide PowerProtect Data Manager credentials for a user with the Administrator role.

3. Enter the IP address or fully qualified domain name (FQDN) of the SDDC Manager server, and then provide SDDC Manager credentials for a user with the Administrator role.

4. From the backup-script main menu, enter 2, and then 3.

5. Select an image-based VCF component type to protect.

NOTE: You can only select a single component type. To protect more than one component, follow the selective protection steps for each component.

If you select vRSLCM, select a discovered vRSLCM server to protect.

If you select any other component type, enter the IP address or fully qualified domain name (FQDN) of the server to protect.

6. Confirm if a new Virtual Machine protection policy should be created in order to protect the component. Enter y to provide details of the new protection policy.

Enter n to select from a list of existing protection policies.

Results

You can monitor the progress of the backup script as it protects the selected VCF component.

SFTP password change: SDDC and NSX-T Managers

While using the backup script to protect VCF components, you might want to change the password of the external SFTP server account associated with the SDDC and NSX-T Managers.

Steps

1. From a PowerProtect Data Manager command line, type the following two commands:

cd /usr/local/brs/lib/sysmgr/bin
./ppdm-vcf-component-protection.sh

2. Provide PowerProtect Data Manager credentials for a user with the Administrator role.

3. Enter the IP address or fully qualified domain name (FQDN) of the SDDC Manager server, and then provide SDDC Manager credentials for a user with the Administrator role.

4. From the backup-script main menu, enter 3, and then 1.

5. Confirm if you want to change the password of the external SFTP server account. Enter y to change the password, and then perform the following actions:

a. Enter the new password.

b. Enter y to confirm if the automatically generated SSH fingerprint should be used. Otherwise, enter n to provide your own SSH fingerprint.

Enter n to skip the password change.

Results

You can monitor the progress of the backup script as it changes the password of the external SFTP server account associated with the SDDC and NSX-T managers.

SFTP password change: vCenter servers

While using the backup script to protect VCF components, you might want to change the password of an external SFTP server associated with an automatically discovered vCenter server.

Steps

1. From a PowerProtect Data Manager command line, type the following two commands:

cd /usr/local/brs/lib/sysmgr/bin
./ppdm-vcf-component-protection.sh

2. Provide PowerProtect Data Manager credentials for a user with the Administrator role.

3. Enter the IP address or fully qualified domain name (FQDN) of the SDDC Manager server, and then provide SDDC Manager credentials for a user with the Administrator role.

4. From the backup-script main menu, enter 3, and then 2.

5. Confirm if common credentials should be used. Enter y to provide common credentials for all vCenter servers.

Enter n to be prompted for the credentials for each individual server.

Provide vCenter credentials for a user with the Administrator role.

6. Confirm if you want to provide a backup encryption password. This password will be used when backing up the VCF components of all vCenter servers.

7. For each automatically discovered vCenter server, confirm if you want to change the password of the external SFTP server account associated with it.

Results

You can monitor the progress of the backup script as it changes the passwords of all external SFTP server accounts associated with the selected vCenter servers.

Backup-script troubleshooting

The following table provides common error codes and messages, along with explanations or recommended areas of investigation to resolve the problem.

Table 25. Error codes and explanations

| Error code or message | Explanation or area of investigation |
| --- | --- |
| INVALID_ENCRYPTION_PASSPHRASE: Provided encryption passphrase is invalid. | The encryption passphrase specified for external SFTP server is invalid. |
| Validate Backup Location Details FAILED | The backup location specified for the external SFTP server in the SDDC Manager backup configuration does not exist. |
| INPUT_PARAM_ERROR: Failed to establish SFTP connection to with username on port . | The credentials specified for the external SFTP server in the SDDC Manager backup configuration are incorrect. |
| INVALID_ARGUMENT: The entered backup password does not adhere to the password requirements. | The encryption passphrase specified in the vCenter server backup configuration is invalid. |
| INVALID_ARGUMENT: Plugin error occurred. Access to the backup server is denied. Check your credentials. | The password specified for the external server in the vCenter server backup configuration is incorrect. |
| UNAUTHENTICATED: Authentication required. com.vmware.vapi.endpoint.method.authentication.required | The credentials specified for the vCenter server are incorrect. |
| Perform validations for backup server fingerprint FAILED | The SSH fingerprint specified for the external SFTP server in the SDDC Manager backup configuration is invalid. |
| SCHEDULING_SDDC_MANAGER_BACKUPS_FAILED_REASON_UNKNOWN: Unexpected error occurred. Provided backup schedule not applied. | Check for errors on the SDDC Manager. |
| LOCK_NOT_AVAILABLE: Lock is not available - SDDC Manager DEPLOYMENT lock to perform Backup & Restore operation. | There are too many pending SDDC Manager jobs. Try running the backup script at another time. |
| 503: The data store service is not available. Try again later. remediation timestamp path /api/v2/assets | PowerProtect Data Manager assets cannot currently be queried. Try running the backup script at another time. |
| 503: The service is not available. Try again later. remediation timestamp path /api/v2/protection-policies | Protection policies cannot currently be queried. Try running the backup script at another time. |

Virtual Machine Best Practices and Troubleshooting

Topics:

Software and hardware requirements
Scalability limits for vCenter server, VM Direct Engine, and DD systems
PowerProtect Data Manager resource requirements in a VMware environment
Best practices and additional considerations for the VM Direct Engine
Best practices for vCenter server backup and restore
Changing the vCenter server FQDN
Replacing security certificates
Troubleshooting network setup issues
Troubleshooting virtual machine backup issues
Troubleshooting virtual machine restore issues
Troubleshoot virtual machine SQL application consistent policy issues
Support for backup and restore of encrypted virtual machines
Troubleshooting vSphere Plugin deployments
VMware knowledge base articles and product documentation

Software and hardware requirements

The following table lists the required components for PowerProtect Data Manager and the VM Direct protection engine.

Table 26. PowerProtect Data Manager and VM Direct engine requirements

Component Requirements Notes

PowerProtect Data Manager with the VM Direct Engine

Version 19.10 or later.

vCenter server vSphere and ESXi versions 6.5, 6.7, 7.0, 7.0 U1 or later. Refer to the VMware documentation ESXi 6.5 and later minimum requirements for physical host requirements for the ESXi hosts.

VMware has announced the end of general support for vSphere version 6.0. The Knowledge Base article at https://kb.vmware.com/s/article/66977 provides more information.

Version 6.5 and later is required to perform Microsoft SQL Server application-aware protection. Also, file-level restore in the vSphere Client requires a minimum vCenter version 6.7 U1.

Any new virtual machine protection policies use Transparent Snapshot Data Mover (TSDM) as the default protection mechanism instead of VADP, provided that the vCenter/ESXi Server that hosts the virtual machines is a minimum version of 7.0 U3c and the policy options selected for the virtual machine crash-consistent protection policy are supported by TSDM.

VMware Tools Version 10 or later. Install VMware Tools on each virtual machine by using the vSphere Client. VMware Tools adds additional backup and recovery capabilities that quiesce certain processes on the guest operating system before backup.

Version 10.1 and later is required to perform Microsoft SQL Server application-aware protection.

PowerProtect DD System models and software

All models of PowerProtect DD System in production are supported.

DD Operating System (DDOS) version 6.2 or later and the PowerProtect DD Management Center (DDMC).

Make note of the hosts writing backups to your DD systems.

Web browser Google Chrome. The latest version of the Google Chrome browser is recommended to access the PowerProtect Data Manager user interface.

Scalability limits for vCenter server, VM Direct Engine, and DD systems

The following limits have been tested successfully with PowerProtect Data Manager for vCenter server, VM Direct Engine, and DD systems.

NOTE: These numbers are not maximum or hard limits, but should be considered when scaling your environment.

Table 27. Scalability limits

| Component | Tested limits |
| --- | --- |
| Number of vCenter servers supported with a single PowerProtect Data Manager server | 12 NOTE: The vCenter server limit is subject to the VM Direct Engine overall limit of 40 and the per vCenter server limit of 25. For example, using the maximum tested number of vCenter servers of 12, you could add an average of 3 VM Direct Engines per vCenter server. |
| Number of external VM Direct Engines supported with a single PowerProtect Data Manager server | 40 NOTE: This number was tested across 10 vCenter servers. For example, 4 VM Direct Engines per vCenter server. |
| Number of DD systems supported per PowerProtect Data Manager server | 10 |
| Network latency between the PowerProtect Data Manager server and VM Direct Engines | 200 ms |
| Network latency between the PowerProtect Data Manager server and the DD systems | 200 ms |
| Number of virtual machines per PowerProtect Data Manager server | 10,000 |

PowerProtect Data Manager resource requirements in a VMware environment

Review the following minimum system requirements for PowerProtect Data Manager in a VMware environment (ESXi server).

CPU: 10 CPU cores

Memory: 24 GB RAM for PowerProtect Data Manager

Seven disks with the following capacities:

Disk 1: 100 GB

Disk 2: 500 GB

Disks 3 and 4: 10 GB each

Disks 5 through 7: 5 GB each

1 GB network interface card (NIC)

NOTE: If you plan to use Cloud DR, your system must also meet the following requirements:

CPU: 14 CPU cores

Memory: 28 GB

Best practices and additional considerations for the VM Direct Engine

Review the following information for recommendations and best practices when adding a VM Direct protection engine in PowerProtect Data Manager.

VM Direct Engine performance and scalability

The performance and scalability of the VM Direct Engine depends on several factors, including the number of vCenter servers and proxies and the number of concurrent virtual machine backups. The following table provides information on these scalability factors and maximum recommendations, in addition to concurrency recommendations for sessions created from backups using the VM Direct Engine.

The count of sessions is driven by the number of proxies and backups running through this server.

Table 28. Performance and scalability factors

Component Maximum limit Recommended count Notes

Number of concurrent NBD and Preferred Hot Add backups per ESXi host

48 Ensure that your network has a bandwidth of 10 Gbps or higher. VMware uses Network File Copy (NFC) protocol to read VMDK using NBD transport mode. You need one VMware NFC connection for each VMDK file being backed up. The VMware Documentation provides more information on vCenter NFC session connection limits.

Concurrent VMDK backups per vCenter server

180 Can be achieved with a combination of the number of proxies multiplied by the number of configured Hot Add sessions per VM Direct Engine.

Number of proxies per vCenter server

25 7 A limit of 25 concurrent backup and recovery sessions.

Number of files and directories per file-level restore

200,000 File-level restores are recommended for quickly restoring a small set of files. Image-level or VMDK-level restores are optimized and recommended for restoring a large set of files and folders.

When you reach the limit for concurrent backup sessions, a warning message displays. The remaining sessions will be queued. You can adjust the session limits by modifying the MAX_VC_BACKUP_SESSIONS and MAX_NBD_BACKUP_SESSIONS variables in the environment file, according to the recommendations. The Knowledge Base article 543253 at https://support.emc.com/kb/543253 provides more information.

Table 29. Proxy session limits by proxy type

| Component | Total number of sessions (backup and recovery) maximum | Notes |
| --- | --- | --- |
| Added (External) VM Direct Engine | 25 | |
| Embedded VM Direct engine NOTE: The embedded VM Direct engine is pre-bundled with the PowerProtect Data Manager software. | 4 | The embedded VM Direct engine is only used as a fallback when all other proxies are disabled or in Failed state. |

Transport mode considerations

Review the following information for recommendations and best practices when selecting a transport mode to use for virtual machine data protection operations and Tanzu Kubernetes guest cluster protection in PowerProtect Data Manager.

Hot Add transport mode recommended for large workloads

For workloads where full backups of large virtual machines or backups of virtual machines with a high data change rate are being performed, Hot Add transport mode provides improved performance over other modes. With Hot Add transport mode, a VM Direct Engine must be deployed on the same ESXi host or cluster that hosts the production virtual machines. During data protection operations, a VM Direct Engine capable of performing Hot Add backups is recommended. The following selection criteria are used during data protection operations:

If a VM Direct Engine is configured in Hot Add only mode, then this engine is used to perform Hot Add virtual machine backups. If one or more virtual machines are busy, then the backup is queued until the virtual machine is available.

If a virtual machine is in a cluster where the VM Direct Engine is not configured in Hot Add mode, or the VM Direct Engine with Hot Add mode configured is disabled or in a failed state, then PowerProtect Data Manager selects a VM Direct Engine within the cluster that can perform data protection operations in NBD mode. Any VM Direct Engine with Hot Add mode configured that is not in the cluster is not used.

Any VM Direct Engine that is configured in NBD only mode, or in Hot Add mode with failback to NBD, is used to perform NBD virtual machine backups. If every VM Direct Engine that is configured in NBD mode is busy, then the backup is queued until one of these engines is available.

If there is no VM Direct Engine that is configured in NBD mode, or the VM Direct Engine with NBD mode configured is disabled or in a failed state, then the PowerProtect Data Manager embedded VM Direct engine is used to perform the NBD backup.

Other transport mode recommendations

Review the following additional transport mode recommendations:

Use Hot Add mode for faster backups and restores and less exposure to network routing, firewall, and SSL certificate issues. To support Hot Add mode, deploy the VM Direct Engine on an ESXi host that has a path to the storage that holds the target virtual disks for backup.

NOTE: Hot Add mode requires VMware hardware version 7 or later. Ensure all virtual machines that you want to back up are using Virtual Machine hardware version 7 or later.

In order for backup and recovery operations to use Hot Add mode on a VMware Virtual Volume (vVol) datastore, the VM Direct proxy should reside on the same vVol as the virtual machine.

If you have vFlash-enabled disks and are using Hot Add transport mode, ensure that you configure the vFlash resource for the VM Direct host with sufficient resources (greater than or equal to the virtual machine resources), or migrate the VM Direct Engine to a host with vFlash already configured. Otherwise, backup of any vFlash-enabled disks fails with the error VDDK Error: 13: You do not have access rights to this file and the error on the vCenter server The available virtual flash resource '0' MB ('0' bytes) is not sufficient for the requested operation.

For sites that contain many virtual machines that do not support Hot Add requirements, Network Block Device (NBD) transport mode is used. This mode can cause congestion on the ESXi host management network. Plan your backup network carefully for large scale NBD installs. For example, consider configuring one of the following options:

Setting up Management network redundancy.

Setting up backup network to ESXi for NBD.

Setting up storage heartbeats.

See https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/techpaper/vmw-vsphere-high-availability-whitepaper.pdf for more information.

If performing NBD backups, ensure that your network has a bandwidth of 10 Gbps or higher.

Change the limit of instant access sessions

For DDOS versions 6.2 and higher, PowerProtect Data Manager uses the limit that the DD storage appliance reports, and manages concurrent instant access sessions based on the reported limit.

You can change the limit by modifying a configuration file to override the default value. Note that sessions that exceed the maximum concurrent sessions that are supported are canceled and retried. To change the number of concurrent sessions manually to match the capability of the underlying storage appliance, perform the following steps.

1. Log in to the PowerProtect Data Manager UI as a user with the Administrator role.

2. If not already created, create an application.yml file in the /usr/local/brs/lib/vmdm/config/ directory.

NOTE: The structure of this file requires that you separate fields into individual categories and subcategories, as shown in the following step.

3. In the application.yml file, change the instant access session parameter value to override the default value. For example:

recovery:
  queue:
    ia_session_allowance: 32

4. Run vmdm stop and then vmdm start to restart the vmdm service.

NOTE: Ensure that no other virtual machine operations are running, such as protection and recovery.

Configuring a backup to support vSAN datastores

Backup and recovery functionality is supported for vSAN virtual machines.

When performing backups or restores of virtual machines residing on vSAN datastores, it is highly recommended to deploy the VM Direct appliance on a vSAN datastore. A VM Direct appliance deployed on any one vSAN datastore can be used for backing up virtual machines from other vSAN or non-vSAN datastores by using Hot Add or nbdssl transport modes, as applicable.

Configuration checklist for common issues

The following configuration checklist provides best practices and troubleshooting tips that might help resolve some common issues.

Basic configuration

Review the following basic configuration requirements:

Synchronize system time between all vCenter and ESXi servers.

Assign IPs carefully; do not reuse any IP addresses.

Use Fully Qualified Domain Names (FQDNs) where possible.

For any network related issue, confirm that forward and reverse DNS lookups work for each host in the datazone.

Virtual machine configuration

Review the following virtual machine configuration requirements:

Ensure that the virtual machine has access to and name resolution for the protection storage.

Ensure that the virtual machine firewall has port rules for the protection storage.

For application-aware backups, ensure that Microsoft SQL Server instances are enabled for data protection using a SYSTEM account, as described in the section "Microsoft application agent for SQL Server application-aware protection" of the PowerProtect Data Manager Microsoft SQL Server User Guide.

Disable vCenter SSL certificate validation

If the vCenter server's SSL certificate cannot be trusted automatically, a dialog box appears when adding the vCenter server as an asset source in the PowerProtect Data Manager user interface, requesting certificate approval. It is highly recommended that you do not disable certificate enforcement.

If disabling SSL certificate validation is required, you can perform the following procedure.

CAUTION: These steps should only be performed if you are very familiar with certificate handling and the issues that can arise from disabling a certificate.

1. Create a file named cbs_vmware_connection.properties in the /home/admin directory on the PowerProtect Data Manager appliance, with the following contents:

cbs.vmware_connection.ignore_vcenter_certificate=true

2. If not already created, create an application.yml file in the /usr/local/brs/lib/vmdm/config/ directory.

NOTE: The structure of this file requires that you separate fields into individual categories and subcategories, as shown in the following step.

3. In the application.yml file, add the following contents:

vmware_connection:
  ignore_vcenter_cert: true

discovery:
  ignore_vcenter_cert: true

4. Run cbs stop to stop the cbs service, and then cbs start to restart the service.

5. Run vmdm stop to stop the vmdm service, and then vmdm start to restart the service.

6. If the SSL certificate uses an FQDN, perform a test to determine if SSL certificate disabling was successful by adding a vCenter server using the vCenter server's IP address, and then verify that the asset source was added and virtual machine discovery was successful.
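To find appliances where this override is still in effect, the following audit script is an added example; it is not part of the Dell guide or of PowerProtect Data Manager tooling. It assumes the two file locations and key names given in the steps above and the nested application.yml layout shown there; the function names and sample files are hypothetical.

```shell
#!/bin/sh
# Added example: report whether vCenter certificate validation has been
# disabled on a PowerProtect Data Manager appliance. File paths and keys
# are the ones named in the procedure; function names are hypothetical.

CBS_PROPS="${CBS_PROPS:-/home/admin/cbs_vmware_connection.properties}"
VMDM_YAML="${VMDM_YAML:-/usr/local/brs/lib/vmdm/config/application.yml}"

# props_override_enabled FILE
# Succeeds if an uncommented line sets the cbs ignore flag to true.
props_override_enabled() {
    [ -r "$1" ] || return 1
    grep -Eiq '^[[:space:]]*cbs\.vmware_connection\.ignore_vcenter_certificate[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$1"
}

# yaml_overrides FILE
# Prints the name of each top-level section (for example vmware_connection
# or discovery) that contains "ignore_vcenter_cert: true". This is a small
# indentation-based reader for the simple layout in the guide, not a full
# YAML parser.
yaml_overrides() {
    [ -r "$1" ] || return 0
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*$/ { next }
        /^[^ \t#][^:]*:/ { section = $0; sub(/:.*/, "", section); next }
        /^[ \t]+ignore_vcenter_cert[ \t]*:[ \t]*(true|True|TRUE)[ \t]*(#.*)?$/ { print section }
    ' "$1"
}

# count_cert_overrides [PROPS_FILE] [YAML_FILE]
# Prints the number of places where certificate validation is disabled.
count_cert_overrides() {
    props_file="${1:-$CBS_PROPS}"
    yaml_file="${2:-$VMDM_YAML}"
    total=0
    if props_override_enabled "$props_file"; then total=1; fi
    yaml_hits=$(yaml_overrides "$yaml_file" | wc -l)
    echo $((total + $yaml_hits))
}

# report_cert_overrides [PROPS_FILE] [YAML_FILE]
# Prints one FINDING line per override and a closing total.
report_cert_overrides() {
    if props_override_enabled "${1:-$CBS_PROPS}"; then
        echo "FINDING ${1:-$CBS_PROPS}: cbs ignores the vCenter certificate"
    fi
    yaml_overrides "${2:-$VMDM_YAML}" | while IFS= read -r section; do
        echo "FINDING ${2:-$VMDM_YAML}: section '$section' sets ignore_vcenter_cert: true"
    done
    echo "overrides found: $(count_cert_overrides "$1" "$2")"
}

# Constructed sample files (not taken from a real appliance) so that the
# audit runs offline. On an appliance, call report_cert_overrides with no
# arguments to read the default locations.
demo_dir=$(mktemp -d)
printf '%s\n' 'cbs.vmware_connection.ignore_vcenter_certificate=true' \
    > "$demo_dir/cbs_vmware_connection.properties"
printf '%s\n' 'vmware_connection:' '  ignore_vcenter_cert: true' '' \
    'discovery:' '  ignore_vcenter_cert: false' > "$demo_dir/application.yml"
report_cert_overrides "$demo_dir/cbs_vmware_connection.properties" "$demo_dir/application.yml"
rm -rf "$demo_dir"
```

A result of 0 means neither file disables validation; any other value identifies settings to revert, followed by the cbs and vmdm restarts described in steps 4 and 5.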

Dell EMC vProxy Agent for virtual-machine file-level restore

The Dell EMC vProxy Agent, previously known as the FLR Agent, is required for file-level restore operations and is installed automatically on the target virtual machine when you start the restore and provide the virtual machine credentials.

NOTE: The most up-to-date software compatibility information for PowerProtect Data Manager is provided in the E-Lab Navigator.

Dell EMC vProxy Agent installation on Linux virtual machines

The Dell EMC vProxy Agent installation on Linux virtual machines requires the root account, or that the user is in the local sudousers list of the operating system. If you provide any other user credentials for the target virtual machine, the Dell EMC vProxy Agent installation fails, even if this user has privileges similar to a root user.

To allow a non-root user or group to perform the Dell EMC vProxy Agent installation:

1. Provide sudo access to the following files at a minimum:

RPM command (SLES, Red Hat Enterprise Linux, CentOS) and dpkg command (Debian/Ubuntu)

/opt/emc/vproxyra/bin/postinstall.sh

/opt/emc/vproxyra/bin/preremove.sh

Note the following additional requirements:

The sudo user or group must be configured for no password prompt.

The sudo user or group must be provided with the no requiretty option.

When user elevation is enabled for file-level restore:

To browse files, you must have the appropriate authority in the guest virtual-machine operating system. For example, you must be permitted to run vflrbrowse using sudo without being prompted for a password.

To perform the restore, the user account must have the appropriate authority. For example, this account requires sudo access and must be able to run vflrcopy without being prompted for a password.

NOTE: If the Run with Elevated Privileges file-level restore is unsuccessful, an error displays indicating Unable to perform FLR Agent operation 'recover_files' on VM virtual machine name. This might occur when a typographical error has been made in the sudo commands. To determine if this has occurred, review the log file output for the following text:

sudo: a password is required
/etc/sudoers.d/admin: syntax error near line 1
sudo: no valid sudoers sources found, quitting

It is recommended that you test the sudo command before performing a file-level restore in order to resolve any potential errors.

2. On the Linux system, create the file /etc/sudoers.d/linuxuser, where linuxuser is the Linux login user, and then add the following contents to this file.

On CentOS, Red Hat, SuSE, OpenSuSE, and Oracle Linux platforms:

username ALL=NOPASSWD: /usr/bin/sudo, /usr/bin/rpm, /opt/emc/vproxyra/bin/postinstall.sh, /opt/emc/vproxyra/bin/preremove.sh, /opt/emc/vproxyra/bin/vflrbrowse, /opt/emc/vproxyra/bin/vflrcopy
Defaults:username !requiretty

NOTE: On SuSE 12, the location is /bin/rpm instead of /usr/bin/rpm.

On Ubuntu platforms:

username ALL=NOPASSWD: /usr/bin/sudo, /usr/bin/dpkg, /opt/emc/vproxyra/bin/postinstall.sh, /opt/emc/vproxyra/bin/preremove.sh, /opt/emc/vproxyra/bin/vflrbrowse, /opt/emc/vproxyra/bin/vflrcopy
Defaults:username !requiretty

Once you complete the Dell EMC vProxy Agent installation on the target virtual machine using the root user account or a sudouser with the minimum file access requirements, you can perform file-level restore operations as a non-root user on supported Linux platforms. To determine which Linux platforms are supported, review the compatibility information at E-Lab Navigator.
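Because a mistyped sudoers entry surfaces only as a failed restore, the following pre-check is an added example (not Dell's code) that compares a drop-in file with the entries listed in step 2. The function names and the constructed sample file are assumptions; the optional third argument selects the package tool, for example /usr/bin/dpkg on Ubuntu or /bin/rpm on SuSE 12.

```shell
#!/bin/sh
# Added example: verify a sudoers drop-in for the vProxy Agent entries that
# the guide lists, before starting a file-level restore. Function names are
# hypothetical; the command paths are the ones given in the guide.

AGENT_CMDS="/opt/emc/vproxyra/bin/postinstall.sh /opt/emc/vproxyra/bin/preremove.sh /opt/emc/vproxyra/bin/vflrbrowse /opt/emc/vproxyra/bin/vflrcopy"

# granted_cmds FILE USER
# Prints, one per line, the commands that USER may run with NOPASSWD.
granted_cmds() {
    awk -v user="$2" '
        $1 == user && /NOPASSWD:/ {
            sub(/^.*NOPASSWD:[ \t]*/, "")
            n = split($0, cmds, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", cmds[i])
                print cmds[i]
            }
        }' "$1"
}

# check_flr_sudoers FILE USER [PKGTOOL]
# Prints one line per problem and fails if any entry is missing or mistyped.
check_flr_sudoers() {
    sudoers_file="$1"
    sudo_user="$2"
    pkgtool="${3:-/usr/bin/rpm}"
    problems=0
    granted=$(granted_cmds "$sudoers_file" "$sudo_user")
    for cmd in /usr/bin/sudo "$pkgtool" $AGENT_CMDS; do
        # Exact whole-line match, so a path broken by a stray space fails.
        if ! printf '%s\n' "$granted" | grep -Fxq -- "$cmd"; then
            echo "not granted with NOPASSWD (missing or mistyped): $cmd"
            problems=$((problems + 1))
        fi
    done
    if ! awk -v user="$sudo_user" '
            $1 == ("Defaults:" user) && $2 == "!requiretty" { ok = 1 }
            END { exit !ok }' "$sudoers_file"; then
        echo "missing line: Defaults:$sudo_user !requiretty"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# visudo_syntax_ok FILE
# Runs the sudo parser in check-only mode when visudo is installed.
visudo_syntax_ok() {
    command -v visudo >/dev/null 2>&1 || {
        echo "visudo not found, syntax check skipped"
        return 0
    }
    visudo -cf "$1" >/dev/null 2>&1
}

# Constructed sample drop-in (not from a real system): one path contains a
# stray space and the Defaults line is absent, so two problems are reported.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
linuxuser ALL=NOPASSWD: /usr/bin/sudo, /usr/bin/rpm, /opt/emc/ vproxyra/bin/postinstall.sh, /opt/emc/vproxyra/bin/preremove.sh, /opt/emc/vproxyra/bin/vflrbrowse, /opt/emc/vproxyra/bin/vflrcopy
EOF
if check_flr_sudoers "$demo_file" linuxuser; then
    echo "entries match the guide"
else
    echo "correct the entries above before starting a restore"
fi
visudo_syntax_ok "$demo_file" || echo "visudo reports a syntax error"
rm -f "$demo_file"
```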

Dell EMC vProxy Agent installation on Windows virtual machines

Dell EMC vProxy Agent installation on Windows virtual machines requires that you use administrative privileges. If the provided credentials for the target virtual machine do not have administrative privileges, the Dell EMC vProxy Agent installation fails.

On Windows, to perform a file-level restore using a non-administrator user, ensure that the Dell EMC vProxy Agent is already installed on the target machine using administrative privileges. Otherwise, ensure that an administrative user is specified, and click OK.

Installation of the Dell EMC vProxy Agent on User Account Control (UAC) enabled Windows virtual machine requires you to either provide the credentials of the administrator user, or to disable UAC during the Dell EMC vProxy Agent installation and then re-enable upon completion.

On Windows versions 8, 10, and 11, the administrator account is disabled by default. To enable the account, complete the following steps:

1. To activate the account, open a command prompt in administrative mode, and then type net user administrator /active:yes.

2. To set a password for the administrator account, go to Control Panel > User Accounts and select the Advanced tab. Initially, the account password is blank.

3. In the User Accounts pane, right-click the user and select Properties, and then clear the Account is disabled option.

To disable UAC during the Dell EMC vProxy Agent installation and then re-enable on completion of the installation, complete the following steps:

1. Initiate a file-level restore to launch the Dell EMC vProxy Agent installation window. The Dell EMC vProxy Agent installation is automatically started during a mount operation if it is not already installed on the destination virtual machine.

2. In the Dell EMC vProxy Agent installation window, select the Keep VM Direct FLR on target virtual machine option.

3. Open regedit and change the EnableLUA registry key value at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System to 0x00000000. By default, this is set to 1.

4. Proceed with the Dell EMC vProxy Agent installation.

5. Open regedit and reset the EnableLUA registry key to the previous value to re-enable UAC.

Uninstalling the Dell EMC vProxy Agent

If you no longer require the Dell EMC vProxy Agent on the target virtual machine, the agent must be properly uninstalled. If you manually delete Dell EMC vProxy Agent files instead of uninstalling the agent, and at some point reinstall the agent, subsequent mount attempts to perform restores will fail.

To uninstall the Dell EMC vProxy Agent on Linux:

1. Execute the following command: /opt/emc/vproxyra/bin/preremove.sh.

2. Uninstall the Dell EMC vProxy Agent package by running rpm -e emc-vProxy-FLRAgent.

3. If the uninstall fails due to a broken installation or other issue, you can force removal of the package by running rpm -e --force emc-vProxy-FLRAgent.

To uninstall the Dell EMC vProxy Agent on Windows:

1. Select Control Panel > Programs > Programs and Features.

2. Locate Dell EMC vProxy Agent.

3. Right-click the program and select Uninstall.

Updating the Microsoft Application Agent and Dell EMC vProxy Agent software

The Microsoft Application Agent and Dell EMC vProxy Agent software required to perform SQL application-aware data protection and file-level restore operations will be automatically updated on the target virtual machine by the VM Direct appliance during the file-level restore operation. The VM Direct appliance detects the available software on the client and updates the Agent software with the new version of software from its repository. If the update does not occur automatically, contact a Dell EMC Customer Support representative for a procedure to update the VM Direct software repository with the latest version of the Agent software packages.

FLR-supported platform and OS versions for virtual machine restores

File-level restore is supported for the following platforms and operating system versions only.

Platforms/operating systems are qualified for file-level restore support using the default file system for these platforms:

NOTE: The most up-to-date software compatibility information for PowerProtect Data Manager is provided in the E-Lab Navigator.

RedHat Enterprise Linux versions 7.x and 8.x

SuSE Linux Enterprise Server versions 11.x and 12.x

Ubuntu version 17.10

Oracle Enterprise Linux version 7.2 and later

Windows 7, 8, 10, Server 2008, 2012, 2016 (all 64-bit platforms and R2, where applicable), 2019 for FAT and NTFS.

Ensure that the latest supported version of VMware Tools or open-vm-tools is installed on the guest operating system.

Support for Debian or Ubuntu operating system

vProxy file-level restore is supported on the Debian/Ubuntu operating system. To configure the Debian or Ubuntu guest operating system for file-level restore, perform the following steps.

About this task

NOTE: File-level restore is not supported on Debian ext4 file systems.

Steps

1. Log in to the system console as a non-root user.

2. Run the sudo passwd root command.

Enter the new password twice to set a password for the root account.

3. Run the sudo passwd -u root command to unlock the root account.

4. Specify the root user credentials in the Dell EMC Data Protection Restore Client and proceed to complete the file-level restore operation at least once.

While performing the file-level restore operation for the first time, remember to select Keep FLR agent.

5. After performing the above steps at least once, you can revert the root account to the locked state and use a non-root account for future file-level restore requests. A non-root user can lock the root account with the sudo passwd -l root command.

Operating system utilities required for file-level restore

On Linux and Windows, the installed operating system must include several standard utilities in order to use file-level restore. Depending on the target operating system for restore and the types of disks or file systems in use, some of these standard utilities, however, may not be included.

The following utilities and programs may be required for performing file-level restore.

On Windows:

msiexec.exe

diskpart.exe

cmd.exe

On Linux:

blkid

udevadm

readlink

rpm

bash

NOTE: On Linux LVM, LVM2 rpm version 2.02.117 or later is required. Also, additional binaries required on Linux LVM include dmsetup, lvm, and vgimportclone.

File-level restore and SQL restore troubleshooting and limitations

This section provides a list of requirements and limitations that apply to file-level restores and individual SQL database and instance restores.

Consider the following:

Ensure that the target virtual machine's SCSI Controller 0, SCSI(0:0) slot is not empty by attaching the slot to a virtual disk. Otherwise, the file-level restore is unable to mount the disks from the backup copy.

Ensure that the virtual machine has enough free slots to accommodate the disks that will be mounted as part of the restore. The total number of supported disks is 60 (4 SCSI controllers with 15 disks each).

Windows 2012 R2 and earlier versions do not support paths longer than 255 characters. To reduce the number of characters in the restore path, you might be required to remove the Windows drive letter, the colon, the slash, and the trailing null character. Since the Windows Dell EMC vProxy Agent mount point already uses around 90 characters, you might need to select a folder at a higher directory level for the restore.


For Windows 2016 and later, an option to enable support for longer file paths is available. See the following article.

When performing a file-level restore, VMDKs fail to mount with the following error if the Dell EMC vProxy Agent service is not running on the target virtual machine: "Cannot connect to vProxy Agent: dial tcp <127.0.0.1: : connectex: No connection could be made because the target machine actively refused it."

When a file-level restore or SQL-restore operation is in progress on a virtual machine, no other backup or recovery operation can be performed on this virtual machine. Wait until the file-level restore session completes before starting any other operation on the virtual machine.

Clean up from a suspended or cancelled mount operation requires a restart of the virtual machine before you can initiate a new mount for the file-level restore.

When you enable Admin Approval Mode (AAM) on the operating system for a virtual machine (for example, by setting Registry/FilterAdministratorToken to 1), the administrator user cannot perform a file-level restore to the end user's profile, and an error displays indicating "Unable to browse destination." For any user account control (UAC) interactions, the administrator must wait for the mount operation to complete, and then access the backup folders located at C:\Program Files (x86)\EMC\vProxy FLR Agent\flr\mountpoints by logging into the guest virtual machine using Windows Explorer or a command prompt.

When you perform file-level restore on Windows 2012 R2 virtual machines, the volumes listed under the virtual machine display as "unknown." File-restore operations are not impacted by this issue.

When you perform file-level restore on Ubuntu/Debian platforms, you must enable the root account in the operating system. By default, the root account will be in locked state.

You can only restore files and/or folders from a Windows backup to a Windows machine, or from a Linux backup to a Linux machine.

You must install VMware Tools version 10 or later. For best results, ensure that all virtual machines run the latest available version of VMware Tools. Older versions are known to cause failures when you perform browse actions during file-level restore or SQL restore operations.

You can perform file-level restores across vCenter servers as long as the vCenters are configured in PowerProtect Data Manager, and the source and target virtual machine have the same guest operating system. For example, Linux to Linux, or Windows to Windows.

File-level restores do not support the following virtual disk configurations:

LVM thin provisioning

Unformatted disks

FAT16 file systems

FAT32 file systems

Extended partitions (Types: 05h, 0Fh, 85h, C5h, D5h)

Two or more virtual disks mapped to single partition

Encrypted partitions

Compressed partitions

File-level restores of virtual machines with Windows dynamic disks are supported with the following limitations:

The restore can only be performed when recovering to a virtual machine different from the original. Also, this virtual machine cannot be a clone of the original.

The restore can only be performed by virtual machine administrator users.

If Windows virtual machines were created by cloning or deploying the same template, then all of these Windows virtual machines may end up using the same GUID on their dynamic volumes.

File-level restores do not restore or browse symbolic links.

File-level restores of Windows 8, Windows Server 2012 and Windows Server 2016 virtual machines are not supported on the following file systems:

Deduplicated NTFS

Resilient File System (ReFS)

EFI bootloader

Virtual disk types supported

When planning your protection policies, ensure that PowerProtect Data Manager supports the disk types that you use in the environment.

PowerProtect Data Manager does not support the following disk types:

First Class Disks

Independent (persistent and nonpersistent)

RDM Independent - Virtual Compatibility Mode

RDM Physical Compatibility Mode

Additionally, Dell EMC recommends that you avoid deploying VMs with IDE virtual disks, which degrade backup performance. Use SCSI virtual disks instead whenever possible. Note that you cannot use Hot Add mode with IDE virtual disks. Backup of IDE virtual disks is performed using NBD mode.

Virtual machine data change rate

The data change rate is the percentage of a virtual machine's data that changes between backups.

Data change rates directly impact the number of VM Direct Engines required to successfully complete the backup of all required virtual machines within the backup window. A daily data change rate of 3-4% is typical in a vSphere environment. Higher data change rates will require either a longer window to complete the backup, additional VM Direct Engines, or both.

VM Direct Engine data ingestion rate

The VM Direct Engine data ingestion rate is another parameter that directly impacts the number of VM Direct Engines required to successfully complete the backup of all required virtual machines within the backup window.

By default, each VM Direct Engine processes approximately 500 GB to 1 TB of data per hour, subject to the deduplication and read throughput on the primary stack. A number of additional factors, however, can impact the actual data ingestion rate, including the following:

The protection storage system being used for data protection operations.

The type of storage media used for VM Direct Engine storage.

Your network and/or SAN infrastructure and connectivity speed.

If data ingestion rates at your site are typically lower or higher than 500 GB per hour, you can add or delete VM Direct Engines as needed. You can also shorten or lengthen the backup window. By default, each VM Direct Engine is configured to handle the optimal number of concurrent VMDK backup jobs. Configuring each VM Direct Engine to allow fewer concurrent backup jobs would typically require deploying additional VM Direct Engines, but can result in more evenly distributed backup jobs among each VM Direct Engine.

Full (Level-0) backups typically take longer and consume more VM Direct Engine resources. Therefore, large new virtual machine deployments can impact the ability to complete all required backups within the time specified for the backup window. In order to allow the system to perform these full backups without interruption, where possible ensure that you implement a phased approach for large new virtual machine deployments. If a phased deployment is not possible, and the full backups do not complete before timeout of the backup window, you can also enable automatic retry of failed backups. For instructions, see the PowerProtect Data Manager Administration and User Guide. It is recommended that an administrator user monitor such workloads to ensure that the system can handle these workloads when the demand on resources begins to decrease, and that the virtual machine backups then complete successfully.

VM Direct Engine limitations and unsupported features

Review the following limitations and unsupported features related to the VM Direct Engine.

Backup of individual folders within a virtual machine is not supported

PowerProtect Data Manager only supports image-level backup and disk-level backup. You cannot perform backups of individual folders within the virtual machine.

Backups fail for resource pools recreated with the same name as deleted pool

When you delete a resource pool from a vCenter server and then create a resource pool with the same name, backups fail. Reconfigure the protection group with the newly created resource pool.


Datastore names cannot contain special characters

Using special characters in datastore names can cause problems with the VM Direct Engine, such as failed backups and restores. Special characters include the following: % & * $ # @ ! \ / : * ? " < > | ;, and so on.

DD Boost over fibre channel not supported

PowerProtect Data Manager does not support DD Boost over fibre channel (DFC).

Error when changing configuration of many virtual machines at the same time

When configuring or unconfiguring many virtual machines (300 or more) in a protection policy, an error message might display indicating that the request is too large. You can click OK and proceed, but system performance will be impacted due to the size of the request. As a best practice, it is recommended to use protection rules to automatically determine which assets are assigned to protection policies when the assets are discovered.

Hot Add backups fail when datacenter names contain special characters

Virtual machine backups fail when the datacenter name contains special characters and the transport mode specified for VM Direct backups is Hot Add only. Avoid using special characters in the datacenter name, for example, "Datacenter_#2@3", or specify Hotadd with fallback to Network Block Device for the transport mode.

Hot Add backups fail when virtual machine protection policy configured with Virtual Flash Read Cache value

When using Hot Add transport mode for a virtual machine protection policy, the backup fails with the following error if configured with the Virtual Flash Read Cache (vFRC) value:

"Backup has FAILED. Failed to backup virtual disk \"Hard disk \". Failed to initialize Block Reader. Failed to open source VMDK \ / \": VDDK Error: 13: You do not have access rights to this file. (500)".

I/O contention when all Virtual Machines on a single data store

I/O contention may occur during snapshot creation and backup read operations when all Virtual Machines reside on a single datastore.

Limitations to SQL Server application consistent data protection

Review the SQL Server application-consistent protection support limitations in the section "Microsoft application agent for SQL Server application-aware protection" of the PowerProtect Data Manager Microsoft SQL Server User Guide.

Network configuration settings are not restored with virtual machine after recovery of a vApp backup

Network configuration settings are not backed up with the virtual machine as part of a vApp backup. As a result, when you restore a vApp backup, you must manually reconfigure the network settings.


NFC log level settings

To assist with I/O performance analysis, set the NFC log level in the VM Direct proxy configuration file to its highest value, for example, vixDiskLib.nfc.LogLevel=4. Setting the log level in the server for NFC asynchronous I/O is not required. You can then run the VDDK sample code and evaluate I/O performance by examining the vddk.log and the vpxa log file.

NOTE: Virtual Machines with very high I/O might stall during consolidation due to the ESXi forced operation called synchronous consolidate. Plan your backups of such Virtual Machines according to the amount of workload on the Virtual Machine.

Protection fails for virtual machine name containing { or }

A PowerProtect Data Manager virtual machine protection policy fails to back up virtual machines that contain the special characters { or } in the name. This limitation exists with vSphere versions previous to 6.7. If you do not have vSphere 6.7 or later deployed, avoid using these two characters in virtual machine names.

SAN transport mode not supported

PowerProtect Data Manager supports only the Hot Add and NBD transport modes. The Hot Add mode is the default transport mode. For a protection policy, you can specify to use only Hot Add mode, only NBD mode, or Hot Add mode with fallback to NBD if Hot Add is not available.

Specify NBD for datastores if VM Direct should use NBD mode only

For a VM Direct Engine that will only use NBD transport mode, you must also specify the datastores for which you want the proxy to perform only NBD backups to ensure that any backups of virtual machines running on these datastores are always performed using NBD mode. This also ensures that the same NBD-only proxies are never used for backups of virtual machines residing on any other datastores.

Thin provisioning not preserved during NFS datastore recovery

When backing up thin-provisioned virtual machines or disks for virtual machines on NFS datastores, an NFS datastore recovery does not preserve thin provisioning. VMware knowledge base article 2137818 at https://kb.vmware.com/kb/2137818 provides more information.

Virtual machine alert "VM MAC conflict" may appear after successful recovery of virtual machine

After performing a successful recovery of a virtual machine through vCenter version 6, an alert may appear indicating a "VM MAC conflict" for the recovered virtual machine, even though the new virtual machine will have a different and unique MAC address. You must manually acknowledge the alert or clear the alert after resolving the MAC address conflict. Note that this alert can be triggered even when the MAC address conflict is resolved.

The VMware release notes at https://docs.vmware.com/en/VMware-vSphere/6.0/rn/vsphere-vcenter-server-60u2-release-notes.html provide more information.

VM Direct Engine configuration settings cannot be modified after adding the VM Direct Engine

After adding a VM Direct Engine, the only field you can modify is the Transport Mode. Any other configuration changes require you to delete and then re-add the VM Direct Engine. Additional VM Direct actions on page 28 provides more information.


VM Direct Engine configured with dual stack is not supported

The VM Direct Engine does not support dual stack (IPv4 and IPv6) addressing. If you want to run backups and restores using the VM Direct Engine, use IPv4 only addressing.

VMware Distributed Resource Scheduler cluster support limitations

The PowerProtect Data Manager server is supported in a VMware Distributed Resource Scheduler (DRS) cluster, with the following considerations:

During backup of a virtual machine, host-vmotion or storage-vmotion is not permitted on the virtual machine. The option to migrate will be disabled in the vSphere Client UI.

If the VM Direct proxy is in use for a backup or restore with Hot Add disks attached, then storage-vmotion of the vProxy is not permitted during these operations.

VMware limitations by vSphere version

VMware limitations for vSphere 6.0 and later versions are available at https://configmax.vmware.com/home. For vSphere 5.5, go to https://www.vmware.com/pdf/vsphere5/r55/vsphere-55-configuration-maximums.pdf.

VMware snapshot for backup is not supported for independent disks

When using independent disks you cannot perform VMware snapshot for backup.

VM Direct Engine selection with virtual networks (VLANs)

PowerProtect Data Manager typically selects a VM Direct Engine by accounting for availability, transport mode settings, and engine load. This selection optimizes data throughput.

When you configure virtual networks for PowerProtect Data Manager and VM Direct Engine to isolate backup traffic, you can define routes to the protection storage system interface for each virtual network. The routes that you configure can influence VM Direct Engine selection. PowerProtect Data Manager ensures that the selected engine has a network interface that can send traffic for a specific virtual network to the protection storage system.

The PowerProtect Data Manager Administration and User Guide provides more information about virtual networks, including prerequisites and supported topologies and traffic types that can influence selection.

Deploying VM Direct appliance to datastore cluster unsupported

VM Direct appliance deployment to a datastore cluster is not supported. The deployment fails with a ServerFaultCode error.

Best practices for vCenter server backup and restore

Review the following recommendations and best practices when planning a vCenter server backup and restore.

NOTE: Backups will not save distributed switch configurations.

It is recommended to schedule the backup of the vCenter server when the load on the vCenter server is low, such as during off-hours, to minimize the impact of vCenter virtual machine snapshot creation and snapshot commit processing overhead.

Ensure that there are no underlying storage problems that might result in long stun times.

Keep the vCenter virtual machine and all of its component virtual machines in one single isolated protection policy. The protection policy should not be shared with any other virtual machines. This is to ensure that the backup times of all vCenter server component virtual machines are as close to each other as possible.

Ensure that the backup start time of the vCenter server does not overlap with any operations for other protected virtual machines being managed by this vCenter server so that there is no impact on other protected virtual machines during snapshot creation and snapshot commit of the vCenter virtual machine.


If the vCenter server and Platform Services Controller instances fail at the same time, you must first restore the Platform Services Controller and then the vCenter server instances.

Changing the vCenter server FQDN

If you change the fully qualified domain name (FQDN) of the vCenter server, PowerProtect Data Manager must be reconfigured to accommodate this change without any issues.

When the FQDN of the vCenter server changes, so does its SSL certificate. In order to continue to administer the vCenter server and maintain uninterrupted protection of its assets, the new certificate must be imported into the PowerProtect Data Manager trust store.

Change the vCenter server FQDN

When the FQDN of the vCenter server changes, its new SSL certificate must be imported into the PowerProtect Data Manager trust store.

About this task

This procedure uses REST API commands that are run on the PowerProtect Data Manager server.

NOTE: In the following steps, replace 192.168.1.204 with the IP address of the PowerProtect Data Manager server and a022-renamed-ppdm.vmware.com with the new FQDN of the vCenter server.

Steps

1. Get the current information from the vCenter server, and make a note of the value of id, which corresponds to the new FQDN certificate:

GET https://192.168.1.204:8443/api/v2/certificates?host=a022-renamed.ppdm.vmware.com&port=443&type=Host

For example, the output might look like this:

fingerprint: "43FF8FBA82D1DD68E630AE9DB8BA7DF21549CE39"

host: " a022-renamed-ppdm.vmware.com"

id: "dmNlbnRlci12bWRtLTA0LmFzbC5sYWIuZW1jLmNvbTo0NDM6aG9zdA=="

issuerName: "OU=VMware Engineering, O= a022-renamed-ppdm.vmware.com, ST=California, C=US, DC=local, DC=vsphere, CN=CA"

notValidAfter: "Mon Mar 11 17:39:09 PDT 2030"

notValidBefore: "Mon Mar 16 17:39:09 PDT 2020"

port: "443"

state: "UNKNOWN"

subjectName: "C=US, CN=vcenter-vmdm-04.asl.lab.emc.com"

type: "HOST"

2. Import the new certificate into the PowerProtect Data Manager trust store:

PUT https://192.168.1.204:8443/api/v2/certificates/{newCertID}

Replace {newCertID} with the value of id displayed in step 1. Only use the text that was displayed between the quotation marks.

3. Get the ID of the vCenter server:

GET https://192.168.1.204:8443/api/v2/inventory-sources/

All vCenter servers that are configured in PowerProtect Data Manager are displayed.

For example, the output might look like this:

"id": "6ffdb6e9-b864-56f4-8ec8-fe1c214c6fef",

"name": "VC",

"version": "7.0.2",

"type": "VCENTER",


"lastDiscovered": "2021-08-10T07:03:41.624Z",

"lastDiscoveryResult": {

"status": "OK",

4. Record the new FQDN of the vCenter server in PowerProtect Data Manager:

PUT https://192.168.1.204:8443/api/v2/inventory-sources/{vCenter-id}

Replace {vCenter-id} with the value of id displayed for the vCenter server in step 3. Only use the text that was displayed between the quotation marks.

5. Get the current list of certificates:

GET https://192.168.1.204:8443/api/v2/certificates

Both the old and new FQDN certificates are displayed. There might also be additional certificates displayed.

6. Search the certificate entries displayed in step 5, and locate the entry where the value of host matches the old FQDN of the vCenter server. Make a note of the corresponding id value.

7. Delete the old certificate from PowerProtect Data Manager:

DELETE https://192.168.1.204:8443/api/v2/certificates/{oldCertID}

Replace {oldCertID} with the value of id noted in step 6. Only use the text that was displayed between the quotation marks.

Replacing security certificates

You can replace the default self-signed security certificates for the PowerProtect Data Manager user interface, or replace changed or expired security certificates on an external server.

The PowerProtect Data Manager Security Configuration Guide provides more information.

Replacing the self-signed security certificates

If you want to use certificates for the PowerProtect Data Manager user interface that are signed by a certificate authority (CA) of your choice, you can replace them.

The PowerProtect Data Manager Security Configuration Guide provides more information.

Replace expired or changed certificates on an external server

Use this procedure to replace expired or changed certificates on an external server. Only the Administrator role can replace certificates.

About this task

If a certificate on an external server has expired or been changed, connection to the server fails with the following error:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX

Perform the following steps using cURL or any REST API client, such as Postman.

Steps

1. Log in to the external server as an administrator:

POST https://server hostname:REST port number/api/v2/login

Provide the following request payload in JSON format:

{ "username": "username", "password": "password" }


where username is a user with the Administrator role and password is the password for this user.

NOTE: Add the following header key with your REST call request:

'Content-type: application/json'

The response returns the following information:

{ "access_token": "token_type": "expires_in": "jti": "scope": "refresh_token": }

Copy the access_token value from the response above. This value will be required in the header key Authorization for all the REST calls in subsequent steps.

2. On the REST API client, run the following to obtain the old or expired external server certificate:

GET https://server hostname:REST port number/api/v2/certificates

NOTE: Add the following header key with your REST call request:

'Authorization: access_token_value'

The response returns a list of certificate entries, each containing the following information:

[{ "id": "host": "port": "notValidBefore": "notValidAfter": "fingerprint": "subjectName": "issuerName": "state": "type": }]

NOTE: Make note of the host, port and type of each certificate, as this information will be required in Step 4. If you supply incorrect information in Step 4, requests that use these external hosts might fail.

3. On the REST API client, delete the old or expired external server certificate from the PowerProtect Data Manager datastore, using the ID obtained from the response in step 2:

DELETE https://server hostname:REST port number/api/v2/certificates/id

NOTE: Add the following header key with your REST call request:

'Authorization: access_token_value'

Ensure that you delete only the external server certificate that you want to remove.

4. On the REST API client, obtain the new certificate from the external server, using the host, port, and type obtained from the response in step 2:

GET https://server hostname:REST port number/api/v2/certificates?host=host&port=port&type=type

NOTE: Add the following header key with your REST call request:

'Authorization: access_token_value'

The response returns the following information:

[{ "id": "host": "port": "notValidBefore": "notValidAfter": "fingerprint": "subjectName": "issuerName": "state": "UNKNOWN", "type": }]

5. On the REST API client, accept the new certificate, using the ID obtained in the response from step 4:

PUT https://server hostname:REST port number/api/v2/certificates/id

NOTE: Add the following header key with your REST call request:

'Authorization: access_token_value'

Also, copy the response payload from step 4 in JSON format and change the state from "UNKNOWN" to "ACCEPTED".

6. On the REST API client, verify that the new certificate has been accepted, using the ID obtained in the response from step 4:

GET https://server hostname:REST port number/api/v2/certificates/id

NOTE: Add the following header key with your REST call request:

'Authorization: access_token_value'

If the certificate was accepted, the response returns the following information:

[{ "id": "host": "port": "notValidBefore": "notValidAfter": "fingerprint": "subjectName": "issuerName": "state": "ACCEPTED", "type": }]

Next steps

If you replaced a vCenter security certificate, restart the virtual machine protection services. Restart the virtual machine protection services on page 144 provides instructions.
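
Steps 2 to 6 of the external-server procedure above as one function, as an added example that is not Dell code: it issues the documented calls in order and adds one check the guide does not have, comparing the fetched fingerprint with a value obtained out of band before the PUT. The `call` transport hook, `StubServer`, and all sample hosts, ids and fingerprints are assumptions constructed for the example; pass `http_transport(base_url, access_token)` with the token from step 1 to run it against a real server.

```python
import json
import urllib.parse
import urllib.request

API = "/api/v2/certificates"


def http_transport(base_url, access_token):
    """Real transport; sends the headers the guide asks for."""
    def call(method, path, body=None):
        req = urllib.request.Request(
            base_url + path, method=method,
            data=None if body is None else json.dumps(body).encode(),
            headers={"Content-type": "application/json", "Authorization": access_token})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else None
    return call


def entries(payload):
    """Accept a single certificate object, a list of them, or None."""
    if isinstance(payload, list):
        return payload
    return [] if payload is None else [payload]


def norm_fp(fingerprint):
    """Ignore colons, spaces and letter case when comparing fingerprints."""
    return fingerprint.replace(":", "").replace(" ", "").upper()


def same_endpoint(cert, host, port, cert_type):
    return (cert["host"].strip().lower() == host.lower()
            and str(cert["port"]) == str(port)
            and cert["type"].upper() == cert_type.upper())


def replace_certificate(call, host, port, cert_type, expected_fingerprint):
    """Run steps 2 to 6 for one endpoint and return the accepted entry."""
    # Step 2: stored (old or expired) entries for exactly this host/port/type.
    stale = [c for c in entries(call("GET", API))
             if same_endpoint(c, host, port, cert_type)]
    # Step 3: delete only those entries; everything else stays trusted.
    for cert in stale:
        call("DELETE", f"{API}/{cert['id']}")
    # Step 4: fetch the certificate the external host presents now.
    query = urllib.parse.urlencode({"host": host, "port": port, "type": cert_type})
    offered = entries(call("GET", f"{API}?{query}"))
    if len(offered) != 1:
        raise RuntimeError(f"expected one certificate, got {len(offered)}")
    new = offered[0]
    # Added pin check, not in the guide. Assumption: expected_fingerprint was
    # obtained out of band from the external server's administrator.
    if norm_fp(new["fingerprint"]) != norm_fp(expected_fingerprint):
        raise ValueError(f"fingerprint mismatch for {host}: {new['fingerprint']}")
    # Step 5: send the step 4 payload back with state set to ACCEPTED.
    call("PUT", f"{API}/{new['id']}", dict(new, state="ACCEPTED"))
    # Step 6: confirm what is now stored.
    stored = entries(call("GET", f"{API}/{new['id']}"))
    if not stored or stored[0].get("state") != "ACCEPTED":
        raise RuntimeError("certificate was not accepted")
    return stored[0]


class StubServer:
    """Constructed in-memory stand-in for the REST endpoint (offline runs)."""
    def __init__(self, stored, presented):
        self.stored = {c["id"]: dict(c) for c in stored}
        self.presented = presented  # certificate the external host offers now
        self.log = []

    def __call__(self, method, path, body=None):
        self.log.append(method)
        if method == "GET" and path == API:
            return list(self.stored.values())
        if method == "GET" and "?" in path:
            return [dict(self.presented, state="UNKNOWN")]
        cert_id = path.rsplit("/", 1)[1]
        if method == "DELETE":
            del self.stored[cert_id]
            return None
        if method == "PUT":
            self.stored[cert_id] = body
        return [self.stored[cert_id]]


# Constructed sample entries: hosts, ids and fingerprints are made up.
OLD = {"id": "old-id", "host": "vc.example.test", "port": "443",
       "type": "HOST", "fingerprint": "AA" * 20, "state": "ACCEPTED"}
OTHER = dict(OLD, id="other-id", host="dd.example.test", fingerprint="CC" * 20)
NEW = dict(OLD, id="new-id", fingerprint="BB" * 20)


def demo():
    server = StubServer([OLD, OTHER], NEW)
    pinned = ":".join(["bb"] * 20)  # same value as NEW, different formatting
    accepted = replace_certificate(server, "vc.example.test", 443, "Host", pinned)
    return accepted, server
```

On a fingerprint mismatch the function stops before step 5, so the unexpected certificate is never marked ACCEPTED and unrelated trust-store entries are untouched.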

Restart the virtual machine protection services

As part of PowerProtect Data Manager maintenance, perform the following steps when directed.

Prerequisites

Verify that there are no active backup and restore operations. The PowerProtect Data Manager Administration and User Guide provides instructions for canceling jobs and disabling protection policies.

Steps

1. Connect to the PowerProtect Data Manager console and change to the root user.

2. Restart the virtual machine data mover service:

/usr/local/brs/lib/vmdm/bin/vmdm restart

3. Restart the protection engine service:

systemctl restart vproxyd

4. If required, re-enable protection policies. The PowerProtect Data Manager Administration and User Guide provides instructions.


Troubleshooting network setup issues

vCenter registration and proxy deployment fail if the PowerProtect Data Manager server is deployed in the same private network as the internal Docker network.

PowerProtect Data Manager uses an internal private Docker network. If the PowerProtect Data Manager server is deployed in the same private network as the internal Docker network, or if some data sources have already been deployed within the private network, PowerProtect Data Manager fails to protect the data sources.

To resolve this issue, deploy the PowerProtect Data Manager server and other data sources in a different network. If you cannot modify the deployed network, run a script tool within PowerProtect Data Manager to switch the private Docker network to a different network.

To switch the private Docker network to a different network:

1. Connect to the PowerProtect Data Manager console and change to the root user.

2. Modify the Docker network by running the following command:

/usr/local/brs/puppet/scripts/docker_network_switch.sh subnet gateway

Where:

subnet describes the new network in the format 172.25.0.0/24

gateway is the gateway for the private network. For example: 172.25.0.1

Ensure that you specify a subnet and gateway that are not in use.
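
A preflight check for the two arguments of docker_network_switch.sh, as an added example that is not part of the Dell tooling: it rejects a subnet that overlaps any network already in use, which is the condition that causes the failure described above. The function name and the list of in-use networks are assumptions; supply the networks of your own PowerProtect Data Manager server and data sources.

```python
import ipaddress


def check_docker_network(subnet, gateway, networks_in_use):
    """Return a list of problems; an empty list means the pair looks usable."""
    try:
        # strict=True rejects values such as 172.25.0.5/24 that carry host bits.
        net = ipaddress.ip_network(subnet, strict=True)
    except ValueError as exc:
        return [f"subnet {subnet!r} is not a network address: {exc}"]
    try:
        gw = ipaddress.ip_address(gateway)
    except ValueError as exc:
        return [f"gateway {gateway!r} is not an IP address: {exc}"]

    problems = []
    if gw.version != net.version or gw not in net:
        problems.append(f"gateway {gw} is outside {net}")
    elif gw in (net.network_address, net.broadcast_address):
        problems.append(f"gateway {gw} is the network or broadcast address of {net}")

    for used in networks_in_use:
        # strict=False lets callers pass an interface address such as 192.168.1.204/24.
        other = ipaddress.ip_network(used, strict=False)
        if other.version == net.version and net.overlaps(other):
            problems.append(f"{net} overlaps {other}, which is already in use")
    return problems


# Constructed sample: networks listed as in use at a hypothetical site.
IN_USE = ["192.168.1.204/24", "10.20.0.0/16", "172.25.0.128/25"]


def demo():
    """Check the guide's example values and one alternative against IN_USE."""
    return {
        "guide example": check_docker_network("172.25.0.0/24", "172.25.0.1", IN_USE),
        "alternative": check_docker_network("172.26.0.0/24", "172.26.0.1", IN_USE),
    }
```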

Troubleshooting virtual machine backup issues

This section provides information about issues related to virtual machine backup operations with the VM Direct protection engine.

Backup completes with a non-quiesced snapshot warning

A virtual-machine backup completes, but with a warning that a non-quiesced snapshot was used. Although most data will be protected, using a non-quiesced snapshot can result in some data being out of date or missing altogether.

The following warning is seen after a backup completes:

Warnings occurred during snapshot creation. Non-quiesced snapshot was used, quiesced snapshot was unsuccessful. Unable to create quiesced snapshot: An error occurred while quiescing the virtual machine. See the virtual machine's event log for details.

This can happen with backups of both Windows and Linux virtual machines. Refer to the following procedures for common methods of resolving the issue.

Troubleshooting non-quiesced Windows snapshots

There is a common method of resolving this issue on Windows.

Steps

1. Confirm that the virtual machine has VMware Tools 10.1.0 or higher installed. If the virtual machine does not have VMware Tools 10.1.0 or higher installed, then install it.

2. Confirm that the VMware Snapshot Provider service is installed on the virtual machine. If the VMware Snapshot Provider service is not installed, then install it by reinstalling VMware Tools.

NOTE: Antivirus software might interfere with the installation of this service. If it is still not installed after reinstalling VMware Tools, then temporarily disable any antivirus software and reinstall VMware Tools again.


Troubleshooting non-quiesced Linux snapshots

There is a common method of resolving this issue on Linux.

Steps

1. At a shell prompt of the virtual machine, run the command cat /etc/vmware-tools/tools.conf, and look for the value of enableSyncDriver:

[root]# cat /etc/vmware-tools/tools.conf

[vmbackup]

enableSyncDriver = false

2. If the value of enableSyncDriver is false, perform the following steps:

a. Edit /etc/vmware-tools/tools.conf, and change enableSyncDriver = false to enableSyncDriver = true.

b. At the shell prompt, run the command systemctl restart vmtoolsd.service.

Backup fails when names include special characters

When spaces or special characters are included in the virtual machine name, datastore, folder, or datacenter names, the .vmx file is not included in the backup.

The VM Direct appliance does not back up objects that include the following special characters (format: character/escape sequence):

& %26

+ %2B

/ %2F

= %3D

? %3F

% %25

\ %5C

~ %7E

] %5D

Deleting vCenter asset sources or moving ESXi to another vCenter server

When you delete a vCenter asset source from PowerProtect Data Manager without removing any vProxy or Search nodes that the vCenter servers are hosting, the nodes will become non-operational and move into a Failed status upon the next health check. As a result, PowerProtect Data Manager updates will fail. This issue also occurs when you move the ESXi server hosting the vProxy and Search nodes between vCenter servers.

To correct this issue, you can perform one of the following actions:

Manually delete the vProxy and Search nodes. The section Delete vProxy or Search nodes when a vCenter server asset source is no longer required on page 147 provides the required steps.

Return the vProxy and Search Nodes to an Operational or Ready state using the vproxymgmt and infranodemgmt tools. Choose this action if you want to add the vCenter server again, or you want to add the vCenter server that the ESXi has been moved to. The section Return vProxy or Search nodes to an operational state when re-adding a vCenter server on page 147 provides the required steps.


Delete vProxy or Search nodes when a vCenter server asset source is no longer required

Perform the following procedure when you delete a vCenter server as an asset source in PowerProtect Data Manager and you will not be re-adding the vCenter server:

About this task

NOTE: Manual cleanup of the virtual machine for the vProxy or Search node has to be performed from the vCenter server.

Steps

1. Run the following command to source the environment file.

source /opt/emc/vmdirect/unit/vmdirect.env

2. For vProxy removal:

a. Obtain the list of vProxies that require removal by running /opt/emc/vmdirect/bin/vproxymgmt get

b. Make note of the ID of any vProxy that needs to be deleted.

c. Use the vproxymgmt tool to delete vProxies by running /opt/emc/vmdirect/bin/vproxymgmt delete -vproxy_id ProxyID

3. For Search Node removal:

a. Obtain the list of Search nodes that require removal by running /opt/emc/vmdirect/bin/infranodemgmt get

b. Make note of the ID of any Search node that needs to be deleted.

c. Use the infranodemgmt tool to delete Search nodes by running /opt/emc/vmdirect/bin/infranodemgmt delete -node_id NodeID

4. In the PowerProtect Data Manager user interface, ensure that any sessions have been removed for both the vProxy and Search nodes.

Return vProxy or Search nodes to an operational state when re-adding a vCenter server

When you want to re-add a vCenter server that you deleted from PowerProtect Data Manager, or you want to add a vCenter server that an ESXi server has been moved to, perform the following procedure in order to return the vProxy or Search nodes to an Operational or Ready state.

Steps

1. Re-add the deleted vCenter server as an asset source in the PowerProtect Data Manager user interface, or note the name of the new vCenter server to where the ESXi server has been moved.

2. Run the following command to source the environment file.

source /opt/emc/vmdirect/unit/vmdirect.env

3. For vProxy updates:

a. Obtain the list of vProxies that require updating by running /opt/emc/vmdirect/bin/vproxymgmt get

b. Make note of the ID of any vProxy that needs to be updated.

c. Use the vproxymgmt tool to update the vCenter name by running /opt/emc/vmdirect/bin/vproxymgmt modify -vcenter_hostname vCenter-FQDN -vproxy_id ProxyID

4. For Search node updates:

a. Obtain the list of Search nodes that require updating by running /opt/emc/vmdirect/bin/infranodemgmt get

b. Make note of the ID of any Search node that needs to be updated.

c. Use the infranodemgmt tool to update the vCenter name by running /opt/emc/vmdirect/bin/infranodemgmt modify -vcenter_hostname vCenter-FQDN -node_id NodeID

5. In the PowerProtect Data Manager user interface, ensure that any sessions for the vProxy or Search node and cluster have changed to an Operational or Ready state.


Failed to lock virtual machine for backup: Another EMC vProxy operation 'Backup' is active on VM

This error message appears when a backup fails for a virtual machine or when a previous backup of the virtual machine was abruptly ended and the VM annotation string was not cleared.

To resolve this issue, clear the annotation string value for the virtual machine.

1. Connect to the vCenter server, and then select Home > Inventory > Hosts and Clusters.

2. Select the virtual machine, and then select the Summary tab.

3. Clear the value that appears in the EMC Proxy Session field.

Lock placed on virtual machine during backup and recovery operations continues for 24 hours if VM Direct appliance fails

During VM Direct backup and recovery operations, a lock is placed on the virtual machine. If a VM Direct appliance failure occurs during one of these sessions, the lock is extended to a period of 24 hours, during which full backups and transaction log backups will fail with the following error until the lock is manually released:

Cannot lock VM 'W2K8R2-SQL-2014' (vm-522): Another EMC vProxy operation 'Backup' is active on VM vm-522.

Workaround

To manually release the lock on the virtual machine:

1. Open the vSphere Web Client.

2. Select the virtual machine and select Summary.

3. Select Custom attribute and click Edit.

4. Remove the attribute EMC vProxy Session.

Managing command execution for VM Proxy Agent operations on Linux

The VM Proxy Agent automatically creates a PAM service file named vproxyra in the /etc/pam.d system directory, if the file does not already exist.

This file, which enables you to manage command execution through the VM Proxy Agent, is modeled on the corresponding vmtoolsd file. The settings in this file permit command execution by any user who is able to perform VM Direct operations on the guest virtual machine. A system administrator can further modify this file to specify which users can perform VM Direct operations, for example, file-level restore and SQL application-aware protection. For more information on the configuration of PAM service files, see the system documentation for your specific guest virtual machine operating system.
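One way to narrow the users allowed through the vproxyra service is an allow-list enforced by pam_listfile. This is an added example, not Dell's shipped file or a Dell procedure: the sample stack contents, the allow-list path /etc/vproxyra.allow, the account name svc_backup, and the function names are assumptions, and the demo edits a constructed copy rather than /etc/pam.d/vproxyra.

```shell
#!/bin/sh
# Added example (not from the Dell guide). Paths, account names, and function
# names below are assumptions for illustration.

# Create the allow-list: one user name per line, readable by its owner only.
# $1 = allow-list file, remaining arguments = permitted user names.
write_allow_list() {
    list=$1; shift
    ( umask 077; printf '%s\n' "$@" > "$list" )
}

# Insert an allow-list check as the first "auth" rule of a PAM service file.
# $1 = PAM service file, $2 = allow-list path referenced by the rule.
# With sense=allow and onerr=fail, users missing from the list are rejected,
# and so is everyone if the list cannot be read.
restrict_pam_service() {
    svc=$1; allow=$2
    rule="auth required pam_listfile.so item=user sense=allow file=$allow onerr=fail"
    # Idempotent: leave the file alone if the exact rule is already present.
    grep -qxF "$rule" "$svc" && return 0
    tmp=$(mktemp) || return 1
    awk -v rule="$rule" '
        !done && /^[ \t]*-?auth[ \t]/ { print rule; done = 1 }
        { print }
        END { if (!done) print rule }   # no auth stack yet: append the rule
    ' "$svc" > "$tmp" && cat "$tmp" > "$svc"   # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Demo on a constructed service file; the real file is /etc/pam.d/vproxyra and
# its contents depend on the guest distribution.
demo_dir=$(mktemp -d)
cat > "$demo_dir/vproxyra" <<'EOF'
#%PAM-1.0
auth       required     pam_shells.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
EOF
write_allow_list "$demo_dir/vproxyra.allow" svc_backup
restrict_pam_service "$demo_dir/vproxyra" /etc/vproxyra.allow
cat "$demo_dir/vproxyra"
rm -rf "$demo_dir"
```

Keep a root session open while testing a change to a PAM service file, and confirm that a file-level restore still succeeds for a listed user before closing it.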

PowerProtect plug-in and portlet for vSphere display errors after replacing security certificates

After you replace the default self-signed security certificates, you may see errors in the vSphere client PowerProtect portlet when you select virtual machines:

Service Unavailable: Please contact your administrator. No healthy upstream.

Reinstall the PowerProtect plug-in to apply the new certificates. The PowerProtect Data Manager Security Configuration Guide provides more information.


SQL Server application-consistent backups fail with error "Unable to find VSS metadata files in directory"

SQL Server application-consistent virtual machine backups might fail with the following error when the disk.EnableUUID variable for the virtual machine is set to False.

Unable to find VSS metadata files in directory C:\Program Files\DPSAPPS\MSVMAPPAGENT\tmp\VSSMetadata.xxxx.

To resolve this issue, ensure that the disk.EnableUUID variable for the virtual machines included in a SQL Server application-consistent backup is set to True.

Troubleshooting virtual machine restore issues

The following topics provide information on troubleshooting virtual machine restore failures and virtual machine restore limitations.

Removal of pre-existing snapshots required before running virtual machine restore

A virtual machine restore cannot be completed when a pre-existing VMware snapshot is present on the virtual machine. An error similar to the following appears:

Session 'session ID' is unsuccessful: There are 1 pre-existing snapshot present on this VM. Recover is not possible. Remove snapshot(s) and try again.

Verify that no pre-existing snapshots exist on the virtual machine, and then retry the restore operation from the System Jobs window of the PowerProtect Data Manager UI.

Some operations fail for vTPM virtual machine in a DRS-enabled cluster with dedicated vCenter user account

The following operations fail for virtual machines with a Virtual Trusted Platform Module (vTPM) when the virtual machines are in a DRS-enabled cluster and using a dedicated vCenter user account:

The vTPM virtual machines cannot be powered on after a restore to the original virtual machine or restore to a new virtual machine, with the error Permission to perform this operation was denied displaying.

For an instant access restore, migration is unsuccessful, with the error Unable to complete vMotion task Task:task-3785. Permission to perform this operation was denied displaying.

To avoid these issues, ensure that the privilege Cryptographic operations > Migrate is included as part of the dedicated vCenter user role. Specify the required privileges for a dedicated vCenter user account on page 23 provides more information.

Virtual machine restores fail when vProxyd or vrecoverd disruption occurs

A virtual machine restore hangs and VPOD will not be able to reconnect to the restore session when the following scenarios occur:

A disruption to the vrecoverd process on any external VM Direct Engine.

A disruption to the vProxyd process during a Restore to Original Folder and Overwrite Original Files or Create and Restore to New VM operation that uses Transparent Snapshot Data Mover (TSDM) as the protection mechanism.

After several retry attempts, VPOD marks the restore session as "Failed" and releases the vProxy associated with the restore.

If this failure occurs during a Create and Restore to New VM, you can delete the new virtual machine and restart the restore operation.

If this failure occurs during a Restore to Original Folder and Overwrite Original Files, you must remove the vProxy lock on the virtual machine from the vCenter server, and then retry the restore operation. In the vSphere Client, the vProxy lock appears as a custom attribute with the name Dell EMC vProxy Session.


NOTE: If this attribute contains any value after a vProxyd process failure, backup and restore operations on this virtual machine cannot be performed. Cleanup of this attribute and then running a successful restore operation is a requirement in order to avoid any potential data loss or corruption of the virtual machine; otherwise, subsequent backups might also contain corrupted data.

Virtual machine restores directly to NFS datastores on ESXi fail

When attempting to restore a virtual machine directly to an NFS datastore on ESXi, you might see an error message similar to the following:

Unable to find datastore "/mnt/pool1": "ServerFaultCode: The object 'vim.Datastore:/mnt/pool1' has already been deleted or has not been completely created."

Restore the virtual machine to a non-NFS datastore.

DD NFS share not removed after restore to original

The NFS share might not be removed after a successful virtual machine restore to original. When this occurs, the restore hangs and the following NFS clients appear enabled in the DD system.

Figure 8. DD NFS clients still enabled after restore

If you encounter this issue, you can wait 24 hours for PowerProtect Data Manager to clean up the DD NFS shares, or you can stop the restore and clean up the DD NFS clients manually by performing the following steps:

1. Restart the VMDM service by typing /usr/local/brs/lib/vmdm/bin/vmdm restart.

2. Clean up DD NFS clients by typing nfs del .

3. In the vSphere Client's Configuration tab, manually unmount the EMC-vProxy-vm-qa-xxxxx DDNFS datastore that is mounted on the ESXi host.

IP address change required after successful image-level restore to a new virtual machine

After performing a successful image-level restore to a new virtual machine, ensure that you change the IP address immediately in order to avoid IP conflicts with the original virtual machine. If you do not change the IP to a unique value, subsequent data protection operations might fail on the restored virtual machine, even if that virtual machine's network interfaces are disconnected.

Virtual machine protection copy does not display under available copies

If a virtual machine protection copy does not display under the available copies in PowerProtect Data Manager, verify the following:

Ensure that protection of the virtual machine completed successfully.

Check that the desired copy has not expired according to the PowerProtect Data Manager protection policy.

Virtual machine restore fails with name resolution error

A virtual machine restore might fail with the following error due to network issues between protection storage and either PowerProtect Data Manager or the vCenter or ESXi server:

com.emc.brs.vmdm.http.HttpsConnector - null: Temporary failure in name resolution
java.net.UnknownHostException : null: Temporary failure in name resolution


Ensure that you have proper name resolution between protection storage and either PowerProtect Data Manager or the vCenter or ESXi server.

Virtual machine restore fails when the previous restore of this virtual machine is in progress or did not complete

A virtual machine restore fails with the following error if the previous restore operation for the same virtual machine is still in progress or did not complete successfully:

Error : There is another running restore operation that conflicts with this request.

If the previous restore operation for this virtual machine is still in progress, monitor the progress in PowerProtect Data Manager until the restore completes. If the virtual machine restore is complete but the task stops responding, then you must manually cancel the restore in PowerProtect Data Manager by restarting the VMDM service. You can restart the VMDM service by typing /usr/local/brs/lib/vmdm/bin/vmdm restart.

Virtual machine restore fails with error due to VM Direct corruption

A virtual machine restore might fail with the following error due to corruption of the VM Direct Engine that is running in PowerProtect Data Manager:

com.emc.dpsg.vproxy.client.VProxyManager - Error(createSession): javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection

Ensure that the vproxyd service is running in PowerProtect Data Manager by typing the following command.

ps xa | grep vproxy

Ensure that the vproxy rpm is installed as expected in PowerProtect Data Manager by typing the following command.

rpm -qa | grep vProxy

When logged in as the root user, restart the vproxyd service on PowerProtect Data Manager by typing the following command.

systemctl restart vproxyd

Virtual machine restore fails with error "User UserEARA does not have proper privileges"

A virtual machine restore fails with the error "User UserEARA does not have proper privileges" when the user does not have adequate privileges to perform the restore operation.

Ensure that the PowerProtect Data Manager user performing the restore belongs to System Tenant and has the Administrator or Restore Administrator role.

Filtering virtual machine copies by File Indexing column is not available

When you select a virtual machine for restore in the PowerProtect Data Manager UI and then click View Copies to select from one of the available copies, using the filter in the File Indexing column does not return any results. Use the filters from other columns to locate the virtual machine asset copies that you want to restore.


Network connection issues after restore of virtual machine with NSX-T VDS port groups

A network connection cannot be established after performing a restore of virtual machines with NSX-T VDS port groups. This issue occurs even when the Connect at Power On option is selected in the Networks page of the PowerProtect Data Manager UI Restore wizard.

VMware is investigating this issue, and a fix might be provided in the future. Until a fix is made available, perform the following as a workaround to reconnect the restored virtual machines to the NSX-T VDS port group:

1. In the vSphere Client, right-click the restored virtual machine and select Edit Settings.

2. Change the network of the vNIC to a different NSX-T VDS port group, and then click OK to save the changes to exit the window.

3. Right-click the restored virtual machine and select Edit Settings again.

4. Change the network of the vNIC back to the original NSX-T VDS port group.

5. Select Connected and Connect at power on, and then click OK.

Troubleshooting instant access restore failures

An instant access restore consists of two stages. First, a virtual machine is made available in the UI as an instant access virtual machine without moving the virtual machine to permanent storage. Second, storage vMotion is initiated to migrate the virtual machine to permanent storage.

If at any point during the migration a restore failure occurs, the instant access session is not automatically removed until after the expiration period for an instant access virtual machine restore, which is 7 days by default. This behavior is intentional for the following reasons:

To avoid data loss, since changes might have been made to the virtual machine during that time

To provide you with the opportunity to fix the issue (for example, to free up space on the restore destination or choose a different datastore) and then take the appropriate action

When the cause of the failure is determined and/or fixed, you can use the Instant Access Sessions window of the UI to retry the migration, or save the data and delete the instant access virtual machine, as required. The section Manage and monitor Instant Access Sessions provides detailed information about these actions.

Troubleshoot virtual machine SQL application consistent policy issues

Review the following topics related to troubleshooting virtual machine SQL application-consistent protection policies.

Troubleshooting Microsoft SQL Server databases skipped during virtual machine transaction log backup

When an advanced application-consistent policy is enabled with transaction log backup, the msvmagent_appbackup.exe program evaluates databases to determine if transaction log backup is appropriate.

If transaction log backup is not appropriate for a database, the database will automatically be skipped. Databases are skipped for the reasons outlined in the following table.

Table 30. Microsoft SQL Server skipped database cases and descriptions

| Case | Description |
|---|---|
| Database has been restored | When a database has been restored, this database will be skipped during transaction log backup because there is no backup promotion. |
| System Database | System databases are automatically skipped for transaction log backup. |
| Database State | Database is not in a state that allows backup. For example, the database is in the NORECOVERY state. |
| Recovery Model | Database is in SIMPLE recovery model, which does not support transaction log backup |
| Other Backup Product | Most recent backup for the database was performed by a different backup product. |
| New Database | Database was created after most recent full backup. |
| Backup Failure | Database was in state to allow backup, backup was attempted, but backup failed. |

All skipped databases will be backed up as part of the next full backup. Also, a skipped database will not result in msvmagent_appbackup.exe failure. The only instance in which msvmagent_appbackup.exe would potentially fail is if all databases failed to back up.

The msvmagent_appbackup.exe program generates a history report that lists each database, whether its backup status was success, skipped, or failed, and, where applicable, the reason it was skipped or failed. This history report is visible in the action logs for the VM Direct Engine, which are available as part of the appbackup logs.

NOTE: For virtual machine application-consistent data protection, the Microsoft SQL Server and operating system versions follow the support matrix available at E-Lab Navigator.

Troubleshooting Microsoft SQL Server application-aware backup error about disk.EnableUUID variable

A Microsoft SQL Server application-aware virtual machine backup succeeds but displays the following error when the disk.EnableUUID variable for the virtual machine is set to TRUE:

VM ' ' configuration parameter 'disk.EnableUUID' cannot be evaluated. Map item 'disk.EnableUUID' not found. (1071)

To resolve this issue, set the disk.EnableUUID variable to TRUE and then reboot the virtual machine.

Troubleshooting an issue with trailing spaces in Microsoft SQL Server database names

Due to a VSS limitation, you cannot use trailing spaces within the names of Microsoft SQL Server databases protected by an application-consistent data protection policy.

Support for backup and restore of encrypted virtual machines

Backup and restore of encrypted virtual machines is supported in PowerProtect Data Manager, with the following limitations:

Restoring encrypted virtual machines to a different vCenter server is not supported. You must perform the restore to the original virtual machine or a new virtual machine on the same vCenter server.

Restoring an encrypted virtual machine backup to a new virtual machine on the original vCenter server will restore the virtual machine disks (VMDKs) in clear text if the VMDKs are not encrypted. The article "Virtual Machine Encryption" at https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-E6C5CE29-CD1D-4555-859C-A0492E7CB45D.html provides more information about manually changing the virtual machine policy to enable encryption of VMDKs.

In order to use Hot Add transport mode, all VM proxies with access to the encrypted virtual machines datastore must be encrypted as well. For example, if encrypted virtual machines reside in an ESXi cluster, all VM proxies deployed on the cluster must also be encrypted.

In order to back up and restore encrypted virtualization-based security (VBS) and virtual Trusted Platform Module 2.0 (vTPM) virtual machines, vCenter 7.0 U1 or later is required.


Troubleshooting vSphere Plugin deployments

When investigating issues with the vSphere Plugin deployments, you might need to troubleshoot its deployment.

Troubleshoot vSphere Plugin deployments

In some circumstances, issues can occur during the deployment of the PowerProtect Data Manager vSphere Plugin.

About this task

If deployment of the vSphere Plugin fails, the plugin displays SSL errors or other errors such as 503 Service Not Available or No Healthy Upstream, or you need to force the removal and re-installation of the plugin, perform the following steps:

Steps

1. In the PowerProtect Data Manager UI, go to Infrastructure > Asset Sources.

2. Select the vCenter asset source, and then click Edit.

3. Unselect vSphere Plugin, and then click Save.

4. Log in to the vCenter MOB, for example, http://vcenter.example.com/mob.

5. Navigate to a new window to unregister the extension, for example, http://vcenter.example.com/mob/?moid=ExtensionManager&method=unregisterExtension

6. On this window, type 'com.emc.dpsg.ppdm.plugin', and then click Invoke Method.

7. In the PowerProtect Data Manager UI, go to Infrastructure > Asset Sources, select the vCenter server, and then click Edit.

8. Select vSphere Plugin, and then click Save.

9. Log out of the vCenter server, and then log back in again.

NOTE: If Refresh is displayed, click it.

Next steps

If the PowerProtect Data Manager vSphere Plugin is not deployed in vCenter after performing these steps, you might be required to restart the vSphere Web Client service.

To restart the vSphere Web Client service on a vCenter Server Appliance (VCSA), perform the following steps:

1. Run the following commands:

service-control --stop vsphere-ui
service-control --start vsphere-ui

2. Log out of the vSphere Client, and then log
