Contents

Dell PowerProtect 19.12 Data Manager Virtual Machine User Guide PDF


PowerProtect Data Manager 19.12 Virtual Machine User Guide

December 2022 Rev. 03

Notes, cautions, and warnings

NOTE: A NOTE indicates important information that helps you make better use of your product.

CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.

WARNING: A WARNING indicates a potential for property damage, personal injury, or death.

© 2021 - 2022 Dell Inc. or its subsidiaries. All rights reserved. Dell Technologies, Dell, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be trademarks of their respective owners.

Preface

Chapter 1: PowerProtect Data Manager for Virtual Machines Overview
  PowerProtect Data Manager overview
  Additional information and context
  Supported Internet Protocol versions
  Terminology
  Role-based security
  Firewall and port considerations
  PowerProtect Data Manager new deployment overview
  Access the PowerProtect Data Manager UI
  Get Started window

Chapter 2: Enabling Virtual Machine Protection
  About asset sources, assets, and protection storage
  About vCenter server asset sources and virtual assets
  Prerequisites for discovering asset sources
  Discovering asset sources in a GCVE environment
  Enable an asset source
  Disable an asset source
  Delete an asset source
  Adding a vCenter Server asset source
  Add a VMware vCenter server
  Creating a dedicated vCenter user account
  Specify the required privileges for a dedicated vCenter user account
  VM Direct protection engine overview
  Requirements for an external VM Direct Engine
  Protection engine limitations
  Add a VM Direct Engine
  Additional VM Direct actions
  Transparent Snapshot Data Mover protection mechanism

Chapter 3: Managing Virtual Machine Assets and Protection
  Protection policies
  Additional protection policy options
  Before you create a protection policy
  Replication triggers
  Supported enhanced VMware topologies for virtual machine protection
  Add a protection policy for virtual machine protection
  Managing virtual machine backups
  Add and remove the credentials for virtual machine assets
  Enable or disable Changed Block Tracking (CBT)
  More options for managing virtual machine backups
  Snapshot freeze scripts and thaw scripts for virtual machine backups
  Add a service-level agreement
  Add or remove assets in a protection policy
  Edit the retention period for backup copies
  Extended retention (for protection policies created in PowerProtect Data Manager 19.11 and earlier)
  Protection rules
  Creating virtual machine tags in the vSphere Client
  Add a protection rule
  Manually run a protection rule
  Edit or delete a protection rule
  View assets applied to a protection rule
  Change the priority of an existing protection rule
  Configure protection rule behavior

Chapter 4: Restoring Virtual Machine Data and Assets
  Prerequisites to restore a virtual machine
  Self-service restores
  View backup copies available for restore
  Restoring a virtual machine or VMDK
  Restoring a virtual machine backup with the storage policy association
  Image-level restores
  Restore to the original virtual machine
  Restore individual virtual disks
  Restore to a new virtual machine
  Direct restore to ESXi
  Instant Access virtual machine restore
  Manage and monitor Instant Access sessions
  Migrate an Instant Access session
  File-level restores
  Manually install the VM Direct agent on Linux
  Manually install the VM Direct agent on Windows
  File-level restore to the original virtual machine
  File-level restore to alternate virtual machine
  Virtual machine file-level restore from a search
  Restore an application-aware virtual machine backup

Chapter 5: Protecting Virtual Machines Using the Transparent Snapshot Data Mover
  Overview of transparent snapshots for virtual machine protection
  vSphere Installation Bundle monitoring and management
  Transparent snapshot data mover system requirements
  Prerequisites to virtual machine protection with the Transparent Snapshot Data Mover
  Additional privileges required for a dedicated vCenter user account to use Transparent Snapshot Data Mover
  Creating VMkernel ports for TSDM
  Virtual machine transparent snapshot unsupported features and limitations
  Transparent Snapshot Performance and Scalability

Chapter 6: PowerProtect Functionality Within the vSphere Client
  PowerProtect functionality within the vSphere Client
  Overview of the PowerProtect plug-in for the vSphere Client
  Prerequisites for enabling the vSphere Client PowerProtect plug-in
  Monitor PowerProtect Data Manager virtual machine protection copies
  Perform a manual PowerProtect-policy backup in the vSphere Client
  Perform an image-level restore of a PowerProtect backup in the vSphere Client
  File-level restores of a PowerProtect backup in the vSphere Client
  Overview of VASA and VMware Storage Policy Based Management
  Register the VASA provider for policy association
  Add an SPBM policy and associate with a PowerProtect Data Manager virtual machine policy
  Monitor virtual machine protection policy compliance

Chapter 7: VMware Cloud (VMC) on Amazon Web Services (AWS)
  PowerProtect Data Manager image backup and recovery
  Supported PowerProtect Data Manager and DDVE deployment configurations
  Deployment and configuration best practices and requirements
  Configuring the VMC-on-AWS portal
  Interoperability with PowerProtect Data Manager features
  vCenter server inventory requirements
  Creating a dedicated cloud-based vCenter user account
  Specify the required privileges for a dedicated cloud-based vCenter user account
  Add a VM Direct Engine
  Unsupported operations

Chapter 8: Azure VMware Solution (AVS) on Microsoft Azure
  PowerProtect Data Manager image backup and recovery
  Supported PowerProtect Data Manager and DDVE deployment configurations
  Deployment and configuration best practices and requirements
  Configuring the AVS-on-Azure portal
  vCenter server inventory requirements
  Creating a dedicated cloud-based vCenter user account
  Specify the required privileges for a dedicated cloud-based vCenter user account
  Add a VM Direct Engine
  Unsupported operations

Chapter 9: Google Cloud VMware Engine (GCVE) on Google Cloud Platform (GCP)
  PowerProtect Data Manager image backup and recovery
  Supported PowerProtect Data Manager and DDVE deployment configurations
  Deployment and configuration best practices and requirements
  Configuring the GCVE-on-GCP portal
  vCenter server inventory requirements
  Discovering asset sources in a GCVE environment
  Creating a dedicated cloud-based vCenter user account
  Specify the required privileges for a dedicated cloud-based vCenter user account
  Add a VM Direct Engine
  Unsupported operations

Chapter 10: Backing Up and Recovering a vCenter Server
  Backing up and recovering a vCenter server
  vCenter deployments overview
  Protecting an embedded PSC
  Direct restore to ESXi
  Protecting external deployment models
  vCenter server appliance with one external PSC where PSC fails
  vCenter server appliance is lost but the PSC remains
  vCenter server appliance with multiple PSCs where one PSC is lost but one remains
  vCenter server appliance remains but all PSCs fail
  vCenter server appliance remains but multiple PSCs fail
  vCenter server appliance fails
  vCenter server restore workflow
  Platform Services Controller restore workflow
  Additional considerations
  Command reference

Chapter 11: Backing Up VMware Cloud Foundation (VCF) on VxRail
  Backing up VCF on VxRail
  VCF and VxRail overview
  VCF components and backup methods
  Check VMware certification
  Backup prerequisites
  The backup script
  Quick protection
  Selective protection: SDDC and NSX-T Managers
  Selective protection: vCenter servers
  Selective protection: vRSLCM, VxRail Manager, Workspace ONE Access, and vRealize Suite virtual machines
  SFTP password change: SDDC and NSX-T Managers
  SFTP password change: vCenter servers
  Backup-script troubleshooting

Appendix A: Virtual Machine Best Practices and Troubleshooting
  Software and hardware requirements
  Scalability limits for vCenter server, VM Direct Engine, and DD systems
  PowerProtect Data Manager resource requirements in a VMware environment
  Best practices and additional considerations for the VM Direct Engine
  VM Direct Engine performance and scalability
  Transport mode considerations
  Change the limit of instant access sessions
  Configuring a backup to support vSAN datastores
  Configuration checklist for common issues
  Disable vCenter SSL certificate validation
  Uninstalling the VM Direct agent
  Updating the Microsoft Application Agent and VM Direct agent software
  Supported file-level restore platforms and OS versions
  File-level restore and SQL restore requirements and limitations
  Virtual disk types supported
  Virtual machine data change rate
  VM Direct Engine data ingestion rate
  VM Direct Engine limitations and unsupported features
  VM Direct Engine selection with virtual networks (VLANs)
  Deploying VM Direct appliance to datastore cluster unsupported
  Best practices for vCenter server backup and restore
  Changing the vCenter server FQDN
  Change the vCenter server FQDN
  Replacing security certificates
  Replacing the self-signed security certificates
  Replace expired or changed certificates on an external server
  Support for backup and restore of encrypted virtual machines
  Troubleshooting network setup issues
  Troubleshooting virtual machine backup issues
  Backup completes with a non-quiesced snapshot warning
  Backup fails when names include special characters
  Deleting vCenter asset sources or moving ESXi to another vCenter server
  Failed to lock virtual machine for backup: Another vProxy operation 'Backup' is active on VM
  Lock placed on virtual machine during backup and recovery operations continues for 24 hours if VM Direct appliance fails
  Managing command execution for VM Direct agent operations on Linux
  PowerProtect plug-in and portlet for vSphere display errors after replacing security certificates
  SQL Server application-consistent backups fail with error "Unable to find VSS metadata files in directory"
  Troubleshooting virtual machine restore issues
  Network connection issues with cloud-based deployments after restore of virtual machine with NSX-T VDS port groups
  Troubleshooting instant access restore failures
  Troubleshoot virtual machine SQL application consistent policy issues
  Troubleshooting Microsoft SQL Server databases skipped during virtual machine transaction log backup
  Troubleshooting Microsoft SQL Server application-aware backup error about disk.EnableUUID variable
  Troubleshooting an issue with trailing spaces in Microsoft SQL Server database names
  Troubleshooting vSphere Plugin deployments
  Troubleshoot vSphere Plugin deployments
  VMware knowledge base articles and product documentation

Glossary.................................................................................................................................... 165

Contents 7

As part of an effort to improve product lines, periodic revisions of software and hardware are released. Therefore, all versions of the software or hardware currently in use might not support some functions that are described in this document. The product release notes provide the most up-to-date information on product features.

If a product does not function correctly or does not function as described in this document, contact Customer Support.

NOTE: This document was accurate at publication time. To ensure that you are using the latest version of this document, go to the Customer Support website.

Product naming

Data Domain (DD) is now PowerProtect DD. References to Data Domain or Data Domain systems in this documentation, in the user interface, and elsewhere in the product include PowerProtect DD systems and older Data Domain systems. In many cases the user interface has not yet been updated to reflect this change.

Language use

This document might contain language that is not consistent with Dell Technologies current guidelines. Dell Technologies plans to update the document over subsequent future releases to revise the language accordingly.

This document might contain language from third-party content that is not under Dell Technologies control and is not consistent with the current guidelines for Dell Technologies own content. When such third-party content is updated by the relevant third parties, this document will be revised accordingly.

Acronyms

The acronyms used in this document might not be familiar to everyone. Although most acronyms are defined on their first use, a definition is not always provided with later uses of the acronym. For a list of all acronyms and their definitions, see the glossary at the end of the document.

Website links

The website links used in this document were valid at publication time. If you find a broken link, provide feedback on the document, and a Dell Technologies employee will update the link in the next release as necessary.

Purpose

This document describes how to configure and administer the Dell PowerProtect Data Manager software to protect and restore data on virtual machines.

The PowerProtect Data Manager Administration and User Guide provides additional details about configuration and usage procedures.

Audience

This document is intended for the virtual machine administrator who is involved in managing, protecting, and reusing data across the enterprise by deploying PowerProtect Data Manager software.

Preface


Revision History

The following table presents the revision history of this document.

| Revision | Date | Description |
|---|---|---|
| 03 | December 2, 2022 | Updated the following sections: File-level restore and SQL restore requirements and limitations; Network connection issues with cloud-based deployments after restore of virtual machine with NSX-T VDS port groups |
| 02 | November 18, 2022 | Updated for the support of vSphere 8.0. |
| 01 | October 25, 2022 | Initial release of this document for PowerProtect Data Manager version 19.13 |

Compatibility information

Software compatibility information for the PowerProtect Data Manager software is provided by the E-Lab Navigator.

Related documentation

The following publications are available at Customer Support and provide additional information:

Table 1. Related documentation

| Title | Content |
|---|---|
| PowerProtect Data Manager Administration and User Guide | Describes how to configure the software. |
| PowerProtect Data Manager Deployment Guide | Describes how to deploy the software. |
| PowerProtect Data Manager Licensing Guide | Describes how to license the software. |
| PowerProtect Data Manager Release Notes | Contains information about new features, known limitations, environment, and system requirements for the software. |
| PowerProtect Data Manager Security Configuration Guide | Contains security information. |
| PowerProtect Data Manager Amazon Web Services Deployment Guide | Describes how to deploy the software to Amazon Web Services (AWS). |
| PowerProtect Data Manager Azure Deployment Guide | Describes how to deploy the software to Microsoft Azure. |
| PowerProtect Data Manager Google Cloud Platform Deployment Guide | Describes how to deploy the software to Google Cloud Platform (GCP). |
| PowerProtect Data Manager Cloud Disaster Recovery Administration and User Guide | Describes how to deploy Cloud Disaster Recovery (Cloud DR), protect virtual machines in the AWS or Azure cloud, and run recovery operations. |
| PowerProtect Data Manager Cyber Recovery User Guide | Describes how to install, update, patch, and uninstall the PowerProtect Cyber Recovery software. |
| PowerProtect Data Manager File System User Guide | Describes how to configure and use the software with the File System agent for file-system data protection. |
| PowerProtect Data Manager Kubernetes User Guide | Describes how to configure and use the software to back up and restore namespaces and PVCs in a Kubernetes cluster. |
| PowerProtect Data Manager Microsoft Exchange Server User Guide | Describes how to configure and use the software to back up and restore the data in a Microsoft Exchange Server environment. |
| PowerProtect Data Manager Microsoft SQL Server User Guide | Describes how to configure and use the software to back up and restore the data in a Microsoft SQL Server environment. |
| PowerProtect Data Manager Oracle RMAN User Guide | Describes how to configure and use the software to back up and restore the data in an Oracle Server environment. |
| PowerProtect Data Manager SAP HANA User Guide | Describes how to configure and use the software to back up and restore the data in an SAP HANA Server environment. |
| PowerProtect Data Manager Storage Direct User Guide | Describes how to configure and use the software with the Storage Direct agent to protect data on VMAX storage arrays through snapshot backup technology. |
| PowerProtect Data Manager Network Attached Storage User Guide | Describes how to configure and use the software to protect and recover the data on network-attached storage (NAS) shares and appliances. |
| PowerProtect Data Manager Virtual Machine User Guide | Describes how to configure and use the software to back up and restore virtual machines and virtual machine disks (VMDKs) in a vCenter Server environment. |
| VMware Cloud Foundation Disaster Recovery With PowerProtect Data Manager | Provides a detailed description of how to perform an end-to-end disaster recovery of a VMware Cloud Foundation (VCF) environment. |
| PowerProtect Data Manager Public REST API documentation | Contains the Dell Technologies APIs and includes tutorials to guide you in their use. |
| vRealize Automation Data Protection Extension for Data Protection Systems Installation and Administration Guide | Describes how to install, configure, and use the vRealize Data Protection Extension. |

Typographical conventions

The following type style conventions are used in this document:

Table 2. Style conventions

| Formatting | Description |
|---|---|
| Bold | Used for interface elements that a user specifically selects or clicks, for example, names of buttons, fields, tab names, and menu paths. Also used for the name of a dialog box, page, pane, screen area with title, table label, and window. |
| Italic | Used for full titles of publications that are referenced in text. |
| Monospace | Used for: system code; system output, such as an error message or script; pathnames, file names, file name extensions, prompts, and syntax; commands and options. |
| Monospace italic | Used for variables. |
| Monospace bold | Used for user input. |
| [ ] | Square brackets enclose optional values. |
| \| | Vertical line indicates alternate selections. The vertical line means "or" for the alternate selections. |
| { } | Braces enclose content that the user must specify, such as x, y, or z. |
| ... | Ellipses indicate non-essential information that is omitted from the example. |

You can use the following resources to find more information about this product, obtain support, and provide feedback.

Where to find product documentation

- The Customer Support website
- The Community Network
- The PowerProtect Data Manager Info Hub

Where to get support

The Customer Support website provides access to product licensing, documentation, advisories, downloads, and how-to and troubleshooting information. The information can enable you to resolve a product issue before you contact Customer Support.

To access a product-specific page:

1. Go to the Customer Support website.
2. In the search box, type a product name, and then from the list that appears, select the product.

Support Library

The Support Library contains a knowledge base of applicable solutions that you can search for either by solution number (for example, KB000xxxxxx) or by keyword.

To search the Support Library:

1. Go to the Customer Support website.
2. On the Support tab, click Support Library.
3. In the search box, type either the solution number or keywords. Optionally, you can limit the search to specific products by typing a product name in the search box, and then selecting the product from the list that appears.

Live chat

To participate in a live interactive chat with a support agent:

1. Go to the Customer Support website.
2. On the Support tab, click Contact Support.
3. On the Contact Information page, click the relevant support, and then proceed.

Service requests

To obtain in-depth help from a support agent, submit a service request. To submit a service request:

1. Go to the Customer Support website.
2. On the Support tab, click Service Requests.

NOTE: To create a service request, you must have a valid support agreement. For details about either an account or obtaining a valid support agreement, contact a sales representative. To find the details of a service request, in the Service Request Number field, type the service request number, and then click the right arrow.

To review an open service request:

1. Go to the Customer Support website.
2. On the Support tab, click Service Requests.
3. On the Service Requests page, under Manage Your Service Requests, click View All Dell Service Requests.

Online communities

For peer contacts, conversations, and content on product support and solutions, go to the Community Network. Interactively engage with customers, partners, and certified professionals online.

How to provide feedback

Feedback helps to improve the accuracy, organization, and overall quality of publications. You can send feedback to DPADDocFeedback@dell.com.

PowerProtect Data Manager for Virtual Machines Overview

Topics:

- PowerProtect Data Manager overview
- Additional information and context
- Supported Internet Protocol versions
- Terminology
- Role-based security
- Firewall and port considerations
- PowerProtect Data Manager new deployment overview
- Access the PowerProtect Data Manager UI

PowerProtect Data Manager overview

Use PowerProtect Data Manager to perform the following operations:

- Automate the configuration of virtual machine backup policy and protection storage settings.
- Create a catalog of virtual machine backups. Then, monitor that catalog data to determine if retention policies are being adhered to.
- Manage the life cycle of virtual machine backups. Ensure that the backups are marked for garbage collection, based on the rules of the retention policy.

For virtual machines, PowerProtect Data Manager provides the following benefits:

- Enables the data protection team to create data paths with provisioning, automation, and scheduling to embed protection engines into the infrastructure for high-performance backup and recovery.
- Enables backup administrators of large-scale environments to schedule backups for VMware virtual machines from a central location on the PowerProtect Data Manager server.
- Enables governed self-service and centralized protection by:
  - Monitoring and enforcing service-level objectives (SLOs)
  - Identifying violations of recovery-point objectives (RPO)
  - Setting retention locks on backups for all asset types
- Supports deploying an external VM Direct appliance to move data with the VM Direct Engine. The PowerProtect Data Manager software comes prebundled with an embedded VM Direct engine, which is automatically used as a fallback proxy for performing backup and restore operations when the added external proxies fail or are disabled. It is recommended that you always deploy external proxies, because the embedded proxy has limited capacity for performing parallel backups.
- Supports the vRealize Automation DP extension, which enables provisioning of virtual machines with PowerProtect Data Manager protection, on-demand backup, and restore to the original or a new location. The vRealize Automation Data Protection Extension for PowerProtect Data Manager Installation and Administration Guide provides more information.

Additional information and context

This guide contains content that is specific to protecting virtual machines and may not repeat information that is already covered in the PowerProtect Data Manager Administration and User Guide, for example, because that information is also common to other asset types or is part of server administration.

The PowerProtect Data Manager Administration and User Guide provides important information about configuring PowerProtect Data Manager before and during use, including prerequisites such as adding protection storage and creating storage units.


Supported Internet Protocol versions

PowerProtect Data Manager and its components support IPv4 and IPv6 addresses in certain configurations.

Table 3. Supported configurations

| Component | Internet Protocol |
|---|---|
| PowerProtect Data Manager core | IPv4 only or both IPv4 and IPv6 |
| VM Direct and Search | IPv4 only or IPv6 only. NOTE: Virtual machines that are backed up must use the same protocol that VM Direct uses. Virtual machines can use both IPv4 and IPv6, even though VM Direct cannot. |
| Application agents integrated with PowerProtect Data Manager: | NOTE: If both IPv4 and IPv6 are configured and the PowerProtect Data Manager FQDN is used, the agent uses IPv6 for network communication. |
| File System | IPv4, IPv6, or both |
| Microsoft Exchange Server | IPv4 only or both IPv4 and IPv6 |
| Microsoft SQL Server (Application Direct) | IPv4, IPv6, or both |
| Microsoft SQL Server (VM Direct) | IPv4 only or IPv6 only. NOTE: Only the Microsoft SQL Server agent supports VM Direct. |
| Oracle RMAN | IPv4, IPv6, or both |
| SAP HANA | IPv4, IPv6, or both |
| Storage Direct | IPv4 only |
| Standalone application agents | IPv4 only |
| Network-attached storage (NAS) | IPv4 only |
| Kubernetes | IPv4 only |
| PowerProtect Data Manager management | IPv4 or IPv6 |
| PowerProtect DD communication | IPv4 or IPv6 |
| Report Browser | IPv4 only |
| SupportAssist | IPv4, IPv6, or both |
| Syslog Log Server Gateway | IPv4 or IPv6 |

The following limitations and considerations apply.

Communication with components

If PowerProtect Data Manager is configured to only use one protocol, all components it communicates with must also use that protocol. If some components that PowerProtect Data Manager communicates with use IPv4 and others use IPv6, PowerProtect Data Manager must be configured to use both IPv4 and IPv6.

DD systems and DDVE

If a DD system or a DDVE instance uses only IPv6, the required IPv6 interface must be manually selected when a protection policy is added or edited.


Disaster recovery

Recovering a PowerProtect Data Manager server might result in a conflict with protection-policy configurations. For instance, if the recovered server is configured to use only IPv4, a protection policy that is configured to use IPv6 cannot run.

Name resolution

Name resolution and reverse IP lookup must be configured to ensure the following:

- Fully qualified domain names of PowerProtect Data Manager, its components, and DD components resolve to a valid IPv4 or IPv6 address.
- If both IPv4 and IPv6 addresses are used for DD, both addresses resolve to the same FQDN.
- All IPv4 and IPv6 addresses are valid and reachable.

Server updates

IPv6 is only supported with new installations. Using IPv6 after updating from PowerProtect Data Manager 19.11 or earlier is unsupported.

Storage Policy Based Management

If using vCenter or ESXi 7.0u2 or earlier with only IPv6, SPBM providers must be added using their PowerProtect Data Manager FQDN.

Service Unavailable messages with the vSphere Client PowerProtect plug-in

If vCenter uses the vSphere Client PowerProtect plug-in with IPv6 and the vCenter host is added to PowerProtect Data Manager using its IPv6 address or FQDN, Service Unavailable messages might be seen for the protected virtual machine. Backups and restores of the protected virtual machine are unaffected, and these messages can be ignored.

Uncompressed IPv6 formatting

Network interfaces that exist on a DD 7.4.x or earlier system and that are configured to use an uncompressed IPv6 format cannot be discovered. An example of an uncompressed IPv6 format is 2620:0000:0170:0597:0000:0000:0001:001a. An example of a compressed IPv6 format is 2620:0:170:597::1:1a. To use these network interfaces, reconfigure them to use either an IPv4 address or a compressed IPv6 address, and then initiate a discovery.
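The name-resolution requirements and the uncompressed IPv6 limitation described above can both be checked before a discovery is started. The following Python check is an added example, not part of the guide or the product: the host names, the 192.0.2.x and 2001:db8:: records, and all function names are assumptions, and it treats any IPv6 spelling other than the canonical compressed form as needing reconfiguration, which is stricter than the guide's single example.

```python
"""Pre-discovery check: name resolution and IPv6 address format.

Added example, not Dell code. Host names and the 192.0.2.x / 2001:db8::
records are constructed; the two 2620:... strings are the guide's own examples.
"""
import ipaddress
import socket


def compressed_form_if_needed(text):
    """Return the compressed spelling when `text` is an IPv6 address that is
    not already compressed, else None. Raises ValueError on malformed input.
    Assumption: anything but the canonical compressed form is flagged."""
    addr = ipaddress.ip_address(text)
    if addr.version == 4:
        return None
    return None if text.lower() == addr.compressed else addr.compressed


def system_forward(fqdn):
    """Every IPv4 and IPv6 address the local resolver returns for fqdn."""
    infos = socket.getaddrinfo(fqdn, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def system_reverse(address):
    """Primary host name from the reverse (PTR) lookup of address."""
    return socket.gethostbyaddr(address)[0]


def check_name_resolution(fqdn, forward=system_forward, reverse=system_reverse):
    """Forward-resolve fqdn, then confirm every address maps back to it.

    Returns a list of findings; an empty list means the forward and reverse
    records agree. Reachability is not tested here."""
    try:
        addresses = forward(fqdn)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return [f"{fqdn}: forward lookup failed ({exc})"]
    findings = []
    for address in addresses:
        try:
            name = reverse(address)
        except OSError as exc:  # socket.herror is a subclass of OSError
            findings.append(f"{address}: reverse lookup failed ({exc})")
            continue
        if name.rstrip(".").lower() != fqdn.rstrip(".").lower():
            findings.append(
                f"{address}: reverse lookup returns {name}, expected {fqdn}")
    return findings


def audit(fqdns, interface_addresses, forward=system_forward,
          reverse=system_reverse):
    """Run both checks and return all findings as one list of strings."""
    findings = []
    for fqdn in fqdns:
        findings.extend(check_name_resolution(fqdn, forward, reverse))
    for text in interface_addresses:
        try:
            better = compressed_form_if_needed(text)
        except ValueError:
            findings.append(f"{text}: not a valid IP address")
            continue
        if better is not None:
            findings.append(f"{text}: not compressed, reconfigure as {better}")
    return findings


# Constructed records standing in for DNS so the example runs offline.
SAMPLE_FORWARD = {
    "ppdm.example.test": ["192.0.2.10", "2001:db8::10"],
    "dd01.example.test": ["192.0.2.20", "2001:db8::20"],
}
SAMPLE_REVERSE = {
    "192.0.2.10": "ppdm.example.test",
    "2001:db8::10": "ppdm.example.test",
    "192.0.2.20": "dd01.example.test",
    "2001:db8::20": "dd-mgmt.example.test",  # PTR disagrees with the AAAA name
}
SAMPLE_INTERFACES = [
    "192.0.2.20",
    "2620:0000:0170:0597:0000:0000:0001:001a",  # uncompressed, from the guide
    "2620:0:170:597::1:1a",                     # compressed, from the guide
]


def sample_forward(fqdn):
    if fqdn not in SAMPLE_FORWARD:
        raise socket.gaierror(f"no A or AAAA record for {fqdn}")
    return SAMPLE_FORWARD[fqdn]


def sample_reverse(address):
    if address not in SAMPLE_REVERSE:
        raise socket.herror(f"no PTR record for {address}")
    return SAMPLE_REVERSE[address]


if __name__ == "__main__":
    for line in audit(SAMPLE_FORWARD, SAMPLE_INTERFACES,
                      sample_forward, sample_reverse):
        print(line)
```

Calling `audit()` without the last two arguments uses the local resolver instead of the constructed records.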

Terminology

Familiarize yourself with the terminology for the PowerProtect Data Manager user interface and documentation.

The following table provides more information about names and terms that you should know to use PowerProtect Data Manager:

Table 4. Term list

| Term | Description |
|---|---|
| Application agent | Application agents are installed on application or database host servers to manage protection using PowerProtect Data Manager. These agents are commonly known as DD Boost Enterprise Agents (DDBEAs) for databases and applications. |
| Application-aware | A virtual machine protection policy that includes additional application-aware data protection for Microsoft SQL Servers. An application-aware virtual machine protection policy provides the ability to quiesce the application during virtual machine image backup to perform a full backup of Microsoft SQL Server databases. You can also schedule Microsoft SQL Server log backups for the virtual machines in the policy. |
| Asset | Assets are objects in PowerProtect Data Manager for which you want to manage protection, including virtual machines, databases, and file systems. |
| Asset source | Assets that PowerProtect Data Manager protects reside within asset sources, which include vCenter servers, application or database hosts, and file servers. |
| Cloud Tier storage | Cloud Tier storage can be added to a protection storage system to expand the deduplication storage capacity onto less expensive object storage in public or private object storage clouds, including secure Elastic Cloud Storage appliances. |
| Copy | A PowerProtect Data Manager copy is a point-in-time backup copy of an asset. |
| Copy Map | The PowerProtect Data Manager Copy Map is a visual representation of backup copy locations on your protection storage and is available for all protected assets that have copies. |
| Discovery | Discovery is an internal process that scans asset sources to find new assets to protect and scans infrastructure components to monitor their health and status. |
| Instant Access | PowerProtect Data Manager virtual machine backup copies can be accessed, mounted, and booted directly from the protection storage targets as running virtual machines. This operation is called Instant Access. Copies can also be moved to a production VMware datastore using vMotion. PowerProtect Data Manager Virtual machine application-aware backup copies can be mounted directly from protection storage as running Microsoft SQL Server databases, which includes the ability to roll forward log backups. These Microsoft SQL Server database disks can also be moved to a production VMware datastore using vMotion. |
| PowerProtect Data Manager agent | An agent that is included in PowerProtect Data Manager and installed on each application agent host server so that you can monitor and manage the application agent through PowerProtect Data Manager. |
| Protection policy | Protection policies configure and manage the entire life cycle of backup data, which includes backup types, assets, backup start and stop times, backup devices, and backup retention. |
| Service-level agreement (SLA) | An optional policy that you can layer on top of a protection policy. An SLA performs additional checks on protection activities to ensure that protection goals meet the standards of an organization. SLAs are made up of one or more service-level objectives. |
| Service-level objective (SLO) | A definable rule that sets the criteria for recovery-point objectives (RPOs), encryption, and the location of backups according to company requirements. |

Role-based security

PowerProtect Data Manager provides predefined user roles that control access to areas of the user interface and to protected operations. Some of the functionality in this guide is reserved for particular roles and may not be accessible from every user account.

By using the predefined roles, you can limit access to PowerProtect Data Manager and to backup data by applying the principle of least privilege.

The PowerProtect Data Manager Security Configuration Guide provides more information about user roles, including the associated privileges and the tasks that each role can perform.

Firewall and port considerations

The PowerProtect Data Manager Security Configuration Guide provides more details about the port requirements. Verify the requirements between the following components:

- PowerProtect Data Manager
- Configured DD systems
- VM Direct appliances (embedded and external)
- Web and REST API clients
- Callhome (SupportAssist)
- ESXi
- vCenter

PowerProtect Data Manager new deployment overview

Familiarize yourself with the high-level steps required to protect virtual machines.

Steps

1. Design how to group the backups based on the storage requirements and retention policies.

The account team can help with backup storage design.

2. Deploy PowerProtect Data Manager.

The PowerProtect Data Manager Deployment Guide for the appropriate platform provides instructions. Review all prerequisites.

3. Configure PowerProtect Data Manager settings.

For example, configure additional users, identity providers, or virtual networks.

The PowerProtect Data Manager Administration and User Guide and PowerProtect Data Manager Security Configuration Guide provide instructions.

4. Add protection storage.

The PowerProtect Data Manager Administration and User Guide provides instructions.

5. Configure any required storage units.

The PowerProtect Data Manager Administration and User Guide provides instructions.

6. Deploy any required VM Direct Engine appliances.

7. Add a protection policy for groups of assets that you want to back up.

8. Add Service Level Objectives to the protection policy to verify that the protected assets meet the Service Level Agreements (SLAs).

The PowerProtect Data Manager Administration and User Guide provides instructions.

9. Perform a full backup.

Without a full backup, PowerProtect Data Manager treats the backups as partial and assumes that you are out of compliance.

10. Monitor protection compliance in the PowerProtect Data Manager dashboard.

Access the PowerProtect Data Manager UI

PowerProtect Data Manager provides a web-based UI that you can use to manage and monitor system features and settings from any location over a network.

Steps

1. From a host that has network access to the virtual appliance, use Google Chrome to connect to the appliance:

https://<appliance_hostname>

NOTE: You can specify the hostname or the IP address of the appliance.

2. Log in with your username and password.

Usernames follow the format user[@domain], where domain is an optional identifier that associates the user with a particular identity provider.

For example: jsmith or administrator@test-lab.

- If you do not supply a domain, the authentication service checks the default identity provider.
- If you supply a domain, the authentication service consults the external identity provider for that domain and determines whether to allow the login.

NOTE:

- If the user interface is left unattended for more than 30 minutes and times out, the login page might display with the error 503: Unknown Error. If this occurs, dismiss the error and log in again with your username and password.
- If you log in with an expired password, reset the password immediately. Clicking Cancel, closing the browser, or navigating away from the page before changing your password disables your credentials for subsequent logins. If you log in and receive a prompt to change your password because of outdated login credentials, provide your current password, a new password, and confirmation of the new password to continue.

When the identity provider validates the credentials, the authentication service issues a user token. The PowerProtect Data Manager UI uses the token information to authorize activities.

Unless you have changed the system configuration, the default identity provider is the local identity provider.

The PowerProtect Data Manager Security Configuration Guide provides more information about the available user roles and their associated permissions. The associated roles for an account determine what parts of the UI a user can see and use, and what operations a user can perform.

If this is your first time accessing the PowerProtect Data Manager UI, an unsigned certificate warning might appear in the web browser.

The security certificate that encrypts communication between the PowerProtect Data Manager UI and the web browser is self-signed. A self-signed certificate is signed by the web server that hosts the secure web page. There is nothing wrong with this certificate. This certificate is sufficient to establish an encrypted channel between the web browser and the server. However, it is not signed by a trusted authority.

The Get Started window appears with configuration options that are required on first deployment. To skip this window and go right to the Dashboard, click Launch.

From the Dashboard window:

- The left pane provides links to the available menu items. Expand a menu item for more options.
- The icons in the PowerProtect Data Manager banner provide additional options.

Get Started window

The Get Started window provides configuration options that are required when the PowerProtect Data Manager system is first deployed. This window continues to display by default each time you log in until you click Launch.

You can access the Get Started window at any time, or view any getting started options that have yet to be configured, by clicking , and then selecting Getting Started.

The Get Started window enables you to configure or edit the following menu items:

Table 5. PowerProtect Data Manager Get Started menu items

| Options | Description |
|---|---|
| License | Launches the License window, which prompts you to add a license file to PowerProtect Data Manager. Once a license is uploaded, you can view license details, such as capacity usage and software ID. |
| Support | Launches the Support window, which enables you to configure SupportAssist, AutoSupport, and set up the email server for application notifications and messages. |
| Assets | Launches the Asset Sources window, where you can enable any of the asset source types that PowerProtect Data Manager supports. After enabling an asset source, you can add and register the source for the protection of assets. |
| Storage | Launches the Add Storage window, where you can add a PowerProtect DD System or PowerProtect DD Management Center as protection storage for primary backup and replicated copies. |

Enabling Virtual Machine Protection

Topics:

- About asset sources, assets, and protection storage
- About vCenter server asset sources and virtual assets
- Prerequisites for discovering asset sources
- Enable an asset source
- Adding a vCenter Server asset source
- VM Direct protection engine overview

About asset sources, assets, and protection storage

In PowerProtect Data Manager, assets are the basic units that PowerProtect Data Manager protects. Asset sources are the mechanism that PowerProtect Data Manager uses to manage assets and communicate with the protection storage where backup copies of the assets are stored.

For virtual machines, the vCenter server is the asset source and the virtual machines are the assets. Before you can add an asset source, you must enable the source within the PowerProtect Data Manager UI.

Add and configure protection storage to use as a target for protection policies. The PowerProtect Data Manager Administration and User Guide provides instructions.

About vCenter server asset sources and virtual assets

After you add a vCenter server as an asset source in PowerProtect Data Manager, an automatic discovery of VMware entity information from the vCenter server is initiated.

The virtual assets of the vCenter server appear in the Assets window of the PowerProtect Data Manager user interface under the Virtual Machine tab.

The initial vCenter server discovery identifies all ESXi clusters, hosts, and virtual machines within the vCenter server. Subsequent discoveries can be performed to identify any additional or changed VMware entities since the last discovery operation. You can also manually initiate a discovery of VMware entities at any time from the vCenter tab of the Asset Sources window by selecting a vCenter server and clicking Discover.

After vCenter server and virtual asset discovery, the PowerProtect Data Manager VM Direct protection engine facilitates the management of virtual assets as PowerProtect Data Manager resources for the purposes of backup and recovery. It is recommended that you also add an external VM Direct Engine in the Protection Engines window. You can protect virtual machine assets by manually adding the assets to a virtual machine protection policy, or by creating and applying protection rules to determine which assets are included in a protection policy based on rule definitions.

Prerequisites for discovering asset sources

Perform these tasks before you discover an asset source.

- Ensure that the PowerProtect Data Manager is deployed and configured in the environment. The PowerProtect Data Manager deployment guides provide information.
- Log in as a user with the Administrator role. Only the Administrator role can manage asset sources.
- For a new system, enable one or more asset sources for the types of assets that you want to protect. Enable an asset source provides more information.
- Configure all asset sources with an NTP server.
- Before you register a Microsoft SQL Server application, ensure that the DD system has been discovered successfully.
- For discovery of application agents and File System asset sources:
  - Ensure that all clocks on the application and File System hosts and PowerProtect Data Manager are time-synchronized to the local NTP server to ensure discovery of the backups.
  - Ensure that the application and File System hosts and the PowerProtect Data Manager network can see and resolve each other.
  - Ensure that port 7000 is open on the application and File System hosts.
- Discovery of a vCenter Server asset source excludes the following:
  - Virtual machines with a status of Inaccessible, Invalid, or Orphaned.
  - The virtual machine template.
  - The shadow or standby virtual machine created by RecoverPoint for Virtual Machines, also referred to as the vRPA copy.
  - The vSphere Cluster Service (vCLS) virtual machine.

    NOTE: Virtual machines created by the vCLS are managed by VMware, and do not require PowerProtect Data Manager protection. Even when selected as part of a container, they are automatically excluded from protection. The vmdm-discovery.log provides a list of vCLS virtual machines that are excluded from protection.

Prior to performing the vCenter discovery, verify the status of any virtual machines that you want to discover.

Discovering asset sources in a GCVE environment

There are special discovery considerations in a GCVE environment. Discovery fails unless GCVE-located vCenter servers have additional permissions.

Ensure that any GCVE-located vCenter server has the following permissions:

The GVE.LOCAL\CloudOwner user is mapped to the Cloud-Owner-Role role at the vCenter level.

The GVE.LOCAL\CloudOwner to Cloud-Owner-Role mapping is not restricted to a lower-level container object in the vSphere object hierarchy.

Enable an asset source

An asset source must be enabled in PowerProtect Data Manager before you can add and register the asset source for the protection of assets.

About this task

Only the Administrator role can manage asset sources.

In some circumstances, the enabling of multiple asset sources is required. For example, a vCenter Server and a Kubernetes cluster asset source must be enabled for Tanzu Kubernetes guest cluster protection.

There are other circumstances where enabling an asset source is not required, such as the following:

For application agents and other agents such as File System and Storage Direct, an asset source is enabled automatically when you register and approve the agent host. For example, if you have not enabled an Oracle asset source but have registered the application host through the API or the PowerProtect Data Manager user interface, PowerProtect Data Manager automatically enables the Oracle asset source.

When you update to the latest version of PowerProtect Data Manager from an earlier release, any asset sources that were previously enabled appear in the PowerProtect Data Manager user interface. On a new deployment, however, no asset sources are enabled by default.

Steps

1. From the PowerProtect Data Manager user interface, select Infrastructure > Asset Sources, and then click + to reveal the New Asset Source tab.

2. In the pane for the asset source that you want to add, click Enable Source. The Asset Sources window updates to display a tab for the new asset source.

Results

You can now add or approve the asset source for use in PowerProtect Data Manager. For a vCenter server, Kubernetes cluster, SMIS Server, or PowerProtect Cloud Snapshot Manager tenant, select the appropriate tab in this window and click Add. For an application host, select Infrastructure > Application Agents and click Add or Approve as required.


NOTE: Although you can add a Cloud Snapshot Manager tenant to PowerProtect Data Manager in order to view its health, alerts, and the status of its protection, recovery, and system jobs, you cannot manage the protection of its assets from PowerProtect Data Manager. To manage the protection of its assets, use Cloud Snapshot Manager. For more information, see the PowerProtect Cloud Snapshot Manager Online Help.

Disable an asset source

If you enabled an asset source that you no longer require, and the host has not been registered in PowerProtect Data Manager, perform the following steps to disable the asset source.

About this task

NOTE: An asset source cannot be disabled when one or more sources are still registered or there are backup copies of the source assets. For example, if you registered a vCenter server and created policy backups for the vCenter Server virtual machines, then you cannot disable the vCenter Server asset source. But if you register a vCenter server and then delete it without creating any backups, you can disable the asset source.

Steps

1. From the PowerProtect Data Manager UI, select Infrastructure > Asset Sources, and then select the tab of the asset source that you want to disable. If no host registration is detected, a red Disable button appears.

2. Click Disable.

Results

PowerProtect Data Manager removes the tab for this asset source.

Delete an asset source

If you want to remove an asset source that you no longer require, perform the following steps to delete the asset source in the PowerProtect Data Manager UI.

About this task

Only the Administrator role can manage the asset sources.

Steps

1. From the PowerProtect Data Manager UI, select Infrastructure > Asset Sources, and then select the tab for the type of asset source that you want to delete.

2. Select the asset source name in the asset source list, and then click Delete.

3. At the warning prompt that appears, click Continue. The asset source is deleted from the list.

Results

PowerProtect Data Manager removes the specified asset source in the Asset Sources window.

For all asset sources except the vCenter Server, any associated assets that are protected by the protection policy are removed from the protection policy and their status is changed to deleted. These assets are removed automatically as part of daily PowerProtect Data Manager cleanup after all associated backup copies have been deleted. These assets can also be removed manually. The PowerProtect Data Manager Administration and User Guide provides details on how to remove assets from PowerProtect Data Manager.

The copies of assets from the asset source are retained (not deleted). You can delete the copies from the copies page, if required.


Adding a vCenter Server asset source

After you register a vCenter server with PowerProtect Data Manager, you can use the Asset Sources window in the PowerProtect Data Manager user interface to add a vCenter Server asset source to the PowerProtect Data Manager environment.

Adding a vCenter Server asset source is required if you want to schedule a backup through PowerProtect Data Manager.

Add a VMware vCenter server

Perform the following steps to add a vCenter server as an asset source in the PowerProtect Data Manager UI for virtual machine protection and Tanzu Kubernetes guest cluster protection.

Prerequisites

Ensure that the asset source is enabled. Enable an asset source provides instructions.

Log in as a user with the Administrator role. Only the Administrator role can manage asset sources.

By default, PowerProtect Data Manager enforces SSL certificates during communication with vCenter server. If a certificate appears and you trust the certificate, click Verify.

The SSL certificate enforcement requires that the common name (cn) of the x509 certificate on the vCenter server matches the hostname of the vCenter URL. The common name of the x509 certificate is typically the vCenter server fully qualified domain name (FQDN), but it could be the vCenter server IP address. You can inspect the vCenter server SSL certificate to determine whether the x509 common name is an FQDN or IP. When creating an asset source resource, in order to pass SSL certificate enforcement, the asset source resource hostname must match the common name of the x509 certificate on the vCenter server.

NOTE: It is recommended that you do not disable certificate enforcement. If disabling the certificate is required, carefully review the instructions in the section Disable vCenter SSL certificate validation.
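The common-name requirement described above can be checked before the asset source is created. The following PowerShell function is an added example, not code from Dell or from this guide: it retrieves the certificate that the vCenter server presents and reports whether its common name equals the address you plan to enter, together with a SHA-256 fingerprint that can be compared against a value obtained from the vCenter administrator. The function name and the address vcenter.example.com are hypothetical.

```powershell
# Added example (not part of the original guide).
# Fetches the TLS certificate presented on the vCenter port and compares its
# common name with the value intended for the Address field.
function Get-VCenterCertificateInfo {
    param(
        [Parameter(Mandatory)][string]$Address,   # FQDN or IP you plan to enter as the asset source address
        [int]$Port = 443                          # default vCenter port named in this guide
    )

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Address, $Port)
        # The callback accepts any certificate because this connection exists only
        # to read the certificate for review; no credentials or data are sent over it.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $certificate, $chain, $errors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        try {
            $ssl.AuthenticateAsClient($Address)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        }
        finally { $ssl.Dispose() }
    }
    finally { $tcp.Close() }

    # Simple name of the subject (the CN when the subject contains one).
    $cn = $cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    # SHA-256 fingerprint over the DER-encoded certificate.
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    $fingerprint = [System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ':'

    # Subject Alternative Name extension (OID 2.5.29.17), shown for reference only;
    # the guide states that enforcement compares against the common name.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }

    [pscustomobject]@{
        Address        = $Address
        CommonName     = $cn
        CnMatches      = [string]::Equals($cn, $Address, [System.StringComparison]::OrdinalIgnoreCase)
        SubjectAltName = if ($san) { $san.Format($false) } else { $null }
        NotAfter       = $cert.NotAfter
        Sha256         = $fingerprint
    }
}

# Hypothetical address: replace with the value intended for the Address field.
Get-VCenterCertificateInfo -Address 'vcenter.example.com' | Format-List
```

If CnMatches is False, use the value shown in CommonName as the asset source address rather than disabling certificate enforcement.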

Steps

1. From the left navigation pane, select Infrastructure > Asset Sources.

The Asset Sources window appears.

2. Select the vCenter tab.

3. Click Add. The Add vCenter dialog displays.

4. Specify the source attributes:

a. In the Name field, specify the vCenter server name.

b. In the Address field, specify the fully qualified domain name (FQDN) or the IP address.

NOTE: For a vCenter server, it is recommended that you use the FQDN instead of the IP address.

c. In the Port field, specify the port for communication if you are not using the default port, 443.

5. Under Host Credentials, choose an existing entry from the list to use for the vCenter user credentials. Alternatively, you can click Add from this list to add new credentials, and then click Save.

NOTE: Ensure that you specify the credentials for a user whose role is defined at the vCenter level, as opposed to being restricted to a lower-level container object in the vSphere object hierarchy.

6. If you want to make a subset of the PowerProtect Data Manager UI functionality available within the vSphere Client, select vSphere Plugin.

Available functionality includes: The monitoring of active virtual machine/VMDK protection policies, and Restore options such as Restore to Original, Restore to New, and Instant Access.

NOTE: You can unregister the vSphere plug-in at any time by clearing vSphere Plugin.

7. By default, the vCenter discovery occurs automatically after adding the vCenter server, and subsequent discoveries are incremental. If you want to schedule a full discovery at a certain time every day, move the Schedule Discovery slider to the right, and then specify a time.


8. If there is no hosting vCenter server and you want to make this the vCenter server that hosts PowerProtect Data Manager, select Add as hosting vCenter server. If a vCenter server has already been added as the hosting vCenter server, this option will be greyed out.

The PowerProtect Data Manager Administration and User Guide provides more information about adding a host vCenter server and specifying the PowerProtect Data Manager host.

9. If the vCenter server SSL certificate cannot be trusted automatically, a dialog box appears requesting certificate approval. Review the certificate, and then click Verify.

10. Click Save.

The vCenter server information that you entered now appears as an entry in a table on the Asset Sources window. You can click the magnifying glass icon next to the entry to view more details, such as the next scheduled discovery, the number of assets within the vCenter server, and whether the vSphere Plugin is enabled.

NOTE: Although PowerProtect Data Manager automatically synchronizes with the vCenter server under most circumstances, certain conditions might require you to initiate a manual discovery.

After discovery, PowerProtect Data Manager starts an incremental discovery in the background periodically to keep updating PowerProtect Data Manager with vCenter changes. You can always do an on-demand discovery.

NOTE: When you add a host with existing virtual machines to PowerProtect Data Manager, or re-add a host with virtual machines that was removed from one vCenter and added to another, an incremental discovery does not discover these virtual machine assets. Wait for the next scheduled full discovery, or initiate a discovery within the PowerProtect Data Manager UI.

11. Optionally, you can set warning and failure thresholds for the available space on the datastore. Setting these thresholds enables you to check if enough storage space is available in the datastore to save the snapshot of the virtual machine during the backup process. The backup completes with a warning in the logs if the available free space in the datastore is less than or equal to the percentage indicated in the Datastore Free Space Warning Threshold. The backup fails if the available free space in the datastore is less than or equal to the percentage indicated in the Datastore Free Space Failure Threshold. To add Datastore Free Space Warning and Failure Thresholds:

a. Click the gear icon to open the vCenter Settings dialog.

b. Type a percentage value to indicate when a warning message should display due to low datastore free space.

c. Type a percentage value to indicate when a virtual machine backup failure should occur due to low datastore free space.

d. Click Save.

NOTE: Datastore free space thresholds are disabled by default.

12. Select Infrastructure > Assets.

The Assets window appears.

13. If not already selected, click the Virtual Machine tab.

Results

After a successful discovery of the vCenter asset source, the virtual machine assets in the vCenter server display in the Infrastructure > Assets window.

You can modify the details for the vCenter asset source by selecting the vCenter server in the Infrastructure > Asset Sources window and clicking Edit. You cannot, however, clear the Add as hosting vCenter check box when editing an asset source if this vCenter server has already been added as the hosting vCenter server. For this operation, use the Hosting vCenter window, as described in the PowerProtect Data Manager Administration and User Guide section for specifying the PowerProtect Data Manager host.

NOTE: Discovery time is based on networking bandwidth. The resources that are discovered and the resources that are performing the discovery impact performance each time that you initiate a discovery process. It might appear that PowerProtect Data Manager is not updating the Asset Sources data while the discovery is in progress.

Next steps

Add a VM Direct appliance to facilitate data movement, and then create virtual machine protection policies to back up these assets. The PowerProtect Data Manager software comes bundled with an embedded VM Direct engine, which is automatically used as a fallback proxy for performing backups and restores when the added external proxies fail or are disabled. It is recommended that external proxies be deployed since the embedded VM Direct Engine has limited capacity for performing backup streams. To add a VM Direct Engine, select Infrastructure > Protection Engines.


Creating a dedicated vCenter user account

It is recommended that you set up a separate vCenter user account at the root level that is strictly dedicated for use with PowerProtect Data Manager and the VM Direct protection engine.

Use of a generic user account such as Administrator could make future troubleshooting efforts difficult as it might not be clear which Administrator actions are actually interfacing or communicating with PowerProtect Data Manager. Using a separate vCenter user account ensures maximum clarity if it becomes necessary to examine vCenter logs.

You can specify the credentials for a vCenter user account when you add the vCenter server as an asset source in the user interface. When you add the vCenter server, ensure that you specify a user whose role is defined at the vCenter level and not restricted to a lower level container object in the vSphere object hierarchy.

vSphere permissions to support discovery of distributed vCenter deployments

In a distributed vCenter deployment, such as one vCenter server with datacenters in multiple geographic locations, it is highly recommended to use permission-based discovery if a local PowerProtect Data Manager instance is protecting virtual machines in that location. The benefit of permission-based discovery is that, instead of discovering the entire vCenter, only a subset of virtual machines, hosts, and other related vSphere entities in the vCenter is discovered, which reduces the discovery time, latency impact, and chance of discovery failures.

The permission-based discovery requires a scoped vSphere service account, which is an account with privileges that are defined by PowerProtect Data Manager that are required for accessing local virtual machines, hosts, and other related vSphere entities. This account can be a new account, or you can use an existing account by adding permissions.

Once the account is created, you can apply the required permissions. The following example demonstrates the account permissions steps a user in location A is required to perform to protect virtual machines inside a container, such as a datacenter or a cluster:

Provide the account permissions to ancestor containers of the container, such as the vCenter and folders, with Propagate to children unselected.

Provide the account permissions to the container, with Propagate to children selected.

Provide the account permissions to all vSphere entities that relate to the virtual machines in the container, such as folders, datastores, and networks, with Propagate to children selected.

It is recommended to work with a virtual administrator within your organization to configure this service account so that the vSphere account added to PowerProtect Data Manager has its account permissions adjusted on the vCenter to resources that are mapped to the same site as the PowerProtect Data Manager instance.

NOTE: When adding or configuring this user account, note the following:

Each vCenter Server can only be added once to each PowerProtect Data Manager instance. This behavior is common to PowerProtect Data Manager.

Setting up a user account with permissions to some remote virtual machines in addition to local ones, although possible, is not recommended.
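The three permission assignments listed above for permission-based discovery can be planned and applied with PowerCLI. The script below is an added example, not Dell's code: it assumes the container is a cluster, that the 'PowerProtect' role from the New-VIRole command in this guide already exists, and it uses hypothetical server, account, and cluster names. It prints the planned assignments and changes nothing unless -Apply is given.

```powershell
# Added example (not part of the original guide). Requires VMware PowerCLI.
# Hypothetical values: server name, service account, and cluster name.
param(
    [string]$Server      = 'vcenter.example.com',
    [string]$Principal   = 'VSPHERE.LOCAL\svc-ppdm-site-a',
    [string]$ClusterName = 'SiteA-Cluster',
    [string]$RoleName    = 'PowerProtect',   # role name used by the New-VIRole command in this guide
    [switch]$Apply                           # without -Apply the script only prints the plan
)

Connect-VIServer -Server $Server -ErrorAction Stop | Out-Null
$cluster = Get-Cluster -Name $ClusterName -ErrorAction Stop
$plan    = New-Object System.Collections.Generic.List[object]

# Records one planned permission: which entity, and whether it propagates to children.
function Add-PlanEntry($MoRef, [bool]$Propagate, [string]$Reason) {
    $view = Get-View -Id $MoRef -Property Name
    $plan.Add([pscustomobject]@{
        Entity = $view.Name; Type = $MoRef.Type; MoRef = $MoRef
        Propagate = $Propagate; Reason = $Reason
    })
}

# 1. Ancestor containers of the cluster (host folders, datacenter, root folder):
#    Propagate to children unselected.
$current = Get-View -Id $cluster.ExtensionData.MoRef -Property Parent
while ($current.Parent) {
    Add-PlanEntry $current.Parent $false 'ancestor of container'
    $current = Get-View -Id $current.Parent -Property Parent
}

# 2. The container itself: Propagate to children selected.
Add-PlanEntry $cluster.ExtensionData.MoRef $true 'container'

# 3. Entities related to the virtual machines in the container: the datastores and
#    networks attached to the cluster, and the inventory folders holding its VMs.
#    A propagating permission on a VM folder also covers every other VM in that
#    folder, so review the printed plan before applying it.
$clusterView = Get-View -Id $cluster.ExtensionData.MoRef -Property Datastore, Network
$vmFolders   = Get-VM -Location $cluster | ForEach-Object { $_.ExtensionData.Parent }
$related     = @($clusterView.Datastore) + @($clusterView.Network) + @($vmFolders) |
    Where-Object { $_ } | Sort-Object -Property Value -Unique
foreach ($moRef in $related) {
    Add-PlanEntry $moRef $true 'related to virtual machines in container'
}

$plan | Format-Table Entity, Type, Propagate, Reason -AutoSize

if ($Apply) {
    $authMgr = Get-View -Id 'AuthorizationManager'
    $roleId  = ($authMgr.RoleList | Where-Object { $_.Name -eq $RoleName }).RoleId
    if ($null -eq $roleId) { throw "Role '$RoleName' was not found on $Server." }

    foreach ($entry in $plan) {
        $permission           = New-Object VMware.Vim.Permission
        $permission.Principal = $Principal
        $permission.Group     = $false          # the principal is a user, not a group
        $permission.RoleId    = $roleId
        $permission.Propagate = $entry.Propagate
        # Sets (or replaces) this principal's permission on the entity; permissions
        # of other principals on the same entity are left unchanged.
        $authMgr.SetEntityPermissions($entry.MoRef, @($permission))
    }
}
```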

Specify the required privileges for a dedicated vCenter user account

You can use the vSphere Client to specify the required privileges for the dedicated vCenter user account, or you can use the PowerCLI, which is an interface for managing vSphere.

The following table includes the privileges required for this user.

NOTE: For the privileges required when administering PowerProtect Data Manager in a cloud environment, see Specify the required privileges for a dedicated cloud-based vCenter user account. For the additional privileges required when using the Transparent Snapshot Data Mover (TSDM) protection mechanism for virtual machine crash-consistent data protection, see Additional privileges required for a dedicated vCenter user account to use Transparent Snapshot Data Mover.


Table 6. Minimum required vCenter user account privileges

Setting: vCenter 6.5 and later required privileges

Alarms: Create alarm, Modify alarm

Cryptographic operations: Add disk, Direct Access, Encrypt, Migrate [NOTE: This privilege applies only to virtual machines enabled with Microsoft virtualization-based security (VBS) or Virtual Trusted Platform Module (vTPM).], Register VM

Datastore: Allocate space, Browse datastore, Configure datastore, Low level file operations, Move datastore, Remove datastore, Remove file, Rename datastore

Extension: Register extension, Unregister extension, Update extension

Folder: Create folder

Global: Cancel task, Disable methods, Enable methods, Licenses, Log event, Manage custom attributes, Set custom attribute, Settings

Host: Configuration > Storage partition configuration

vSphere Tagging: Assign or Unassign vSphere Tag, Assign or Unassign vSphere Tag on Object [NOTE: This only applies to vCenter 7.0 and later.], Create vSphere Tag, Create vSphere Tag Category

Network: Assign network, Configure

Profile-driven storage (for SPBM policy restore in vCenter versions 7.0 U3 and earlier): Profile-driven storage update, Profile-driven storage view

VM storage policies (for SPBM policy restore in vCenter versions 8.0 and later): Update VM storage policies, View VM storage policies

Resource: Assign virtual machine to resource pool, Migrate powered off virtual machine, Migrate powered on virtual machine

Sessions: Validate session

Tasks: Create task, Update task

vApp: Export, Import, vApp application configuration

Virtual Machine > Change Configuration: Acquire disk lease, Add existing disk, Add new disk, Add or remove device, Advanced configuration, Change CPU count, Change Memory, Change Settings, Change Swapfile placement, Change resource, Configure Host USB device, Configure Raw device, Configure managedby, Extend virtual disk, Modify device settings, Reload from path, Remove disk, Rename, Reset guest information, Set annotation, Toggle disk change tracking, Upgrade virtual machine compatibility

Virtual Machine > Edit Inventory: Create new, Register, Remove, Unregister

Virtual Machine > Guest operations: Guest operation modifications, Guest operation program execution, Guest operation queries

Virtual Machine > Interaction: Configure CD media, Connect devices, Console interaction, Guest operating system management by VIX API, Install VMware Tools, Power off, Power on, Reset

Virtual Machine > Provisioning: Allow disk access, Allow read-only disk access, Allow virtual machine download, Mark as template

Virtual Machine > Snapshot Management: Create snapshot, Remove snapshot, Revert to snapshot

PowerCLI equivalent required privileges:

# Run in a PowerCLI session that is already connected to the vCenter server (Connect-VIServer).
# Privilege IDs that correspond to the settings listed in Table 6.
$privileges = @(
    'System.Anonymous',
    'System.View',
    'System.Read',
    'Alarm.Create',
    'Alarm.Edit',
    'Cryptographer.AddDisk',
    'Cryptographer.Access',
    'Cryptographer.Encrypt',
    'Cryptographer.Migrate',
    'Cryptographer.RegisterVM',
    'Datastore.Rename',
    'Datastore.Move',
    'Datastore.Delete',
    'Datastore.Browse',
    'Datastore.DeleteFile',
    'Datastore.FileManagement',
    'Datastore.AllocateSpace',
    'Datastore.Config',
    'Extension.Register',
    'Extension.Unregister',
    'Extension.Update',
    'Folder.Create',
    'Global.ManageCustomFields',
    'Global.SetCustomField',
    'Global.LogEvent',
    'Global.CancelTask',
    'Global.Licenses',
    'Global.Settings',
    'Global.DisableMethods',
    'Global.EnableMethods',
    'Host.Config.Storage',
    'InventoryService.Tagging.AttachTag',
    'InventoryService.Tagging.ObjectAttachable',
    'InventoryService.Tagging.CreateTag',
    'InventoryService.Tagging.CreateCategory',
    'Network.Config',
    'Network.Assign',
    'Resource.AssignVMToPool',
    'Resource.HotMigrate',
    'Resource.ColdMigrate',
    'Sessions.ValidateSession',
    'StorageProfile.Update',
    'StorageProfile.View',
    'Task.Create',
    'Task.Update',
    'VApp.ApplicationConfig',
    'VApp.Export',
    'VApp.Import',
    'VirtualMachine.Config.Rename',
    'VirtualMachine.Config.Annotation',
    'VirtualMachine.Config.AddExistingDisk',
    'VirtualMachine.Config.AddNewDisk',
    'VirtualMachine.Config.RemoveDisk',
    'VirtualMachine.Config.RawDevice',
    'VirtualMachine.Config.HostUSBDevice',
    'VirtualMachine.Config.CPUCount',
    'VirtualMachine.Config.Memory',
    'VirtualMachine.Config.AddRemoveDevice',
    'VirtualMachine.Config.EditDevice',
    'VirtualMachine.Config.Settings',
    'VirtualMachine.Config.Resource',
    'VirtualMachine.Config.UpgradeVirtualHardware',
    'VirtualMachine.Config.ResetGuestInfo',
    'VirtualMachine.Config.AdvancedConfig',
    'VirtualMachine.Config.DiskLease',
    'VirtualMachine.Config.SwapPlacement',
    'VirtualMachine.Config.DiskExtend',
    'VirtualMachine.Config.ChangeTracking',
    'VirtualMachine.Config.ReloadFromPath',
    'VirtualMachine.Config.ManagedBy',
    'VirtualMachine.GuestOperations.Query',
    'VirtualMachine.GuestOperations.Modify',
    'VirtualMachine.GuestOperations.Execute',
    'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.Reset',
    'VirtualMachine.Interact.ConsoleInteract',
    'VirtualMachine.Interact.DeviceConnection',
    'VirtualMachine.Interact.SetCDMedia',
    'VirtualMachine.Interact.ToolsInstall',
    'VirtualMachine.Interact.GuestControl',
    'VirtualMachine.Inventory.Create',
    'VirtualMachine.Inventory.Register',
    'VirtualMachine.Inventory.Delete',
    'VirtualMachine.Inventory.Unregister',
    'VirtualMachine.Provisioning.DiskRandomAccess',
    'VirtualMachine.Provisioning.DiskRandomRead',
    'VirtualMachine.Provisioning.GetVmFiles',
    'VirtualMachine.Provisioning.MarkAsTemplate',
    'VirtualMachine.State.CreateSnapshot',
    'VirtualMachine.State.RevertToSnapshot',
    'VirtualMachine.State.RemoveSnapshot'
)

# Create the dedicated role from the privilege list.
New-VIRole -Name 'PowerProtect' -Privilege (Get-VIPrivilege -Id $privileges)

VM Direct protection engine overview

The VM Direct protection engine provides two functions within PowerProtect Data Manager:

A virtual machine data protection solution: Deploy a VM Direct Engine in the vSphere environment to perform virtual machine snapshot backups, which improves performance and reduces network bandwidth utilization by using the protection storage source-side deduplication.

A Tanzu Kubernetes guest cluster data protection solution: Deploy a VM Direct Engine in the vSphere environment for protection of vSphere CSI-based persistent volumes, for which it is required to use a VM proxy instead of the cProxy, for the management and transfer of backup data.

The VM Direct protection engine is enabled after you add a vCenter server in the Asset Sources window, and allows you to collect VMware entity information from the vCenter server and save VMware virtual machines and Tanzu Kubernetes guest cluster namespaces and PVCs as PowerProtect Data Manager resources for the purposes of backup and recovery.

To view statistics for the VM Direct Engine, manage and monitor VM Direct appliances, and add an external VM Direct appliance to facilitate data movement, select Infrastructure > Protection Engines. Add a VM Direct Engine provides more information.

NOTE: In the VM Direct Engines pane, VMs Protected refers to the number of assets protected by PowerProtect Data Manager. This count does not indicate that all the virtual machines have been protected successfully. To determine the success or failure of asset protection, use the Jobs window.

When you add an external VM Direct appliance, the VM Direct Engines pane provides the following information:

The VM Direct appliance IP address, name, gateway, DNS, network, and build version. This information is useful for troubleshooting network issues.

The vCenter and ESXi server hostnames.

The VM Direct appliance status (green check mark if the VM Direct appliance is ready, red x if the appliance is not fully operational). The status includes a short explanation to help you troubleshoot the VM Direct Engine if the VM Direct appliance is not in a fully operational state.

The transport mode that you selected when adding the VM Direct appliance (Hot Add, Network Block Device, or the default setting Hot Add, Failback to Network Block Device).

Requirements for an external VM Direct Engine

When adding an external VM Direct Engine, note the following system requirements:

CPU: 4 * 2 GHz (4 virtual sockets, 1 core for each socket)

Memory: 8 GB RAM

Disks: 2 disks (59 GB and 98 GB)

Internet Protocol: Either only IPv4 or only IPv6

SCSI controller: maximum of 4

NIC: One vmxnet3 NIC with one port


Protection engine limitations

Observe the following points when planning and working with protection engines:

Deploy protection engines with fully qualified domain names (FQDNs) or IP addresses only. Short names are no longer supported. Existing protection engines which were deployed with short names are deprecated. A future release will require you to delete and redeploy these protection engines with FQDNs or IP addresses instead.

When you deploy protection engines with FQDNs, each FQDN must have a DNS record.

Protection engines are part of server disaster recovery backups. However, the disaster-recovery process does not automatically redeploy protection engines.

Add a VM Direct Engine

Perform the following steps in the Protection Engines window of the PowerProtect Data Manager UI to deploy an external VM Direct Engine, also referred to as a VM proxy. The VM Direct Engine facilitates data movement for virtual machine protection policies, Kubernetes cluster protection policies that require a VM proxy instead of the cProxy, and network attached storage (NAS) protection policies.

Prerequisites

Review the sections Requirements for an external VM Direct Engine, Transport mode considerations, and Protection engine limitations.

If applicable, complete all of the virtual network configuration tasks before you assign any virtual networks. The PowerProtect Data Manager Administration and User Guide provides more information.

About this task

The PowerProtect Data Manager software comes bundled with an embedded VM Direct Engine, which is automatically used as a fallback proxy for performing backups and restores when the added external proxies fail or are disabled. It is recommended that you deploy external proxies by adding a VM Direct Engine for the following reasons:

An external VM Direct Engine for VM proxy backup and recovery can provide improved performance and reduce network bandwidth utilization by using source-side deduplication.

The embedded VM Direct Engine has limited capacity for backup streams.

The embedded VM Direct Engine is not supported for VMware Cloud on AWS operations.

An external VM Direct Engine is not required for virtual machine protection policies that use the Transparent Snapshot Data Mover (TSDM) protection mechanism. For these policies, the embedded VM Direct Engine is sufficient.

NOTE: Cloud-based OVA deployments of PowerProtect Data Manager do not support the configuration of data-traffic routing or VLANs. Those deployments skip the Networks Configuration page.

Steps

1. From the left navigation pane, select Infrastructure > Protection Engines.

The Protection Engines window appears.

2. In the VM Direct Engines pane of the Protection Engines window, click Add. The Add Protection Engine wizard displays.

3. On the Protection Engine Configuration page, complete the required fields, which are marked with an asterisk.

Hostname, Gateway, IP Address, Netmask, and Primary DNS: Note that either only IPv4 addresses or only IPv6 addresses are supported.

vCenter to Deploy: If you have added multiple vCenter server instances, select the vCenter server on which to deploy the protection engine.

NOTE: Ensure that you do not select the internal vCenter server.

ESX Host/Cluster: Select on which cluster or ESXi host you want to deploy the protection engine.

Network: Displays all the networks that are available under the selected ESXi Host/Cluster. For virtual networks (VLANs), this network carries Management traffic.

Data Store: Displays all datastores that are accessible to the selected ESXi Host/Cluster based on ranking (whether the datastores are shared or local), and available capacity (the datastore with the most capacity appearing at the top of the list).


You can choose the specific datastore on which the protection engine resides, or leave the default selection of to allow PowerProtect Data Manager to determine the best location to host the protection engine.

Transport Mode: Select Hot Add.

Supported Protection Type: Select whether this protection engine is intended for Virtual Machine, Kubernetes Tanzu guest cluster, or NAS asset protection.

4. Click Next.

5. On the Networks Configuration page:

If this is a cloud-based OVA deployment of PowerProtect Data Manager, click Next and proceed to step 7.

The Networks Configuration page configures the virtual network (VLAN) to use for Data traffic. To continue without virtual network configuration, leave the Preferred Network Portgroup selection blank and then click Next.

a. From the Preferred Network Portgroup list, select a VST (Virtual Switch Tagging) or VGT (Virtual Guest Tagging) network. If you select a VGT portgroup, the list displays all virtual networks within the trunk range. If you select a VST portgroup, the list displays only the virtual network for the current VLAN ID.

b. Select one or more virtual networks from the list.

A protection engine requires an IP address from the static IP pool for each selected virtual network. If there are not enough IP addresses in a pool, the wizard prompts you to supply additional addresses for that network.

Ensure that the selected virtual networks support a traffic type that is compatible with protection engines. The PowerProtect Data Manager Administration and User Guide provides more information about traffic types.

c. If required, type an available static IP address or IP address range in the Additional IP Addresses column for the indicated virtual network.

For convenience when working with multiple virtual networks, you can also use one of the Auto Expand options:

Expand Last IP: The wizard increments the host portion of the last IP address in the static IP pool. Click Apply.

Same Last Digit: The wizard adds the network portion of the IP address to the specified value. Type the host portion of the IP address and then click Apply.

The wizard updates the value in the Additional IP addresses column for each selected network. Verify the proposed IP addresses.

d. Click Next.

6. When adding a VM Direct Engine for Kubernetes guest cluster protection, add a second network interface card (NIC) if the PowerProtect controller pod running in the guest cluster cannot reach the VM Direct Engine on the primary network. Provide information for the second NIC, and then click Next.

7. On the Summary page, review the information and then click Finish.

The protection engine is added to the VM Direct Engines pane. An additional column indicates the engine purpose. Note that it can take several minutes to register the new protection engine in PowerProtect Data Manager. The protection engine also appears in the vSphere Client.

Results

When an external VM Direct Engine is deployed and registered, PowerProtect Data Manager uses this engine instead of the embedded VM Direct Engine for any data protection operations that involve virtual machine protection policies. If every external VM Direct Engine is unavailable, PowerProtect Data Manager uses the embedded VM Direct Engine as a fallback to perform limited scale backups and restores. If you do not want to use the external VM Direct Engine, you can disable this engine. Additional VM Direct actions provides more information.

NOTE: The external VM Direct Engine is always required for VMware Cloud on AWS operations, Kubernetes cluster protection policies that require a VM proxy instead of the cProxy, and NAS protection policies. If no external VM Direct Engine is available for these solutions, data protection operations fail.

Next steps

If the protection engine deployment fails, review the network configuration of PowerProtect Data Manager in the System Settings window to correct any inconsistencies in network properties. After successfully completing the network reconfiguration, delete the failed protection engine and then add the protection engine in the Protection Engines window.

When configuring the VM Direct Engine in a VMware Cloud on AWS environment, if you deploy the VM Direct Engine to the root of the cluster instead of inside the Compute-ResourcePool, you must move the VM Direct Engine inside the Compute-ResourcePool.


Additional VM Direct actions

For additional VM Direct actions, such as enabling, disabling, redeploying, or deleting the VM Direct Engine, or changing the network configuration, use the Protection Engines window in the PowerProtect Data Manager UI. To throttle the capacity of a VM Direct Engine, use a command-line tool on PowerProtect Data Manager.

To get external VM Direct Engine credentials, see the procedure in the PowerProtect Data Manager Security Configuration Guide.

Disable a VM Direct Engine

You can disable an added VM Direct Engine that you do not currently require for virtual machine backup and recovery. To disable a VM Direct Engine:

1. On the Protection Engines window, select the VM Direct Engine that you want to disable from the table in the VM Direct Engines pane.

2. In the far right of the VM Direct Engines pane, click the three vertical dots.

3. From the menu, select Disable.

NOTE: A disabled VM Direct Engine is not used for any new protection activities, and is not automatically updated during a PowerProtect Data Manager update.

Delete a VM Direct Engine

When you disable a VM Direct Engine, the Delete button is enabled. If you no longer require the VM Direct Engine, perform the following steps to delete the engine:

1. On the Protection Engines window, select the VM Direct Engine that you want to remove from the table in the VM Direct Engines pane.

2. In the far right of the VM Direct Engines pane, click the three vertical dots.

3. From the menu, select Disable.

4. Click Delete.

Enable a disabled VM Direct Engine

When you want to make a disabled VM Direct Engine available again for running new protection activities, perform the following steps to re-enable the VM Direct Engine.

1. On the Protection Engines window, select the VM Direct Engine that you want to re-enable from the table in the VM Direct Engines pane.

2. In the far right of the VM Direct Engines pane, click the three vertical dots.

3. From the menu, select Enable.

NOTE: If a PowerProtect Data Manager version update occurred while the VM Direct Engine was disabled, a manual redeployment of the VM Direct Engine is also required.

Redeploy a VM Direct Engine

If a PowerProtect Data Manager software update occurred while a VM Direct Engine was disabled, or an automatic update of the VM Direct Engine did not occur due to network inaccessibility or an environment error, the Redeploy option enables you to manually update the VM Direct Engine to the version currently in use with the PowerProtect Data Manager software. Perform the following steps to manually redeploy the VM Direct Engine.

1. On the Protection Engines window, select the VM Direct Engine that you want to redeploy from the table in the VM Direct Engines pane.

2. In the far right of the VM Direct Engines pane, click the three vertical dots.

3. If the VM Direct Engine is not yet enabled, select Enable from the menu.

4. When the VM Direct Engine is enabled, select Redeploy from the menu.

The VM Direct Engine is redeployed with its previous configuration details.


Update the DNS or gateway during redeployment

Optionally, if you want to update the VM Direct Engine DNS or gateway during the VM Direct Engine redeployment, you can use one of the following commands:

To update both the gateway and DNS, run:

./vproxymgmt redeploy -vproxy_id <VM Direct Engine ID> -updateDns <DNS IP address> -updateGateway <Gateway IP4 address>

To update the gateway only, run:

./vproxymgmt redeploy -vproxy_id <VM Direct Engine ID> -updateGateway <Gateway IP address>

To update DNS only, run:

./vproxymgmt redeploy -vproxy_id <VM Direct Engine ID> -updateDns <DNS IP address>

Edit the vCenter server for a VM Direct Engine configuration

If a VM Direct Engine configuration is unsuccessful, you can change the vCenter server selection.

Perform the following steps to change the vCenter server:

1. On the Protection Engines window, select the VM Direct Engine from the table in the VM Direct Engines pane.

2. Click Edit. The Edit Protection Engine wizard displays.

3. On the Protection Engine Configuration page, select a vCenter server from the list. Make sure that the selected vCenter is running the ESXi host for this VM Direct Engine.

4. Click Next until you reach the Summary page.

5. On the Summary page, verify the new selection, and then click Finish.

Edit the Capacity setting for a VM Direct Engine

After adding the VM Direct Engine, you can change the percentage of the protection engine capacity that will be used. For example, you might want to change the Capacity setting to a lower value to avoid network bandwidth issues.

Perform the following steps to change the maximum percentage of the VM Direct Engine that will be used:

1. On the Protection Engines window, select the VM Direct Engine from the table in the VM Direct Engines pane.

2. Click Edit. The Edit Protection Engine wizard displays.

3. On the Protection Engine Configuration page, type a maximum percentage value for Capacity.

4. Click Next until you reach the Summary page.

5. On the Summary page, verify the new value, and then click Finish.

Edit the network configuration for a VM Direct Engine

The PowerProtect Data Manager Administration and User Guide provides more information about virtual networks.

For example, if VM Direct Engine deployment failed because of a virtual network configuration problem, you can update the configuration to add additional IP addresses to the static IP pool. You can also add the VM Direct Engine to a virtual network in the same VGT port group.

Perform the following steps to change the network configuration:

1. On the Protection Engines window, select the VM Direct Engine from the table in the VM Direct Engines pane.

2. Click Edit. The Edit Protection Engine wizard displays.

3. Click Next to navigate to the Networks Configuration page.

4. Virtual networks with a warning symbol ( ) beside the network name require attention and review. For example, if you changed the network configuration, the configured traffic types may not support VM Direct Engines. Clear any interfaces which no longer apply to the VM Direct Engine.

Select the row that corresponds to the virtual network with the configuration error, or the virtual network to which you want to add the VM Direct Engine.

5. Type an available static IP address or IP address range in the Additional IP Addresses column.

6. Click Next.

7. On the Summary page, verify the network settings, and then click Finish.

To change other network configuration settings, delete the VM Direct Engine and then deploy a new VM Direct Engine.


Throttle the capacity of a VM Direct Engine

In performance-limited environments, you can use a command-line tool on PowerProtect Data Manager to reduce the maximum capacity of a VM Direct Engine.

The default value for VM Configured Capacity Units of an external VM Direct Engine is 100. The minimum value is 4. A VM Direct Engine can back up one disk with 4 units of capacity at a time.

Perform these steps to throttle the capacity of a VM Direct Engine:

1. Connect to the PowerProtect Data Manager console and change to the root user.

2. Type: source /opt/emc/vmdirect/unit/vmdirect.env

3. To view the list of every VM Direct Engine and its ID, type: /opt/emc/vmdirect/bin/vproxymgmt get -list

4. To change the capacity of a VM Direct Engine, type (once per engine): /opt/emc/vmdirect/bin/vproxymgmt modify -vproxy_id [VProxy ID] -capacity [percentage]

5. To verify the change in VM Configured Capacity Units, type: /opt/emc/vmdirect/bin/vproxymgmt get -list
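Both command-line procedures in this chapter (updating DNS or the gateway during redeployment, and throttling capacity) run as root, so operator input is worth validating before a command line is assembled. The following Python helper is an added example, not Dell code: it uses only the subcommands and options shown in this guide, and the engine ID character set, the 1 to 100 percentage range, and the sample IDs and addresses are assumptions.

```python
import ipaddress
import re
import shlex

# Full path as given in the throttle procedure; the redeploy commands in the
# guide are written relative to this directory (./vproxymgmt).
VPROXYMGMT = "/opt/emc/vmdirect/bin/vproxymgmt"

# Assumption: an engine ID is one token of letters, digits, '.', '_', ':' or '-'.
# Rejecting whitespace and a leading '-' keeps a mistyped value from being
# read by the tool as a second option.
_ENGINE_ID = re.compile(r"[A-Za-z0-9][A-Za-z0-9._:-]*")


def _engine_id(value):
    if not isinstance(value, str) or not _ENGINE_ID.fullmatch(value):
        raise ValueError(f"suspicious VM Direct Engine ID: {value!r}")
    return value


def _ip(value, label):
    # Only a literal address is accepted; anything with trailing text fails.
    if not isinstance(value, str):
        raise ValueError(f"{label} must be given as text: {value!r}")
    try:
        return str(ipaddress.ip_address(value))
    except ValueError as exc:
        raise ValueError(f"{label} is not an IP address literal: {value!r}") from exc


def redeploy_argv(engine_id, dns=None, gateway=None):
    """Build the argv for 'redeploy' with -updateDns and/or -updateGateway."""
    if dns is None and gateway is None:
        raise ValueError("supply dns, gateway, or both")
    argv = [VPROXYMGMT, "redeploy", "-vproxy_id", _engine_id(engine_id)]
    if dns is not None:
        argv += ["-updateDns", _ip(dns, "DNS")]
    if gateway is not None:
        argv += ["-updateGateway", _ip(gateway, "gateway")]
    return argv


def throttle_plan(engine_ids, percentage):
    """Steps 3 to 5 of the throttle procedure: list, modify per engine, list."""
    if (isinstance(percentage, bool) or not isinstance(percentage, int)
            or not 1 <= percentage <= 100):
        raise ValueError(f"capacity must be a whole percentage, 1-100: {percentage!r}")
    ids = [_engine_id(e) for e in engine_ids]  # validate every ID up front
    if not ids:
        raise ValueError("no engine IDs given")
    listing = [VPROXYMGMT, "get", "-list"]
    plan = [listing]
    plan += [[VPROXYMGMT, "modify", "-vproxy_id", e, "-capacity", str(percentage)]
             for e in ids]
    plan.append(list(listing))
    return plan


def render(plan):
    """Shell-quoted command lines for review before anything is executed."""
    return [shlex.join(argv) for argv in plan]


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    for line in render(throttle_plan(["engine-0001", "engine-0002"], 50)):
        print(line)
    print(shlex.join(redeploy_argv("engine-0001", dns="192.0.2.53",
                                   gateway="192.0.2.1")))
```

The helper only prints commands for review. To execute them, pass each argv list to subprocess.run without shell=True, from the root session prepared in steps 1 and 2.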

Transparent Snapshot Data Mover protection mechanism

The Protection Engines window in the PowerProtect Data Manager UI includes a pane for Transparent Snapshot Data Movers. Introduced in PowerProtect Data Manager 19.9, Transparent Snapshot Data Mover (TSDM) is a protection mechanism for data movement during virtual machine protection operations. Previously, the only protection mechanism available in PowerProtect Data Manager for virtual machine protection was the VMware vStorage API for Data Protection (VADP). Any new virtual machine protection policies use TSDM as the default protection mechanism instead of VADP when the version of the vCenter and ESXi servers that host the virtual machines is a minimum version of 7.0 U3c.

Figure 1. Virtual machine backup using TSDM

A vSphere Installation Bundle (VIB) is included with the software deployment and update packages for PowerProtect Data Manager to facilitate the use of TSDM, and is enabled at the vCenter level after the PowerProtect Data Manager deployment or update. The VIB installation occurs automatically at the cluster level when a virtual machine protection policy is created, with no requirement to restart the ESXi hosts or put the hosts into maintenance mode. When updating to PowerProtect Data Manager 19.12 from a 19.9 or later release where TSDM-enabled policies were in use, the VIB has been optimized to detect if the software already exists in a datastore and only upload the VIB where the software is not shared across ESXi hosts. Also, the VIB will now update on the respective ESXi hosts concurrently instead of sequentially, in batches of 25, skipping any ESXi hosts that are powered off or in maintenance mode.

Within the PowerProtect Data Manager UI, the Transparent Snapshot Data Movers pane provides a hierarchy view of the vCenter Server asset sources that have been added in PowerProtect Data Manager. Use this view to determine if the vCenter or ESXi server is enabled for VIB management, and if the hosts have the VIB installed or are eligible for VIB installation. A vSphere host cluster can have one of the following statuses:

Installed: The VIB installation on this vSphere host is completed, and TSDM is enabled as the default protection mechanism for the virtual machines on the vSphere host.

Ready for install: The vSphere host requirements for VIB installation have been met, and the installation will proceed automatically on the vSphere host when a virtual machine running on the cluster is added to a protection policy.

Ready for upgrade: This status displays when the VIB is installed on the vSphere host and PowerProtect Data Manager is updated, but the VIB is being managed manually. In this case, the VIB will not be updated automatically on the vSphere host.

Not eligible: The vSphere host does not meet the requirements for VIB installation. When TSDM cannot be used, the VADP protection mechanism is used for virtual machine protection operations on this host.

Failed: The VIB installation on the vSphere host did not complete successfully. The Jobs window provides more information about the issue that caused the failure.

Use the filter icon in the status column to display only vSphere hosts with a certain status. For example, you can choose to display only hosts that are ready for VIB installation or update.

When the VIB installation is started, the Protection Engines window updates to display the progress. Also, an entry for the job Performing Host Configuration (vib_install) appears in the Jobs window.

NOTE: Any virtual machine assets that were added to a virtual machine protection policy in PowerProtect Data Manager 19.8 and earlier currently use the VADP protection mechanism. After the VIB installation on the vSphere host that contains these virtual assets, you can migrate these assets to the TSDM protection mechanism. Migrating assets to use the Transparent Snapshot Data Mover provides more information.

Disable or re-enable VIB on an ESXi host

In the PowerProtect Data Manager UI, you can disable VIB management on a vCenter server to prevent automatic installation or update of the VIB on the ESXi host. To disable VIB management on the vCenter server:

1. Go to Infrastructure > Protection Engines, and then select the Transparent Snapshot Data Movers pane.

2. Click to the right of the vCenter server.

3. Scroll down to the text box that displays Auto vSphere Installation Bundled (VIB) management is enabled and click Disable.

To re-enable VIB management on a vCenter server that currently has the VIB disabled:

1. Go to Infrastructure > Protection Engines, and then select the Transparent Snapshot Data Movers pane.

2. Click to the right of the vCenter server.

3. Scroll down to the text box that displays Auto vSphere Installation Bundled (VIB) management is disabled and click Enable.

If a VIB installation or update is required, the status indicates Ready for install or Ready for upgrade.

4. Select the check box next to this host and click Install to manually perform the VIB install or update, or wait for the automatic VIB installation.

5. When performing a manual VIB installation, if one or more of the selections are not eligible or the VIB is already installed, a dialog appears. Click OK to proceed.

Migrating assets to use the Transparent Snapshot Data Mover

Transparent Snapshot Data Mover (TSDM) is the recommended protection mechanism for environments with vCenter and ESXi version 7.0 U3c or later deployed, and is the default protection mechanism used for virtual machine assets protected by virtual machine crash-consistent policies in PowerProtect Data Manager 19.9 or later.

PowerProtect Data Manager defaults to using the VADP protection mechanism when one or more of the following conditions are true:

The ESXi host and vCenter server versions are earlier than 7.0 U3c.

The protection policy is an application-consistent policy.

The protection policy is configured with the Exclude swap files from backup and Enable guest file system quiescing enabled.

PowerProtect Data Manager 19.8 or earlier is deployed.

NOTE: For existing virtual machine crash-consistent policies created with PowerProtect Data Manager version 19.8 and earlier, modifying the Exclude swap files from backup and Enable guest file system quiescing policy options to meet the TSDM requirements will migrate virtual machines on vSphere version 7.0 U3c and later clusters managed by a vCenter server running version 7.0 U3c or later to use the TSDM protection mechanism.

You can manually migrate virtual machine assets from the VADP protection mechanism to the TSDM protection mechanism by using the Infrastructure > Assets window of the PowerProtect Data Manager UI.


Before migrating assets to use TSDM, the vSphere Installation Bundle (VIB) is required. This installation occurs automatically, unless the use of TSDM is disabled on the vCenter server asset source. Go to Infrastructure > Protection Engines, select the Transparent Snapshot Data Movers pane, and verify that the VIB is enabled on the vCenter server. You can also expand the vCenter hierarchy view to confirm that the VIB installation has occurred on the vSphere hosts. Transparent Snapshot Data Mover protection mechanism provides more information.

Migrate asset protection mechanism from VADP to TSDM

To migrate VADP virtual machine assets to use TSDM in the PowerProtect Data Manager UI:

1. Go to Infrastructure > Assets and select the Virtual Machine tab.

2. Filter the view to display the Protection Mechanism column.

3. Select one or more virtual machine assets with the VADP protection mechanism.

4. Select More Actions > Protection Mechanism > Migrate to TSDM.

Migrating assets to use the TSDM protection mechanism forces a new, full backup of these assets. This backup may take several minutes.


Managing Virtual Machine Assets and Protection

Topics:

Protection policies

Additional protection policy options

Before you create a protection policy

Supported enhanced VMware topologies for virtual machine protection

Add a protection policy for virtual machine protection

Managing virtual machine backups

Add a service-level agreement

Add or remove assets in a protection policy

Edit the retention period for backup copies

Extended retention (for protection policies created in PowerProtect Data Manager 19.11 and earlier)

Protection rules

Protection policies

Protection policies define sets of objectives that apply to specific periods of time. These objectives drive configuration, active protection, and copy-data-management operations that satisfy the business requirements for the specified data. Each policy type has its own set of user objectives.

Users with the Administrator role can create protection policies for VMware virtual machines. For other policy types, including specific applications within VMware virtual machines, refer to the user guide for the specific agent or application agent.

Additional protection policy options

This chapter contains content that is specific to protecting virtual machines.

The PowerProtect Data Manager Administration and User Guide provides other important information about configuring settings and available actions that apply to all protection policies. These topics include cloud tiering, manual backups, and service level agreements.

This guide may not repeat information that is already covered in the PowerProtect Data Manager Administration and User Guide.

Before you create a protection policy

Consider the following best practices before creating a protection policy.

An asset can be protected by only one policy at a time. Assets can be moved from one policy to another policy based on the priority of protection rules. However, when protection rules result in assets moving from one policy to another, any assets that were manually selected for inclusion in the policy are not moved to a different policy.

NOTE: If a SQL Server is hosted on a virtual machine, you can protect the SQL database with an application-consistent backup without interfering with the SQL agent-based backup.

When creating a policy, limit the number of database assets within the policy to under 500 and stagger the start time of replication policies to avoid potential replication failures.

Before adding replication to a protection policy, ensure that you add remote protection storage as the replication location. The PowerProtect Data Manager Administration and User Guide provides instructions about adding protection storage.


Before you perform any backups on a weekly or monthly schedule from the protection policy, ensure that the PowerProtect Data Manager time zone is set to the local time zone.

Understanding backup terminology and managing backup frequency

When scheduling backups in a protection policy, be aware of the following:

Different backup policy types can use different terminology to describe available backup levels. This terminology can differ not only between policy types, but also from traditional terminology.

To avoid high CPU usage that can lead to failure issues, do not schedule backups more often than recommended.

Refer to the following table to understand the different backup levels provided by each protection policy and to manage backup frequencies.

Table 7. Backup terminology and frequency

| Protection-policy backup types | Available backup levels | Description | Equivalent traditional terminology | Minimum frequency recommendation |
|---|---|---|---|---|
| VMware application-aware | Full | Backs up all the blocks. | Full | Monthly |
| | Synthetic Full | Backs up only the blocks that have changed since the last synthetic-full or full backup, and then performs an operation to merge those changes with the last synthetic-full or full backup in order to produce a full backup in storage. Only the changed blocks are actually copied over the network, but the result is still a full backup in storage. | A differential backup is performed, followed by a merge operation that produces a full backup in storage. | 12 hours |
| VMware crash-consistent | Full | Backs up all the blocks. | Full | Monthly |
| | Synthetic Full | Backs up only the blocks that have changed since the last synthetic-full or full backup, and then performs an operation to merge those changes with the last synthetic-full or full backup in order to produce a full backup in storage. Only the changed blocks are actually copied over the network, but the result is still a full backup in storage. | A differential backup is performed, followed by a merge operation that produces a full backup in storage. | 12 hours |
| | Log | Backs up the transaction logs. | | 30 minutes |

NOTE: In some situations, a full backup might be performed even though a synthetic-full backup was scheduled. Possible reasons for this include, but are not limited to, the following:

There is no existing full backup.

The size of a volume has changed.

There has been a file path change.

The asset host has been rebooted.


Replication triggers

PowerProtect Data Manager orchestrates protection policy replication objectives independently of the primary backup. When you add a replication objective to a policy, select one of the available triggers.

The default replication trigger is a schedule window that you define by setting a recurrence period plus start and end times. Replication occurs during the defined window. For example, every day between 8 p.m. and 12 a.m.

You can also trigger replication immediately after the completion of the associated primary backup, whether scheduled or manual. At the start of the primary backup, PowerProtect Data Manager generates an associated replication job that remains queued until the end of the protection job. If the backup fails or completes with exception, the associated replication job is skipped. Restarting the protection job queues the associated replication job again.

When you create a replication objective, you can specify either scheduled replication or replication after backup completion, which is applicable to both centralized and self-service protection policies.

NOTE: For replication after backup completion, PowerProtect Data Manager 19.12 or later and application agents 19.10 or later are required. It is recommended that you update the application agents to the latest version.

Using a schedule can help you manage network traffic by replicating during off-peak hours. However, for larger backup sets, the primary backup may not finish before the start of the replication schedule, which creates a replication backlog. Replication after backup completion prevents a replication backlog from forming.

To prevent data loss, the replication after backup completion trigger replicates new backups from the primary objective and any outstanding backups that have not yet replicated.

A job status of Completed with Exceptions during replication

After a triggered replication job, you might see a job status message similar to the following:

Completed with Exceptions ABA0017: plc_linux_rac: Backup was successful for the ORACLE_DATABASE asset ORCLPP on the host blrv009d132.blr.lab.emc.com but the copy metadata information is currently unavailable.

The backup of this asset completed successfully but the copy metadata information has not yet been discovered by PowerProtect Data Manager. If the 'Replicate immediately upon backup completion' option is enabled for this protection policy, the replication job for the copy might appear in 'Unknown' or 'Cancel' state. Once the copy metadata is discovered by PowerProtect Data Manager, the copy will be replicated.

Review the backup copy details in the View Copies pane of the PowerProtect Data Manager UI Infrastructure > Assets window to determine when the discovery is complete.

If you see this message, the replication backup is not immediately available.

To correct this issue, either wait for the next automatic discovery or initiate a discovery.

Supported enhanced VMware topologies for virtual machine protection

PowerProtect Data Manager provides protection for clustered ESXi server storage, networking, and enterprise management. Understanding what topologies are supported in these environments aids in the design of your network infrastructure.

Supported enhanced topologies

Supported topologies of clustered ESXi server storage, networking, and enterprise management include the following:

vSAN operations

NSX-T port groups

Enhanced Linked Mode vCenter servers

For more information, see the E-Lab Navigator.


vSAN operations

Standard clusters, stretched clusters, two-node clusters, and HCI Mesh datastores support the following operations:

Backing up and restoring virtual machines

Search Engines

VM Direct Engines

HA failover of Search Engines and VM Direct Engines

Post-failover protection

NSX-T port groups

PowerProtect Data Manager supports the use of NSX-T with up to 2,000 port groups. These can be default VDS port groups or N-VDS port groups, and they support the following components:

PowerProtect Data Manager servers

VM Direct Engines

Search nodes

Workload virtual machines

Enhanced Linked Mode vCenter servers

Enhanced Linked Mode connects multiple vCenter Server systems together by using one or more Platform Services Controllers (PSCs). PowerProtect Data Manager supports the protection of workload virtual machines running inside Enhanced Linked Mode vCenter servers. This protection also applies during and after any vMotion operation of the virtual machines.

To support virtual machine protection workflows for vCenter servers that are in Enhanced Linked Mode, PowerProtect Data Manager requires you to add all of the linked vCenter servers as asset sources, and also to install the PowerProtect vSphere Plugin on all of these vCenter servers.

Add a protection policy for virtual machine protection

A protection policy enables you to select a specific group of assets that you want to back up and replicate. Perform the following steps to create a virtual machine protection policy in the PowerProtect Data Manager UI.

Prerequisites

Dell Technologies recommends distributing virtual machine asset protection workloads over multiple ESXi hosts so that you do not exceed the ESXi Network Block Device (NBD) session limit. If the limit is reached, you can manage the workload by deploying an external VM Direct Engine on the host or cluster using Hot Add transport mode. Also, it is recommended during policy configuration to assign virtual machines to a protection policy based on logical grouping to allow for better scheduling of backups. Grouping helps avoid resource contention and creates more organized logs for review.

To create application-aware protection policies for virtual machines, ensure that:

You manually update the VMX configuration parameter disk.EnableUUID to True by using the vSphere Web Client.

The vSphere version that you are running uses a supported version of VMware Tools. Software compatibility information for the PowerProtect Data Manager software is provided by the E-Lab Navigator.

The virtual machine has direct access to the DD client.

The virtual machine uses SCSI disks only, and the number of available SCSI slots matches at least the number of disks.

The Windows account that is used for the protection policy is limited to the local system Administrator or the domain Administrator. This user requires both Microsoft Windows administrative rights and Microsoft SQL Server login and sysadmin rights.

SQL configuration support is limited to Microsoft SQL Server stand-alone instances, a Microsoft SQL Server Always On availability group (AAG) configured with file share witness, and Microsoft SQL Server cluster-less AAG configurations. Unsupported configurations include Microsoft SQL Server failover cluster instances that are configured with shared drives, as well as Microsoft SQL Server cluster-less AAG configurations.

For Microsoft SQL Server AAG configurations, the database administrator specifies the AAG backup preferences for backup in the Microsoft SQL Server Management Studio (SSMS). These preferences control which AAG node is selected as the preferred node when you perform a transaction log backup of AAG databases.


vCenter 7.0 U1 or later is required to protect virtual machines that use virtualization-based security (VBS) and virtual Trusted Platform Module 2.0 (vTPM).

If applicable, complete all of the virtual network configuration tasks before you assign any virtual networks to the protection policy. The PowerProtect Data Manager Administration and User Guide provides more information.

The PowerProtect Data Manager Administration and User Guide provides more information about working with storage units, including applicable limitations and security considerations.

NOTE: The option to create a storage unit during protection policy configuration does not support compliance mode retention locking, only governance mode. To use compliance mode retention locking, create and configure a storage unit before you configure an associated protection policy. If you enable retention locking and select a storage unit where the retention lock mode is None, the retention lock defaults to governance mode. The PowerProtect Data Manager Administration and User Guide provides more information.

Before performing any backups on a weekly or monthly schedule from the protection policy, ensure that the PowerProtect Data Manager time zone is set to the local time zone.

About this task

For virtual machine protection policies, data is moved using one of two types of protection mechanisms:

Transparent Snapshot Data Mover: Starting in PowerProtect Data Manager version 19.9, Transparent Snapshot Data Mover (TSDM) is the default protection mechanism that is used for crash-consistent virtual machine policies when the following requirements are met:

vCenter and ESXi version 7.0 U3c or later is deployed in the environment.

Clear the Exclude swap files from backup and Enable guest file system quiescing check boxes when adding or editing the protection policy.

VADP: VMware vStorage API for Data Protection (VADP) is the protection mechanism that is used for application aware virtual machine policies and crash-consistent policies that do not meet the TSDM software requirements. VADP is the only protection mechanism available in PowerProtect Data Manager versions 19.8 and earlier.

The section Transparent Snapshot Data Mover protection mechanism provides more information about TSDM.

Steps

1. From the left navigation pane, select Protection > Protection Policies.

The Protection Policies window appears.

2. In the Protection Policies window, click Add.

The Add Policy wizard appears.

3. On the Type page, specify the following fields, and then click Next:

Name: Type a descriptive name for the protection policy.

Description: Type a description for the policy.

Type: Select Virtual Machine, which includes protection for SQL application-aware virtual machines.

4. On the Purpose page, select from the following options to indicate the purpose of the new protection policy group, and then click Next:

Crash Consistent: Select this type for point-in-time backup of virtual machines.

Application Aware: For virtual machines with a SQL application installed, select this type to quiesce the application to perform the SQL database and transaction log backup. When you select this type, you must provide Windows account credentials for the virtual machine. You can provide the credentials at the protection-policy level or the virtual machine asset level. When you provide the credentials at both levels, the virtual machine asset credentials override the policy credentials.

Exclusion: Select this type if there are assets within the protection policy that you plan to exclude from data protection operations.

By default, quiescing is automatically performed for the guest file system on the virtual machine. Quiescing ensures that the data within the guest file system is in a state that is appropriate for backups. If the file system cannot be quiesced on the first attempt, the snapshot and backup are performed without quiescing.

VMware Tools is used to quiesce the file system in the guest operating system. The VMware documentation provides more information.

5. On the Assets page, select the assets for inclusion in this policy by choosing one of the following options from the list:

View by Host: This option enables you to view all assets within a specific host, and then select individual assets or a group of assets at a host or container level for policy inclusion. For example:

Select a stand-alone host to include all assets under this host.

NOTE: If you select a host in a cluster, no assets are selected. For a host in a cluster, ensure that you select the cluster or other containers (for example, a resource pool or vApp) under the cluster host.

Expand the tree and select a container level in the vCenter hierarchy (for example, the data center, cluster, host, or resource pool) to include all assets under that level. If assets at any level are protected by another policy, a label with the name of that policy appears next to the level.

The following types of virtual assets are saved in PowerProtect Data Manager but excluded from protection:

VMProductType.DDVE - DD Virtual Edition

VMProductType.VPROXY - VM Direct protection engine

VMProductType.ECDM

VMProductType.VCENTER - VMware vCenter Server appliance

VMProductType.VIRTUAL_HOST - Nested_ESXi appliance

VMProductType.DDMC - DD Management Center

VMProductType.REPORT - PowerProtect Data Manager Reporting appliance

VMProductType.SEARCH - PowerProtect Data Manager Search appliance

VMProductType.VRPA - RecoverPoint for VMs

When you select a container level in the View by Host view, a protection rule is automatically created to ensure that these container level selections will be retained, even if changes occur from movements within the vSphere environment or the names of resource pools or folders change. This rule is managed by the PowerProtect Data Manager system, and cannot be modified. The rule will also be updated automatically if you make changes to container selections when editing the policy, or when assets are moved into or out of a selected container.

To view this rule after policy creation, go to Protection > Protection Rules. The name in the Protection Rule Name column for this new rule matches the policy name.

If this new rule results in an overlap of protection with an existing rule, you can resolve these conflicts by changing the policy protection rule priority in the Selection Overlap page. Step 7 provides more information.

NOTE: The behavior of automatic rule creation that allows assets to move into or out of policies can only be modified in the REST API. After updating from a previous release, if View by Host is not visible you can enable this view by manually changing the /api/v2/common-settings/DYNAMIC_FILTER_SETTING. The PowerProtect Data Manager Public REST API documentation provides instructions.

Expand the tree and select individual assets within containers.

When you select individual assets within this view, these selections are considered static, and no protection rule is automatically created. In cases where protection rules result in assets moving from one policy to another, any assets that are manually selected for inclusion in the policy will not be moved to a different policy.

View Asset Table: This option enables you to view all unprotected assets in the vCenter server within a table, and then select individual unprotected assets that you want to back up as part of this protection policy. In cases where protection rules result in assets moving from one policy to another, any assets that are manually selected for inclusion in the policy will not be moved to a different policy.

When you select a virtual machine asset in this view, a dialog displays indicating that you can exclude virtual disks (VMDKs) from protection of these assets. To dismiss the dialog for other selections, select the check box and click OK.

Both views provide additional information about the virtual machines, such as any currently associated tags, protection rules, and whether the virtual machine is already assigned to another policy, to help you identify which assets you want to add. If the virtual machines that you want to protect are not listed, use the Search box to search by asset name.

NOTE: When you configure a virtual machine application-aware protection policy to protect a Microsoft SQL Server Always On availability group (AAG), you must add all the virtual machines for that AAG to the same policy, to ensure proper protection. Failure to do so might result in missed transaction log backups.

For the virtual machine application-aware case, the Assets page displays a warning about the AAG policy configuration requirement.

6. Optionally, if you want to exclude nonproduction VMDKs such as network shares or test disks from a protection policy:

a. Select the virtual machine asset from the list, and then click Manage Exclusions in the Disk Excluded column.

The Exclude Disks dialog box appears. By default, the slider next to each VMDK is set to Included.

b. For each disk that you want to exclude, move the slider to the right. The status updates to Excluded.

c. Click Save. The Assets page updates to indicate the number of disks for that particular asset that will be excluded from the protection policy.

7. Click Next.

If any virtual objects or assets that were selected in the previous page overlap with assets that are already protected by another policy, the Selection Overlap page appears. Overlap can occur, for example, when two policies (the new policy and an existing policy) use the View by Host view for asset selection by container level.

a. To switch protection of any virtual objects listed in the Protection Priority Overlap table from an existing policy, update the Policy Priority field to a level equal to or higher than the other policy currently protecting these objects. The lower the value, the higher the priority. For example, 1 is the highest priority. When you change this value, the priority of the rule that is associated with this policy is also changed.

b. To switch protection of any assets that are listed in the Asset Protection Overlap table to this policy, select the check box next to one or more assets. Selecting these assets for inclusion in this policy removes the assets from the other policy.

When you change the priority or the selected assets, the protection rule is updated automatically.

8. Click Next. The Objectives page appears.

9. On the Objectives page, select a policy-level Service Level Agreement (SLA) from the Set Policy Level SLA list, or select Add to open the Add Service Level Agreement wizard and create a policy-level SLA.

Add a service-level agreement provides instructions.

10. Click Add under Primary Backup. The Add Primary Backup dialog appears.

11. On the Schedules pane of the Add Primary Backup dialog:

a. Specify the following fields to schedule the synthetic full backup of this protection policy:

Create a Synthetic Full...: Specify how often to create a synthetic full backup. A Synthetic Full backs up only the changed blocks since the last backup to create a new full backup.

Retain For: Specify the retention period for the synthetic full backup.

NOTE: For database backups, PowerProtect Data Manager chains the dependent backups together. For example, the synthetic full or transaction log backups are chained to their base full backup. The backups do not expire until the last backup in the chain expires. This ensures that all synthetic full and transaction log backups are recoverable until they have all expired.

Start and End: For the activity window, specify a time of day to start the synthetic full backup, and a time of day after which backups cannot be started.

NOTE: Any backups started before the End Time occurs continue until completion.

Click Save to save and collapse the backup schedule.

b. Click Add Backup if you want to periodically force one or more full (level 0) backups, and then specify the following fields to schedule the full backups of this protection policy:

NOTE: When you select this option, the backup chain is reset.

Create a Full...: Specify whether you want to create an hourly, daily, weekly, monthly, or yearly full backup.

Repeat on: Depending on the frequency of the full backup schedule, specify the hour of the day, the day of the week, or the date of the month for the full backup.

Retain For: Specify the retention period for the full backup. This can be the same value as the synthetic full backup schedule, or a different value.

Start and End: For the activity window, specify a time of day to start the full backup, and a time of day after which backups cannot be started.

NOTE: Any backups started before the End Time occurs continue until completion.

Click Save to save and collapse the backup schedule.

c. Click Add Backup and repeat the procedure for creating full backups if you want to create additional backup copies at different intervals with different retention periods.

Within this protection policy, when a full schedule conflicts with another full backup schedule, a message appears, indicating that there is a conflict. Schedule occurrences can conflict with each other when the activity windows are identical or occur entirely within the same time range. To avoid full schedule conflicts in a policy, edit the activity windows.

If you proceed with conflicting schedules, the backup of the lower priority schedule will be skipped. Schedule priority is ranked according to the following criteria:

Full schedules have a higher priority than Synthetic Full schedules.

For schedules of the same backup type, the schedules that run less frequently have a higher priority than schedules that run more frequently.

For schedules with the same backup type and frequency, the schedule with the longest activity window has the higher priority. If the activity windows are also identical, only one of these schedules will run.

NOTE: When a schedule conflict between full backups occurs, PowerProtect Data Manager retains the full backup with the longest retention period.

d. To create a log backup for virtual machine application-aware protection policies, click Add Backup again, and then specify the following fields:

Create a Log...: For application-aware protection policies, specify the interval in minutes for log generation.

NOTE: For SQL Server AAG configurations, the database administrator can specify the AAG backup preferences for a transaction log backup in the Microsoft SQL Server Management Studio.

Retain For: Specify the retention period for the log backup. This can be the same retention value that is specified for the synthetic full or full schedule, or a different value.

NOTE: Setting a shorter retention period for log backups than the full backup can result in data loss and the inability to restore point-in-time copies.

Start and End: For the activity window, specify a time of day to start the log backup, and a time of day after which log backups cannot be started.

NOTE: Any backups started before the End Time occurs continue until completion.

Click Save to save and collapse the backup schedule.

12. On the Target pane of the Add Primary Backup dialog, specify the following fields:

a. Storage Name: Select a backup destination from the list of existing protection storage systems, or select Add to add a system and complete the details in the Storage Target window.

NOTE: The Space field indicates the total amount of space, and the percentage of available space, on the protection storage system.

b. Storage Unit: Select whether this protection policy should use a New storage unit on the selected protection storage system, or select an existing storage unit from the list. Hover over a storage unit to view the full name and statistics for available capacity and total capacity, for example, testvmplc-ppdm-daily-123ab (300 GB/1 TB). When you select New, a new storage unit in the format policy name host name unique identifier is created in the storage system after policy completion. For example, testvmplc-ppdm-daily-123cd.

c. Network Interface: Select a network interface from the list, if applicable.

d. Retention Lock: Move the Retention Lock slider to the right to enable retention locking for these backups.

The retention lock mode setting comes from the configuration of the selected storage unit. When you enable retention locking, the Retention Lock Mode field displays the corresponding storage unit setting.

Setting a retention lock applies to the current backup copy only, and does not impact the retention lock setting for existing backup copies.

NOTE: Primary backups are assigned a default retention lock period of 14 days. Replicated backups, however, are not assigned a default retention lock period. If you enable Retention Lock for a replicated backup, ensure that you set the Retain for field in the Add Replication dialog to a minimum number of 14 days so that the replicated backup does not expire before the primary backup.

e. SLA: Select an existing service level agreement that you want to apply to this objective from the list, or select Add to create an SLA within the Add Service Level Agreement wizard.

Add a service-level agreement provides instructions.

13. Click Save to save your changes and return to the Objectives page.

The Objectives page updates to display the name and location of the target storage system under Primary Backup.

After completing the objective, you can change any details by clicking Edit next to the objective.

14. Optionally, replicate the backups:

NOTE:

To enable replication, ensure that you add remote protection storage as the replication location. The PowerProtect Data Manager Administration and User Guide provides detailed instructions about adding remote protection storage.

When creating multiple replicas for the same protection policy, it is recommended to select a different storage system for each copy. If you select a storage unit that is the target of another objective for the same policy, the UI issues a warning. The PowerProtect Data Manager Administration and User Guide provides information about replicating to shared protection storage to support PowerProtect Cyber Recovery. Verify the storage targets and the use case before you continue.

When you create a replication objective, you can specify either scheduled replication or replication after backup completion.

NOTE: For replication after backup completion, PowerProtect Data Manager 19.12 or later and application agents 19.10 or later are required. It is recommended that you update the application agents to the latest version.

For replicas of centralized backups, when you set retention periods for different backup types, any undefined types use the full backup retention period. For example, if you do not define a log backup in the primary objective, the log backup for the replication objective is also undefined. After you run a manual log backup, replicas of that log backup use the same retention period as the full backup.

a. Click Replicate next to Primary Backup. An entry for Replicate is created to the right of the primary backup objective.

b. Under Replicate, click Add.

The Add Replication dialog appears, with information in the left pane for each schedule that has been added for the primary backup objective of this protection policy.

NOTE: Backups for all of the listed schedules will be replicated. You cannot select individual schedules for replication.

c. Select a storage target:

Storage Name: Select a destination from the list of protection storage. Or, select Add to add a protection storage system and complete the details in the Storage Target window.

Storage Unit: Select an existing storage unit on the protection storage system. Or, select New to automatically create a storage unit.

Network Interface: Select a network interface from the list, if applicable.

Retention Lock: Move the Retention Lock slider to the right to enable retention locking for these replicas.

The retention lock mode setting comes from the configuration of the selected storage unit. When you enable retention locking, the Retention Lock Mode field displays the corresponding storage unit setting.

SLA: Select an existing replication service level agreement that you want to apply to this schedule from the list. Or, select Add to create a replication SLA within the Add Service Level Agreement wizard.

The PowerProtect Data Manager Administration and User Guide provides more information about replication targets, such as SLAs.

d. Select when to replicate the backups:

Replication triggers provides more information.

To replicate after the backup finishes, move the Replicate immediately upon backup completion slider to on.

For scheduled replication, move the Replicate immediately upon backup completion slider to off, and then complete the schedule details in the Add Replication dialog.

For replication of the primary backup, the schedule frequency can be every day, week, month, or x hours.

For daily, weekly, and monthly schedules, the numeric value cannot be modified. For hourly, however, you can edit the numeric value. For example, if you set Create a Full backup every 4 hours, you can set a value of anywhere from 1 to 12 hours.

By default, all replicas of the primary backup objective inherit the retention period from the Retain For value of the synthetic full and full backup schedules.

e. To specify a different retention period for individual synthetic full and full replicas, clear Set the same retention time for all replicated copies, click Edit in the row of each schedule that you want to change, update the value in the Retain For field, and then click Save.

CAUTION: Setting a retention period for the replicas of other backup types (such as log backups, incremental, and differential backups, where applicable) that is shorter than the retention period of the corresponding full backup may result in being unable to recover from those replicas.

f. Click Save to save your changes and return to the Objectives page.

15. Optionally, to move backups from protection storage to Cloud Tier, add a Cloud objective for the primary or replication objective:

NOTE: To move a backup or replica to Cloud Tier, objectives must have a retention time of 14 days or more. PowerProtect Data Manager also requires the discovery of protection storage with a configured Cloud unit.

a. Click Cloud Tier next to Primary Backup. Or, if adding a Cloud objective for a replication objective that you have added, click Cloud Tier under Replicate. An entry for Cloud Tier is created to the right of the primary backup objective, or below the replication objective.

b. Under the entry for Cloud Tier, click Add. The Add Cloud Tier Backup dialog appears, with summary information for the parent objective to indicate whether you are adding this Cloud Tier objective for the primary backup objective or the replication objective.

c. Keep the All applicable full backups slider to the right if you want to tier the backups from all of the full primary backup or replication schedules of this policy. Otherwise, move the slider to the left and select the full schedule(s) that you want to tier.

NOTE: If the retention period of a schedule is less than the minimum 14 days required before tiering occurs, or is less than the value in the Tier After field, you can still select this schedule for tiering. However, if you do not edit the retention period of this schedule or its backup or replication copy to a value greater than the Tier After field before the retention period of the copy expires, the backup or replication copy of this schedule will not be cloud tiered.

d. Complete the objective details in the Add Cloud Tier Backup dialog, and then click Save to save your changes and return to the Objectives page.

The PowerProtect Data Manager Administration and User Guide provides detailed instructions for adding a Cloud objective for a primary or replication objective.

16. Optionally, if Cloud Disaster Recovery is configured in the Infrastructure > Storage window, you can add a Cloud DR objective for virtual machine protection policies:

a. Click Cloud DR next to Primary Backup or, if adding a Cloud objective for a replication objective that you have added, click Cloud DR under Replicate. An entry for Cloud DR is created to the right of the primary objective, or below the replication objective.

b. Under the entry for Cloud DR, click Add. The Add Cloud DR Backup dialog appears, with summary information for the parent node to indicate whether you are adding this Cloud DR objective for the primary backup objective or the replication objective.

c. Complete the objective details in the Add Cloud DR Backup dialog, and then click Save to save your changes and return to the Objectives page.

The PowerProtect Data Manager Cloud Disaster Recovery Administration and User Guide provides detailed instructions for adding a Cloud DR objective for a primary or replication objective.

17. Click Next. The Options page appears.

18. On the Options page:

a. For Optimize For, select from one of the following backup optimization modes:

Performance: Optimize for backup and replication speed. Selecting this mode results in more storage consumption.

Capacity: Optimize for backup size. Selecting this mode results in less storage consumption, but backups take longer to complete.

NOTE: Changing the optimization mode after the first backup of the protection policy forces the next backup to be a full backup, and results in increased storage capacity usage due to differences in how each mode uses data deduplication. This increase continues until all backups performed using the previous optimization mode expire and have been deleted.

b. Exclude swap files from backup: Select to exclude the C:\swapfile.sys, C:\pagefile.sys, and C:\hiberfil.sys swap and memory files of Microsoft Windows virtual machines, in the virtual machine backup. By default, this check box is cleared.

When using the Transparent Snapshot Data Mover protection mechanism, do not select the Exclude swap files from backup check box.

NOTE: Including swap and memory files in a backup unnecessarily increases the size of the backup and the time to restore to original during recovery. These files are rebuilt by the Microsoft Windows operating system after restart, and not required for recovery.

c. Enable indexing for file search and restore: Select to enable indexing. This option is visible only after activating the search cluster node.

d. Enable guest file system quiescing: Select to enable VMware Tools to quiesce the file system during crash-consistent virtual machine backups.

When using the Transparent Snapshot Data Mover protection mechanism, do not select the Enable guest file system quiescing check box.

19. Click Next. The Summary page appears.

20. Review the protection policy group configuration details. Except for the protection policy type, you can click Edit next to any details to change the protection policy information. When satisfied with the details, click Finish. An informational message appears to confirm that PowerProtect Data Manager has saved the protection policy.

When the new protection policy is created and assets are added to the protection policy, PowerProtect Data Manager performs backups according to the backup schedule.

For virtual machines, if you have not yet added a VM Direct Engine, the backup is performed using the embedded VM Direct Engine that is included with PowerProtect Data Manager. Subsequent backups are performed according to the schedule specified.

NOTE: If the target virtual machine datastore for backup is running low on free space and the datastore free space threshold is configured in vCenter Settings, a warning message appears or a backup failure occurs. When the Datastore Free Space Warning Threshold is reached, the backup proceeds with a warning message in the logs. When the Datastore Free Space Failure Threshold is reached, the backup fails.

To check the warning and failure threshold values, select Infrastructure > Asset Sources and click the vCenter tab. Click the gear icon to open the vCenter Settings dialog.

21. Click OK to exit the window, or click Go to Jobs to open the Jobs window to monitor the backup of the new protection policy group.
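The constraints stated in this procedure (TSDM option conflicts, governance-only storage units created in the wizard, log retention versus full retention, the 14-day minimums for locked replicas and Cloud Tier, and schedule-conflict priority) can be checked against a planned policy before it is entered in the wizard. The following Python is an added example, not Dell code; the Policy and Schedule classes, their field names, and the finding codes are hypothetical and do not mirror the product's REST schema.

```python
from dataclasses import dataclass, field
from typing import List, Optional

MIN_DAYS = 14  # guide: default primary retention-lock period and Cloud Tier minimum
FULL_KINDS = ("FULL", "SYNTHETIC_FULL")


@dataclass
class Schedule:  # hypothetical model of one schedule in the Add Primary Backup dialog
    kind: str            # "FULL", "SYNTHETIC_FULL" or "LOG"
    retain_days: int     # Retain For, converted to days
    interval_hours: int  # time between runs; a larger value means less frequent
    window_hours: int    # length of the Start/End activity window


@dataclass
class Policy:  # hypothetical model, not the product's REST schema
    name: str
    purpose: str                        # "CRASH_CONSISTENT" or "APPLICATION_AWARE"
    expects_tsdm: bool = False          # operator expects TSDM rather than VADP
    exclude_swap_files: bool = False
    guest_quiescing: bool = False
    new_storage_unit: bool = False      # storage unit created inside the wizard
    lock_mode_wanted: str = "NONE"      # "NONE", "GOVERNANCE" or "COMPLIANCE"
    replica_locked: bool = False
    replica_retain_days: Optional[int] = None
    cloud_tier: bool = False
    schedules: List[Schedule] = field(default_factory=list)


def audit(policy: Policy) -> List[str]:
    """Return finding codes for settings the guide warns about."""
    findings = []
    fulls = [s for s in policy.schedules if s.kind in FULL_KINDS]
    logs = [s for s in policy.schedules if s.kind == "LOG"]

    # TSDM applies to crash-consistent policies with both check boxes cleared.
    if policy.expects_tsdm:
        if policy.purpose != "CRASH_CONSISTENT":
            findings.append("TSDM_REQUIRES_CRASH_CONSISTENT")
        if policy.exclude_swap_files or policy.guest_quiescing:
            findings.append("TSDM_OPTION_CONFLICT")

    # A storage unit created in the wizard supports governance mode only.
    if policy.new_storage_unit and policy.lock_mode_wanted == "COMPLIANCE":
        findings.append("COMPLIANCE_NEEDS_PRECREATED_STORAGE_UNIT")

    # Log retention shorter than the full backup risks losing point-in-time restores.
    # Assumption: compare against the longest full or synthetic full retention.
    if fulls and logs:
        longest_full = max(s.retain_days for s in fulls)
        if any(s.retain_days < longest_full for s in logs):
            findings.append("LOG_RETENTION_SHORTER_THAN_FULL")

    # A locked replica must be retained for at least 14 days so that it does not
    # expire before the primary backup.
    if policy.replica_locked and (policy.replica_retain_days or 0) < MIN_DAYS:
        findings.append("LOCKED_REPLICA_UNDER_14_DAYS")

    # The guide requires 14 days or more of retention before a copy can be tiered.
    # Assumption: full and synthetic full schedules are both tiering candidates.
    if policy.cloud_tier and any(s.retain_days < MIN_DAYS for s in fulls):
        findings.append("CLOUD_TIER_UNDER_14_DAYS")
    return findings


def schedule_rank(s: Schedule):
    """Sort key for the guide's conflict priority: Full over Synthetic Full,
    then the less frequent schedule, then the longer activity window."""
    return (s.kind == "FULL", s.interval_hours, s.window_hours)


def surviving_schedule(a: Schedule, b: Schedule) -> Schedule:
    """Of two conflicting full-type schedules, return the one that is not skipped.
    On a complete tie the guide only says one of them runs; this returns `a`."""
    return max((a, b), key=schedule_rank)


# Constructed sample: an application-aware policy with several risky settings.
SAMPLE = Policy(
    name="constructed-sql-policy",
    purpose="APPLICATION_AWARE",
    new_storage_unit=True,
    lock_mode_wanted="COMPLIANCE",
    replica_locked=True,
    replica_retain_days=7,
    cloud_tier=True,
    schedules=[
        Schedule("SYNTHETIC_FULL", retain_days=10, interval_hours=24, window_hours=8),
        Schedule("FULL", retain_days=30, interval_hours=168, window_hours=8),
        Schedule("LOG", retain_days=14, interval_hours=1, window_hours=24),
    ],
)

if __name__ == "__main__":
    for code in audit(SAMPLE):
        print(SAMPLE.name, code)
    print("runs on conflict:", surviving_schedule(*SAMPLE.schedules[:2]).kind)
```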

Managing virtual machine backups

The following sections describe the options that are available for virtual machine assets that are backed up as part of a protection policy.

Add and remove the credentials for virtual machine assets

You can optionally add and remove the credentials for multiple virtual machine assets simultaneously in the PowerProtect Data Manager UI. With previous versions, you could add and remove the credentials for one virtual machine asset at a time.

About this task

NOTE: The asset-level credentials take precedence over policy-level credentials for virtual machines. Asset-level credentials have the highest precedence. Virtual machines do not support the asset source-level (host) credentials.

Use the following procedure to add or remove one or more credentials for virtual machine assets.

Steps

1. From the PowerProtect Data Manager UI, select Infrastructure > Assets, and then click the Virtual Machine tab. A list of discovered virtual machine assets displays.

2. Select one or more assets by clicking the check box next to each required asset name.

3. Select More Actions > Set Credential.

4. In the Set Credential dialog box, add or remove the credentials for the selected virtual machine assets:

To add the credentials for the assets, select the appropriate value from the drop-down list in the Credential field:

To create new credentials, select Create New.

In the Add Credentials dialog box that appears, specify the required field values and then click Save.

To add existing credentials, select the credentials name from the credentials list.

To remove the credentials for the assets, select Remove Credentials.

5. Click Save in the Set Credential dialog box.

Results

After you add the credentials by using these steps, the asset-level credentials are used for the selected assets during the virtual machine centralized backups, overriding the policy-level credentials.

Enable or disable Changed Block Tracking (CBT)

The Changed Block Tracking (CBT) feature is used to identify areas of the virtual machine backup that have changed since the last backup and only process those changed areas during the next backup. CBT is enabled by default.

About this task

To set Changed Block Tracking (CBT) for virtual machines, complete the following steps:

Steps

1. From the PowerProtect Data Manager UI, select Infrastructure > Assets.

2. From the Assets window, select the Virtual Machine tab. If a policy has been assigned, the virtual machine assets that have been discovered in the vCenter server display, along with the associated protection policy.

3. Select one or more virtual machine assets from the list, and click More Actions > Changed Block Tracking.

The Changed Block Tracking dialog box appears.

4. Clear the check box to disable CBT, or select the check box to enable CBT.

If there are high change rates on the virtual machine, CBT can sometimes cause backups to take longer than expected. If the backups are taking too long to complete, you can disable CBT for virtual machines. Also, if you encounter an issue with CBT, you can disable it on the virtual machine.

NOTE: If CBT is enabled in PowerProtect Data Manager but is disabled in VMware vSphere, PowerProtect Data Manager tries to back up the virtual machine with CBT enabled. If PowerProtect Data Manager cannot enable CBT, the backup completes with a warning that indicates CBT data is not available.

5. Click Save.

NOTE: When CBT is disabled for a virtual machine, subsequent backups no longer use CBT.

More options for managing virtual machine backups

After you create a virtual machine protection policy, additional options become available for virtual machine assets that are backed up as part of the policy.

To access these options:

1. From the PowerProtect Data Manager UI, select Infrastructure > Assets.

2. From the Assets window, select the Virtual Machine tab.

If a policy has been assigned, the virtual machine assets that have been discovered in the vCenter server display, along with the associated protection policy.

NOTE: You can click the link in the Disk Excluded column next to a virtual machine asset to view VMDKs that have been excluded from the protection policy. You cannot, however, edit disk inclusion or exclusion from this window. To change the disks that are excluded for a protected asset, select the policy from the Protection Policies window and click Edit.

3. Select a protected asset from the table, and then click View Copies. The Copy Locations pane identifies where the backups are stored.

4. In the left pane, click the storage icon to the right of the VM icon, for example, DD. The table in the right pane lists the backup copies.

Depending on whether the asset is retention locked, you can perform the following functions from this window:

- Edit the retention period of backup copies to extend or shorten the amount of time that backups are retained: Select one or more backup copies from the table and click Edit Retention. To select a calendar date as the expiration date for backups, select Retention Date. To define a fixed retention period in days, weeks, or months after the backup is performed, select Retention Value. For example, you could specify that backups expire after 6 months.

NOTE: When you edit the retention period for copies that are retention locked, you can only extend the retention period.

- Delete a backup copy: If you no longer require a copy and the retention lock is not enabled, select the copy from the table and click Delete.

Snapshot freeze scripts and thaw scripts for virtual machine backups

You can use custom scripts to back up a Windows or Linux virtual machine which runs an application that PowerProtect Data Manager does not directly support. These scripts run before and after the snapshot to place the virtual machine and application into a state where you can perform a backup.

NOTE: Use of these scripts is not supported for virtual machines with the Transparent Snapshot Data Mover (TSDM) protection mechanism enabled.

Table 8. Script descriptions and related terms

| Script | Related terms | Description |
| --- | --- | --- |
| Freeze | Quiesce, Pre-freeze | This script runs before the snapshot initialization to quiesce the virtual machine and place the application in a frozen state. Quiescing ensures that the data within the guest file system is in a consistent state that is appropriate for backups. |
| Thaw | Unquiesce, Post-thaw | This script runs after the snapshot finalization to unquiesce the virtual machine, thaw the application, and then return the virtual machine to normal operation. |

PowerProtect Data Manager uses the VMware Tools package to quiesce the virtual machine. The VMware documentation provides more information. Before you deploy the freeze and thaw scripts, install the latest version of the VMware Tools package on the virtual machine.

The freeze and thaw scripts are specific to each application. If the freeze script returns a nonzero exit code, snapshot creation fails.

After you create your custom scripts, deploy the scripts to the correct location on the virtual machine, as specified in the following tables.

Table 9. Script locations for Windows virtual machines

| ESXi version | Freeze script location | Thaw script location |
| --- | --- | --- |
| ESXi 6.5 or later | C:\Program Files\VMware\VMware Tools\backupScripts.d\ All scripts are invoked in ascending alphabetical order with freeze as the first argument. | C:\Program Files\VMware\VMware Tools\backupScripts.d\ All scripts are invoked in descending alphabetical order with thaw or freezeFail as the first argument. |

Table 10. Script locations for Linux virtual machines

| ESXi version | Freeze script location | Thaw script location |
| --- | --- | --- |
| ESXi 6.5 or later | /usr/sbin/pre-freeze-script | /usr/sbin/post-thaw-script |

For Linux virtual machines, set the script ownership and permissions after you deploy the scripts:

sudo chown root:root /usr/sbin/pre-freeze-script /usr/sbin/post-thaw-script

sudo chmod 0700 /usr/sbin/pre-freeze-script /usr/sbin/post-thaw-script
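The ownership and mode that the commands above set can be checked for drift with a short audit run inside the guest. The following Python is an added example, not part of the Dell guide or of VMware Tools; the function names and the expected_* parameters are assumptions made for illustration.

```python
import os
import stat

# Script paths from Table 10 (Linux guests, ESXi 6.5 or later).
SCRIPT_PATHS = ("/usr/sbin/pre-freeze-script", "/usr/sbin/post-thaw-script")


def audit_script(path, expected_uid=0, expected_gid=0, expected_mode=0o700):
    """Return a list of findings for one script; an empty list means it matches."""
    try:
        st = os.lstat(path)  # lstat so a symlink at the path is reported, not followed
    except FileNotFoundError:
        return [f"{path}: missing"]
    if stat.S_ISLNK(st.st_mode):
        return [f"{path}: is a symbolic link, expected a regular file"]
    if not stat.S_ISREG(st.st_mode):
        return [f"{path}: not a regular file"]

    findings = []
    # chown root:root corresponds to uid 0 and gid 0.
    if (st.st_uid, st.st_gid) != (expected_uid, expected_gid):
        findings.append(
            f"{path}: owner {st.st_uid}:{st.st_gid}, "
            f"expected {expected_uid}:{expected_gid}"
        )
    # chmod 0700 means read, write and execute for the owner only.
    mode = stat.S_IMODE(st.st_mode)
    if mode != expected_mode:
        findings.append(f"{path}: mode {mode:04o}, expected {expected_mode:04o}")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: writable by group or others")
    return findings


def audit_all(paths=SCRIPT_PATHS, **expected):
    """Audit every path and return all findings in one list."""
    findings = []
    for path in paths:
        findings.extend(audit_script(path, **expected))
    return findings


if __name__ == "__main__":
    problems = audit_all()
    for line in problems:
        print(line)
    raise SystemExit(1 if problems else 0)
```

The script exits with a nonzero status when any finding is reported, so it can be scheduled as a periodic configuration check.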


Add a service-level agreement

SLA Compliance in the PowerProtect Data Manager UI enables you to add a service-level agreement (SLA) that identifies your service-level objectives (SLOs). You use the SLOs to verify that your protected assets are meeting the service-level agreements (SLAs).

About this task

NOTE: When you create an SLA for Cloud Tier, you can include only full backups in the SLA. Also, the Extended Retention SLA applies to protection policies created in PowerProtect Data Manager 19.11 and earlier only. The Extended Retention objective was removed in PowerProtect Data Manager 19.12. When updating to PowerProtect Data Manager 19.12 from a previous release, any protection policies created in the earlier release with the Extended Retention SLA will continue to be supported; however, you will not be able to edit the Extended Retention SLA in these policies.

In the SLA Compliance window, you can export compliance data by using the Export All functionality.

Steps

1. From the PowerProtect Data Manager UI, select Protection > SLA Compliance.

The SLA Compliance window appears.

2. Click Add or, if the assets that you want to apply the SLA to are listed, select these assets and then click Add.

The Add Service Level Agreement wizard appears.

3. Select the type of SLA that you want to add, and then click Next.

- Policy. If you choose this type, go to step 4.

- Backup. If you choose this type, go to step 5.

- Replication. If you choose this type, go to step 6.

- Cloud Tier. If you choose this type, go to step 7.

You can select only one type of Service Level Agreement.

4. If you selected Policy, specify the following fields regarding the purpose of the new Policy SLA:

a. The SLA Name.

b. If applicable, select Minimum Copies, and specify the number of Backup, Replication, and Cloud Tier copies.

c. If applicable, select Maximum Copies, and specify the number of Backup, Replication, and Cloud Tier copies.

d. If applicable, select Available Location and select the applicable locations. To add a location, click Add Location.

Options include the following:

- In: Include locations of all copies in the SLO locations. Selecting this option does not require every SLO location to have a copy.

- Must In: Include locations of all copies in the SLO locations. Selecting this option requires every SLO location to have at least one copy.

- Exclude: Locations of all copies must be non-SLO locations.

e. If applicable, select Allowed in Cloud through Cloud Tier/Cloud DR.

f. Click Finish, and then go to step 9.

5. If you selected Backup, specify the following fields regarding the purpose of the new Backup SLA:

a. The SLA Name.

b. If applicable, select Recovery Point Objective required (RPO), and then set the duration. The purpose of an RPO is business continuity planning, and indicates the maximum targeted period in which data (transactions) might be lost from an IT service due to a major incident.

NOTE: You can select only Recovery Point Objective required to configure as an independent objective in the SLA, or select both Recovery Point Objective required and Compliance Window for copy type. If you select both, the RPO setting must be one of the following:

- Greater than 24 hours or more than the Compliance window duration, in which case RPO validation occurs independent of the Compliance Window.

- Less than or equal to the Compliance Window duration, in which case RPO validation occurs within the Compliance Window.

c. If applicable, select Compliance Window for copy type, and then select a schedule level from the list, for example, All, Full, Cumulative, and set the duration. Duration indicates the amount of time necessary to create the backup copy. Ensure that the Start Time and End Time of backup copy creation fall within the Compliance Window duration specified.

This window specifies the time during which you expect the specified activity to take place. Any specified activity that occurs outside of this Start Time and End Time triggers an alert.

d. If applicable, select the Verify expired copies are deleted option.

Verify expired copies are deleted is a compliance check to see if PowerProtect Data Manager is deleting expired copies. This option is disabled by default.

e. If applicable, select Retention Time Objective, and specify the number of Days, Months, Weeks, or Years.

NOTE: For compliance validation to pass, the value set for the Retention Time Objective must match the lowest retention value set for the backup levels of this policy's target objectives. For example, if you set the synthetic full backup Retain For to 30 days but set the full backup Retain For to 60 days, the Retention Time Objective must be set to the lower value, in this case, 30 days.

f. If applicable, select the Verify Retention Lock is enabled for all copies option. This option is disabled by default.

g. Click Finish, and go to step 9.

The SLA Compliance window appears with the new SLA.

6. If you selected Replication, specify the following fields regarding the purpose of the new Replication SLA:

a. The SLA Name.

b. If applicable, select the Compliance Window, and specify the Start Time and End Time.

This window specifies the times that are permissible and during which you can expect the specified activity to occur. Any specified activity that occurs outside of this start time and end time triggers an alert.

c. If applicable, select the Verify expired copies are deleted option.

Verify expired copies are deleted is a compliance check to see if PowerProtect Data Manager is deleting expired copies. This option is disabled by default.

d. If applicable, select Retention Time Objective, and specify the number of Days, Months, Weeks, or Years.

NOTE: For compliance validation to pass, the value set for the Retention Time Objective must match the lowest retention value set for the backup levels of this policy's target objectives.

e. If applicable, select the Verify Retention Lock is enabled for all copies option. This option is disabled by default.

f. Click Finish, and go to step 9.

The SLA Compliance window appears with the newly added SLA.

7. If you selected Cloud Tier type SLA, specify the following fields regarding the purpose of the new Cloud Tier SLA:

a. The SLA Name.

b. If applicable, select the Verify expired copies are deleted option.

This option is a compliance check to determine if PowerProtect Data Manager is deleting expired copies. This option is disabled by default.

c. If applicable, select Retention Time Objective and specify the number of Days, Months, Weeks, or Years.

NOTE: For compliance validation to pass, the value set for the Retention Time Objective must match the lowest retention value set for the backup levels of this policy's target objectives.

d. If applicable, select the Verify Retention Lock is enabled for all copies option. This option is disabled by default.

e. Click Finish.

8. If the SLA has not already been applied to a protection policy:

a. Go to Protection > Protection Policies.

b. Select the policy, and then click Edit.

9. In the Objectives row of the Summary window, click Edit.

10. Do one of the following, and then click Next:

- Select the added Policy SLA from the Set Policy Level SLA list.

- Create and add the SLA policy from the Set Policy Level SLA list.

The Summary window appears.

11. Click Finish. An informational message appears to confirm that PowerProtect Data Manager has saved the protection policy.

12. Click Go to Jobs to open the Jobs window to monitor the backup and compliance results, or click OK to exit.


NOTE: Compliance checks occur automatically every day at 2 a.m. Coordinated Universal Time (UTC). If any objectives are out of compliance, an alert is generated at 2 a.m. UTC. The Validate job in the System Jobs window indicates the results of the daily compliance check.

For a backup SLA with a required RPO setting that is less than 24 hours, PowerProtect Data Manager performs real-time compliance checks. If you selected Compliance Window for copy type and set the backup level to All, the real-time compliance check occurs every 15 minutes only within the compliance window. If the backup level is not All, or if a compliance window is not specified, the real-time compliance check occurs every 15 minutes without stop.

NOTE: If the backup SLA has a required RPO setting of 24 hours or greater, compliance checks occur daily at 2 a.m. UTC. Real-time compliance checks do not occur for backup SLAs with an RPO setting of 24 hours or greater.

Real-time compliance-check behavior

If the interval of time between the most recent backup of the asset and the compliance check is greater than the RPO requirement, then an alert indicates the RPO of the asset is out of compliance. This alert is generated once within an RPO period. If the same backup copy is missed when the next compliance check occurs, no further alerts are generated.

If the interval of time between the most recent backup of the asset and the compliance check is less than the RPO requirement, the RPO of the asset is in compliance.

If multiple assets in a policy are out of compliance at the same time when a compliance check occurs, a single alert is generated and includes information for all assets that are out of compliance in the policy. In the Alerts window, the asset count next to the alert summary indicates the number of assets that are out of compliance in the policy.

13. In the Jobs window, click next to an entry to view details on the SLA Compliance result.

Add or remove assets in a protection policy

Perform the following steps in the PowerProtect Data Manager UI to add or remove an asset in a protection policy.

About this task

When a protection policy is edited and new assets are added, backups for the new assets start from the next scheduled FULL backup job for the protection policy.

Steps

1. From the left navigation pane, select Protection > Protection Policies.

The Protection Policies window appears.

2. Select the protection policy that you want to modify, and click Edit.

The Edit Policy window opens on the Summary page.

3. In the Assets row, click Edit. The Assets page appears.

NOTE: For virtual machine protection policies, the view that you selected when creating the policy is retained in this page, and cannot be changed. For example, if you set up this policy with View Asset Table selected, all assets protected by this policy will display in a table on this page, and the option to select View by Host will be disabled. Both views provide additional information about the virtual machines, such as any currently associated tags, protection rules, and whether the virtual machine is already assigned to another policy, to help you identify which assets you want to add or remove from this policy.

4. To remove containers or assets from the protection policy, select the object and click Remove.

The Assets page updates with the changes.

5. To add a container or asset to the protection policy:

a. Click + Add.

The Add Unprotected Assets dialog displays any objects that are unprotected.

b. Select the individual unprotected assets that you want to add to the policy, or select a container level within the hierarchy to add all assets within that level, and then click Add.

The Assets page updates with the changes.

6. Optionally, if you want to exclude non-production VMDKs such as network shares or test disks from a protection policy:


a. Select the virtual machine asset from the list, and then click Manage Exclusions in the Disk Excluded column.

The Exclude Disks dialog box appears. By default, the slider next to each VMDK is set to Included.

b. For each disk that you want to exclude, move the slider to the right. The status updates to Excluded.

c. Click Save. The Assets page updates to indicate the number of disks for that particular asset that will be excluded from the protection policy.

7. Click Next to save the changes and go to the Summary page.

8. In the Summary page, click Finish. An informational dialog box appears.

9. Click OK to exit the dialog box, or click Go to Jobs to open the Jobs window to monitor the backup of the new protection policy.

Edit the retention period for backup copies

You can edit the retention period of one or more backup copies to extend or shorten the amount of time that backups are retained.

About this task

You can edit retention for all asset types and backup types.

Steps

1. From the PowerProtect Data Manager UI, select Infrastructure > Assets.

2. On the Assets window, select the tab for the asset type for which you want to edit retention. If a policy has been assigned, the table lists the assets that have been discovered, along with the associated protection policy.

NOTE: For virtual machine assets, you can click the link in the Disk Excluded column next to a virtual machine asset to view VMDKs that have been excluded from the protection policy. You cannot, however, edit disk inclusion or exclusion from this window. To change the disks that are excluded for a protected asset, select the policy from the Protection Policies window and click Edit.

3. Select a protected asset from the table, and then click View Copies. The Copy Locations pane identifies where the backups are stored.

4. In the left pane, click the storage icon to the right of the icon for the asset, for example, DD. The table in the right pane lists the backup copies.

5. Select one or more backup copies from the table and click Edit Retention.

6. Choose one of the following options:

- To select a calendar date as the expiration date for backups, select Retention Date.

- To define a fixed retention period in days, weeks, months, or years after the backup is performed, select Retention Value. For example, you could specify that backups expire after 6 months.

NOTE: When you edit the retention period for copies that are retention locked, you can only extend the retention period.

7. When satisfied with the changes, click Save. The asset is displayed in the list with the changes. The Retention column displays both the original and new retention period, and indicates whether the retention period has been extended or shortened.

Extended retention (for protection policies created in PowerProtect Data Manager 19.11 and earlier)

NOTE: This section applies to protection policies created in PowerProtect Data Manager 19.11 and earlier only. For protection policies created in PowerProtect Data Manager 19.12, instead of using the Extend Retention objective to extend the retention period of certain full copies, you can now add multiple full schedules for primary backup and replication objectives. When updating to PowerProtect Data Manager 19.12 from a previous release, any protection policies created in the earlier release with the Extend Retention objective will continue to be supported; however, you will not be able to edit existing extended retention objectives, or add new extended retention objectives, in these policies. The Knowledge Base article 000204454 at https://www.dell.com/support/ provides detailed information about specific Extend Retention objective migration scenarios when updating to PowerProtect Data Manager 19.12.

For protection policies created in PowerProtect Data Manager 19.11 and earlier, the Extend Retention objective allows you to extend the retention period for the primary backup copy for long-term retention. For example, your regular schedule for daily backups can use a retention period of 30 days, but you can extend the retention period to keep the full backups taken on Mondays for 10 weeks.

Both centralized and self-service protection policies support weekly, monthly, and yearly recurrence schedules to meet the demands of your compliance objectives. For example, you can retain the last full backup containing the last transaction of a fiscal year for 10 years. When you extend the retention period of a backup in a protection policy, you can retain scheduled full backups with a repeating pattern for a specified amount of time.

For example:

- Retain full yearly backups that are set to repeat on the first day of January for 5 years.

- Retain full monthly backups that are set to repeat on the last day of every month for 1 year.

- Retain full yearly backups that are set to repeat on the third Monday of December for 7 years.

Preferred alternatives

When you define an extended retention objective for a protection policy, you define a set of matching criteria that select preferred backups to retain. If the matching criteria do not identify a matching backup, PowerProtect Data Manager automatically retains the preferred alternative backup according to one of the following methods:

- Look-back: Retain the last available full backup that was taken before the matching criteria.

- Look-forward: Retain the next available full backup that was taken after the matching criteria.

For example, consider a situation where you configured a protection policy to retain the daily backup for the last day of the month to extended retention. However, a network issue caused that backup to fail. In this case, look-back matching retains the backup that was taken the previous day, while look-forward matching retains the backup that was taken the following day.

By default, PowerProtect Data Manager uses look-back matching to select the preferred alternative backup. A grace period defines how far PowerProtect Data Manager can look in the configured direction for an alternative backup. If PowerProtect Data Manager cannot find an alternative backup within the grace period, extended retention fails.

You can use the REST API to change the matching method or the grace period for look-forward matching. The PowerProtect Data Manager Public REST API documentation provides instructions. If there are no available backups for the defined matching period, you can change the matching method to a different backup.

For look-forward matching, the next available backup can be a manual backup or the next scheduled backup.
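The look-back and look-forward selection described above, applied to the failed last-day-of-month backup, as an added Python example that is not PowerProtect Data Manager code. The function name, the grace value, the backup times, and the choice of the earliest copy when several fall inside the matching period are assumptions; the guide does not state a default grace period.

```python
from datetime import datetime, timedelta


def choose_extended_retention_copy(full_backups, period_start, period_end, method, grace):
    """Pick the full backup to retain for one matching period.

    Returns (backup_time, how), where how is 'match', 'look-back',
    'look-forward' or 'failed'.
    """
    if method not in ("look-back", "look-forward"):
        raise ValueError(f"unknown matching method: {method}")
    backups = sorted(full_backups)

    # A backup inside the matching period is the preferred copy.
    in_period = [b for b in backups if period_start <= b < period_end]
    if in_period:
        return in_period[0], "match"  # earliest copy: an assumption of this example

    if method == "look-back":
        # Last available full backup before the period, within the grace period.
        earlier = [b for b in backups if b < period_start and period_start - b <= grace]
        if earlier:
            return earlier[-1], "look-back"
    else:
        # Next available full backup after the period, within the grace period.
        later = [b for b in backups if b >= period_end and b - period_end <= grace]
        if later:
            return later[0], "look-forward"

    # No alternative inside the grace period: extended retention fails.
    return None, "failed"


# Constructed sample: daily fulls at 10:00 p.m.; the 30 November backup failed.
FULLS = [
    datetime(2022, 11, 28, 22, 0),
    datetime(2022, 11, 29, 22, 0),
    datetime(2022, 12, 1, 22, 0),
    datetime(2022, 12, 2, 22, 0),
]
LAST_DAY = (datetime(2022, 11, 30), datetime(2022, 12, 1))  # last day of the month

if __name__ == "__main__":
    for method in ("look-back", "look-forward"):
        print(method, choose_extended_retention_copy(
            FULLS, *LAST_DAY, method=method, grace=timedelta(days=2)))
```

A 'failed' result is the case to alert on: no copy for that period receives the longer retention.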

Selecting backups by weekday

This section applies to centralized protection policies. Self-service protection policies have no primary backup objective configuration.

When you configure extended retention to match backups by weekday, PowerProtect Data Manager may identify a backup that was taken on one weekday as being taken on a different weekday. This behavior happens where the backup window does not align with the start of the day. PowerProtect Data Manager identifies backups according to the day on which the corresponding backup window started, rather than the start of the backup itself.

For example, consider a backup schedule with an 8:00 p.m. to 6:00 a.m. backup window:

Backups that start at 12:00 a.m. on Sunday and end at 6:00 a.m. on Sunday are identified as Saturday backups, since the backup window started on Saturday.

Backups that start at 8:01 p.m. on Sunday and end at 12:00 a.m. on Monday are identified as Sunday backups, since the backup window started on Sunday.

Backups that start at 12:00 a.m. on Monday and end at 6:00 a.m. on Monday are identified as Sunday backups, since the backup window started on Sunday.

In this example, when you select Sunday backups for extended retention, PowerProtect Data Manager does not retain backups that were taken between 12:00 a.m. and 8:00 p.m. This behavior happens even though the backups occurred on Sunday. Instead, PowerProtect Data Manager selects the first available backup that started after 8:00 p.m. on Sunday for extended retention.


If no backups were created between 8:01 p.m. on Sunday and 6:00 a.m. on Monday, PowerProtect Data Manager retains the next alternative to extended retention. In this example, the alternative was taken after 6:00 a.m. on Monday.
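The weekday attribution described in this section, as an added Python example that is not PowerProtect Data Manager code: a backup is labelled with the day on which its backup window opened, not the day on which the backup started. The function names and the sample dates (4 December 2022 is a Sunday) are constructed for illustration.

```python
from datetime import datetime, time, timedelta

WEEKDAYS = ("Monday", "Tuesday", "Wednesday", "Thursday",
            "Friday", "Saturday", "Sunday")


def window_open_for(backup_start, window_open, window_close):
    """Return when the backup window containing backup_start opened, or None."""
    spans_midnight = window_close <= window_open
    # The backup can belong to the window that opened today or yesterday.
    for day in (backup_start.date(), backup_start.date() - timedelta(days=1)):
        opened = datetime.combine(day, window_open)
        closed = datetime.combine(
            day + timedelta(days=1) if spans_midnight else day, window_close)
        if opened <= backup_start < closed:
            return opened
    return None


def attributed_weekday(backup_start, window_open, window_close):
    """Weekday under which the backup is identified, or None if outside any window."""
    opened = window_open_for(backup_start, window_open, window_close)
    return WEEKDAYS[opened.weekday()] if opened else None


def select_for_weekday(backup_starts, weekday, window_open, window_close):
    """Return the first backup attributed to the given weekday, or None."""
    for start in sorted(backup_starts):
        if attributed_weekday(start, window_open, window_close) == weekday:
            return start
    return None


# The 8:00 p.m. to 6:00 a.m. backup window from the example above.
WINDOW_OPEN, WINDOW_CLOSE = time(20, 0), time(6, 0)

# Constructed backup start times around Sunday 4 December 2022.
BACKUPS = [
    datetime(2022, 12, 4, 0, 0),    # Sunday 12:00 a.m.
    datetime(2022, 12, 4, 13, 0),   # Sunday 1:00 p.m., outside the window
    datetime(2022, 12, 4, 20, 1),   # Sunday 8:01 p.m.
    datetime(2022, 12, 5, 0, 0),    # Monday 12:00 a.m.
]

if __name__ == "__main__":
    for b in BACKUPS:
        print(b, "->", attributed_weekday(b, WINDOW_OPEN, WINDOW_CLOSE))
    print("Sunday copy:", select_for_weekday(BACKUPS, "Sunday", WINDOW_OPEN, WINDOW_CLOSE))
```

Running the same functions over a real schedule before relying on a weekday-based retention rule shows which calendar-day backups the rule will not select.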

Extended retention backup behavior

When PowerProtect Data Manager identifies a matching backup, automatic extended retention creates a job at the beginning of the backup window for the primary objective. This job remains queued until the end of the backup window and then starts.

The following examples describe the behavior of backups with extended retention for centralized and self-service protection.

Centralized protection

For an hourly primary backup schedule that starts on Sunday at 8:00 p.m. and ends on Monday at 6:00 p.m. with a weekly extended retention objective that is set to repeat every Sunday, PowerProtect Data Manager selects the first available backup starting after 8:00 p.m. on Sunday for long-term retention.

The following diagram illustrates the behavior of backups with extended retention for a configured protection policy. In this example, full daily backups starting at 10:00 p.m. and ending at 6:00 a.m. are kept for 1 week. Full weekly backups are set to repeat every Sunday and are kept for 1 month.

Figure 2. Extend retention backup behavior

Self-service protection

For self-service backups, PowerProtect Data Manager uses a default backup window of 24 hours. For a backup schedule that starts on Sunday at 12:00 p.m. and ends on Monday at 12:00 p.m. with a weekly extended retention objective that is set to repeat every Sunday, PowerProtect Data Manager selects the first available backup that is taken between 12:00 p.m. on Sunday and 12:00 p.m. on Monday for long-term retention.

Replication of extended retention backups

You can change the retention time of selected full primary backups in a replication objective by adding a replication objective to the extended retention backup. The rules in the extended retention objective define the selected full primary backups. Review the following information about replication of extended retention backups.

- Before you configure replication of extended retention backups, create a replication objective for the primary backup.

- Configure the replication objective of the extended retention and match this objective with one of the existing replication objectives based on the primary backup. Any changes to a new or existing storage unit in the extended retention replication objective or the replication objective of the primary backup are applied to both replication objectives.

- The replication objective of extended retention backups only updates the retention time of replicated backup copies and does not create any new backup copies in the replication storage.


Protection rules

Protection rules comprise one or more conditions that select matching assets and automatically assign them to a corresponding protection policy. PowerProtect Data Manager applies these rules to assets at discovery time.

When you define a protection rule, note the following requirements:

- Creating protection rules requires at least one existing protection policy.

- An asset can only belong to one protection policy.

- Assets can move from one policy to another policy based on the priorities of the protection rules.

- Virtual machine tags created in the vSphere Client can only be applied to a protection rule.

- To ensure the protection of homogeneous assets, the protection rule must specify a storage asset type.

- A virtual machine application-aware protection policy that protects a Microsoft SQL Server Always On availability group (AAG) must include all the virtual machines of the AAG in the same protection group. Failure to meet this requirement might result in Microsoft SQL Server transaction log backups being skipped. Ensure that the protection rules are designed to include all the AAG virtual machines.

NOTE: Ensure that Oracle protection rules do not use the DB ID and Oracle SID Name field settings that were supported with versions prior to PowerProtect Data Manager 19.6.

You can manually move an asset into a protection policy and override automatic placement through protection rules. Manual assignment protects the asset through the specified policy but protection rules no longer apply to that asset. To apply protection rules again, remove the asset from the protection policy.

Creating virtual machine tags in the vSphere Client

Creating virtual machine tags in the vSphere Client is supported by PowerProtect Data Manager with vSphere versions 6.5 and later. Tags enable you to attach metadata to the virtual assets in the vSphere inventory, which makes assets easier to sort and search for when creating a protection policy.

Asset inclusion in a PowerProtect Data Manager protection policy is based on the filtering criteria that you specify when creating a protection rule.

When you create a tag in the vSphere Client, the tag must be assigned to a category in order to group related tags together. When defining a category, you can specify the object types to which the tags will be applied and whether more than one tag in the category can be applied to an object. Within a single rule, you can apply up to 50 rule definitions to tags and categories, as shown in the following example where Category is the category name and Bronze is the tag name:

Category:Category1,Tag:Bronze1

Category:Category2,Tag:Bronze2

Category:Category3,Tag:Bronze3

...

Category:Category50,Tag:Bronze50

In the above example, category names and tag names that exceed 9 or 7 characters respectively reduce the limit for rule definitions in a single rule to less than 50. When rule definitions exceed the maximum limit, no virtual machines are backed up as part of the group, because no members are associated with the group. As a best practice, keep the number of rule definitions within a single rule to 10 or fewer and, in cases where there are a large number of rule definitions within a single rule, keep the number of characters in category or tag names to 10 or fewer.

To view existing tags for vCenter in the vSphere Client, select Menu > Tags & Custom Attributes, and then select the Tags tab. Click a tag link in the table to view the objects associated with this particular tag.

For PowerProtect Data Manager to include tagged assets in a protection rule based on the tags created for vCenter, you must assign at least one tag to at least one virtual machine. Note that tags associated with containers of virtual machines (for example, a virtual machine folder) are not currently supported for tag associations to assets.

NOTE: Once virtual machines are associated with tags, the association is not reflected in the PowerProtect Data Manager user interface until the timeout period has completed. The default timeout to fetch the latest inventory from the vCenter server is 15 minutes. When adding a protection rule and using tags as the asset filter, you must select VM Tags.


Add a protection rule

Select a protection policy and then define one or more conditions. Where applicable, create compound rules by linking multiple conditions through logical operators.

About this task

Compound rules enable you to combine multiple selection criteria through AND and OR operators for higher precision. For example, assets in a particular data center with particular tags. Compound rules must have at least one condition.

The Add Protection Rule wizard displays compound rules in containers. Grouping rules in the same container represents a logical AND of those rules. Placing rules in separate containers represents a logical OR of those rules. For example, the compound rule (A AND B) OR (C) corresponds to one container with rules A and B, and another container with rule C.

The wizard validates fields as you type. As you define the protection rule, the wizard also displays a count of assets which match the entire protection rule, next to View Filtered Assets.
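The container semantics above, (A AND B) OR (C), evaluated over a small inventory to list which assets a compound rule selects and which fall outside it. This is an added Python example, not PowerProtect Data Manager code; the inventory, the "name" key, and the reading of the In criterion as "has any of the listed tags" are assumptions.

```python
# Matching criteria named in this guide. "In" is assumed here to mean
# "the asset has at least one of the listed tags".
CRITERIA = {
    "Equals": lambda actual, value: actual == value,
    "Begins with": lambda actual, value: actual.startswith(value),
    "Contains": lambda actual, value: value in actual,
    "In": lambda actual, value: bool(set(actual) & set(value)),
}


def validate(containers):
    """Reject empty rules: all() over an empty container would match every asset."""
    if not containers or any(not container for container in containers):
        raise ValueError("every container in a compound rule needs at least one condition")


def rule_matches(containers, asset):
    """AND the conditions inside each container, OR across containers."""
    validate(containers)
    return any(
        all(CRITERIA[criterion](asset[attribute], value)
            for attribute, criterion, value in container)
        for container in containers
    )


def filtered_assets(containers, inventory):
    """Names of the assets the compound rule selects."""
    return [a["name"] for a in inventory if rule_matches(containers, a)]


def unmatched_assets(containers, inventory):
    """Names of the assets the rule leaves out, for review as a protection gap."""
    return [a["name"] for a in inventory if not rule_matches(containers, a)]


# (Datacenter Name begins with "DC-East" AND VM Tags in {Bronze1})
#   OR (VM Folder Name contains "finance")
RULE = [
    [("Datacenter Name", "Begins with", "DC-East"), ("VM Tags", "In", ["Bronze1"])],
    [("VM Folder Name", "Contains", "finance")],
]

# Constructed inventory for illustration.
INVENTORY = [
    {"name": "fin-db01", "Datacenter Name": "DC-East-1",
     "VM Tags": ["Bronze1"], "VM Folder Name": "prod/finance"},
    {"name": "web01", "Datacenter Name": "DC-East-1",
     "VM Tags": [], "VM Folder Name": "prod/web"},
    {"name": "fin-app02", "Datacenter Name": "DC-West-1",
     "VM Tags": ["Bronze1"], "VM Folder Name": "prod/finance"},
    {"name": "test01", "Datacenter Name": "DC-West-1",
     "VM Tags": ["Bronze2"], "VM Folder Name": "test"},
]

if __name__ == "__main__":
    print("selected:", filtered_assets(RULE, INVENTORY))
    print("not selected:", unmatched_assets(RULE, INVENTORY))
```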

Steps

1. From the PowerProtect Data Manager UI, select Protection > Protection Rules. The Protection Rules window appears.

2. Click the tab to select the type of host for which you would like to add the protection rule, and then click Add. For example, Virtual Machines. The Add Protection Rule window opens to the Select Protection Policy page.

3. Select the target protection policy for the protection rule and then click Next. The Add Rule Description page appears.

4. Define the purpose of the protection rule:

a. Name. For example, Rules Prod Finance. The name must be unique.

b. Description. For example, Finance department production servers.

c. Click Next.

The Add Conditions page appears.

5. Define the protection rule:

a. Select an attribute. The available attributes depend on the selected host type and include names (such as Datacenter Name or Host Name), characteristics (such as asset size), and tags (VM tags or namespace labels). The Power State attribute enables filtering of virtual machine hosts based on the state of the host (such as Power On, Power Off, or Suspended).

NOTE: If using the Host Name for the protection rule to determine which assets get included, ensure that you do not specify a host in a cluster. If you specify a host in a cluster, PowerProtect Data Manager will not protect the virtual machine assets under this host because although these assets are currently running within this host, they are not owned by the host and can be switched to another host under the same cluster at any time.

b. Select a matching criteria. The available matching criteria depend on the selected attribute:

For names, matching criteria include options such as Begins with, Ends with, Contains, Does not contain, Equals, Match Regular Expression, and Does Not Match Regular Expression.

The VM Folder Name and VM Resource Pool attributes support protection for all VM assets and resource pools in the selected folder and its subfolders.

For characteristics, matching criteria include options such as Greater than or Less than.

For tags, matching criteria include options such as Includes, Does not include, In, or Not in. The In and Not in criteria support multiple tags.

For Power State, matching criteria include options such as Equals and Does Not Equal.

Where the available matching criteria includes regular expressions, click for a list of supported operators and effects in a separate dialog box.

NOTE: Regular expressions for the VM Folder Name and VM Resource Pool attributes use Google RE2J syntax. The operators and effects on the Optional tab of the dialog box are unavailable for these attributes. However, the operators and effects on the Unsupported tab are available, as are the standard regular expression predefined character classes. For example, \d for a digit.

Regular expressions for all other attributes use ElasticSearch regex syntax. These expressions do not support predefined character classes.

Because predefined character classes are valid for some attributes, the UI does not mark these classes as invalid syntax. This is true even for attributes where such classes are not supported.

c. Depending on the selected attribute, supply a search phrase to compare against the attribute or select an option from the list. The wizard displays a count of matching assets beside the rule and enables new Add Rule options for compound rules.

For example, a rule with the filters VM Folder Name, Contains, and Finance can match assets belonging to your finance department to the selected protection policy.

6. To define a compound rule:

The wizard only enables some Add Rule options after the successful validation of other rules in the same container. For example, rules cannot be empty.

a. Select a logical operation, and then click the corresponding Add Rule option. If you select + (AND), the new rule appears in the same container. If you select Add Rule - OR, the new rule appears in a separate container.

b. Repeat the previous step to define the new protection rule.

c. To remove a rule from a compound rule, click for that rule.

NOTE: The wizard disables for any rules whose deletion would result in an empty container. To remove these rules, remove the entire container.

The wizard removes the selected rule and any associated Add Rule options.

d. To remove an entire container and any rules within it, click for that container. The wizard also removes any associated Add Rule options.

e. To remove all rules, click Reset Rules.

The wizard displays a count of matching assets beside each rule and, for each container, a count of matching assets for all rules in the container.

NOTE: The counts displayed by the Protection > Protection Rules > Add Protection Rules > Add Conditions and Protection > Protection Rules > Add Protection Rules > Add Conditions > Filtered Assets panes only count the number of assets in the filtered folders and resource pools. The counts do not include assets in subfolders or sub-resource pools. Despite the displayed count, all assets in subfolders and sub-resource pools are also protected. For existing protection rules, accurate asset counts are displayed in the Protection > Protection Rules and Protection > Protection Policies panes.

7. To see a list of unprotected assets which match the protection rule, click View Matching Assets. The Matching Assets window opens and displays the details of each matching asset. Verify that the list includes all expected assets, and then click Done.

8. If the protection rule and list of matching assets do not meet expectations, adjust the rules accordingly. Alternatively, reset the rules and then build the protection rule again.

9. If the protection rule and list of matching assets meet expectations, click Next. The Summary page appears.

10. Review the protection rule details and then click Finish.

Results

The new protection rule automatically protects any matching assets.

Manually run a protection rule

PowerProtect Data Manager automatically runs protection rules when new assets are detected or when existing assets are modified. You can also run protection rules manually.

Prerequisites

NOTE: For SQL, Oracle, SAP HANA, and file system asset types, the protection rule runs only on scheduled discovery in PowerProtect Data Manager. Ensure that you schedule discovery for these asset types.


Steps

1. From the PowerProtect Data Manager UI, select Protection > Protection Rules.

The Protection Rules window appears.

2. Select the required protection rules, and then click Run.

PowerProtect Data Manager runs all of the selected protection rules for the current asset type.

Schedule asset discovery

To schedule discovery in the PowerProtect Data Manager UI, complete the following steps:

Steps

1. Select Infrastructure > Asset Sources.

2. Select the App/File System Host tab.

3. Select the application host, and then click Discover.

4. From the Discovery Schedule list, select the time of day to initiate the discovery.

Edit or delete a protection rule

You can change the name, description, the rule filters, and the associated protection policy.

Steps

1. Select Protection > Protection Rules.

The Protection Rules window appears.

2. To edit a protection rule, select the rule and then click Edit.

The Edit Protection Rule window appears.

a. Select a protection policy, and then click Next.

b. Modify the name, description, or filter rules, and then click Next.

Add a protection rule provides more information about working with rules.

c. Review the protection rule summary, and then click Finish.

3. To delete a protection rule, select the rule and then click Delete.

PowerProtect Data Manager removes from protection policies any assets that were added because of this protection rule. PowerProtect Data Manager adds those assets again if you do not update related protection rules.

View assets applied to a protection rule

You can view the assets that are applied to a protection rule from the Protection Rules window. If the modification of a protection rule results in assets moving from one policy to another, the Protection Rules window enables you to verify the results.

About this task

To view assets that are applied to a protection rule, complete the following steps.

Steps

1. From the left navigation pane, select Protection > Protection Rules.

The Protection Rules window appears.

2. Click the link in the Assigned Assets Count column for the protection rule.

The Assets List window appears and displays the matched assets.

3. To export asset records for the protection rule, in the Assets List window, click Export All.


Change the priority of an existing protection rule

When multiple protection rules exist, you can define the priority of each rule. Priority determines which rule applies to an asset when that asset matches multiple rules and those rules have conflicting actions.

About this task

For example, if an asset matches several protection rules and each rule specifies a different protection policy, then the rule with the highest priority determines the policy assignment.

Protection rule priorities are integers. Smaller integers represent a higher priority.

Steps

1. Select Protection > Protection Rules.

The Protection Rules window appears.

2. To change a protection rule's priority, select the rule and then click Up or Down.

Remember that the smaller integer has the higher priority.
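The container logic (AND inside a container, OR across containers), the priority ordering described above, and the regular-expression note in the Add a protection rule procedure can be checked offline against an inventory export to find virtual machines that no rule protects. The following Python code is an added example, not Dell code and not a PowerProtect Data Manager API; the inventory, rule names, policy names, the `name` key, the meaning given to the `In` tag criterion, and the use of Python's `re` in place of the product's regex engines are assumptions.

```python
import re
from dataclasses import dataclass

# Per the guide, only these attributes use RE2J syntax (predefined classes such
# as \d are allowed); every other attribute uses ElasticSearch regex syntax.
RE2J_ATTRIBUTES = {"VM Folder Name", "VM Resource Pool"}
REGEX_CRITERIA = {"Match Regular Expression", "Does Not Match Regular Expression"}
# An unescaped backslash followed by d, w or s (either case).
PREDEFINED_CLASS = re.compile(r"(?<!\\)(?:\\\\)*\\([dDwWsS])")


@dataclass
class Condition:
    attribute: str
    criterion: str
    value: object


@dataclass
class Rule:
    name: str
    priority: int      # smaller integer = higher priority
    policy: str
    containers: list   # OR across containers, AND inside each container


def lint_regex(cond):
    """List predefined classes that the UI accepts but this attribute's syntax does not support."""
    if cond.criterion not in REGEX_CRITERIA or cond.attribute in RE2J_ATTRIBUTES:
        return []
    return ["\\" + m.group(1) for m in PREDEFINED_CLASS.finditer(cond.value)]


def condition_matches(cond, vm):
    actual = vm.get(cond.attribute)
    if actual is None:
        return False
    if cond.criterion == "Equals":
        return actual == cond.value
    if cond.criterion == "Contains":
        return cond.value in actual
    if cond.criterion == "Begins with":
        return actual.startswith(cond.value)
    if cond.criterion == "In":
        # Assumed semantics: the VM carries at least one of the listed tags.
        return bool(set(cond.value) & set(actual))
    if cond.criterion in REGEX_CRITERIA:
        # Assumption: Python's re stands in for the product engines, whole-value match.
        hit = re.fullmatch(cond.value, actual) is not None
        return hit if cond.criterion == "Match Regular Expression" else not hit
    raise ValueError(f"criterion not modelled: {cond.criterion}")


def rule_matches(rule, vm):
    return any(all(condition_matches(c, vm) for c in box) for box in rule.containers)


def audit(rules, inventory):
    """Return (policy per VM, unprotected VM names, regex findings per rule)."""
    findings = {}
    for rule in rules:
        bad = [cls for box in rule.containers for c in box for cls in lint_regex(c)]
        if bad:
            findings[rule.name] = bad
    # Rules with findings are left out, so a pattern that will not behave as
    # written cannot hide a coverage gap.
    usable = sorted((r for r in rules if r.name not in findings), key=lambda r: r.priority)
    assigned, unprotected = {}, []
    for vm in inventory:
        winner = next((r for r in usable if rule_matches(r, vm)), None)
        if winner is None:
            unprotected.append(vm["name"])
        else:
            assigned[vm["name"]] = winner.policy
    return assigned, unprotected, findings


# Constructed inventory and rules; every name, tag and policy is illustrative.
INVENTORY = [
    {"name": "fin-db01", "Datacenter Name": "DC-East", "VM Folder Name": "Finance/Prod", "VM Tags": ["gold"]},
    {"name": "fin-web02", "Datacenter Name": "DC-East", "VM Folder Name": "Finance/Test", "VM Tags": []},
    {"name": "hr-app01", "Datacenter Name": "DC-West", "VM Folder Name": "HR", "VM Tags": ["gold"]},
    {"name": "lab-tmp9", "Datacenter Name": "DC-West", "VM Folder Name": "Lab", "VM Tags": []},
]
RULES = [
    # (A AND B) OR (C): gold-tagged VMs in DC-East, or anything in the HR folder.
    Rule("Rules Gold", 1, "Gold-Daily", [
        [Condition("Datacenter Name", "Equals", "DC-East"), Condition("VM Tags", "In", ["gold"])],
        [Condition("VM Folder Name", "Equals", "HR")],
    ]),
    Rule("Rules Prod Finance", 2, "Finance-Weekly", [
        [Condition("VM Folder Name", "Contains", "Finance")],
    ]),
    # The UI accepts \d here, but Datacenter Name is not an RE2J attribute.
    Rule("Rules West", 3, "West-Monthly", [
        [Condition("Datacenter Name", "Match Regular Expression", r"DC-West\d*")],
    ]),
]

if __name__ == "__main__":
    print(audit(RULES, INVENTORY))
```

In this constructed data, fin-db01 matches two rules and takes the policy of the rule with priority 1, while lab-tmp9 ends up unprotected because the only rule that could cover it relies on `\d` for an attribute that does not support it.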

Configure protection rule behavior

You can use the REST API to configure what happens when a protection rule changes.

The PowerProtect Data Manager Public REST API documentation provides instructions.

NOTE: If you update from a previous release of PowerProtect Data Manager, the configured behavior for protection rules changes still applies to the current release. For example, in PowerProtect Data Manager 19.4, if you did not configure protection rules through application.properties to move assets across policies, then you cannot change the behavior with this method in PowerProtect Data Manager 19.5 or later.

However, if you updated the configuration file to enable protection rules to move assets across policies, then this behavior continues to apply after the update.


Restoring Virtual Machine Data and Assets

Topics:

Prerequisites to restore a virtual machine

Self-service restores

View backup copies available for restore

Restoring a virtual machine or VMDK

Restoring a virtual machine backup with the storage policy association

Image-level restores

Instant Access virtual machine restore

File-level restores

Restore an application-aware virtual machine backup

Prerequisites to restore a virtual machine

Review the following requirements before you restore a virtual machine in PowerProtect Data Manager:

Only the Administrator and the Restore Administrator roles can restore data.

Ensure that you have added protection storage and the vCenter server, and that the protection of virtual machine copies has completed successfully. To check, select Infrastructure > Assets and Infrastructure > Asset Sources.

Ensure that protection of the virtual machines completed successfully. If the virtual machines have been backed up by a protection policy, the assets appear in the Restore > Assets window.

Verify that no pre-existing snapshots exist on the virtual machine.

If performing a restore to the original virtual machine, a minimum vCenter version of 6.7 is required if you want to restore the virtual machine protection policy backup's storage-policy assignments.

If performing a restore to a new location, ensure that sufficient space is available on the target datastore.

Verify that the virtual machine copy that is selected for restore has not expired.

For restores of virtual machine protection policy backups using the Transparent Snapshot Data Mover (TSDM) protection mechanism, note the following:

For a Restore to Original Folder and Overwrite Original Files, the virtual machine must be currently protected by a policy that uses TSDM.

For a Create and Restore to New VM, the destination ESXi host where the new virtual machine will be created must have the vSphere Installation Bundle (VIB) installed and enabled.

Self-service restores

A PowerProtect Data Manager system or security administrator can enable users to perform self-service restores of their own assets without further administrator intervention.

Self-service restores require a scope of authority which includes the Restore Administrator role for the relevant user assets or asset sources. The PowerProtect Data Manager Security Configuration Guide contains important prerequisites for self-service restores, such as configuring scopes of authority, resource groups, and role assignments.

After an administrator performs the necessary configuration, the scope of authority grants the user access to the PowerProtect Data Manager UI. Access the PowerProtect Data Manager UI provides instructions for logging in. From the UI, users can follow any of the methods that are described in this chapter to restore their data from backups.

Example

A user named Lisa owns several virtual machines on a vCenter asset source named Prototypes. Lisa is not currently a PowerProtect Data Manager user or a vCenter administrator. To meet recovery objectives and reduce overhead, Lisa requests that her system administrators configure self-service restore.


To fulfill the request, a system administrator creates a resource group named LisaRG. This resource group contains Lisa's virtual machines from the Prototypes asset source plus any other necessary resources. The system administrator also creates a scope of authority which grants Lisa the Restore Administrator and User roles for the LisaRG resource group.

Now, Lisa can log in to the PowerProtect Data Manager UI with her own account and browse backups of her assets. After selecting a backup, Lisa can restore an image of any of her virtual machines, perform file-level restores, or perform an Instant Access restore. Lisa only sees assets which belong to her and cannot see or affect assets which belong to others.

View backup copies available for restore

When a protection policy is successfully backed up, PowerProtect Data Manager displays details such as the name of the storage system containing the asset backup, location, the creation and expiry date, and the size. To view a backup summary:

Steps

1. From the PowerProtect Data Manager UI, select Infrastructure > Assets or Restore > Assets.

2. Select the tab that corresponds to the type of assets that you want to view. For example, for vCenter virtual machine assets, click Virtual Machine.

Assets that are associated with protection copies of this type are listed. By default, only assets with Available or Not Detected status display. You can also search for assets by name.

For virtual machines, you can also click the File Search button to search on specific criteria.

NOTE: In the Restore > Assets window, only tabs for asset types supported for recovery within PowerProtect Data Manager display. Supported asset types include the following:

Virtual Machines

File System

Storage Group

Kubernetes

3. To view more details, select an asset and click View copies.

The copy map consists of the root node and its child nodes. The root node in the left pane represents an asset, and information about copy locations appears in the right pane. The child nodes represent storage systems.

When you click a child node, the right pane displays the following information:

Storage system where the copy is stored.

The number of copies.

Details of each copy, including the time that each copy was created, the consistency level, the size of the copy, the backup type, the copy status, and the retention time.

The indexing status of each copy at the time of copy creation:

Success indicates that all files or disks are successfully indexed.

Partial Success indicates that only some disks or files are indexed and might return partial results on file search.

Failed indicates that all files or disks are not indexed.

In Progress indicates that the indexing job is in progress.

If indexing has not been configured for a backup copy, or if global expiration has been configured and indexed disks or files have been deleted before the backup copy expiration date, the File Indexing column displays N/A.

The indexing status updates periodically which enables you to view the latest status.

For virtual machine backups, a Disk Excluded column enables you to view any virtual disks (VMDKs) that were excluded from the backup.


Restoring a virtual machine or VMDK

After virtual assets are backed up as part of a virtual machine protection policy in the PowerProtect Data Manager UI, you can perform image-level and file-level recoveries from individual or multiple virtual machine backups, and also restore individual virtual machine disks (VMDKs) to their original location.

PowerProtect Data Manager supports multiple data movers for restoring virtual machines, depending on the restore type and the vSphere capabilities. Restores are performed using one of the following data movers:

Transparent Snapshot Data Mover: Starting in PowerProtect Data Manager version 19.9, Transparent Snapshot Data Mover (TSDM) is the default protection mechanism that is used for crash-consistent virtual machine policies when vCenter and ESXi version 7.0 U3c or later is deployed in the environment. Review the section Prerequisites to restore a virtual machine for specific restore type requirements for TSDM.

VADP: VMware vStorage API for Data Protection (VADP) is the protection mechanism that is used for application aware virtual machine policies and crash-consistent policies that do not meet the TSDM software requirements. VADP is the only protection mechanism available in PowerProtect Data Manager versions 19.8 and earlier.

Storage vMotion from protection storage to primary storage.

All types of recoveries are performed from the Restore > Assets window. Recovery options include the following:

Restore to Original VM: Restore the virtual machine to its original location on the vCenter server, along with (optionally) the virtual machine configuration that existed at the time of the backup.

Restore Individual Virtual Disks: Restore select virtual disks to their original location on the vCenter server.

Create and Restore to New VM: Create a new virtual machine using a copy of the original virtual machine backup, and restore this backup to the new virtual machine.

Instant Access VM: Instant access to the virtual machine backup for browse and restore.

File Level Restore: Restore individual files/folders to the original or a new virtual machine.

Direct Restore to ESXi: Recover the virtual machine directly to an ESXi host without a vCenter server.

The Restore button, which launches the Restore wizard, is disabled until you select one or more virtual assets in the Restore > Assets window. Selecting multiple assets disables the View Copies button, since this functionality is available within the first page of the Restore wizard.

To access the Restore and Overwrite Original VM, Create and Restore to New VM, and Instant Access VM recovery types, or the Restore Individual Virtual Disks option, select one or more virtual assets and then click Restore to launch the Restore wizard.

To access the File Level Restore and Direct Restore to ESXi recovery options, select a virtual asset and then click View Copies.

In both instances, you must select a backup copy in the first page of the Restore wizard before you can go to the Options page, which displays the available recovery options.

NOTE: For all options, recovery in the PowerProtect Data Manager UI can only be performed if the backup or replica is on a DD system. If a replica backup does not exist on such storage, you must manually replicate this backup to DD storage before performing the restore.

The following sections describe each recovery option and provide instructions to perform the recovery.

NOTE: Full SQL-database and transaction-log restores of a virtual machine from application-aware virtual machine protection policies must be performed using Microsoft application agent tools. The section Restore an application-aware virtual machine backup provides more information.

Restoring a virtual machine backup with the storage policy association

vSphere storage-based policies are used to communicate to the storage system details about how the virtual machine and its contents should be stored. At the time of backup, the existing policy assignments for the virtual machine will be stored in the backup copy.

During a restore to the original virtual machine in the PowerProtect Data Manager UI or the vSphere Client, you can select the Restore Storage Policies option if you want to restore any virtual machine disk-level or non-disk specific storage policy assignments.


This option is only applicable to virtual machine backup copies taken with PowerProtect Data Manager 19.6 and later. If you select this option but the virtual machine backup copy was created with PowerProtect Data Manager version 19.5 and earlier, or the storage policy has been deleted from the vCenter Server, the virtual machine restore will proceed but any storage policy association will not be restored.

NOTE: Enabling this option requires vCenter version 6.7 and later.

Image-level restores

The following topics provide instructions to perform restore operations at the virtual machine image level.

Restore to the original virtual machine

A Restore to Original VM recovers a virtual machine backup to its original location on the vCenter server. This operation rolls back virtual machines that you backed up with the protection policy in PowerProtect Data Manager to an earlier point in time. Use this process for restoring the production system.

Prerequisites

Review Prerequisites to virtual machine restore before performing the restore.

About this task

NOTE: If the original virtual machine was deleted, a Restore to Original Folder and Overwrite Original Files recovery attempts to re-create the virtual machine. However, if the original virtual machine resources such as the datastore and cluster are no longer available, the restore fails and a Restore to New is required.

Steps

1. From the PowerProtect Data Manager UI, select Restore > Assets, and then select the Virtual Machine tab.

The Restore window displays all virtual machines available for restore.

2. Select the check box next to the appropriate virtual machines and click Restore.

Use the filter in the Name column to search for the asset name of the specific virtual machine, or use the File Search button to search on specific criteria for files within backed-up virtual machines.

The Restore wizard appears.

3. On the Select Copy page, for each virtual machine that is listed in the table, select the radio button next to the virtual machine and click Choose Copy. The Choose Copy dialog box appears.

NOTE: If you click Next without choosing a copy, the most recent backup copy is used.

4. If the backup is on a DD system, click DD, and then select from one of the available copies that display in the table.

5. Click OK to save the selection and exit the dialog, and then click Next.

6. On the Purpose page, select Restore Entire VMs to restore the image-level virtual machine backup, and then click Next.

NOTE: If you specified any disk exclusions in the virtual machine protection policy, a message appears indicating that disks were excluded from this backup. If one of the excluded disks was a boot disk, the restore might not complete successfully.

7. On the Restore Type page, select Restore to Original VM, and then click Next.

NOTE: If the system determines that the original virtual machine datastores may be insufficient to complete the restore, a warning is displayed. In this case, create more space in the original datastores, and then select Proceed Anyways.

If the virtual machine disk configuration has changed since the original backup, the Disk Configuration page appears. Otherwise, the Options page appears.

8. On the Disk Configuration page, review the current configuration of the virtual machine along with any disks that have been added since the last backup:

a. For any hard disks in the current virtual machine configuration that were not part of the backup copy, select Delete disks that will be detached to remove these disks after restore, or clear the check box to keep these disks in their original folders on the virtual machine after the restore. These disks will not be in the virtual machine configuration, but after the restore you can use the vSphere Client to manually reattach or download these disks as appropriate.

b. Click Next.

9. On the Options page:

a. Select Restore VM Tags to restore the vCenter tags and categories that are associated with this backup copy. Tags are backed up by default as part of the virtual machine protection policy backup.

NOTE: You can only select this option when restoring entire virtual machines. Selecting this option replaces any existing tags and categories on the assets in the restore location with tags and categories from the assets in the restored copy. Tags and categories being restored that do not exist on the vCenter server at the time of the restore, or have been deleted, are re-created as part of the restore, along with the tag description and the cardinality settings that determine the relationship of tags within a category. If tags and categories on the vCenter server have been renamed since the last backup, the renamed tags and categories will not be overwritten after restore. For example, if a tag ID is the same but the tag name has been changed since the backup, a new tag is created based on the tag name in the backup copy being restored.

After a successful restore, the replaced tags and categories are not deleted in the vSphere Client, and can be viewed in the Tags & Custom Attributes window, or the Tags pane of the Summary window when the virtual machine is selected.

b. Select Restore Storage Policies if you also want to restore any virtual machine disk-level or non-disk specific storage policy assignments.

If you select this option but the backup copy was taken with PowerProtect Data Manager 19.5 and earlier, or the storage policy is not available, the virtual machine restore proceeds but any storage policy association is not restored.

NOTE: Enabling this option requires vCenter version 6.7 or later.

c. For low-bandwidth environments, select Enable DDBoost Compression.

This option reduces network usage by compressing data on the protection storage system before transfer to the VM Direct Engine, which decompresses the data. Compression reduces restore times but increases CPU usage on both systems.

d. Select Restore VM Configuration if the disk configuration has changed since the original virtual machine backup to restore the configuration that existed at the time of this backup. If there were changes to the VM disk configuration, you cannot clear this option.

e. For Select a Protection Engine, move the slider to the right if you want to override the automatic protection engine selection, and then select another VM Direct Engine to use for the restore. When the restore job is started, the name of the protection engine used for the restore displays in the Jobs window Details pane.

10. The Networks page displays the network interface controllers and associated networks the virtual machine had used when it was backed up. Click Next after reviewing this information and optionally performing one or both of the following actions.

NOTE: If a network used by an adapter is no longer accessible to the current virtual machine, a warning is displayed, and a different network should be selected for that adapter.

a. To select a different network, click the associated drop-down control in the Network column, and then select an entry from the list.

b. To change the initial power-on connection status of a network interface controller, select or clear the associated check box in the Connect at Power On column.

11. Click Next. The Summary page appears with a confirmation message indicating that the virtual machine will be powered off and that the virtual machine in the datastore will revert to the point in time of the selected backup copy before being powered back on.

12. On the Summary page, click Restore. An informational dialog box appears indicating that the restore has started.

13. Go to the Jobs window to monitor the restore. A restore job appears with a progress bar and start time.

NOTE: A full backup typically occurs automatically after a restore to the original virtual machine is completed.


Restore individual virtual disks

A Restore Individual Virtual Disks recovers individual virtual disks (VMDKs) to their original location on the vCenter server, rolling the VMDKs that you backed up with the protection policy in PowerProtect Data Manager to an earlier point in time.

Prerequisites

Review Prerequisites to virtual machine restore before you perform the following procedure.

About this task

NOTE: When you restore individual VMDKs, only the selected disks are restored. The virtual machine configuration does not change.

Steps

1. From the PowerProtect Data Manager UI, select Restore > Assets, and then select the Virtual Machine tab.

The Restore window displays all virtual machines available for restore.

2. Select the check box next to the appropriate virtual machines and click Restore.

You can also use the filter in the Name column to search for the name of the specific virtual machine or click the File Search button to search on specific criteria.

The Restore wizard appears.

3. On the Select Copy page, for each virtual machine that is listed in the table, select the radio button next to the virtual machine and click Choose Copy. The Choose Copy dialog box appears.

NOTE: If you click Next without choosing a copy, the most recent backup copy is used.

4. If the backup is on a DD system, click DD, and then select from one of the available copies that display in the table.

5. Click OK to save the selection and exit the dialog, and then click Next.

6. On the Purpose page, select Restore Individual Virtual Disks, and then click Next.

7. On the Select Disks page, from the Backup Properties pane, select the VMDKs that you want to restore, and then click Next. Note that individual VMDKs can only be restored to the original location.

8. On the Options page:

a. For low-bandwidth environments, select Enable DDBoost Compression.

This option reduces network usage by compressing data on the protection storage system before transfer to the VM Direct Engine, which decompresses the data. Compression reduces restore times but increases CPU usage on both systems.

b. For Select a Protection Engine, move the slider to the right if you want to override the automatic protection engine selection, and then select another VM Direct Engine to use for the restore. When the restore job is started, the name of the protection engine used for the restore displays in the Jobs window Details pane.

c. Click Next.

The Summary page appears with a confirmation message indicating that the selected disk(s) will be overwritten in the current configuration with the copy from the backup.

9. On the Summary page, click Restore. An informational dialog box appears indicating that the restore has started.

10. Go to the Jobs window to monitor the restore. A restore job appears with a progress bar and start time.

Restore to a new virtual machine

A Create and Restore to New VM enables you to create a new virtual machine using a copy of the original virtual machine backup. Other than having a new name or location and a new vSphere VM Instance UUID, this copy is an exact replica of the virtual machine that you backed up with the protection policy in PowerProtect Data Manager.

Prerequisites

Review Prerequisites to virtual machine restore before you perform this procedure.

Steps

1. From the PowerProtect Data Manager UI, select Restore > Assets, and then select the Virtual Machine tab.

The Restore window displays all virtual machines available for restore.

2. Select the check box next to the appropriate virtual machines and click Restore.

You can also use the filter in the Name column to search for the name of the specific virtual machine or click the File Search button to run file-level restore workflows on specific files within virtual machines.

The Restore wizard appears.

3. On the Select Copy page, for each virtual machine that is listed in the table, select the radio button next to the virtual machine and click Choose Copy. The Choose Copy dialog box appears.

NOTE: If you click Next without choosing a copy, the most recent backup copy is used.

4. If the backup is on a DD system, click DD, and then select from one of the available copies that display in the table.

5. Click OK to save the selection and exit the dialog, and then click Next.

6. On the Purpose page, select Restore Entire VMs to restore the image-level virtual machine backup, and then click Next.

NOTE: If you specified any disk exclusions in the virtual machine protection policy, a message appears indicating that disks were excluded from this backup. If one of the excluded disks was a boot disk, the restore might not complete successfully.

7. On the Restore Type page, select Create and Restore to New VM, and then click Next.

8. On the VM Information page:

a. From the vCenter list, select the vCenter server for the new virtual machine restore. This list displays any vCenter server that has been added from the Assets window.

When you select a vCenter server, available data centers appear.

b. Select the destination data center.

c. Click Next.

9. On the Restore Location page:

a. Select the location within this data center that you want to restore the virtual machine by expanding the hierarchical view. For example, select a specific cluster, and then select a host within the cluster.

b. Click Next.

If you selected an ESXi host within the cluster, the Datastore page displays.

If you selected a cluster but did not select a host, the ESX Host page displays.

10. On the ESX Host page, select a host that is connected with the cluster, and then click Next.

11. On the Datastore page, select the datastore where you want to restore the virtual machine disks.

NOTE: The Total Estimated Space Needed for Recovery is displayed and updated according to the specified disk provisioning type.

In the datastore list:

The free space in each datastore is displayed.

If a datastore is estimated to be smaller than required for recovery, it is displayed in red alongside an error icon.

Select Browse... to display the total capacity, provisioned capacity, and free capacity of all available datastore(s), and select a datastore.

a. If you are restoring multiple virtual machines, select the Datastore and Provisioning Type to use for all virtual machines.

b. If you are restoring one virtual machine:

To restore all disks to the same location, keep Configure Per Disk disabled, and select the datastore from the datastore list in the Storage column.

To restore disks to different locations, enable Configure Per Disk, and for each disk, select a datastore from the datastore list in the Storage column. Select how to provision the disk from the provisioning types in the Disk Format column.

NOTE: If you select a datastore whose estimated free space is smaller than required for recovery, a warning is displayed. In this case, you can select Proceed Anyways to continue, but it is recommended to create more space in the specified datastore(s) before doing so.

c. Click Next.

12. On the Options page:

a. If restoring a single virtual machine, specify the New VM name.

b. If restoring multiple virtual machines, select whether you want to use the original virtual machine names for the virtual machine restore, or rename the virtual machines by appending a suffix to the original name.

c. For Select Access Level, keep the slider set to Yes if you want to enable instant access for this restore.

When you select this option, the virtual machine is created and turned on while temporarily accessing the VMDKs from DD storage. Storage vMotion is initiated to the target datastore. The virtual machine becomes available for use when it is turned on.

d. (Optional) For the recovery options, select Power on the virtual machine when the restore completes and Reconnect the virtual machine's NIC when the restore completes. Power on the virtual machine when the restore completes is selected by default when instant access is enabled.

e. Select Restore VM Tags to restore vCenter tags and categories associated with this backup copy. Tags are backed up by default as part of the virtual machine protection policy backup.

NOTE: You can only select this option when restoring entire virtual machines. Any existing tags and categories on the assets in the restore location will be replaced with the tags and categories from the assets in the restored copy. If the tags and categories being restored do not exist on the vCenter server at the time of the restore, or have been deleted, they will be re-created as part of the restore, along with the tag description and the cardinality settings that determine the relationship of tags within a category. If tags and categories on the vCenter server have been renamed since the last backup, the renamed tags and categories will not be overwritten after restore. For example, if a tag's ID is the same but the tag's name has been changed since the backup, a new tag is created based on the tag name in the backup copy being restored.

After a successful restore, the replaced tags and categories can be viewed in the vSphere Client Tags & Custom Attributes window, or the Tags pane of the Summary window when the virtual machine is selected.

f. Select Restore Storage Policies if you also want to restore any virtual machine disk-level or non-disk specific storage policy assignments.

If you select this option but the backup copy was taken with PowerProtect Data Manager 19.5 and earlier, or the storage policy is not available, the virtual machine restore proceeds but any storage policy association is not restored.

NOTE: Enabling this option requires vCenter version 6.7 or later.

g. For low-bandwidth environments, select Enable DDBoost Compression.

This option reduces network usage by compressing data on the protection storage system before transfer to the VM Direct Engine, which decompresses the data. Compression reduces restore times but increases CPU usage on both systems.

h. For Select a Protection Engine, move the slider to the right if you want to override the automatic protection engine selection, and then select another VM Direct Engine to use for the restore. When the restore job is started, the name of the protection engine used for the restore displays in the Jobs window Details pane.

i. Click Next.

13. The Networks page appears if the virtual machine was backed up using PowerProtect Data Manager 19.9 or later. It displays the network adaptors and associated networks the virtual machine had used when it was backed up. Click Next after reviewing this information and optionally performing one or both of the following actions.

NOTE: If a network used by an adapter is no longer accessible to the new virtual machine, a warning is displayed, and a different network should be selected for that adapter.

a. To select a different network, click the associated drop-down control in the Network column, and then select an entry from the list.

b. To change the initial power-on connection status of a network adapter, select or clear the associated check box in the Connect at Power On column.

c. Click Next.

14. On the Summary page, verify that the information you specified in the previous steps is correct, and then click Restore.

15. Go to the Jobs window to monitor the restore.

A restore job appears with a progress bar and start time. You can also click next to the job to verify what steps have been performed, for example, when the instant access session has been created.

Direct restore to ESXi

If the virtual machine you protected with PowerProtect Data Manager was a vCenter virtual machine, but the virtual machine and vCenter server are now lost or no longer available, direct restore to ESXi enables you to recover the virtual machine directly to an ESXi host without a vCenter server.

Prerequisites

Direct Restore to ESXi requires either the embedded VM Direct Engine with PowerProtect Data Manager, or an external VM Direct appliance that is added and registered to PowerProtect Data Manager.

Additionally, ensure that you disconnect the ESXi host from the vCenter server.

Steps

1. From the PowerProtect Data Manager UI, select Restore > Assets, and then select the Virtual Machine tab.

The Restore window displays all of the virtual machines available for restore.

2. Select the check box next to the desired virtual machine and click View Copies.

NOTE: If you cannot locate the virtual machine, you can also use the filter in the Name column to search for the name of the specific virtual machine or click the File Search button to search on specific criteria.

The Restore > Assets window provides a map view in the left pane and copy details in the right pane.

When a virtual machine is selected in the map view, the virtual machine name displays in the right pane with the copy locations underneath. When you select a specific location in the left pane to view the copies, for example, on a DD system, the copies on that system display in the right pane.

3. If the backup is on a DD system, click DD, and then select from one of the available copies that display in the table.

4. In the right pane, select the check box next to the virtual machine backup you want to restore, and then click Direct Restore to ESXi. The Direct Restore to ESXi wizard appears.

5. On the Options page:

a. (Optional) Select Reconnect the virtual machine's NIC when the restore completes, if desired. This option is selected by default.

b. For low-bandwidth environments, select Enable DDBoost Compression.

This option reduces network usage by compressing data on the protection storage system before transfer to the VM Direct Engine, which decompresses the data. Compression reduces restore times but increases CPU usage on both systems.

c. Click Next.

6. On the ESX Host Credentials page:

a. In the ESX Host field, type the IP of the ESXi server where you want to restore the virtual machine backup.

b. Specify the root Username and Password for the ESXi Server.

c. Click Next.

7. On the Datastore page, select the datastore where you want to restore the virtual machine disks, and then click Next.

To restore all of the disks to the same location, keep the Configure per disk slider to the left, and then select the datastore from the Storage list.

To restore disks to different locations, move the Configure per disk slider to the right, and then:

a. For each available disk that you want to recover, select a datastore from the Storage list.

b. Select the type of provisioning you want to apply to the disk from the Disk Format list.

8. On the Summary page:

a. Review the information to ensure that the details are correct.

b. Click Restore.

9. Go to the Jobs window to monitor the restore. A restore job appears with a progress bar and start time.

Instant Access virtual machine restore

An Instant Access VM restore enables you to create a new virtual machine directly from the original virtual machine backup on protection storage for the purposes of instant backup validation and recovery of individual files. The instant access virtual machine is initially available for 7 days. This process does not copy or move any data from protection storage to the production datastore. An instant access virtual machine restore also provides the option to move the virtual machine to a production datastore when you want to retain access to the virtual machine for a longer time.

Prerequisites

If your environment has multiple isolated virtual networks, create a dedicated VMkernel port on the data network for the destination ESXi host. Create a VMkernel port for a standard vSwitch configuration and Create a VMkernel port for a distributed vSwitch configuration provide instructions. The PowerProtect Data Manager Administration and User Guide provides more information about virtual networks.

Steps

1. From the PowerProtect Data Manager UI, select Restore > Assets, and then select the Virtual Machine tab.

The Restore window displays all virtual machines available for restore.

2. Select the check box next to the appropriate virtual machines and click Restore.

You can also use the filter in the Name column to search for the name of the specific virtual machine, or click the File Search button to search on specific criteria.

The Restore wizard appears.

3. On the Select Copy page, for each virtual machine that is listed in the table, select the radio button next to the virtual machine and click Choose Copy. The Choose Copy dialog box appears.

NOTE: If you click Next without choosing a copy, the most recent backup copy is used.

4. If the backup is on a DD system, click DD, and then select from one of the available copies that display in the table.

5. Click OK to save the selection and exit the dialog, and then click Next.

6. On the Purpose page: Select Restore Entire VMs to restore the image-level virtual machine backup, and then click Next.

NOTE: If you specified any disk exclusions in the virtual machine protection policy, a message appears indicating that disks were excluded from this backup. If one of the excluded disks was a boot disk, the restore might not complete successfully.

7. On the Restore Type page, select Instant Access VM, and then click Next.

8. On the VM Information page:

a. From the vCenter list, select the vCenter server for the instant access virtual machine restore. You can select the vCenter server of the original virtual machine backup, or another vCenter server. This list displays any vCenter server that has been added from the Assets window.

When you select a vCenter server, available data centers appear.

b. Select the destination data center.

c. Click Next.

9. On the Restore Location page, select the location within this data center that you want to restore the virtual machine by expanding the hierarchical view. For example, select a specific cluster, and then select a host within the cluster.

If you selected an ESXi host within the cluster, the Networks or Options page displays.

If you selected a cluster but did not select a host, the ESX Host page displays.

10. On the ESX Host page, select a host that is connected with the cluster, and then click Next.

11. On the Options page:

a. If restoring a single virtual machine, specify the Instant Access VM name.

b. If restoring multiple virtual machines, select whether you want to use the original virtual machine names for the instant access virtual machine restore, or rename the instant access virtual machines by appending a suffix to the original name.

c. Optionally, select Power on the virtual machine when the restore completes and Reconnect the virtual machine's NIC when the restore completes. Power on the virtual machine when the restore completes is selected by default for instant access virtual machine restores.

d. Select the Restore VM Tags check box to restore vCenter tags and categories associated with this backup copy.

NOTE: You can only select this option when restoring entire virtual machines. Any existing tags and categories on the assets in the restore location will be replaced with the tags and categories from the restored copy. If the tags and categories being restored do not exist on the vCenter server at the time of the restore, or have been deleted, they will be re-created as part of the restore, along with the tag description and the cardinality settings that determine the relationship of tags within a category. If tags and categories on the vCenter server have been renamed since the last backup, the renamed tags and categories will not be overwritten after restore. For example, if a tag's ID is the same but the tag's name has been changed since the backup, a new tag is created based on the tag name in the backup copy being restored.

After a successful restore, the replaced tags and categories can be viewed in the vSphere Client Tags & Custom Attributes window, or the Tags pane of the Summary window when the virtual machine is selected.

e. For low-bandwidth environments, select Enable DDBoost Compression.

This option reduces network usage by compressing data on the protection storage system before transfer to the VM Direct Engine, which decompresses the data. Compression reduces restore times but increases CPU usage on both systems.

f. For Select a Protection Engine, move the slider to the right if you want to override the automatic protection engine selection, and then select another VM Direct Engine to use for the restore. When the restore job is started, the name of the protection engine used for the restore displays in the Jobs window Details pane.

g. Click Next.

12. The Networks page appears if the virtual machine was backed up using PowerProtect Data Manager 19.9 or later. It displays the network adaptors and associated networks the virtual machine had used when it was backed up. Click Next after reviewing this information and optionally performing one or both of the following actions.

NOTE: If a network used by an adapter is no longer accessible to the new virtual machine, a warning is displayed, and a different network should be selected for that adapter.

a. To select a different network, click the associated drop-down control in the Network column, and then select an entry from the list.

b. To change the initial power-on connection status of a network adapter, select or clear the associated check box in the Connect at Power On column.

c. Click Next.

13. On the Summary page, verify that the information you specified in the previous steps is correct, and then click Restore. A confirmation message displays indicating that the restore has been initiated and providing the option to go to the Jobs window to monitor the restore progress.

14. Go to the Jobs window to view the entry for the instant access virtual machine recovery and verify when the recovery completes successfully. You can also click next to the job to verify what steps have been performed, for example, when the instant access session has been created.

Results

To monitor and manage the instant access virtual machine recovery, select Restore > Running Sessions, and then click the Instant Access tab. From this window, you can also extend the instant access virtual machine session beyond the default period of 7 days.

NOTE: On a single-node protection storage system such as a DD system, instant access/restore functionality has been enhanced to return a failure message when overwhelmed with traffic. For example, if on the target node or the ESXi host there are Live VM and/or Instant Restore sessions that are in conflict, instant access/restore jobs will fail with a message indicating a resource contention issue. If this occurs, you need to clear the conflicts and then restart the session in order for the job to execute.

Manage and monitor Instant Access sessions

In the PowerProtect Data Manager UI, the Instant Access tab of the Restore > Running Sessions window enables you to monitor vMotion events, and to manage the status of a virtual machine restore to new or instant access virtual machine restore. For example, you can extend the availability period or delete an instant access virtual machine.

NOTE: The Instant Access Sessions that are used by a SQL application-aware self-service restore are displayed in the PowerProtect Data Manager UI, but management is disabled. Use the SQL application-aware self-service restore UI to manage these sessions.

When the Jobs window indicates that a recovery has completed successfully, go to Restore > Running Sessions > Instant Access to access information about the sessions. This window enables you to monitor and manage all exported copies that you have created from protection storage. An active restore session with a state of Mounting indicates that the restore is still in progress. Once the state changes to Mounted, the restore is complete and the instant access virtual machine is ready. When you select the session in the table, you can choose from three options:

Extend: Click to extend the number of days the instant access virtual machine restore is available. The default retention period of an instant access virtual machine restore is 7 days.

Migrate: Click to open the Migrate Storage vMotion wizard, which enables you to move the instant access virtual machine to a protection datastore. Migrate an instant access session provides instructions.

Delete: Click if you no longer require the active restore session. Note that you can also vMotion from inside the vCenter server, and PowerProtect Data Manager removes the Instant Access Session after detection.

For instant access virtual machine restores, availability of the instant access virtual machine session is also indicated in the vSphere Client. The session appears in the Recent Tasks pane, and you can expand the cluster and select the instant access virtual machine to view summary information, as shown in the following figure.

Figure 3. instant access virtual machine restore in the vSphere Client

Migrate an Instant Access session

Once you validate that the instant access virtual machine is the virtual machine that you require for production, click Migrate to open the Migrate Storage vMotion wizard, which enables you to select the session and move the virtual machine to a production datastore.

Steps

1. From the PowerProtect Data Manager UI, select Restore > Running Sessions, and then click the Instant Access tab.

2. Select a session from the table that is in Mounted state, and click Migrate. The Migrate Storage vMotion wizard displays.

3. On the Disk Files Datastore page, select the datastore where you want to relocate the instant access virtual machine, and then click Next.

To migrate all VMDKs to the same datastore, keep the Configure per disk slider to the left, and then select the datastore from the Storage list.

To migrate VMDKs to separate datastores, move the Configure per disk slider to the right, and then:

a. Select a datastore for each disk from the Storage list.

b. Select the type of provisioning you want to apply to the disk from the Disk Format list.

4. On the Summary page, review the information to ensure that the details are correct, and then click Migrate.

5. Go to the Jobs window or the Instant Access window to view the progress of the migration.

In the Jobs window, the migration job appears with a progress bar and start time. You can also click next to the job to verify what steps have been performed. In the Instant Access window, you can monitor the vMotion status of the migration. When a vMotion is in progress, the status indicates VMotioning. Once the storage vMotion for the session is complete, the status of the session changes to Deleting as the session is being removed from the Instant Access window.

File-level restores

You can use PowerProtect Data Manager to perform restore operations at the file level.

The VM Direct agent facilitates the mounting and unmounting of disks and the browsing of files in the destination virtual machine and the backup copy. The agent is installed automatically during a file-level restore, but you can choose to manually install it before performing a file-level restore. Manually installing the agent allows the user account performing the file-level restore to have different permissions from the user account installing the agent.

NOTE: In some installation paths, application messages, and log files, the VM Direct agent is named the vProxy Agent.

There are two methods of restoring individual virtual machine files within the PowerProtect Data Manager UI:

Using the File Level Restore wizard

Using the File Search functionality

Manually install the VM Direct agent on Linux

You can manually install the VM Direct agent.

Prerequisites

The destination virtual machine is a supported Linux platform. To determine which Linux platforms are supported, see the compatibility information provided by the E-Lab Navigator.

When logging in to the destination virtual machine in the following steps, log in as a root user or a user in the local sudousers list of the operating system.

NOTE: Even if you log in as a user with privileges similar to a root user, the VM Direct agent installation fails.

If you log in to the destination virtual machine in the following steps as a user in the local sudousers list of the operating system, ensure you have already completed the following steps on the destination virtual machine:

1. Provide sudo access to the following files at a minimum:

RPM command (SLES, Red Hat Enterprise Linux, CentOS) and dpkg command (Debian/Ubuntu)

/opt/emc/vproxyra/bin/postinstall.sh

/opt/emc/vproxyra/bin/preremove.sh

Note the following additional requirements:

The sudo user or group must be configured for no password prompt.

The sudo user or group must be provided with the no requiretty option.

When user elevation is enabled for file-level restore:

To browse files, you must have the appropriate authority in the destination virtual machine operating system. For example, you must be permitted to run vflrbrowse using sudo without being prompted for a password.

To perform the restore, the user account must have the appropriate authority. For example, this account requires sudo access and must be able to run vflrcopy without being prompted for a password.

NOTE: If the Run with Elevated Privileges file-level restore is unsuccessful, an error displays indicating Unable to perform FLR Agent operation 'recover_files' on VM virtual machine name. This might occur when a typographical error has been made in the sudo commands. To determine if this has occurred, review the log file output for the following text:

sudo: a password is required
/etc/sudoers.d/admin: syntax error near line 1
sudo: no valid sudoers sources found, quitting

It is recommended that you test the sudo command before performing a file-level restore in order to resolve any potential errors.

2. Create the file /etc/sudoers.d/linuxuser, where linuxuser is the Linux login user, and then add the following contents to the file.

On CentOS, OpenSuSE Leap, Oracle Linux, Red Hat Enterprise Linux, and SuSE Linux Enterprise Server operating systems:

username ALL=NOPASSWD: /usr/bin/rpm, /opt/emc/vproxyra/bin/postinstall.sh, /opt/emc/vproxyra/bin/preremove.sh, /opt/emc/vproxyra/bin/vflrbrowse, /opt/emc/vproxyra/bin/vflrcopy
Defaults:username !requiretty
Defaults:username !authenticate

NOTE: On SuSE 12, the location is /bin/rpm instead of /usr/bin/rpm.

On Debian and Ubuntu Server operating systems:

username ALL=NOPASSWD: /usr/bin/dpkg, /opt/emc/vproxyra/bin/postinstall.sh, /opt/emc/vproxyra/bin/preremove.sh, /opt/emc/vproxyra/bin/vflrbrowse, /opt/emc/vproxyra/bin/vflrcopy
Defaults:username !requiretty
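The NOTE above recommends testing the sudo configuration before a file-level restore. The following shell function is an added example, not part of the Dell guide or product: it lints a drop-in file against the sample contents shown above and catches a path broken by a stray space. The function names, the user flruser, and the sample file are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not Dell code: lint the sudoers drop-in for the VM Direct agent.
# Usage: check_flr_sudoers FILE USER FAMILY      (FAMILY is "rpm" or "deb")
# Prints one line per problem; returns 0 when FILE matches the guide's sample.

check_flr_sudoers() {
    local file="$1" user="$2" family="$3"
    local pkg_re joined rule entries entry want problems=0

    case "$family" in
        rpm) pkg_re='^(/usr)?/bin/rpm$' ;;    # /bin/rpm on SuSE 12, per the guide
        deb) pkg_re='^/usr/bin/dpkg$' ;;
        *)   echo "unknown family '$family' (use rpm or deb)"; return 2 ;;
    esac

    # Join backslash-continued lines, then drop comment lines.
    joined=$(awk '/\\$/ { sub(/\\$/, ""); printf "%s", $0; next } { print }' "$file" \
             | grep -v '^[[:space:]]*#' || true)

    # The privilege rule has the form: <user> ALL=NOPASSWD: cmd, cmd, ...
    rule=$(printf '%s\n' "$joined" \
           | grep -E "^${user}[[:space:]]+ALL[[:space:]]*=[[:space:]]*NOPASSWD:" \
           | head -n 1 || true)
    if [ -z "$rule" ]; then
        echo "no 'ALL=NOPASSWD:' rule found for user $user"
        return 1
    fi

    # One command per line, surrounding whitespace trimmed.
    entries=$(printf '%s\n' "${rule#*NOPASSWD:}" | tr '\t' ' ' | tr ',' '\n' \
              | sed -e 's/^ *//' -e 's/ *$//')

    # A space inside an entry usually means a path was broken when pasted.
    while IFS= read -r entry; do
        case "$entry" in
            *' '*) echo "entry contains a space: '$entry'"; problems=1 ;;
        esac
    done <<EOF
$entries
EOF

    # Every command from the guide's sample must appear as an exact entry.
    for want in /opt/emc/vproxyra/bin/postinstall.sh /opt/emc/vproxyra/bin/preremove.sh \
                /opt/emc/vproxyra/bin/vflrbrowse /opt/emc/vproxyra/bin/vflrcopy; do
        printf '%s\n' "$entries" | grep -Fxq -- "$want" \
            || { echo "missing command: $want"; problems=1; }
    done
    printf '%s\n' "$entries" | grep -Eq -- "$pkg_re" \
        || { echo "missing package manager command for family $family"; problems=1; }

    # Both samples in the guide disable requiretty for the user.
    printf '%s\n' "$joined" | grep -Eq "^Defaults:${user}[[:space:]].*!requiretty" \
        || { echo "missing 'Defaults:$user !requiretty'"; problems=1; }

    return "$problems"
}

# Constructed sample: a path broken by a stray space and no requiretty line.
flr_sudoers_demo() {
    local tmp rc=0
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample for user "flruser" on an RPM-based guest
flruser ALL=NOPASSWD: /usr/bin/rpm, /opt/emc/vproxyra/bin/postinstall.sh, \
    /opt/emc/ vproxyra/bin/preremove.sh, /opt/emc/vproxyra/bin/vflrbrowse, \
    /opt/emc/vproxyra/bin/vflrcopy
Defaults:flruser !authenticate
EOF
    check_flr_sudoers "$tmp" flruser rpm || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Run as: ./check_flr_sudoers.sh FILE USER rpm|deb
if [ "$#" -eq 3 ]; then check_flr_sudoers "$@"; fi
```

This lint checks only the contents the guide lists, so also run visudo -cf on the file to validate general sudoers syntax. Because rpm and dpkg run package scripts as root, an account holding this rule is effectively root-equivalent on the guest.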

About this task

To manually install the VM Direct agent, perform the following steps.

Steps

1. Connect to the PowerProtect Data Manager console and change to the root user.

2. Run the command cd /opt/emc/sw-repo/vflragent/linux.

3. Run the following command:

scp @ :

If the destination virtual machine operating system is CentOS, OpenSuSE Leap, Oracle Linux, RedHat Enterprise Linux, or SuSE Linux Enterprise Server, replace with the name of the .rpm file.

If the destination virtual machine operating system is Debian or Ubuntu Server, replace with the name of the .deb file.

Replace with the name of a root user on the destination virtual machine.

Replace with the IP address of the destination virtual machine.

Replace with a directory path on the destination virtual machine to which the VM Direct agent installer package should be copied.

NOTE: If you are installing the VM Direct agent as a non-root user, ensure the non-root user has read and execute permissions to files in this directory path.

4. Log in to a shell prompt of the destination virtual machine.

5. Change directories to the location of the file copied in step 3.

6. If the destination virtual machine operating system is CentOS, OpenSuSE Leap, Oracle Linux, RedHat Enterprise Linux, or SuSE Linux Enterprise Server, run the following command:

rpm -ivh

Replace with the name of the file copied in step 3.

7. If the destination virtual machine operating system is Debian or Ubuntu Server, run the following command:

dpkg -i

Replace with the name of the file copied in step 3.

8. Run the command /opt/emc/vproxyra/bin/postinstall.sh.

Results

You can now perform file-level restore operations as a non-root user.

Manually install the VM Direct agent on Windows

You can manually install the VM Direct agent.

Prerequisites

The destination virtual machine is a supported Windows platform. To determine which Windows platforms are supported, see the compatibility information provided by the E-Lab Navigator.

When logging in to the destination virtual machine in the following steps, log in as a user with administrator rights. If you need to enable the administrator account, perform the following steps:

1. Open a command prompt in administrative mode, and then type net user administrator /active:yes.

2. To set a password for the administrator account, go to Control Panel > User Accounts and select the Advanced tab. Initially, the account password is blank.

3. In the User Accounts pane, right-click the user, select Properties, and then clear the Account is disabled option.

About this task

To manually install the VM Direct agent, perform the following steps.

Steps

1. Connect to the PowerProtect Data Manager console and change to the root user.

2. Run the command cd /opt/emc/sw-repo/vflragent/windows.

3. Copy emc-vProxy-FLRAgent-ppdm-version_1.x86_64.msi to the destination virtual machine.

4. Log in to the destination virtual machine.

5. Install the VM Direct agent by double-clicking emc-vProxy-FLRAgent-ppdm-version_1.x86_64.msi. The Programs and Features Control Panel tool displays Dell vProxy Agent as installed.

Results

You can now perform file-level restore operations as a user without administrator rights.

File-level restore to the original virtual machine

A file-level restore to the original virtual machine enables you to recover individual files from backups of virtual machines or VMDKs performed in PowerProtect Data Manager to the same or a new location on the original vCenter server. Only the Administrator and the Restore Administrator roles can restore data.

Prerequisites

Review the section Supported platform versions for file-level restore for supported platform and operating system versions.

In order to complete the VM Direct agent installation, the user must be an administrator account on Windows virtual machines, or a root user account or a user in the operating system's local sudousers list on Linux virtual machines.

If your environment has multiple isolated virtual networks, create a dedicated VMkernel port on the data network for the destination ESXi host. Create a VMkernel port for a standard vSwitch configuration and Create a VMkernel port for a distributed vSwitch configuration provide instructions. The PowerProtect Data Manager Administration and User Guide provides more information about virtual networks.

NOTE: For file-level restores, you can only restore files from a Windows backup to a Windows virtual machine, or from a Linux backup to a Linux virtual machine.

Steps

1. From the PowerProtect Data Manager UI, select Restore > Assets, and then select the Virtual Machine tab.

The Restore window displays all the virtual machines available for restore.

2. Select the check box next to the virtual machine that you want to recover from, and then click View Copies.

You can also use the filter in the Name column to search for a specific virtual machine name.

NOTE: If the Search cluster is enabled, you can click the File Search button to search on specific criteria. The File Search button is used for virtual machine file-level restore when restoring files from multiple copies across one or more virtual machines. See File-level restore to the original virtual machine for more information.

The Restore > Assets window provides a map view in the left pane and copy details in the right pane.

When a virtual machine is selected in the map view, the virtual machine name displays in the right pane with the copy locations underneath. When you select a location in the left pane, for example, a DD system, the copies on that system display in the right pane.

3. If the backup is on a DD system, click DD, and then select from one of the available copies that display in the table.

4. In the right pane, select the check box next to the virtual machine backup you want to restore, and then click File Level Restore. The File Level Recover wizard appears.

5. On the Restore Type page, select Restore to Original Virtual Machine, and then click Next.

6. On the Mount Copy page:

a. To initiate the disk mount, type the guest operating system user credentials:

If there are administrator-level credentials associated with the virtual assets or protection policy being restored, specify end-user credentials.

If there are no administrator-level credentials associated with the virtual assets or protection policy being restored, specify administrator credentials. These credentials will be handled as end-user credentials.

b. (Optional) Leave Keep FLR Agent Installed selected to keep the VM Direct agent on the destination virtual machine after the restore completes.

c. (Optional) If you are logged in as a user without administrator rights or root permissions to the destination virtual machine, select Run with Elevated Privileges to override any authentication or elevation prompts that appear when restoring to folders. To enable this option, the VM Direct agent must already be installed.

d. Click Start Mount to initiate the disk mount. A progress bar indicates when the mount completes.

NOTE: You cannot browse the contents of the virtual machine backup until the disk mount completes successfully.

When validated, the VM Direct agent is installed automatically on the restore destination, if it is not already installed.

e. After a successful disk mount, click Next.

7. On the Select Files to Recover page:

a. Expand individual folders to browse the original virtual machine backup, and select the objects that you want to restore to the destination virtual machine.

b. Click Next.

NOTE: When you browse for objects to recover on this page, each directory or hard drive appears twice. As a result, when you select an object from one location, the object is selected in the duplicate location as well.

8. On the Options page, select from one of the following options, and then click Next.

Restore to Original Folder and Overwrite Original Files: Select this option to restore all selected files to their original location on the original virtual machine.

Restore to an Alternate Folder: Select this option if you want to restore to a new folder in a new location on the original virtual machine.

NOTE: If you are performing the restore to a Linux virtual machine when logged in as a user in the local sudousers list and Run with Elevated Privileges is selected, the new folder is owned by the root user. Ensure the user you are logged in as has permissions to the directory. Otherwise, the restored files cannot be viewed.

9. On the Summary page:

a. Review the information to ensure that the restore details are correct. You can click Edit next to any row to change the information.

b. Click Restore.

10. Go to the Jobs window to monitor the restore. A restore job appears with a start time and progress bar.

File-level restore to alternate virtual machine

A file-level restore to alternate virtual machine enables you to recover individual files from backups of virtual machines or VMDKs performed in PowerProtect Data Manager to a new location on a new virtual machine. This restore can be performed to a primary or secondary vCenter server. Only the Administrator and the Restore Administrator roles can restore data.

Prerequisites

Review the section Supported platform versions for file-level restore for supported platform and operating system versions.

In order to complete the VM Direct agent installation, the user must be an administrator account on Windows virtual machines, or a root user account or a user in the operating system's local sudousers list on Linux virtual machines.

If your environment has multiple isolated virtual networks, create a dedicated VMkernel port on the data network for the destination ESXi host. Create a VMkernel port for a standard vSwitch configuration and Create a VMkernel port for a distributed vSwitch configuration provide instructions. The PowerProtect Data Manager Administration and User Guide provides more information about virtual networks.

NOTE: For file-level restores, you can only restore files from a Windows backup to a Windows virtual machine, or from a Linux backup to a Linux virtual machine.

Steps

1. From the PowerProtect Data Manager UI, select Restore > Assets, and then select the Virtual Machine tab.

The Restore window displays all the virtual machines available for restore.

2. Select the check box next to the virtual machine that you want to recover from, and then click View Copies.

You can also use the filter in the Name column to search for a specific virtual machine name.

NOTE: If the Search cluster is enabled, you can click the File Search button to search on specific criteria. The File Search button is used for virtual machine file-level restore when restoring files from multiple copies across one or more virtual machines. See File-level restore to alternate virtual machine using File Search for more information.

The Restore > Assets window provides a map view in the left pane and copy details in the right pane.

When a virtual machine is selected in the map view, the virtual machine name displays in the right pane with the copy locations underneath. When you select a location in the left pane, for example, a DD system, the copies on that system display in the right pane.

3. If the backup is on a DD system, click DD, and then select from one of the available copies that display in the table.

4. In the right pane, select the check box next to the virtual machine backup you want to restore, and then click File Level Restore. The File Level Recover wizard appears.

5. On the Restore Type page, select Restore to Alternate Virtual Machine, and then click Next.

6. On the Select Target VM page, choose from one of the following options:

Search for a target virtual machine by typing the name.

Browse from the available vCenter servers to locate the destination virtual machine.

7. On the Mount Copy page:

a. To initiate the disk mount, type the guest operating system user credentials:

If there are administrator-level credentials associated with the virtual assets or protection policy being restored, specify end-user credentials.

If there are no administrator-level credentials associated with the virtual assets or protection policy being restored, specify administrator credentials. These credentials will be handled as end-user credentials.

b. (Optional) Leave Keep FLR Agent Installed selected to keep the VM Direct agent on the destination virtual machine after the restore completes.

c. (Optional) If you are logged in as a user without administrator rights or root permissions to the destination virtual machine, select Run with Elevated Privileges to override any authentication or elevation prompts that appear when restoring to folders. To enable this option, the VM Direct agent must already be installed.

d. Click Start Mount to initiate the disk mount. A progress bar indicates when the mount completes.

NOTE: You cannot browse the contents of the virtual machine backup until the disk mount completes successfully.

When validated, the VM Direct agent is installed automatically on the restore destination, if it is not already installed.

e. After a successful disk mount, click Next.

8. On the Select Files to Recover page:

a. Expand individual folders to browse the original virtual machine backup, and select the objects that you want to restore to the destination virtual machine.

b. Click Next.

NOTE: When you browse for objects to recover on this page, each directory or hard drive appears twice. As a result, when you select an object from one location, the object is selected in the duplicate location as well.

9. On the Restore Location page, perform one of the following actions to choose where to restore the files, and then click Next.

Browse the folder structure of the destination virtual machine to select a folder.

Create a new folder.

NOTE: If you are performing the restore to a Linux virtual machine when logged in as a user in the local sudousers list and Run with Elevated Privileges is selected, the new folder is owned by the root user. Ensure the user you are logged in as has permissions to the directory. Otherwise, the restored files cannot be viewed.

10. On the Summary page:

a. Review the information to ensure that the restore details are correct. You can click Edit next to any row to change the information. If you are not restoring to the original virtual machine, an additional field appears for the Target VM.

b. Click Restore.

11. Go to the Jobs window to monitor the restore. A restore job appears with a start time and progress bar.

Virtual machine file-level restore from a search

Within the Restore window of the PowerProtect Data Manager UI, File Search enables you to restore files from protected virtual machine backup copies to:

The original virtual machine

An alternate virtual machine.

NOTE: Only file-level virtual machine restore is available from File Search.

File-level restore to original virtual machine using File Search

Use File Search in the PowerProtect Data Manager UI to restore files from multiple copies across one or more virtual machines to the same location on the original vCenter server. Only the Administrator and the Restore Administrator roles can restore data.

Prerequisites

Review the section Supported platform versions for file-level restore for supported platform and operating system versions.

If your environment has multiple isolated virtual networks, create a dedicated VMkernel port on the data network for the destination ESXi host. Create a VMkernel port for a standard vSwitch configuration and Create a VMkernel port for a distributed vSwitch configuration provide instructions. The PowerProtect Data Manager Administration and User Guide provides more information about virtual networks.

NOTE: For file-level restores to the original machine:

The files must be restored from a Windows backup to a Windows virtual machine, or from a Linux backup to a Linux virtual machine.

Restoring files from multiple copies with identical file names and paths from the same asset is not supported. In this case, only a file-level restore to the alternate virtual machine is available.

Steps

1. From the PowerProtect Data Manager UI, select Restore > Assets, and then select the Virtual Machine tab.

The Restore window displays all the virtual machines available for restore.

2. Click File Search, and then perform the following:

a. Select a virtual machine from the VM Name list.

b. Use the File Name and File Type fields to search for specific files, or specify a file size or folder path to perform the search. The files that match the search criteria display in the Results pane.

c. In the Results pane, select the files that you want to restore, and then click Add.

The Results pane is collapsed, and the Selected Files pane updates to display the current file selections.

d. Repeat steps b through d to select files from other virtual machines and copies. When finished with your selections, click Restore.

The VM File Restore wizard appears, displaying the Location page.

3. On the Location page:

a. Select Restore to Original Location.

b. (Optional) Select Overwrite existing files with the same name to replace files in the original location with the files being restored if the files have the same name.

c. If you selected files from multiple virtual machines, and these virtual machines share the same credentials, move the Use one set of credentials for all VMs slider to the right to avoid retyping the credentials for each virtual machine.

d. For one or more virtual machines, type the virtual machine User Name and Password, and then click Verify to validate the credentials.

If there are administrator-level credentials that are associated with the virtual assets or protection policy being restored, specify end-user credentials.

If there are no administrator-level credentials that are associated with the virtual assets or protection policy being restored, specify administrator credentials. These credentials are handled as end-user credentials.

You are not required to wait for validation to complete before clicking Verify for another set of virtual machine credentials.

When validated, if the VM Direct agent is not already installed, it is installed automatically on the restore destination. The VM Direct agent facilitates the mounting and unmounting of disks and the browsing of files in the destination virtual machine and the backup copy. In order to complete the automatic VM Direct agent installation, on Windows virtual machines the user must be an administrator account, and on Linux virtual machines the user must be the root user account, or a user in the operating system's local sudousers list.

e. (Optional) Leave Keep FLR Agent Installed selected to keep the VM Direct agent on the destination virtual machines after the restore completes.

f. (Optional) If you are logged in as a user without administrator rights or root permissions to the destination virtual machine, select Run with Elevated Privileges to override any authentication or elevation prompts that appear when restoring to folders. To enable this option, the VM Direct agent must already be installed.

g. Click Next.

The Summary page appears.

4. On the Summary page:

a. Review the information to ensure that the restore details are correct. You can click Edit next to certain rows to change the information.

b. Click Restore or Finish.

5. Go to the Jobs window to monitor the restore. A batch file-level restore job with multiple files appears as a job group, with a progress bar and start time. A separate job entry is created for each copy that is being restored from.

File-level restore to alternate virtual machine using File Search

Use File Search in the PowerProtect Data Manager UI to restore files from multiple copies across one or more virtual machines to a new location on a new virtual machine. The files can be restored to the primary vCenter server or a secondary vCenter server. Only the Administrator and the Restore Administrator roles can restore data.

Prerequisites

Review the section Supported platform versions for file-level restore for supported platform and operating system versions.

If your environment has multiple isolated virtual networks, create a dedicated VMkernel port on the data network for the destination ESXi host. Create a VMkernel port for a standard vSwitch configuration and Create a VMkernel port for a distributed vSwitch configuration provide instructions. The PowerProtect Data Manager Administration and User Guide provides more information about virtual networks.

NOTE: For file-level restores to an alternate virtual machine:

You can only restore files from a Windows backup to a Windows virtual machine, or from a Linux backup to a Linux virtual machine.

Restore of multiple files from different operating systems to the same target virtual machine is not supported. In this case, only a file-level restore to the original virtual machine is available.

Steps

1. From the PowerProtect Data Manager UI, select Restore > Assets, and then select the Virtual Machine tab.

The Restore window displays all the virtual machines available for restore.

2. Click File Search, and then perform the following:

a. Select a vCenter server from the vCenter Name list.

b. Select a virtual machine from the VM Name list.

c. Use the File Name and File Type fields to search for specific files, or specify a file size or folder path to perform the search. The files that match the search criteria display in the Results pane.

d. In the Results pane, select the files that you want to restore, and then click Add. The Results pane is collapsed, and the Selected Files pane updates to display the current file selections.

e. Repeat steps b through d to select files from other virtual machines and copies. When finished with your selections, click Restore. The VM File Restore wizard appears, displaying the Location page.

3. On the Location page:

a. Select Restore to Alternate Location. The table on the page updates to display the available destination virtual machines within the vCenter server and the location of any selected virtual machine.

b. Expand the vCenter server to locate the virtual machine that you want to restore to, and then select the virtual machine. A prompt appears, requesting the credentials of this virtual machine.

c. Type the virtual machine User Name and Password, and then click Verify to validate the credentials. When validated, if the VM Direct agent is not already installed, it is installed automatically on the restore destination. The VM Direct agent facilitates the mounting and unmounting of disks and the browsing of files in the destination virtual machine and the backup copy. In order to complete the automatic VM Direct agent installation, on Windows virtual machines the user must be an administrator account, and on Linux virtual machines the user must be the root user account, or a user in the operating system's local sudousers list.

d. (Optional) Leave Keep FLR Agent Installed selected to keep the VM Direct agent on the destination virtual machines after the restore completes.

e. (Optional) If you are logged in as a user without administrator rights or root permissions to the destination virtual machine, select Run with Elevated Privileges to override any authentication or elevation prompts that appear when restoring to folders. To enable this option, the VM Direct agent must already be installed.

f. When validation completes, click Close to return to the Location page. The Location page updates with the available destination folders on the selected virtual machine.

g. Browse to the destination folder, or select a location and click Add Folder to create a destination within this folder.

NOTE: If you are performing the restore to a new folder on a Linux virtual machine when logged in as a user in the local sudousers list and Run with Elevated Privileges is selected, the new folder is owned by the root user. Ensure the user you are logged in as has permissions to the directory. Otherwise, the restored files cannot be viewed.

h. Optionally, select Overwrite existing files with the same name to replace files in the destination folder with the files being restored if the files have the same name.

i. Click Next.

The Summary page appears.

4. On the Summary page:

a. Review the information to ensure that the restore details are correct. You can click Edit next to certain rows to change the information. If you are not restoring to the original virtual machine, an additional field appears for the Target VM.

b. Click Restore or Finish.

5. Go to the Jobs window to monitor the restore. A batch file-level restore job with multiple files appears as a job group, with a progress bar and start time. A separate job entry is created for each copy that is being restored from.

Restore an application-aware virtual machine backup

When virtual machine applications are protected within a protection policy in PowerProtect Data Manager, you can recover the application data using the Microsoft application agent, or perform a centralized restore within the PowerProtect Data Manager UI.

The PowerProtect Data Manager Microsoft SQL Server User Guide provides instructions on how to restore an application-aware virtual machine using the VM Direct SQL Server Management Studio (SSMS) plug-in.

Protecting Virtual Machines Using the Transparent Snapshot Data Mover

Topics:

Overview of transparent snapshots for virtual machine protection

vSphere Installation Bundle monitoring and management

Transparent snapshot data mover system requirements

Prerequisites to virtual machine protection with the Transparent Snapshot Data Mover

Virtual machine transparent snapshot unsupported features and limitations

Transparent Snapshot Performance and Scalability

Overview of transparent snapshots for virtual machine protection

The transparent snapshot data mover (TSDM) is a new protection mechanism in PowerProtect Data Manager 19.9 and later designed to replace the VMware vStorage API for Data Protection (VADP) protection mechanism for crash-consistent virtual machine protection.

The advantages of using the TSDM protection mechanism for virtual machine data protection include the following:

Eliminates the latency and performance impact on the production virtual machine during the protection policy life cycle.

Reduces the CPU, storage, and memory consumption required for backups. After the initial full backup, only incremental backups using the immediate previous snapshot will be performed.

An external VM Direct Engine is not required. The VM Direct Engine embedded with PowerProtect Data Manager is sufficient.

Automatic scaling.

vSphere Installation Bundle monitoring and management

The vSphere Installation Bundle (VIB) is a software package that is bundled with the PowerProtect Data Manager OVA and update package. The VIB is installed automatically on a vSphere ESXi 7.0 U3c and later host during the PowerProtect Data Manager deployment or update, and is required to enable the transparent snapshot data mover (TSDM) for virtual machines.

Prerequisites to VIB installation and update

The VIB package will be installed or updated provided that the following requirements are met:

The PowerProtect Data Manager version is 19.9 or later.

The hosting ESXi Server is version 7.0 U3c or later.

The managing vCenter Server is version 7.0 U3c or later.

*The installation can be performed on all eligible hosts of the cluster and all hosts added to the cluster.

VIB management is enabled on the vCenter server asset source. The section Transparent Snapshot Data Mover protection mechanism provides more information.

During the VIB installation:

A VIB file (approximately 4 MB) is uploaded to the ESXi datastore.

An entry for the job Performing Host Configuration (vib_install) appears in the PowerProtect Data Manager UI.

Information for the vCenter and ESXi host is detected to verify that the supported versions are installed.

You can use the Transparent Snapshot Data Movers tab in the Protection Engines window of the PowerProtect Data Manager UI to monitor and manage the installation of the VIB. This window provides a vCenter hierarchy view which is based on the asset sources that are enabled in PowerProtect Data Manager. If an ESXi host is not eligible or available for the VIB installation, the status displays as Not Eligible in the Protection Engines window. Transparent Snapshot Data Mover protection mechanism provides more information.

NOTE: The VIB cannot be deployed until virtual machine assets from an ESXi cluster are added to a protection policy. It is recommended that you perform an installation pre-check before the backup of any TSDM-enabled protection policies.

During the creation of a crash-consistent virtual machine protection policy, the VIB is deployed automatically on the vSphere cluster being protected. If all requirements are met, TSDM is used as the default protection mechanism instead of VADP. If crash-consistent policies that were created in PowerProtect Data Manager 19.8 and earlier are configured with the following options, these policies can be migrated to use TSDM:

Exclude swap files from backup is off.

Enable guest file system quiescing is off.

You can use the PowerProtect Data Manager UI to apply TSDM as the data mover for virtual machine assets.

Transparent snapshot data mover system requirements

The following software is required to automatically enable use of the Transparent Snapshot Data Mover (TSDM) for virtual machine data protection operations.

NOTE: TSDM for virtual machine protection also requires that the protection policy is a crash-consistent policy, with the quiescing and swap file exclusion options disabled.

Table 11. Software requirements

Software required | Version supported | Notes
--- | --- | ---
vCenter server | 7.0 U3c and later | vCenter and ESXi 7.0 U3c is the minimum version that is required to use TSDM. Until this version is deployed in the environment, TSDM is not used for virtual machine protection policies.
ESXi server | 7.0 U3c and later |

Prerequisites to virtual machine protection with the Transparent Snapshot Data Mover

Review the following recommendations for use of the Transparent Snapshot Data Mover (TSDM) protection mechanism for virtual machine protection.

Additional privileges required for a dedicated vCenter user account to use Transparent Snapshot Data Mover

You can use the vSphere Client to specify the required privileges for the dedicated vCenter user account, or you can use the PowerCLI, which is an interface for managing vSphere.

The following table includes the additional privileges required to use the Transparent Snapshot Data Mover (TSDM) for virtual machine protection operations. For the remaining privileges required for the dedicated vCenter user account, see Specify the required privileges for a dedicated vCenter user account.

Table 12. Minimum required vCenter user account privileges

Setting | vCenter 7.0.3 and later required privileges
--- | ---
Datastore | Datastore > Browse datastore; Datastore > Low level file operations
Host | Configuration > Image configuration; Configuration > Security profile and firewall; Configuration > Query patch
System | System > Read
Tasks | Tasks > Create task; Tasks > Update task
vSphere Data Protection | Protection; Recovery

PowerCLI equivalent required privileges:

```powershell
# Privilege IDs that correspond to the vSphere Client settings in this table.
$privileges = @(
    'Host.Config.Patch',
    'Host.Config.Image',
    'Host.Config.NetService',
    'Datastore.FileManagement',
    'Datastore.Browse',
    'vSphereDataProtection.Protection',
    'vSphereDataProtection.Recovery',
    'System.Read',
    'Task.Create',
    'Task.Update'
)

# Create a role named 'PowerProtect' that holds these privileges.
New-VIRole -Name 'PowerProtect' -Privilege (Get-VIPrivilege -Id $privileges)
```
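One way to check an existing role against the privilege IDs in Table 12, as an added example that is not part of the Dell guide. The function name Test-TsdmRolePrivilege, its Baseline parameter, and the pairing of each privilege ID with a vSphere Client label are assumptions made for this example, and the sample input is constructed.

```powershell
# Added example (not from the Dell guide): audit a vCenter role against the
# TSDM privilege IDs in Table 12 and report what is missing or unexpected.

# Privilege IDs from the page. The vSphere Client label paired with each ID is
# an assumption made for this example, read off the rows of Table 12.
$TsdmPrivileges = [ordered]@{
    'Datastore.Browse'                 = 'Datastore > Browse datastore'
    'Datastore.FileManagement'         = 'Datastore > Low level file operations'
    'Host.Config.Image'                = 'Host > Configuration > Image configuration'
    'Host.Config.NetService'           = 'Host > Configuration > Security profile and firewall'
    'Host.Config.Patch'                = 'Host > Configuration > Query patch'
    'System.Read'                      = 'System > Read'
    'Task.Create'                      = 'Tasks > Create task'
    'Task.Update'                      = 'Tasks > Update task'
    'vSphereDataProtection.Protection' = 'vSphere Data Protection > Protection'
    'vSphereDataProtection.Recovery'   = 'vSphere Data Protection > Recovery'
}

function Test-TsdmRolePrivilege {
    [CmdletBinding()]
    param(
        # Privilege IDs currently granted to the role being audited.
        [Parameter(Mandatory)]
        [AllowEmptyCollection()]
        [string[]]$Granted,

        # Privilege IDs the role legitimately holds for other reasons, for example
        # the base set from "Specify the required privileges for a dedicated
        # vCenter user account". Anything outside TSDM + Baseline is reported.
        [string[]]$Baseline = @()
    )

    # Compare privilege IDs case-insensitively.
    $cmp        = [System.StringComparer]::OrdinalIgnoreCase
    $grantedSet = [System.Collections.Generic.HashSet[string]]::new($Granted, $cmp)
    $allowedIds = [string[]](@($TsdmPrivileges.Keys) + $Baseline)
    $allowedSet = [System.Collections.Generic.HashSet[string]]::new($allowedIds, $cmp)

    # Required for TSDM but absent from the role, with the place to fix it in the UI.
    $missing = @(foreach ($id in $TsdmPrivileges.Keys) {
        if (-not $grantedSet.Contains($id)) {
            [pscustomobject]@{ Id = $id; VSphereClientPath = $TsdmPrivileges[$id] }
        }
    })

    # Granted but in neither list: candidates for a least-privilege review.
    $unexpected = @($Granted |
        Where-Object { -not $allowedSet.Contains($_) } |
        Sort-Object -Unique)

    [pscustomobject]@{
        Compliant  = ($missing.Count -eq 0)
        Missing    = $missing
        Unexpected = $unexpected
    }
}

# Constructed sample: a role that lacks two TSDM privileges and carries one
# privilege that is in neither the TSDM list nor the (empty) baseline.
$sampleGranted = @(
    'System.Read', 'Task.Create', 'Task.Update',
    'Datastore.Browse', 'Datastore.FileManagement',
    'Host.Config.Patch', 'Host.Config.Image',
    'vSphereDataProtection.Protection',
    'VirtualMachine.Interact.PowerOff'
)

$report = Test-TsdmRolePrivilege -Granted $sampleGranted
"Compliant: $($report.Compliant)"
$report.Missing | Format-Table -AutoSize
"Unexpected: $($report.Unexpected -join ', ')"

# Against a live vCenter (requires PowerCLI and an existing Connect-VIServer session):
#   Test-TsdmRolePrivilege -Granted (Get-VIRole -Name 'PowerProtect').PrivilegeList
```

Without a Baseline, every privilege outside Table 12 is listed as Unexpected, so supply the base privilege set from the referenced section before treating that list as findings.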

Creating VMkernel ports for TSDM

For backup and restore of virtual assets from the ESXi hosts and their respective virtual machines using the Transparent Snapshot Data Mover (TSDM) protection engine, it is strongly recommended that you create a dedicated VMkernel port for all ESXi hosts in the cluster to facilitate data transfer.

Before you begin:

For optimal data transfer between ESXi hosts and protection storage, use the same network subnet that is used for backup storage.

For each ESXi host in the cluster, it is recommended to use a 10G physical network adapter port for TSDM backup traffic.

Plan a unique network subnet to use exclusively for TSDM protection engine that does not overlap with any other existing network subnets. This subnet must contain the following:

An IP address for each VMkernel port in each ESXi host.

An IP address for each port in protection storage target interfaces.

Complete Create a VMkernel port for a standard vSwitch configuration or Create a VMkernel port for a distributed vSwitch configuration. Use the switch and IP settings recommended above.
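The subnet planning rule above (no overlap with existing subnets, one address per VMkernel port and per protection storage port) can be checked before any port is created. This is an added example, not part of the Dell guide; the function names, the IPv4-only scope, and every address and count in the sample are assumptions constructed for illustration.

```powershell
# Added example (not from the Dell guide): sanity-check a planned TSDM subnet.
# IPv4 only. All CIDR blocks and counts in the sample are constructed values.

function Get-Ipv4Range {
    param([Parameter(Mandatory)][string]$Cidr)

    $ipText, $prefixText = $Cidr -split '/', 2
    if ([string]::IsNullOrEmpty($prefixText)) { throw "Missing prefix length in '$Cidr'" }
    $prefix = [int]$prefixText
    if ($prefix -lt 0 -or $prefix -gt 32) { throw "Invalid prefix length in '$Cidr'" }

    $ip = [System.Net.IPAddress]::Parse($ipText)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "'$Cidr' is not an IPv4 block"
    }

    # Fold the four octets (network byte order) into one integer.
    $value = [long]0
    foreach ($octet in $ip.GetAddressBytes()) { $value = $value * 256 + $octet }

    # Block size and first address, without relying on bit-shift operators.
    $size  = [long][math]::Pow(2, 32 - $prefix)
    $first = $value - ($value % $size)

    [pscustomobject]@{ Cidr = $Cidr; First = $first; Last = $first + $size - 1; Size = $size }
}

function Test-TsdmSubnetPlan {
    param(
        [Parameter(Mandatory)][string]$PlannedCidr,
        [string[]]$ExistingCidr = @(),
        # One address per VMkernel port on each ESXi host in the cluster.
        [Parameter(Mandatory)][ValidateRange(0, 100000)][int]$VmkernelPortCount,
        # One address per port on the protection storage target interfaces.
        [Parameter(Mandatory)][ValidateRange(0, 100000)][int]$StoragePortCount
    )

    $plan = Get-Ipv4Range $PlannedCidr

    # Two ranges overlap when each one starts before the other ends.
    $overlaps = @(foreach ($cidr in $ExistingCidr) {
        $other = Get-Ipv4Range $cidr
        if ($plan.First -le $other.Last -and $other.First -le $plan.Last) { $cidr }
    })

    # Network and broadcast addresses are not assignable except in /31 and /32.
    # A default gateway, if one is used, is not counted here.
    $usable = if ($plan.Size -gt 2) { $plan.Size - 2 } else { $plan.Size }
    $needed = $VmkernelPortCount + $StoragePortCount

    [pscustomobject]@{
        PlannedCidr     = $PlannedCidr
        OverlapsWith    = $overlaps
        UsableAddresses = $usable
        NeededAddresses = $needed
        Ok              = ($overlaps.Count -eq 0 -and $usable -ge $needed)
    }
}

# Constructed sample: 16 ESXi hosts with one VMkernel port each, 4 storage ports.
# The planned /27 has room (30 usable addresses) but sits inside an existing /21.
$result = Test-TsdmSubnetPlan -PlannedCidr '192.168.50.0/27' `
    -ExistingCidr @('192.168.0.0/24', '10.20.0.0/16', '192.168.48.0/21') `
    -VmkernelPortCount 16 -StoragePortCount 4

$result | Format-List
```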

Create a VMkernel port for a standard vSwitch configuration

For each ESXi host in the cluster:

Steps

1. In the vSphere Client, navigate to the ESXi host and select the host.

2. Right-click the host and select Add Networking.

3. Select VMkernel Network Adapter, and then click Next.

4. Create a new switch, or choose an existing one.

When creating a new switch, assign the NIC adapter to Active Adapters.

5. In the Port Properties settings IP settings, select either IPv4 or IPv6, and clear all other check boxes under Available services.

6. In the IP settings, specify the VMkernel IP settings.

Create a VMkernel port for a distributed vSwitch configuration

Steps

1. On the vSphere Client home page, click Networking, and then navigate to and select a distributed port group.

2. From the Actions menu, select Add VMkernel Adapters.

3. On the Select hosts page, click Attached hosts, select from the hosts that are associated with the distributed switch, and then click OK.

4. Click Next.

5. On the Configure VMkernel adapter page, select either IPv4 or IPv6, and clear all other check boxes under Available services.

6. In the IP settings, specify the VMkernel IP settings.

Virtual machine transparent snapshot unsupported features and limitations

Review the following unsupported features and limitations for the transparent snapshot data mover (TSDM) in PowerProtect Data Manager.

Unsupported virtual machine platforms and configurations

TSDM virtual machine protection is not supported for the following virtual machines, configurations, and platforms:

Physical RDMs

Virtual RDMs

Encrypted virtual machines

Fault Tolerant virtual machines

Azure VMware Solution (AVS) on Microsoft Azure

Google Cloud VMware Engine (GCVE) on Google Cloud Platform (GCP)

VMware Cloud (VMC) on Amazon Web Services (AWS)

Virtual machines with Site Recovery Manager enabled.

Full synchronization performed under certain conditions

The following conditions will result in a full synchronization operation for TSDM-enabled virtual machine protection policy backups:

PowerProtect Data Manager is updated from a previous release.

NOTE: The full backup completes successfully but with exceptions to indicate that the backup was forced to maintain the integrity of the data in the backup chain.

The full synchronization is scheduled as part of a PowerProtect Data Manager protection policy.

A manual backup is performed of the protection policy using Backup Now in the PowerProtect Data Manager UI.

The most recent virtual machine backup has been deleted.

Disks were added to the virtual machine.

Disks that were previously marked as excluded are added to the protection policy backup.

The VMware DPD service was removed and then readded to the virtual machine. This can occur, for example, when the virtual machine is removed from a TSDM-enabled policy and then added to the same or a different TSDM policy, or when the virtual machine protection mechanism is manually changed from TSDM to VADP and then back to TSDM.

The ESXi host, virtual machine, or daemon becomes unresponsive and crashes.

The vSphere version is updated to 8.0 or later on the vCenter/ESXi hosts.

A restore to a managed snapshot.

The virtual machine encryption/decryption setting is changed.

NOTE: A full synchronization is not required after vMotion operations.

Site Recovery Manager unsupported for TSDM-protected virtual machines (vSphere versions previous to 8.0)

In vSphere versions earlier than version 8.0, enabling of VMware's Site Recovery Manager (SRM) for virtual machines that are protected in PowerProtect Data Manager with TSDM is not supported. Ensure that you disable SRM protection for any virtual machines that use the TSDM protection mechanism, or manually configure these virtual machines to use the VADP data mover instead to continue using SRM.

NOTE: Array-based replication for SRM is unsupported, regardless of the vSphere version.

Asset copy size reported differently for TSDM backups with thin-provisioned disks in release 19.10 and later

An increase in the asset copy size of TSDM backups with thin-provisioned disks might be observed due to the manner in which asset copy size is reported in PowerProtect Data Manager 19.10 and later. For thin-provisioned disks, the asset copy size now reflects the capacity (provisioned size) of the disks instead of the used size. No actual increase in size has occurred.

VADP restore of TSDM backup restores disks as thick-provisioned in some circumstances

If VADP data path is used to restore a virtual machine that was backed up using the TSDM protection mechanism, the disks are restored as thick-provisioned instead of thin-provisioned. PowerProtect Data Manager uses VADP data path for restores in the following circumstances:

The virtual machine is restored in a vSphere environment running with a version previous to 7.0 U3.

The virtual machine is restored to an ESXi host that does not have the TSDM vSphere Installation Bundle (VIB) installed.

The virtual machine is restored directly to the ESXi host, since the vCenter server is not used for a Direct Restore to ESXi.

Virtual Machine Disk (VMDK) limit for virtual machines protected with TSDM

TSDM-based protection supports a maximum of 40 VMDKs per virtual machine. If this limit is exceeded, backups are queued for a longer time, and must be canceled manually.

For virtual machines with more than 40 VMDKs, you can override the protection mechanism at the asset level to use VADP. The section Migrating assets to use the Transparent Snapshot Data Mover provides more information.

Size of thin provisioned files created by vSphere during TSDM operations does not reflect the true size written to file system (fixed in vSphere 7.0 U3f and later)

VMware vSphere creates files that are displayed as two times larger than the VMDK files of the virtual machines that are protected by TSDM. The names of these files end in -flat.ses, and the files are located in the same VMFS volume and directory as the VMDK files of the protected virtual machines. These are thin-provisioned files and part of normal TSDM operations.

To determine the real amount of data that is written to the file system, use the du command, or update to vSphere version 7.0 U3f or later.

vMotion of TSDM protected virtual machines

vSphere disables the vMotion migration of virtual machines to an ESXi host version previous to 7.0 U3 when the virtual machine is protected with TSDM. In order to migrate the TSDM protected virtual machine to an ESXi version that does not support TSDM, you must disable the VMware DPD service that is attached to the virtual machine during the initial protection policy configuration. To disable the filter, remove the virtual machine from the TSDM protected virtual machine protection policy. Once the virtual machine is removed from the policy, a job is automatically initiated to disable the filter.

Once the vMotion completes, you can re-add the virtual machine to the protection policy. This virtual machine is then protected by the VADP protection mechanism, since the new ESXi/cluster host version is lower than the version required by TSDM.

Removal of managed snapshots required before running virtual machine protection policies

A PowerProtect Data Manager virtual machine protection policy cannot be configured to use the TSDM protection mechanism when the virtual machine contains managed snapshots. Verify that no managed snapshots exist for the virtual machine, and then retry the configuration job from the System Jobs window of the PowerProtect Data Manager UI.

TSDM only available for virtual machine crash-consistent policies

Use of the TSDM protection mechanism is only supported for crash-consistent virtual machine protection policies. Also, the virtual machine crash-consistent policy must have the swap file exclusion and quiescing options disabled.

Transparent Snapshot Performance and Scalability

Review the following information related to performance considerations to scale your environment.

NOTE: As a VMware infrastructure best practice, it is recommended that you spread the workload across ESXi servers as much as possible. With the Transparent Snapshot Data Mover protection mechanism, you can move backup data in streams from multiple ESXi servers.

Table 13. Scalability limits for the vCenter and ESXi server

| Component | Maximum limit |
| --- | --- |
| Number of protected virtual machines per ESXi server | Unlimited |
| Number of protected VMDKs per ESXi server | 1000 |
| Size of VMDK | 64 TB |
| Transparent Snapshot Data Mover (TSDM) backups | Up to 3000 virtual machine backups, and up to 180 concurrent virtual machine backups. |

NOTE: An external VM Direct Engine is not required when using TSDM as the protection mechanism for crash-consistent virtual machine protection. For application consistent and application aware virtual machine protection, add a VM Direct Engine.

Table 14. TSDM maximum concurrent protection operations and memory consumption

| Component | Maximum limit | Notes |
| --- | --- | --- |
| Number of concurrent virtual machine backups per ESXi host (ESXi and vCenter 7.0 U3d and later) | 18 | To obtain the maximum concurrent operations, the ESXi hosting the protected virtual machines must be version 7.0 U3d or later. This maximum is based on improvements to TSDM performance that result in faster processing of these sessions, and will vary based on the type of operations being performed (for example, single disk vs multiple disk virtual machine backups). NOTE: A lower number of concurrent streams helps to avoid over-subscription to the ESXi host memory. |
| Number of concurrent virtual machine restores per ESXi host (ESXi and vCenter 7.0 U3d and later) | 16 | |
| Total number of concurrent virtual machine backups and restores per ESXi host (ESXi and vCenter 7.0 U3d and later) | 20 | |
| Number of concurrent virtual machine backups per ESXi host (ESXi and vCenter 7.0 U3c) | 10 | This maximum is based on improvements to TSDM performance that result in faster processing of these sessions. Also, a lower number of concurrent streams helps to avoid over-subscription to the ESXi host memory. |
| Number of concurrent virtual machine restores per ESXi host (ESXi and vCenter 7.0 U3c) | 10 | |
| Concurrent VMDK backups | Up to 28 disks | A full sync uses 29 MB/disk; a delta sync uses 9 MB/disk. 256 MB / 9 MB per disk = up to 28 VMDK backups in parallel. For a single virtual machine, as an example, there might be a maximum of four parallel VMDKs per virtual machine during a full sync, and a maximum of 10 parallel VMDKs per virtual machine during a delta sync. NOTE: Depending on the combination of full and delta syncs and their respective memory consumption, 28 parallel VMDK backups is not always possible. |
| Total TSDM memory consumption on ESXi host | Up to 768 MB | 256 MB / 9 MB per disk = up to 28 VMDK backups in parallel. |
| TSDM memory consumption on ESXi host for DD streams | Up to 256 MB. Up to 28 streams. | A full sync uses 29 MB/disk; a delta sync uses 9 MB/disk. 256 MB / 9 MB per stream = up to 28 DD streams in parallel. NOTE: Depending on the combination of full and delta syncs and their respective memory consumption, 28 streams is not always possible. |

PowerProtect Functionality Within the vSphere Client

Topics:

PowerProtect functionality within the vSphere Client

Overview of the PowerProtect plug-in for the vSphere Client

Overview of VASA and VMware Storage Policy Based Management

PowerProtect functionality within the vSphere Client

The vSphere Client integrates with PowerProtect Data Manager to provide the following functionality:

PowerProtect portlet: When adding a vCenter server as an asset source in the PowerProtect Data Manager UI, if you enable the vSphere Plugin option, a pane for PowerProtect appears in the vSphere Client. This pane provides a subset of PowerProtect Data Manager functionality, including the ability to perform a manual backup, image-level restore and file-level restore of PowerProtect Data Manager virtual machine protection policies.

Storage policy association with a PowerProtect Data Manager virtual machine protection policy: vSphere Storage APIs for Storage Awareness (VASA) leverages VMware Storage Policy Based Management (SPBM) to support data protection operations, allowing you to pair SPBM policies that are created in the vSphere Client with protection policies that are created in PowerProtect Data Manager. This association allows you to manage all virtual machine storage and protection requirements in a centralized location (the vSphere Client), instead of requiring multiple user interfaces.

Overview of the PowerProtect plug-in for the vSphere Client

When adding a vCenter server in the PowerProtect Data Manager user interface, if you enable the vSphere Plugin option, a subset of the user-interface functionality becomes available within the vSphere Client.

The PowerProtect Data Manager portlet appears when you select Hosts and Clusters or VMs and Templates in the left pane of the vSphere Client home page, and then select a virtual machine within the datacenter.

Figure 4. PowerProtect portlet in the vSphere Client

NOTE: If you were already logged into the vSphere Client when the vCenter discovery was started in PowerProtect Data Manager, you must log out and log back in to see the PowerProtect Data Manager user interface.

If the virtual assets in the vCenter server have not yet been assigned to a PowerProtect Data Manager protection policy, only the PowerProtect name displays in the portlet. Adding the virtual machine to a protection policy provides additional information, as shown in the following figure.

Figure 5. PowerProtect portlet with protected virtual machine

After you set up a virtual machine protection policy, you can perform the following PowerProtect Data Manager functionality within the vSphere Client:

View information about protection policies and information about available protection copies.

Monitor in-progress backup and restore operations for the virtual machine protection policy. You can also view information for successfully completed protection copies that are available for restore.

Perform a manual backup.

Perform an image-level restore (Restore to Original, Restore to New, or Instant Access).

Perform a file-level restore.

Prerequisites for enabling the vSphere Client PowerProtect plug-in

To use the vSphere Client PowerProtect plug-in for backup and restore operations, complete the following tasks in the vSphere Client and the PowerProtect Data Manager UI.

Add the vCenter server: In the PowerProtect Data Manager UI, select Infrastructure > Asset Sources, and select vSphere Plugin to enable the plug-in. Add a VMware vCenter server provides information.

Add privileges for the Virtual machine power user group (if you are already an administrator, this task is optional): In the vSphere Client, go to Administration > Roles, select the Virtual Machine power user (PPDM), and then open the Edit Role window.

Add the following PowerProtect Data Manager privileges:

Backup

File Level Restore to Original

Instant Access

Restore to New

Restore to Original

Figure 6. PowerProtect privileges added for the virtual machine power user

NOTE: If you edit the vCenter server in the PowerProtect Data Manager user interface to unregister the vSphere Plugin for PowerProtect Data Manager, these PowerProtect Data Manager privileges are not removed from the user group.

For the virtual asset (virtual machine, cluster, host) and all its child elements, add permissions to the Virtual machine power user group that you enabled with PowerProtect Data Manager privileges. To add these permissions, select the asset in the left pane of the vSphere Client, and then click the Permissions tab.

Add a virtual machine protection policy in the PowerProtect Data Manager user interface Protection > Protection Policies window to schedule a backup of the virtual machines. Add a protection policy for virtual machine protection provides information.

Monitor PowerProtect Data Manager virtual machine protection copies

You can use the Monitor tab in the vSphere Client to view PowerProtect Data Manager protection copies that are available for restore, and monitor in-progress backup and restore operations for the PowerProtect Data Manager virtual machine protection policy.

With a virtual machine selected, in the Monitor tab's navigation pane, select PowerProtect > Protection Copies to view information about completed PowerProtect Data Manager protection policy backups for this virtual machine. This view is the same as the view in the PowerProtect Data Manager UI Infrastructure window. A copy map enables you to view the available protection copies when you click on the storage icon, as described in More options for managing virtual machine backups.

To view the status of active backup and restore operations initiated from the PowerProtect Data Manager UI or the vSphere Client, click the arrows icon in the lower right corner of the window to expand the Recent Tasks pane. You can also view this pane from the Summary window.

Perform a manual PowerProtect-policy backup in the vSphere Client

You can back up one or more PowerProtect Data Manager virtual machine protection policies at any time by performing a manual backup in the vSphere Client.

Prerequisites

Ensure that you are logged in to the vSphere Client as an administrator.

Add the Backup privilege to the Administrator group in the vSphere Client. To add the Backup privilege, complete the following steps:

1. Select Administration > Roles.

2. Select Administrator, and then click Privileges in the right pane.

3. In the PowerProtect Backup section, select Backup.

Ensure that virtual machine assets have been added to a virtual machine protection policy. You cannot perform manual backups of unprotected virtual machines.

Steps

1. In the left pane of the vSphere Client home page, select Hosts and Clusters or VMs and Templates, and then select a virtual machine within the datacenter. The Summary window displays.

2. Perform a manual backup of a virtual machine protection policy by using one of the following methods:

In the left pane, right-click the virtual machine, and then select PowerProtect > Backup.

Within the PowerProtect portlet, click Backup Now.

The vSphere Client starts the backup operation. A message appears indicating whether the request was processed successfully.

Results

An entry for the backup job appears in the Jobs > Protection window of the PowerProtect Data Manager UI. To view the status of operations, you can also click the arrows icon in the lower right corner of the window to expand the Recent Tasks pane.

Perform an image-level restore of a PowerProtect backup in the vSphere Client

You can use the vSphere Client PowerProtect plug-in to perform an image-level restore of a PowerProtect Data Manager virtual machine protection policy backup.

About this task

Available image-level restore options in the vSphere Client include:

Restore to Original: Restore the virtual machine to the original location on the same vCenter server.

Restore Individual Virtual Disks: Restore selected VMDKs to the original location on the same vCenter server.

Restore to New: Restore the virtual machine to a new location on the original vCenter server.

Instant Access: Restore the backup as a live virtual machine to view the backup and then determine whether you want to do a full restore. Instant Access sessions are made available for a default period of 7 days, which can be extended.

Steps

1. In the left pane of the vSphere Client home page, select Hosts and Clusters or VMs and Templates, and then select a virtual machine within the datacenter.

2. In the Summary window, access the backup copy by using one of the following methods:

In the left pane, right-click the virtual machine, and then select PowerProtect > Restore.

Within the PowerProtect portlet, click Restore.

3. On the Select Copy page, for each virtual machine that is listed in the table, select the radio button next to the virtual machine and click Choose Copy. The Choose Copy dialog appears.

NOTE: If you click Next without choosing a copy, the most recent backup copy is used.

4. In the Choose Copy dialog:

a. Select the storage icon to access the backup copies.

b. Choose from one of the available copies that appears in the table.

c. Click OK to close the dialog and return to the Select Copy page.

d. Click Next.

5. On the Purpose page, select from one of the following options:

Restore Entire VMs: Select this option if you want to restore the entire virtual machine.

Restore Individual Virtual Disks: Select this option if you want to restore only specific virtual machine disks (VMDKs).

NOTE: Individual VMDKs can only be restored to the original location.

6. Click Next.

If restoring entire virtual machines, the Restore Type page appears.

If restoring individual VMDKs, the Select Disks page appears.

7. On the Restore Type page, select from one of the available restore types.

For Instant Access restore, review the section Instant Access virtual machine restore.

For Restore to New, review the section Restore to a new virtual machine.

For Restore to Original, review the section Restore to the original virtual machine.

For Restore Individual Virtual Disks, review the section Restore individual virtual disks.

The wizard updates to display the options specific to the restore type that you selected.

NOTE: Options such as vCenter server, resource pool, and datastore are limited to the logged-in vSphere user's permissions, and are not necessarily the same as a PowerProtect Data Manager administrator.

8. Click Next. The Summary page appears.

9. Review your selections and then click Restore.

Results

An entry for the restore job appears in the Recent Tasks pane of the vSphere Client and in the Restore > Running Sessions window of the PowerProtect Data Manager UI.

Next steps

For Instant Access restores, when the virtual machine is powered on and you select the virtual machine in the left pane of the Summary window, the session information appears within the PowerProtect portlet. If you need extra time for this session, you can click Extend Session and increase session availability by up to 7 days.

File-level restores of a PowerProtect backup in the vSphere Client

You use the PowerProtect portlet in the vSphere Client and the VM Direct agent to perform a file-level restore of a PowerProtect Data Manager virtual machine protection-policy backup.

The VM Direct agent facilitates the mounting and unmounting of disks and the browsing of files in the destination virtual machine and the backup copy. The agent is installed automatically during a file-level restore, but you can choose to manually install it before performing a file-level restore. Manually installing the agent allows the user account performing the file-level restore to have different permissions from the user account installing the agent.

NOTE: In some installation paths, application messages, and log files, the VM Direct agent is named the vProxy Agent.

Manually install the VM Direct agent on Linux

You can manually install the VM Direct agent.

Prerequisites

The destination virtual machine is a supported Linux platform. To determine which Linux platforms are supported, see the compatibility information provided by the E-Lab Navigator.

When logging in to the destination virtual machine in the following steps, log in as a root user or a user in the local sudousers list of the operating system.

NOTE: Even if you log in as a user with privileges similar to a root user, the VM Direct agent installation fails.

If you log in to the destination virtual machine in the following steps as a user in the local sudousers list of the operating system, ensure you have already completed the following steps on the destination virtual machine:

1. Provide sudo access to the following files at a minimum:

RPM command (SLES, Red Hat Enterprise Linux, CentOS) and dpkg command (Debian/Ubuntu)

/opt/emc/vproxyra/bin/postinstall.sh

/opt/emc/vproxyra/bin/preremove.sh

Note the following additional requirements:

The sudo user or group must be configured for no password prompt.

The sudo user or group must be provided with the no requiretty option.

When user elevation is enabled for file-level restore:

To browse files, you must have the appropriate authority in the destination virtual machine operating system. For example, you must be permitted to run vflrbrowse using sudo without being prompted for a password.

To perform the restore, the user account must have the appropriate authority. For example, this account requires sudo access and must be able to run vflrcopy without being prompted for a password.

NOTE: If the Run with Elevated Privileges file-level restore is unsuccessful, an error displays indicating Unable to perform FLR Agent operation 'recover_files' on VM virtual machine name. This might occur when a typographical error has been made in the sudo commands. To determine if this has occurred, review the log file output for the following text:

sudo: a password is required
/etc/sudoers.d/admin: syntax error near line 1
sudo: no valid sudoers sources found, quitting

It is recommended that you test the sudo command before performing a file-level restore in order to resolve any potential errors.

2. Create the file /etc/sudoers.d/linuxuser, where linuxuser is the Linux login user, and then add the following contents to the file.

On CentOS, OpenSuSE Leap, Oracle Linux, Red Hat Enterprise Linux, and SuSE Linux Enterprise Server operating systems:

username ALL=NOPASSWD: /usr/bin/rpm, /opt/emc/vproxyra/bin/postinstall.sh, /opt/emc/vproxyra/bin/preremove.sh, /opt/emc/vproxyra/bin/vflrbrowse, /opt/emc/vproxyra/bin/vflrcopy
Defaults:username !requiretty
Defaults:username !authenticate

NOTE: On SuSE 12, the location is /bin/rpm instead of /usr/bin/rpm.

On Debian and Ubuntu Server operating systems:

username ALL=NOPASSWD: /usr/bin/dpkg, /opt/emc/vproxyra/bin/postinstall.sh, /opt/emc/vproxyra/bin/preremove.sh, /opt/emc/vproxyra/bin/vflrbrowse, /opt/emc/vproxyra/bin/vflrcopy
Defaults:username !requiretty
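
The prerequisites above recommend testing the sudo configuration before a file-level restore. The following script is an added example, not part of the Dell guide: it lints a sudoers drop-in for the entries this section lists and flags a command path split by a stray space, an easy copy error when the long rule wraps across lines. The function names lint_vmdirect_sudoers and check_live_sudo and the sample drop-in are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Dell guide: pre-flight checks for the sudoers
# drop-in that this section asks you to create for the VM Direct agent.

# Agent commands the guide lists for passwordless sudo.
REQUIRED_CMDS="/opt/emc/vproxyra/bin/postinstall.sh
/opt/emc/vproxyra/bin/preremove.sh
/opt/emc/vproxyra/bin/vflrbrowse
/opt/emc/vproxyra/bin/vflrcopy"

# lint_vmdirect_sudoers FILE USER PKGTOOL
# Static check of a drop-in. Prints one finding per line and returns 1 if
# anything is wrong. PKGTOOL is /usr/bin/rpm, /bin/rpm or /usr/bin/dpkg.
lint_vmdirect_sudoers() {
    file=$1; user=$2; pkgtool=$3; fail=0

    # Join backslash-continued lines so a wrapped rule is read as one line.
    joined=$(awk '{ if (sub(/\\$/, "")) { buf = buf $0; next }
                    print buf $0; buf = "" }
                  END { if (buf != "") print buf }' "$file")

    rule=$(printf '%s\n' "$joined" |
           grep -E "^${user}[[:space:]]+ALL[[:space:]]*=.*NOPASSWD:" | head -n 1)
    if [ -z "$rule" ]; then
        echo "no NOPASSWD rule found for user $user"
        return 1
    fi

    # One granted command per line, surrounding whitespace trimmed.
    granted=$(printf '%s\n' "${rule#*NOPASSWD:}" | tr ',' '\n' |
              sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')

    # A path broken by a stray space leaves a directory stub ("/opt/emc/")
    # as the command word, so the intended binary is not granted.
    broken=$(printf '%s\n' "$granted" | awk 'NF > 1 && $1 ~ /\/$/')
    if [ -n "$broken" ]; then
        printf '%s\n' "$broken" | sed 's/^/path split by whitespace: /'
        fail=1
    fi

    for cmd in $pkgtool $REQUIRED_CMDS; do
        # Compare the command word only; sudoers allows arguments after it.
        if ! printf '%s\n' "$granted" |
             awk -v c="$cmd" '$1 == c { found = 1 } END { exit !found }'; then
            echo "missing NOPASSWD entry: $cmd"
            fail=1
        fi
    done

    if ! printf '%s\n' "$joined" |
         grep -Eq "^Defaults:${user}[[:space:]]+.*!requiretty"; then
        echo "missing Defaults:$user !requiretty"
        fail=1
    fi
    return $fail
}

# check_live_sudo: run on the destination VM as the restore user. "sudo -n"
# never prompts, so a missing or mistyped rule shows up here instead of
# during the restore.
check_live_sudo() {
    rc=0
    for cmd in /opt/emc/vproxyra/bin/vflrbrowse /opt/emc/vproxyra/bin/vflrcopy; do
        sudo -n -l "$cmd" >/dev/null 2>&1 || { echo "sudo denies: $cmd"; rc=1; }
    done
    return $rc
}

# Demo on a constructed drop-in whose long rule was pasted with stray spaces.
demo=$(mktemp)
cat > "$demo" <<'EOF'
username ALL=NOPASSWD: /usr/bin/rpm, /opt/emc/vproxyra/bin/postinstall.sh, /opt/emc/ vproxyra/bin/preremove.sh, /opt/emc/vproxyra/bin/vflrbrowse, /opt/emc/vproxyra/bin/ vflrcopy
Defaults:username !requiretty
EOF
lint_vmdirect_sudoers "$demo" username /usr/bin/rpm || echo "lint failed"
rm -f "$demo"
```

Run visudo -cf on the drop-in for the authoritative syntax check, and run check_live_sudo on the destination virtual machine as the user who will perform the restore.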

About this task

To manually install the VM Direct agent, perform the following steps.

Steps

1. Connect to the PowerProtect Data Manager console and change to the root user.

2. Run the command cd /opt/emc/sw-repo/vflragent/linux.

3. Run the following command:

scp @ :

If the destination virtual machine operating system is CentOS, OpenSuSE Leap, Oracle Linux, RedHat Enterprise Linux, or SuSE Linux Enterprise Server, replace with the name of the .rpm file.

If the destination virtual machine operating system is Debian or Ubuntu Server, replace with the name of the .deb file.

Replace with the name of a root user on the destination virtual machine.

Replace with the IP address of the destination virtual machine.

Replace with a directory path on the destination virtual machine to which the VM Direct agent installer package should be copied.

NOTE: If you are installing the VM Direct agent as a non-root user, ensure the non-root user has read and execute permissions to files in this directory path.

4. Log in to a shell prompt of the destination virtual machine.

5. Change directories to the location of the file copied in step 3.

6. If the destination virtual machine operating system is CentOS, OpenSuSE Leap, Oracle Linux, RedHat Enterprise Linux, or SuSE Linux Enterprise Server, run the following command:

rpm -ivh

Replace with the name of the file copied in step 3.

7. If the destination virtual machine operating system is Debian or Ubuntu Server, run the following command:

dpkg -i

Replace with the name of the file copied in step 3.

8. Run the command /opt/emc/vproxyra/bin/postinstall.sh.

Results

You can now perform file-level restore operations as a non-root user.

Manually install the VM Direct agent on Windows

You can manually install the VM Direct agent.

Prerequisites

The destination virtual machine is a supported Windows platform. To determine which Windows platforms are supported, see the compatibility information provided by the E-Lab Navigator.

When logging in to the destination virtual machine in the following steps, log in as a user with administrator rights. If you need to enable the administrator account, perform the following steps:

1. Open a command prompt in administrative mode, and then type net user administrator /active:yes.

2. To set a password for the administrator account, go to Control Panel > User Accounts and select the Advanced tab. Initially, the account password is blank.

3. In the User Accounts pane, right-click the user, select Properties, and then clear the Account is disabled option.

About this task

To manually install the VM Direct agent, perform the following steps.

Steps

1. Connect to the PowerProtect Data Manager console and change to the root user.

2. Run the command cd /opt/emc/sw-repo/vflragent/windows.

3. Copy emc-vProxy-FLRAgent-ppdm-version_1.x86_64.msi to the destination virtual machine.

4. Log in to the destination virtual machine.

5. Install the VM Direct agent by double-clicking emc-vProxy-FLRAgent-ppdm-version_1.x86_64.msi. The Programs and Features Control Panel tool displays Dell vProxy Agent as installed.

Results

You can now perform file-level restore operations as a user without administrator rights.

Perform a file-level restore of a PowerProtect backup in the vSphere Client

You can use the PowerProtect portlet in the vSphere Client to perform a file-level restore of a PowerProtect Data Manager virtual machine protection policy backup.

Prerequisites

Note the following before performing file-level restore in the vSphere Client:

A minimum vCenter version of 6.7 U1 is required.

Review the section Supported platform versions for file-level restore for supported platform and operating system versions.

Review the section File-level restore and SQL restore requirements and limitations.

NOTE:

For file-level restores, you can only restore files:

From a Windows backup to a Windows machine, or from a Linux backup to a Linux machine.

To virtual machines within the same vCenter server.

About this task

Available file-level restore options in the vSphere Client include:

Restore single or multiple files to the original folder and overwrite the original files within the same virtual machine, or

Restore single or multiple files to a new folder with a new name within the same virtual machine.

Steps

1. In the left pane of the vSphere Client home page, select Hosts and Clusters or VMs and Templates, and then select a virtual machine within the datacenter. The Summary window displays.

2. Access the backup copy by using one of the following methods:

In the left pane, right-click the virtual machine, and then select PowerProtect > File Level Restore.

Within the PowerProtect portlet, click File Level Restore.

3. From the Select Copy page, for each virtual machine that is listed in the table, select the radio button next to the virtual machine and click Choose Copy.

The Choose Copy dialog appears.

NOTE: If you click Next without choosing a copy, the most recent backup copy is used.

4. In the Choose Copy dialog:

a. Select the storage icon to access the backup copies.

b. Choose from one of the available copies that appears in the table.

c. Click OK to close the dialog and return to the Select Copy page.

d. Click Next.

5. From the Mount Copy page:

a. To initiate the disk mount, type the destination virtual machine operating system user credentials:

If there are administrator-level credentials associated with the virtual assets or protection policy being restored, specify end-user credentials.

If there are no administrator-level credentials associated with the virtual assets or protection policy being restored, specify administrator credentials. These credentials will be handled as end-user credentials.

b. (Optional) Leave Keep FLR Agent Installed selected when you want the VM Direct agent to remain on the destination virtual machine after the restore completes.

c. (Optional) If you are logged in as a user without administrator rights or root permissions to the destination virtual machine, select Run with Elevated Privileges to override any authentication or elevation prompts that appear when restoring to folders. To enable this option, the VM Direct agent must already be installed.

d. Click Start Mount to initiate the disk mount.

If not already installed, the VM Direct agent is automatically installed on the destination virtual machine. A progress bar indicates when the mount completes.

NOTE: You cannot browse the contents of the virtual machine backup until the disk mount completes successfully.

e. After a successful disk mount, click Next.

6. From the Select Files to Recover page:

a. Expand individual folders to browse the original virtual machine backup, and select the objects that you want to restore to the destination virtual machine.

b. Click Next.

NOTE: In the browse view, each directory or hard drive appears twice. Selecting an object from one location selects the object in the duplicate location as well.

7. From the Options page, select from one of the following options:

Restore to Original Folder and Overwrite Original Files: Select this option to restore all selected files to their original location on the original virtual machine.

Restore to an Alternate Folder: Select this option if you want to restore to a new folder in a new location on the original virtual machine.

NOTE: If you are performing the restore to a Linux virtual machine when logged in as a user in the local sudousers list and Run with Elevated Privileges is selected, the new folder is owned by the root user. Ensure the user you are logged in as has permissions to the directory. Otherwise, the restored files cannot be viewed.

8. Click Next.

If performing the restore to the original virtual machine, the Summary page displays. You can go to the final step.

If performing the restore to an alternate location on the original virtual machine, the Restore Location page displays.

9. From the Restore Location page:

a. Browse the folder structure of the virtual machine to select the new folder where you want to restore the objects.

b. Click Next.

10. From the Summary page:

a. Review the information to ensure that the restore details are correct. You can click Edit next to the Restore Location or Files Selected rows to change the information.

b. Click Restore.

Results

An entry for the restore job appears in the Recent Tasks pane of the vSphere Client and in the Restore > Running Sessions window of the PowerProtect Data Manager UI.

Overview of VASA and VMware Storage Policy Based Management

vSphere Storage APIs for Storage Awareness (VASA) is a set of application program interfaces (APIs) that allow arrays to integrate with vCenter for management functionality. Storage Vendor Providers allow the vCenter server to retrieve information from storage arrays, including topology, capabilities (such as native thin provisioning and deduplication), and status. The policy-based management functionality of a VASA provider helps administrators choose the appropriate storage device, and monitors and reports information about existing storage policies.

Starting in vSphere version 7.0 U1, VASA support is extended to Data Protection operations by leveraging VMware Storage Policy Based Management (SPBM). SPBM spans all storage offerings from VMware, allowing policies to provision and manage storage for any virtual machine application. The integration of PowerProtect Data Manager and SPBM allows you to:

- Pair SPBM policies with protection policies, allowing you to meet virtual machine storage and protection requirements within vSphere without requiring the PowerProtect Data Manager UI for data protection operations.
- Add new or existing virtual assets to an SPBM policy. You can also reassign these assets and remove them from the policy.
- View policy compliance status, including data protection policy information.
- Protect virtual machines at scale, allowing you to manage capacity resources and overcome challenges such as capacity planning and different service level requirements.

Enabling VASA and SPBM within the vSphere Client for integration with PowerProtect Data Manager requires you to perform the following:

- Register the VASA provider to allow for storage provisioning information flow between PowerProtect Data Manager and the vCenter server.
- Select the PowerProtect Data Manager storage awareness provider within the vCenter server storage policy component creation workflow, which exposes the list of available PowerProtect Data Manager virtual machine protection policies.
- Assign the PowerProtect Data Manager protection policy to an SPBM policy, which is automatically assigned to virtual machines when they are represented by an instance.
- Monitor the status of storage compliancy of the virtual assets protected by these PowerProtect Data Manager policies.

If you replace the default self-signed security certificates for PowerProtect Data Manager with certificates from an approved certificate authority, you must exchange the new security certificates with vCenter. The PowerProtect Data Manager Security Configuration Guide provides instructions.

Register the VASA provider for policy association

The following procedure describes how to register the VASA provider to enable PowerProtect Data Manager communication with the vCenter server and use the provider to enable an association between a virtual machine storage policy and a PowerProtect Data Manager virtual machine protection policy.

Prerequisites

The vSphere version must be a minimum of 7.0 U1.

Steps

1. In the vSphere Client, go to Menu > Hosts and Clusters.

2. In the left pane, select the vCenter server, and then select the Configure tab.

3. Under Security, select Storage Providers, and then click + Add. The New Storage Provider dialog appears.

4. On the New Storage Provider dialog:

a. Specify a name for the provider.

b. Specify a URL in the format https://my-ppdm.example.com:9009/vasa/version.xml, where my-ppdm.example.com is the PowerProtect Data Manager fully qualified hostname.

c. Provide PowerProtect Data Manager credentials for a user with the Administrator role, and then click OK.

These credentials are only required for the initial login to perform the registration. Subsequent log-in attempts use certificates.

If the vCenter server does not trust the SSL certificate of the PowerProtect Data Manager server, a prompt appears, asking if you want to accept the certificate as trusted. You can trust this certificate, or alternatively, you can securely obtain a copy of the certificate as a file, and then click Browse within this prompt to select and trust the certificate. The vCenter documentation provides more information.

NOTE: For self-signed or untrusted certificates, an error might appear. You can dismiss and ignore this error.

5. Provide PowerProtect Data Manager administrator level credentials, and then click OK. The dialog updates to indicate that the registration is in progress. If the vCenter server does not trust the SSL certificate of the PowerProtect Data Manager server, a prompt displays to accept the certificate as trusted. You can trust this certificate, or alternatively, you can securely obtain a copy of the certificate as a file, and then click Browse within this prompt to select and trust the certificate. The vCenter documentation provides more information.

NOTE: For self-signed or untrusted certificates, an error might appear. You can ignore this error.

6. When the registration is complete, click OK to exit the New Storage Provider dialog. The Configure tab updates to display the new VASA provider.

Results

You can now use the vSphere Client to create a virtual machine storage policy and associate this policy with an existing PowerProtect Data Manager virtual machine protection policy.

NOTE: If the provider goes offline at any point, you can select the provider in the table and click Rescan to reestablish a connection. Also, if the provider is removed and then readded, any policies that were previously assigned to the provider are restored.
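Before accepting the certificate prompt in steps 4 and 5, the certificate presented on the provider port can be compared with the copy that was obtained securely as a file. The following is an added example, not code from Dell or from this guide; the function names and sample data are assumptions, and the sample "certificates" are constructed byte strings in PEM armor rather than real X.509 certificates.

```python
import base64
import hashlib
import re
import ssl
import sys

VASA_PORT = 9009  # port from the provider URL format given in step 4

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)


def first_cert_der(pem_text):
    """Return the DER bytes of the first certificate block in PEM text."""
    match = _PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    # Strip line breaks, then decode strictly so stray characters are rejected.
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def sha256_fingerprint(pem_text):
    """Colon-separated, upper-case SHA-256 fingerprint of the first certificate."""
    digest = hashlib.sha256(first_cert_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(text):
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex; return 64 lower-case hex chars."""
    cleaned = re.sub(r"[\s:]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", cleaned):
        raise ValueError("not a SHA-256 fingerprint")
    return cleaned


def matches_fingerprint(presented_pem, expected_fingerprint):
    """True if the presented certificate hashes to the expected fingerprint."""
    presented = normalize_fingerprint(sha256_fingerprint(presented_pem))
    return presented == normalize_fingerprint(expected_fingerprint)


def matches_trusted_copy(presented_pem, trusted_pem):
    """True if the presented certificate is byte-identical to the trusted copy."""
    return matches_fingerprint(presented_pem, sha256_fingerprint(trusted_pem))


def fetch_presented_pem(host, port=VASA_PORT):
    """Fetch the certificate the server presents, without validating it.

    The result is only an input to the comparison above; it is not trusted.
    """
    return ssl.get_server_certificate((host, port))


def constructed_pem(payload):
    """Wrap arbitrary bytes in PEM armor (constructed stand-in, not real X.509)."""
    body = base64.encodebytes(payload).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed sample data so the comparison can be exercised offline.
SAMPLE_TRUSTED = constructed_pem(b"constructed bytes standing in for the PPDM certificate")
SAMPLE_OTHER = constructed_pem(b"constructed bytes standing in for an unexpected certificate")

if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: script.py my-ppdm.example.com trusted-copy.pem (hypothetical file name)
        with open(sys.argv[2], encoding="ascii") as handle:
            trusted = handle.read()
        presented = fetch_presented_pem(sys.argv[1])
    else:
        trusted, presented = SAMPLE_TRUSTED, SAMPLE_OTHER
    print("presented:", sha256_fingerprint(presented))
    print("trusted:  ", sha256_fingerprint(trusted))
    ok = matches_trusted_copy(presented, trusted)
    print("MATCH" if ok else "MISMATCH: do not accept the certificate prompt")
    sys.exit(0 if ok else 1)
```

A mismatch means the endpoint on port 9009 is not presenting the certificate that was exported from PowerProtect Data Manager, so the prompt should not be accepted until the difference is explained.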

Add an SPBM policy and associate with a PowerProtect Data Manager virtual machine policy

Use the vSphere Client to create a virtual machine storage policy and associate this policy with an existing PowerProtect Data Manager virtual machine protection policy.

Steps

1. In the vSphere Client, select the vCenter server in the left pane.

2. Go to Menu > Policies and Profiles.

3. In the left pane, select VM Storage Policies, and then click Create in the right pane. The Create VM Storage Policy wizard appears.

4. Provide a name and description that helps identify this policy as a storage policy that you want to associate with a PowerProtect Data Manager protection policy, and then click Next.

5. On the Policy Structure page, select Enable host based rules, and then click Next.

6. On the Host based services page, select the Data Protection tab, and then perform the following:

a. Select Custom.

b. From the Provider list, select DellEMC PowerProtect as the registered provider.

c. From the PPDM Protection Policy list, select an existing PowerProtect Data Manager virtual machine protection policy that you want to associate with this storage policy.

NOTE: It is recommended that you use a descriptive name for the PowerProtect Data Manager virtual machine protection policy so that the purpose is easy to identify, since the vSphere Client does not provide policy details within the PowerProtect portlet. If you decide to rename the PowerProtect Data Manager policy at any point, the association is retained since the UUID of the policy is used to create the connection.

d. Click Next.

7. Complete the storage policy details, and click Finish.

Results

The VM Storage Policies window displays the new storage policy in the table. An association is created between the PowerProtect Data Manager policy and the virtual machine storage policy, and the PowerProtect portlet in the vSphere Client updates to display the PowerProtect Data Manager protection policy. You can now perform manual backups and scheduled restores of the virtual assets in this policy.

When you assign the new storage policy to a virtual machine, that virtual machine should automatically be assigned to the associated PowerProtect Data Manager protection policy as well. Also, if you are creating a new virtual machine, you can assign a storage policy to the new virtual machine during this process.

NOTE: You can create separate storage policies for each virtual machine disk, but only the policy that is associated with the virtual machine is used for data protection.

NOTE: If you want to remove a virtual machine from protection, assign the virtual machine to a different policy, or to the Datastore Default policy.

Monitor virtual machine protection policy compliance

You can use the Storage Policies portlet within the vSphere Client to monitor the compliance of virtual assets in PowerProtect Data Manager virtual machine protection policies.

To access the portlet:

- Select the Summary tab, or
- Select the Configure tab, select a virtual machine in the left pane, and then click Policies.

If a virtual asset was unassigned from the policy within PowerProtect Data Manager, the policy displays as Non-compliant.

VMware Cloud (VMC) on Amazon Web Services (AWS)

Topics:

- PowerProtect Data Manager image backup and recovery
- Supported PowerProtect Data Manager and DDVE deployment configurations
- Deployment and configuration best practices and requirements
- Configuring the VMC-on-AWS portal
- Interoperability with PowerProtect Data Manager features
- vCenter server inventory requirements
- Creating a dedicated cloud-based vCenter user account
- Add a VM Direct Engine
- Unsupported operations

PowerProtect Data Manager image backup and recovery

PowerProtect Data Manager provides image backup and restore support for VMware Cloud (VMC) on Amazon Web Services (AWS).

Using PowerProtect Data Manager to protect virtual machine assets in VMC on AWS is similar to how you protect virtual machine assets in an on-premises data center. The following sections provide information on network configuration requirements, PowerProtect Data Manager best practices, and unsupported PowerProtect Data Manager operations.

Supported PowerProtect Data Manager and DDVE deployment configurations

In order to protect virtual machine assets in VMC on AWS, PowerProtect Data Manager and DDVE can be deployed in several ways.

When deploying PowerProtect Data Manager and DDVE, two possible deployment environments are VMware Cloud on AWS (VMC on AWS) and the AWS Marketplace (AWS). The following table describes the supported deployment configurations of the two products:

Table 15. Supported deployment configurations

| PowerProtect Data Manager | DDVE |
|---|---|
| VMware Cloud on AWS | VMware Cloud on AWS |
| VMware Cloud on AWS | AWS Marketplace |
| AWS Marketplace | AWS Marketplace |

When deploying PowerProtect Data Manager to VMC on AWS, an Open Virtualization Appliance (OVA) is used. This puts PowerProtect Data Manager into the VMC-on-AWS environment in order to protect the VMware assets. When deploying PowerProtect Data Manager to AWS, a machine image is used. This puts PowerProtect Data Manager into a cloud-marketplace environment, but still allows the VMware assets in the VMC-on-AWS environment to be protected.

For more information about the different deployment types, see the PowerProtect Data Manager Deployment Guide and the PowerProtect Data Manager Amazon Web Services Deployment Guide.

Deployment and configuration best practices and requirements

Deploying and configuring PowerProtect Data Manager, DDVE, and other components in a certain way provides efficient protection of virtual machine assets.

To perform data protection and disaster recovery tasks in VMC on AWS, consider the following recommendations for the backup infrastructure:

- Deploy PowerProtect Data Manager and DDVE either to VMC on AWS or to AWS.
- Deploy the VM Direct appliance to VMC on AWS.
- Deploy at least one VM Direct appliance for each software-defined data center (SDDC) cluster in the VMC-on-AWS environment.
- When deploying or configuring PowerProtect Data Manager or the VM Direct appliance, ensure that the DNS server IP points to the internal DNS server that is running in vCenter inventory.
- Ensure that the internal DNS server has both forward and reverse lookup entries for all of the required components, such as the PowerProtect Data Manager server, the VM Direct appliance, and the DDVE appliance.
- If using NSX-T, add the vCenter server to PowerProtect Data Manager by using the FQDN.
- If using NSX-V, add the vCenter server to PowerProtect Data Manager by using the public FQDN of the vCenter server.
- When adding the vCenter server to PowerProtect Data Manager, perform one of the following actions:
  - Specify the login credentials for the cloudadmin@vmc.local user.
  - Refer to Creating a dedicated cloud-based vCenter user account to create a dedicated cloud-based vCenter user account, and then specify the login credentials for that user.
- You can clone backups to another instance of DDVE running in the same environment as the first instance. This type of deployment enables backup copies to be stored for longer retention, leveraging the AWS network for transferring data at lower latency and cost when compared to the public Internet.
- You can store backups outside of the VMC-on-AWS environment. For example, store backups on an AWS virtual private cloud (VPC). This type of deployment enables efficient data transfer over the fast ENI connection that is used by VMware to communicate with AWS.

Configuring the VMC-on-AWS portal

Domain Name System (DNS) resolution is critical for deployment and configuration of PowerProtect Data Manager, the PowerProtect Data Manager external proxy, and DDVE. All infrastructure components should be resolvable through a fully qualified domain name (FQDN). Resolvable means that components are accessible through both forward (A) and reverse (PTR) lookups.
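The forward (A) and reverse (PTR) requirement can be checked for every component before deployment. The following is an added example, not code from Dell or from this guide: it resolves each FQDN, looks up the PTR record for every returned address, and reports components whose reverse lookup is missing or points at a different name. The host names, addresses and function names are constructed for illustration.

```python
import socket


def _norm(name):
    """DNS names are case-insensitive and PTR answers may end with a dot."""
    return name.rstrip(".").lower()


def system_forward(fqdn):
    """Forward lookup through the system resolver: FQDN -> set of IP addresses."""
    return {info[4][0] for info in socket.getaddrinfo(fqdn, None)}


def system_reverse(ip):
    """Reverse (PTR) lookup through the system resolver: IP -> set of names."""
    primary, aliases, _addresses = socket.gethostbyaddr(ip)
    return {primary, *aliases}


def check_host(fqdn, forward=system_forward, reverse=system_reverse):
    """Return a list of problems for one FQDN; an empty list means resolvable."""
    try:
        addresses = forward(fqdn)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return [f"{fqdn}: forward lookup failed ({exc})"]
    if not addresses:
        return [f"{fqdn}: forward lookup returned no addresses"]
    problems = []
    for ip in sorted(addresses):
        try:
            names = {_norm(n) for n in reverse(ip)}
        except OSError as exc:  # socket.herror is a subclass of OSError
            problems.append(f"{fqdn}: no PTR record for {ip} ({exc})")
            continue
        if _norm(fqdn) not in names:
            problems.append(
                f"{fqdn}: PTR for {ip} is {sorted(names)}, expected {_norm(fqdn)}"
            )
    return problems


def check_hosts(fqdns, forward=system_forward, reverse=system_reverse):
    """Check every FQDN; return {fqdn: [problems]}."""
    return {fqdn: check_host(fqdn, forward, reverse) for fqdn in fqdns}


# Constructed sample zone standing in for the internal DNS server, so the
# example runs offline. Replace with system_forward/system_reverse in use.
SAMPLE_A = {
    "ppdm.corp.example": {"10.0.0.10"},
    "vmdirect.corp.example": {"10.0.0.20"},
    "ddve.corp.example": {"10.0.0.30"},
}
SAMPLE_PTR = {
    "10.0.0.10": {"PPDM.corp.example."},      # matches after normalization
    "10.0.0.20": {"old-proxy.corp.example"},  # stale PTR record
    # 10.0.0.30 deliberately has no PTR record
}


def sample_forward(fqdn):
    if fqdn not in SAMPLE_A:
        raise socket.gaierror(-2, "Name or service not known")
    return SAMPLE_A[fqdn]


def sample_reverse(ip):
    if ip not in SAMPLE_PTR:
        raise socket.herror(1, "Unknown host")
    return SAMPLE_PTR[ip]


if __name__ == "__main__":
    report = check_hosts(SAMPLE_A, sample_forward, sample_reverse)
    for fqdn, problems in report.items():
        print(fqdn, "OK" if not problems else "FAIL")
        for problem in problems:
            print("   ", problem)
```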

Ensure that the VMC-on-AWS portal meets the following requirements:

- By default, there is no external access to the vCenter server in the software-defined data center (SDDC). You can open access to the vCenter server by configuring a firewall rule. To enable communication to the vCenter public IP address from the SDDC logical network, set the firewall rule in the compute gateway of VMC on AWS. If the firewall rule is not configured in the SDDC, PowerProtect Data Manager does not allow you to add the vCenter server.
- The default compute gateway firewall rules prevent all virtual machine traffic from reaching the Internet. To enable the PowerProtect Data Manager virtual machine to connect to the Internet, create a compute gateway firewall rule. This action enables outbound traffic on the logical network to which the PowerProtect Data Manager server virtual machine is connected.
- Configure DNS to allow machines in the SDDC to resolve FQDNs to their public IP addresses. If the DNS server is not configured in the SDDC, the PowerProtect Data Manager server does not allow you to add the vCenter server by using the server's public FQDN or IP address.
- It is recommended that you deploy the DD system as a virtual appliance. If deploying DDVE to VMC-on-AWS, connect the SDDC to an AWS account during the SDDC creation, and then select a VPC and subnet within that account.
- DDVE must be connected to the SDDC through the VMC-on-AWS Elastic Network Interfaces (ENIs). This action allows the SDDC, the services in the VPC, and subnet in the AWS account to communicate without having to route traffic through the Internet gateway. The same ENI channel is recommended for access to DDVE. For more information about configuring ENIs, see https://vmc.vmware.com/console/aws-link.
- If DDVE is running in VMC-on-AWS, configure the inbound and outbound firewall rules of the compute gateway for DDVE connectivity.
- For detailed information on what incoming and outgoing ports need to be opened for the PowerProtect-VM proxy solution, refer to the PowerProtect Data Manager Security Configuration Guide.
- If using NSX-T, configure DNS to resolve to the internal IP address of the vCenter server. Navigate to SDDC Management > Settings > vCenter FQDN, and then select the Private vCenter IP address to directly access the management network over the built-in firewall.
- Open TCP port 443 of the vCenter and ESXi servers in both the management and compute gateways.
- For a VMC-on-AWS environment, open the ESXi server inbound firewall rule with ports 902 and 443 for the PowerProtect-VM proxy solution.
- If DDVE is running in VMC-on-AWS, the inbound and outbound firewall rules of the VMC-on-AWS VPC security group are configured to provide connectivity between the SDDC compute gateway and DDVE.
- If there is replication between DDVE instances, ensure the following:
  - The security group in AWS is configured to allow all inbound traffic from the private IPs of the DDVE instances.
  - The DDVE instances can ping each other using their FQDNs.

Interoperability with PowerProtect Data Manager features

VMC on AWS has certain restrictions on workloads and resource pools. To ensure proper operation, select the Workload and Compute sections in AWS.

Do not use the following non-accessible areas:

- vSANdatastore datastore
- Management VMs folder in VMs and Templates view
- Mgmt-ResourcePool resource pool in Hosts and Clusters view

vCenter server inventory requirements

In the vCenter server inventory of the SDDC, ensure that the following requirements are met:

- An internal DNS name server must be running inside vCenter inventory. This will be referenced by all the workloads running in the SDDC.
- The internal DNS server must have Forwarders enabled to access the internet. This action is required to resolve the vCenter server's public FQDN. Forwarders are DNS servers that the server can use to resolve DNS queries for records that the server itself cannot resolve.

Creating a dedicated cloud-based vCenter user account

It is recommended that you set up a separate vCenter user account at the root level of the vCenter hierarchy. This account is strictly dedicated for use with PowerProtect Data Manager and the VM Direct protection engine in cloud-based environments.

Use of a generic user account such as Administrator could make future troubleshooting efforts difficult as it might not be clear which Administrator actions are actually interfacing or communicating with PowerProtect Data Manager. Using a separate vCenter user account ensures maximum clarity if it becomes necessary to examine vCenter logs.

You can specify the credentials for a vCenter user account when you add the vCenter server as an asset source in the user interface. When you add the vCenter server, ensure that you specify a user whose cloud-based role is defined at the vCenter level and not restricted to a lower-level container object in the vSphere object hierarchy.

Specify the required privileges for a dedicated cloud-based vCenter user account

You can use the vSphere Client to specify the required privileges for the dedicated cloud-based vCenter user account, or you can use the PowerCLI, which is an interface for managing vSphere.

The following table includes the privileges required for this user.

NOTE: For the privileges required when administering on-premises PowerProtect Data Manager, see Specify the required privileges for a dedicated vCenter user account.

Table 16. Minimum required cloud-based vCenter user account privileges

| Setting | vCenter 6.0 and later required privileges |
|---|---|
| Alarms | Create alarm; Modify alarm |
| Cryptographic operations | Direct Access (NOTE: This only applies to AVS and GCVE.) |
| Datastore | Allocate space; Browse datastore; Configure datastore; Low level file operations; Remove file |
| Folder | Create folder |
| Global | Cancel task; Log event; Manage custom attributes; Set custom attribute |
| vSphere Tagging | Assign or Unassign vSphere Tag; Assign or Unassign vSphere Tag on Object (NOTE: This only applies to vCenter 7.0 and later.); Create vSphere Tag; Create vSphere Tag Category |
| Network | Assign network |
| Resource | Assign virtual machine to resource pool; Migrate powered off virtual machine; Migrate powered on virtual machine |
| Sessions | Validate session |
| SPBM policy restore | Profile-driven storage |
| vApp | Export; Import; vApp application configuration |
| Virtual Machine | |
| Change Configuration | Acquire disk lease; Add existing disk; Add new disk; Add or remove device; Advanced configuration; Change CPU count; Change Memory; Change Settings; Change Swapfile placement; Change resource; Configure Host USB device; Configure Raw device; Configure managedby; Extend virtual disk; Modify device settings; Reload from path; Remove disk; Rename; Reset guest information; Set annotation; Toggle disk change tracking; Upgrade virtual machine compatibility |
| Edit Inventory | Create new; Register; Remove; Unregister |
| Guest operations | Guest operation modifications; Guest operation program execution; Guest operation queries |
| Interaction | Configure CD media; Connect devices; Console interaction; Guest operating system management by VIX API; Install VMware Tools; Power off; Power on; Reset |
| Provisioning | Allow disk access; Allow read-only disk access; Allow virtual machine download; Mark as template |
| Snapshot Management | Create snapshot; Remove snapshot; Revert to snapshot |

PowerCLI equivalent required privileges:

    $privileges = @(
        'System.Anonymous', 'System.View', 'System.Read',
        'Alarm.Create', 'Alarm.Edit',
        'Cryptographer.Access',
        'Datastore.Browse', 'Datastore.DeleteFile', 'Datastore.FileManagement',
        'Datastore.AllocateSpace', 'Datastore.Config',
        'Folder.Create',
        'Global.ManageCustomFields', 'Global.SetCustomField',
        'Global.LogEvent', 'Global.CancelTask',
        'InventoryService.Tagging.AttachTag',
        'InventoryService.Tagging.ObjectAttachable',
        'InventoryService.Tagging.CreateTag',
        'InventoryService.Tagging.CreateCategory',
        'Network.Assign',
        'Resource.AssignVMToPool', 'Resource.HotMigrate', 'Resource.ColdMigrate',
        'Sessions.ValidateSession',
        'StorageProfile.View',
        'VApp.ApplicationConfig', 'VApp.Export', 'VApp.Import',
        'VirtualMachine.Config.Rename', 'VirtualMachine.Config.Annotation',
        'VirtualMachine.Config.AddExistingDisk', 'VirtualMachine.Config.AddNewDisk',
        'VirtualMachine.Config.RemoveDisk', 'VirtualMachine.Config.RawDevice',
        'VirtualMachine.Config.HostUSBDevice', 'VirtualMachine.Config.CPUCount',
        'VirtualMachine.Config.Memory', 'VirtualMachine.Config.AddRemoveDevice',
        'VirtualMachine.Config.EditDevice', 'VirtualMachine.Config.Settings',
        'VirtualMachine.Config.Resource', 'VirtualMachine.Config.UpgradeVirtualHardware',
        'VirtualMachine.Config.ResetGuestInfo', 'VirtualMachine.Config.AdvancedConfig',
        'VirtualMachine.Config.DiskLease', 'VirtualMachine.Config.SwapPlacement',
        'VirtualMachine.Config.DiskExtend', 'VirtualMachine.Config.ChangeTracking',
        'VirtualMachine.Config.ReloadFromPath', 'VirtualMachine.Config.ManagedBy',
        'VirtualMachine.GuestOperations.Query', 'VirtualMachine.GuestOperations.Modify',
        'VirtualMachine.GuestOperations.Execute',
        'VirtualMachine.Interact.PowerOn', 'VirtualMachine.Interact.PowerOff',
        'VirtualMachine.Interact.Reset', 'VirtualMachine.Interact.ConsoleInteract',
        'VirtualMachine.Interact.DeviceConnection', 'VirtualMachine.Interact.SetCDMedia',
        'VirtualMachine.Interact.ToolsInstall', 'VirtualMachine.Interact.GuestControl',
        'VirtualMachine.Inventory.Create', 'VirtualMachine.Inventory.Register',
        'VirtualMachine.Inventory.Delete', 'VirtualMachine.Inventory.Unregister',
        'VirtualMachine.Provisioning.DiskRandomAccess',
        'VirtualMachine.Provisioning.DiskRandomRead',
        'VirtualMachine.Provisioning.GetVmFiles',
        'VirtualMachine.Provisioning.MarkAsTemplate',
        'VirtualMachine.State.CreateSnapshot', 'VirtualMachine.State.RevertToSnapshot',
        'VirtualMachine.State.RemoveSnapshot'
    )

    New-VIRole -Name 'PowerProtect' -Privilege (Get-VIPrivilege -Id $privileges)

Add a VM Direct Engine

Perform the following steps in the Protection Engines window of the PowerProtect Data Manager UI to deploy an external VM Direct Engine, also referred to as a VM proxy. The VM Direct Engine facilitates data movement for virtual machine protection policies.

Prerequisites

Review the sections Requirements for an external VM Direct Engine, Transport mode considerations, and Protection engine limitations.

If applicable, complete all of the virtual network configuration tasks before you assign any virtual networks. The PowerProtect Data Manager Administration and User Guide provides more information.

About this task

The PowerProtect Data Manager software comes bundled with an embedded VM Direct engine, which is automatically used as a fallback proxy for performing backups and restores when the added external proxies fail or are disabled. It is recommended that you deploy external proxies by adding a VM Direct Engine for the following reasons:

- An external VM Direct Engine for VM proxy backup and recovery can provide improved performance and reduce network bandwidth utilization by using source-side deduplication.
- The embedded VM Direct engine has limited capacity for backup streams.
- The embedded VM Direct engine is not supported for VMC-on-AWS, AVS-on-Azure, or GCVE-on-GCP operations.

NOTE: Cloud-based deployments of PowerProtect Data Manager do not support the configuration of data-traffic routing or VLANs. Skip the Networks Configuration page.

Steps

1. From the left navigation pane, select Infrastructure > Protection Engines.

The Protection Engines window appears.

2. In the VM Direct Engines pane of the Protection Engines window, click Add. The Add Protection Engine wizard displays.

3. On the Protection Engine Configuration page, complete the required fields, which are marked with an asterisk.

- Hostname, Gateway, IP Address, Netmask, and Primary DNS: Note that either only IPv4 addresses or only IPv6 addresses are supported.
- vCenter to Deploy: If you have added multiple vCenter server instances, select the vCenter server on which to deploy the protection engine.
  NOTE: Ensure that you do not select the internal vCenter server.
- ESX Host/Cluster: Select on which cluster or ESXi host you want to deploy the protection engine.
- Network: Displays all the networks that are available under the selected ESXi Host/Cluster. For virtual networks (VLANs), this network carries Management traffic.
- Data Store: Displays all datastores that are accessible to the selected ESXi Host/Cluster based on ranking (whether the datastores are shared or local), and available capacity (the datastore with the most capacity appearing at the top of the list).
  You can choose the specific datastore on which the protection engine resides, or leave the default selection of to allow PowerProtect Data Manager to determine the best location to host the protection engine.
- Transport Mode: Select Hot Add.
- Supported Protection Type: Select whether this protection engine is intended for Virtual Machine, Kubernetes Tanzu guest cluster, or NAS asset protection.

4. Click Next.

5. Click Next to skip the Networks Configuration page.

6. On the Summary page, review the information and then click Finish.

The protection engine is added to the VM Direct Engines pane. An additional column indicates the engine purpose. Note that it can take several minutes to register the new protection engine in PowerProtect Data Manager. The protection engine also appears in the vSphere Client.

Results

When an external VM Direct Engine is deployed and registered, PowerProtect Data Manager uses this engine instead of the embedded VM Direct engine for any data protection operations that involve virtual machine protection policies. If every external VM Direct Engine is unavailable, PowerProtect Data Manager uses the embedded VM Direct engine as a fallback to perform limited scale backups and restores. If you do not want to use the external VM Direct Engine, you can disable this engine. Additional VM Direct actions provides more information.

NOTE: The external VM Direct Engine is always required for VMC-on-AWS, AVS-on-Azure, and GCVE-on-GCP operations. If no external VM Direct Engine is available for these solutions, data protection operations fail.

Next steps

If the protection engine deployment fails, review the network configuration of PowerProtect Data Manager in the System Settings window to correct any inconsistencies in network properties. After successfully completing the network reconfiguration, delete the failed protection engine and then add the protection engine in the Protection Engines window.

When configuring the VM Direct Engine in a VMC-on-AWS, AVS-on-Azure, or GCVE-on-GCP environment, if you deploy the VM Direct Engine to the root of the cluster instead of inside the Compute-ResourcePool, you must move the VM Direct Engine inside the Compute-ResourcePool.

Unsupported operations

PowerProtect Data Manager image backup and restore in VMC on AWS does not currently support the following operations:

- PowerProtect Search functionality
- The vSphere Storage Policy Based Management (SPBM) integration with PowerProtect Data Manager
- A VM Direct appliance that is configured with dual-stack or IPv6
- Application-consistent data protection for Microsoft SQL with the VM Direct appliance
- VM Backup and Recovery HTML5 plug-in functionality for vSphere
- Image-based backups and restores that use NBD or the NBDSSL transport mode
- Image-based backups and restores when a datacenter is placed inside a folder in the SDDC
- File-level recoveries of an image-based backup
- Instant-access restores of an image-based backup
- Emergency restores of an image-based restore directly to an ESXi host, bypassing the vCenter server
- Backup and restore operations with anything other than the CloudAdmin role or a customized role that has all of the privileges listed in Specify the required privileges for a dedicated cloud-based vCenter user account
- Backup and restore operations for virtual machine protection policies that use the Transparent Snapshot Data Mover (TSDM) protection mechanism.

NOTE: If protecting virtual machine assets with a PowerProtect Data Manager machine image deployed to AWS, Cloud Disaster Recovery (Cloud DR) and Search Clusters are also unsupported.

Azure VMware Solution (AVS) on Microsoft Azure

Topics:

- PowerProtect Data Manager image backup and recovery
- Supported PowerProtect Data Manager and DDVE deployment configurations
- Deployment and configuration best practices and requirements
- Configuring the AVS-on-Azure portal
- vCenter server inventory requirements
- Creating a dedicated cloud-based vCenter user account
- Add a VM Direct Engine
- Unsupported operations

PowerProtect Data Manager image backup and recovery

PowerProtect Data Manager provides image backup and restore support for Azure VMware Solution (AVS) on Microsoft Azure.

Using PowerProtect Data Manager to protect virtual machine assets in AVS on Azure is similar to how you protect virtual machine assets in an on-premises data center. This section provides information on network configuration requirements, PowerProtect Data Manager best practices, and unsupported PowerProtect Data Manager operations.

Supported PowerProtect Data Manager and DDVE deployment configurations

In order to protect virtual machine assets in AVS on Azure, PowerProtect Data Manager and DDVE can be deployed in a couple of ways.

When deploying PowerProtect Data Manager and DDVE, two possible deployment environments are Azure VMware Solution (AVS on Azure) and the Azure Marketplace (Azure). The following table describes the supported deployment configurations of the two products:

Table 17. Supported deployment configurations

| PowerProtect Data Manager | DDVE |
| --- | --- |
| Azure VMware Solution | Azure Marketplace |
| Azure Marketplace | Azure Marketplace |

When deploying PowerProtect Data Manager to AVS on Azure, an Open Virtualization Appliance (OVA) is used. This puts PowerProtect Data Manager into the AVS-on-Azure environment in order to protect the VMware assets. When deploying PowerProtect Data Manager to Azure, a machine image is used. This puts PowerProtect Data Manager into a cloud-marketplace environment, but still allows the VMware assets in the AVS-on-Azure environment to be protected.

For more information about the different deployment types, see the PowerProtect Data Manager Deployment Guide and the PowerProtect Data Manager Azure Deployment Guide.


Deployment and configuration best practices and requirements

Deploying and configuring PowerProtect Data Manager, DDVE, and other components in a certain way provides efficient protection of virtual machine assets.

To perform data protection and disaster recovery tasks in AVS on Azure, consider the following recommendations and requirements for the backup infrastructure:

- Deploy PowerProtect Data Manager either to AVS on Azure or to Azure.
- Deploy DDVE to Azure.
- Deploy the VM Direct appliance to AVS on Azure. Deploy at least one VM Direct appliance for each software-defined data center (SDDC) cluster in the AVS-on-Azure environment.
- When deploying or configuring PowerProtect Data Manager or the VM Direct appliance, ensure that the DNS server IP points to the internal DNS server that is running in vCenter inventory.
- Ensure that the internal DNS server has both forward and reverse lookup entries for all of the required components, such as the PowerProtect Data Manager server, the VM Direct appliance, and DDVE.
- If using NSX-T, add the vCenter server to PowerProtect Data Manager by using the FQDN.
- If using NSX-V, add the vCenter server to PowerProtect Data Manager by using the public FQDN of the vCenter server.
- When adding the vCenter server to PowerProtect Data Manager, perform one of the following actions:
  - Specify the login credentials for the cloudadmin@vsphere.local user.
  - Refer to Creating a dedicated cloud-based vCenter user account to create a dedicated cloud-based vCenter user account, and then specify the login credentials for that user.
- You can clone backups to another instance of DDVE running in Azure. This type of deployment enables backup copies to be stored for longer retention, leveraging the Azure network for transferring data at lower latency and cost when compared to the public Internet.

Configuring the AVS-on-Azure portal

Domain Name System (DNS) resolution is critical for deployment and configuration of PowerProtect Data Manager, the PowerProtect Data Manager external proxy, and the DDVE appliance. All infrastructure components should be resolvable through a fully qualified domain name (FQDN). Resolvable means that components are accessible through both forward (A) and reverse (PTR) lookups.

Ensure that the AVS-on-Azure portal meets the following requirements:

- If you have deployed a PowerProtect Data Manager OVA to AVS on Azure or a PowerProtect Data Manager machine image to Azure, it is configured to use a custom DNS server.
  NOTE: If you have already deployed PowerProtect Data Manager without a custom DNS server, you will have to redeploy it. For more information, see the PowerProtect Data Manager Deployment Guide or the PowerProtect Data Manager Azure Deployment Guide.
- Forward and reverse DNS lookups exist for PowerProtect Data Manager, vCenter, DDVE, ESXi, and each VM Direct Engine.
- DNS is configured to allow machines in the SDDC to resolve FQDNs to their IP addresses.
- DDVE is running in Azure. If you have more than one DDVE instance running in Azure to perform replication, the DDVE instances have the ability to ping each other using their FQDNs.
  NOTE: DDVE running in AVS-on-Azure is not supported.
- DDVE has DNS entries for PowerProtect Data Manager and each VM Direct Engine.
- SDDC is connected to an Azure account, and an Azure cloud and subnet within that account is selected.
- Any DDVE instance on Azure is connected to the SDDC through a Vnet. This action allows the SDDC, the services in the Azure cloud, and subnets in the Azure account to communicate without having to route traffic through the Internet gateway.
- For an AVS-on-Azure environment, open the ESXi server inbound firewall rule with ports 902 and 443 for the PowerProtect-VM proxy solution.
- The same Vnets are recommended for access to DDVE instances. For more information about configuring Vnets, see About Virtual Network.


vCenter server inventory requirements

In the vCenter server inventory of the SDDC, ensure that the following requirements are met:

- An internal DNS name server must be running inside vCenter inventory. This will be referenced by all the workloads running in the SDDC.
- The internal DNS server must have Forwarders enabled to access the internet. This action is required to resolve the vCenter server's public FQDN. Forwarders are DNS servers that the server can use to resolve DNS queries for records that the server itself cannot resolve.

Creating a dedicated cloud-based vCenter user account

It is recommended that you set up a separate vCenter user account at the root level of the vCenter hierarchy. This account is strictly dedicated for use with PowerProtect Data Manager and the VM Direct protection engine in cloud-based environments.

Use of a generic user account such as Administrator could make future troubleshooting efforts difficult as it might not be clear which Administrator actions are actually interfacing or communicating with PowerProtect Data Manager. Using a separate vCenter user account ensures maximum clarity if it becomes necessary to examine vCenter logs.

You can specify the credentials for a vCenter user account when you add the vCenter server as an asset source in the user interface. When you add the vCenter server, ensure that you specify a user whose cloud-based role is defined at the vCenter level and not restricted to a lower-level container object in the vSphere object hierarchy.

Specify the required privileges for a dedicated cloud-based vCenter user account

You can use the vSphere Client to specify the required privileges for the dedicated cloud-based vCenter user account, or you can use the PowerCLI, which is an interface for managing vSphere.

The following table includes the privileges required for this user.

NOTE: For the privileges required when administering on-premises PowerProtect Data Manager, see Specify the required privileges for a dedicated vCenter user account.

Table 18. Minimum required cloud-based vCenter user account privileges

| Setting | vCenter 6.0 and later required privileges |
| --- | --- |
| Alarms | Create alarm; Modify alarm |
| Cryptographic operations | Direct Access (NOTE: This only applies to AVS and GCVE.) |
| Datastore | Allocate space; Browse datastore; Configure datastore; Low level file operations; Remove file |
| Folder | Create folder |
| Global | Cancel task; Log event; Manage custom attributes; Set custom attribute |
| vSphere Tagging | Assign or Unassign vSphere Tag; Assign or Unassign vSphere Tag on Object (NOTE: This only applies to vCenter 7.0 and later.); Create vSphere Tag; Create vSphere Tag Category |
| Network | Assign network |
| Resource | Assign virtual machine to resource pool; Migrate powered off virtual machine; Migrate powered on virtual machine |
| Sessions | Validate session |
| SPBM policy restore | Profile-driven storage |
| vApp | Export; Import; vApp application configuration |
| Virtual Machine > Change Configuration | Acquire disk lease; Add existing disk; Add new disk; Add or remove device; Advanced configuration; Change CPU count; Change Memory; Change Settings; Change Swapfile placement; Change resource; Configure Host USB device; Configure Raw device; Configure managedby; Extend virtual disk; Modify device settings; Reload from path; Remove disk; Rename; Reset guest information; Set annotation; Toggle disk change tracking; Upgrade virtual machine compatibility |
| Virtual Machine > Edit Inventory | Create new; Register; Remove; Unregister |
| Virtual Machine > Guest operations | Guest operation modifications; Guest operation program execution; Guest operation queries |
| Virtual Machine > Interaction | Configure CD media; Connect devices; Console interaction; Guest operating system management by VIX API; Install VMware Tools; Power off; Power on; Reset |
| Virtual Machine > Provisioning | Allow disk access; Allow read-only disk access; Allow virtual machine download; Mark as template |
| Virtual Machine > Snapshot Management | Create snapshot; Remove snapshot; Revert to snapshot |

PowerCLI equivalent required privileges:

```powershell
# Privilege IDs required by the dedicated cloud-based vCenter user account
$privileges = @(
    'System.Anonymous', 'System.View', 'System.Read',
    'Alarm.Create', 'Alarm.Edit',
    'Cryptographer.Access',
    'Datastore.Browse', 'Datastore.DeleteFile', 'Datastore.FileManagement',
    'Datastore.AllocateSpace', 'Datastore.Config',
    'Folder.Create',
    'Global.ManageCustomFields', 'Global.SetCustomField', 'Global.LogEvent', 'Global.CancelTask',
    'InventoryService.Tagging.AttachTag', 'InventoryService.Tagging.ObjectAttachable',
    'InventoryService.Tagging.CreateTag', 'InventoryService.Tagging.CreateCategory',
    'Network.Assign',
    'Resource.AssignVMToPool', 'Resource.HotMigrate', 'Resource.ColdMigrate',
    'Sessions.ValidateSession',
    'StorageProfile.View',
    'VApp.ApplicationConfig', 'VApp.Export', 'VApp.Import',
    'VirtualMachine.Config.Rename', 'VirtualMachine.Config.Annotation',
    'VirtualMachine.Config.AddExistingDisk', 'VirtualMachine.Config.AddNewDisk',
    'VirtualMachine.Config.RemoveDisk', 'VirtualMachine.Config.RawDevice',
    'VirtualMachine.Config.HostUSBDevice', 'VirtualMachine.Config.CPUCount',
    'VirtualMachine.Config.Memory', 'VirtualMachine.Config.AddRemoveDevice',
    'VirtualMachine.Config.EditDevice', 'VirtualMachine.Config.Settings',
    'VirtualMachine.Config.Resource', 'VirtualMachine.Config.UpgradeVirtualHardware',
    'VirtualMachine.Config.ResetGuestInfo', 'VirtualMachine.Config.AdvancedConfig',
    'VirtualMachine.Config.DiskLease', 'VirtualMachine.Config.SwapPlacement',
    'VirtualMachine.Config.DiskExtend', 'VirtualMachine.Config.ChangeTracking',
    'VirtualMachine.Config.ReloadFromPath', 'VirtualMachine.Config.ManagedBy',
    'VirtualMachine.GuestOperations.Query', 'VirtualMachine.GuestOperations.Modify',
    'VirtualMachine.GuestOperations.Execute',
    'VirtualMachine.Interact.PowerOn', 'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.Reset', 'VirtualMachine.Interact.ConsoleInteract',
    'VirtualMachine.Interact.DeviceConnection', 'VirtualMachine.Interact.SetCDMedia',
    'VirtualMachine.Interact.ToolsInstall', 'VirtualMachine.Interact.GuestControl',
    'VirtualMachine.Inventory.Create', 'VirtualMachine.Inventory.Register',
    'VirtualMachine.Inventory.Delete', 'VirtualMachine.Inventory.Unregister',
    'VirtualMachine.Provisioning.DiskRandomAccess', 'VirtualMachine.Provisioning.DiskRandomRead',
    'VirtualMachine.Provisioning.GetVmFiles', 'VirtualMachine.Provisioning.MarkAsTemplate',
    'VirtualMachine.State.CreateSnapshot', 'VirtualMachine.State.RevertToSnapshot',
    'VirtualMachine.State.RemoveSnapshot'
)

# Create the role from the privilege list
New-VIRole -Name 'PowerProtect' -Privilege (Get-VIPrivilege -Id $privileges)
```

Add a VM Direct Engine

Perform the following steps in the Protection Engines window of the PowerProtect Data Manager UI to deploy an external VM Direct Engine, also referred to as a VM proxy. The VM Direct Engine facilitates data movement for virtual machine protection policies.

Prerequisites

Review the sections Requirements for an external VM Direct Engine, Transport mode considerations, and Protection engine limitations.

If applicable, complete all of the virtual network configuration tasks before you assign any virtual networks. The PowerProtect Data Manager Administration and User Guide provides more information.

About this task

The PowerProtect Data Manager software comes bundled with an embedded VM Direct engine, which is automatically used as a fallback proxy for performing backups and restores when the added external proxies fail or are disabled. It is recommended that you deploy external proxies by adding a VM Direct Engine for the following reasons:

- An external VM Direct Engine for VM proxy backup and recovery can provide improved performance and reduce network bandwidth utilization by using source-side deduplication.
- The embedded VM Direct engine has limited capacity for backup streams.
- The embedded VM Direct engine is not supported for VMC-on-AWS, AVS-on-Azure, or GCVE-on-GCP operations.

NOTE: Cloud-based deployments of PowerProtect Data Manager do not support the configuration of data-traffic routing or VLANs. Skip the Networks Configuration page.

Steps

1. From the left navigation pane, select Infrastructure > Protection Engines.

The Protection Engines window appears.

2. In the VM Direct Engines pane of the Protection Engines window, click Add. The Add Protection Engine wizard displays.

3. On the Protection Engine Configuration page, complete the required fields, which are marked with an asterisk.

- Hostname, Gateway, IP Address, Netmask, and Primary DNS: Note that either only IPv4 addresses or only IPv6 addresses are supported.
- vCenter to Deploy: If you have added multiple vCenter server instances, select the vCenter server on which to deploy the protection engine.
  NOTE: Ensure that you do not select the internal vCenter server.
- ESX Host/Cluster: Select on which cluster or ESXi host you want to deploy the protection engine.
- Network: Displays all the networks that are available under the selected ESXi Host/Cluster. For virtual networks (VLANs), this network carries Management traffic.
- Data Store: Displays all datastores that are accessible to the selected ESXi Host/Cluster based on ranking (whether the datastores are shared or local), and available capacity (the datastore with the most capacity appearing at the top of the list).
  You can choose the specific datastore on which the protection engine resides, or leave the default selection of to allow PowerProtect Data Manager to determine the best location to host the protection engine.
- Transport Mode: Select Hot Add.
- Supported Protection Type: Select whether this protection engine is intended for Virtual Machine, Kubernetes Tanzu guest cluster, or NAS asset protection.

4. Click Next.

5. Click Next to skip the Networks Configuration page.

6. On the Summary page, review the information and then click Finish.

The protection engine is added to the VM Direct Engines pane. An additional column indicates the engine purpose. Note that it can take several minutes to register the new protection engine in PowerProtect Data Manager. The protection engine also appears in the vSphere Client.

Results

When an external VM Direct Engine is deployed and registered, PowerProtect Data Manager uses this engine instead of the embedded VM Direct engine for any data protection operations that involve virtual machine protection policies. If every external VM Direct Engine is unavailable, PowerProtect Data Manager uses the embedded VM Direct engine as a fallback to perform limited scale backups and restores. If you do not want to use the external VM Direct Engine, you can disable this engine. Additional VM Direct actions provides more information.

NOTE: The external VM Direct Engine is always required for VMC-on-AWS, AVS-on-Azure, and GCVE-on-GCP operations. If no external VM Direct Engine is available for these solutions, data protection operations fail.

Next steps

If the protection engine deployment fails, review the network configuration of PowerProtect Data Manager in the System Settings window to correct any inconsistencies in network properties. After successfully completing the network reconfiguration, delete the failed protection engine and then add the protection engine in the Protection Engines window.

When configuring the VM Direct Engine in a VMC-on-AWS, AVS-on-Azure, or GCVE-on-GCP environment, if you deploy the VM Direct Engine to the root of the cluster instead of inside the Compute-ResourcePool, you must move the VM Direct Engine inside the Compute-ResourcePool.

Unsupported operations

PowerProtect Data Manager image backup and restore in AVS on Azure does not currently support the following operations:

- PowerProtect Search functionality
- The vSphere Storage Policy Based Management (SPBM) integration with PowerProtect Data Manager
- A VM Direct appliance that is configured with dual-stack or IPv6
- Application-consistent data protection for Microsoft SQL with the VM Direct appliance
- VM Backup and Recovery HTML5 plug-in functionality for vSphere
- Image-based backups and restores that use NBD or the NBDSSL transport mode
- Image-based backups and restores when a datacenter is placed inside a folder in the SDDC
- File-level recoveries of an image-based backup
- Instant-access restores of an image-based backup
- Emergency restores of an image-based restore directly to an ESXi host, bypassing the vCenter server
- Backup and restore operations with anything other than the CloudAdmin role or a customized role that has all of the privileges listed in Specify the required privileges for a dedicated cloud-based vCenter user account
- Backup and restore operations for virtual machine protection policies that use the Transparent Snapshot Data Mover (TSDM) protection mechanism.

NOTE: If protecting virtual machine assets with a PowerProtect Data Manager machine image deployed to Azure, Cloud Disaster Recovery (Cloud DR), Search Clusters, and Microsoft Exchange Server are also unsupported.


Google Cloud VMware Engine (GCVE) on Google Cloud Platform (GCP)

Topics:

- PowerProtect Data Manager image backup and recovery
- Supported PowerProtect Data Manager and DDVE deployment configurations
- Deployment and configuration best practices and requirements
- Configuring the GCVE-on-GCP portal
- vCenter server inventory requirements
- Creating a dedicated cloud-based vCenter user account
- Add a VM Direct Engine
- Unsupported operations

PowerProtect Data Manager image backup and recovery

PowerProtect Data Manager provides image backup and restore support for Google Cloud VMware Engine (GCVE) on Google Cloud Platform (GCP).

Using PowerProtect Data Manager to protect virtual machine assets in GCVE on GCP is similar to how you protect virtual machine assets in an on-premises data center. The following sections provide information on network configuration requirements, PowerProtect Data Manager best practices, and unsupported PowerProtect Data Manager operations.

Supported PowerProtect Data Manager and DDVE deployment configurations

In order to protect virtual machine assets in GCVE on GCP, PowerProtect Data Manager and DDVE can be deployed in a couple of ways.

When deploying PowerProtect Data Manager and DDVE, two possible deployment environments are Google Cloud VMware Engine (GCVE on GCP) and the Google Cloud Marketplace (GCP). The following table describes the supported deployment configurations of the two products:

Table 19. Supported deployment configurations

| PowerProtect Data Manager | DDVE |
| --- | --- |
| Google Cloud VMware Engine | Google Cloud Marketplace |
| Google Cloud Marketplace | Google Cloud Marketplace |

When deploying PowerProtect Data Manager to GCVE on GCP, an Open Virtualization Appliance (OVA) is used. This puts PowerProtect Data Manager into the GCVE-on-GCP environment in order to protect the VMware assets. When deploying PowerProtect Data Manager to GCP, a machine image is used. This puts PowerProtect Data Manager into a cloud-marketplace environment, but still allows the VMware assets in the GCVE-on-GCP environment to be protected.

For more information about the different deployment types, see the PowerProtect Data Manager Deployment Guide and the PowerProtect Data Manager Google Cloud Platform Deployment Guide.


Deployment and configuration best practices and requirements

For GCVE-on-GCP support, ensure that the following requirements are met:

To perform data protection and disaster recovery tasks in GCVE on GCP, consider the following recommendations and requirements for the backup infrastructure deployment:

- Deploy PowerProtect Data Manager either to GCVE on GCP or to GCP.
- Deploy DDVE to GCP.
- Deploy the VM Direct appliance in a GCVE-on-GCP environment. Deploy at least one VM Direct appliance for each software-defined data center (SDDC) cluster in GCVE on GCP.
- When deploying or configuring PowerProtect Data Manager or the VM Direct appliance, ensure that the DNS server IP points to the internal DNS server that is running in vCenter inventory.
- Ensure that the internal DNS server has both forward and reverse lookup entries for all of the required components, such as the PowerProtect Data Manager server, the VM Direct appliance, and DDVE.
- If using NSX-T, add the vCenter server to PowerProtect Data Manager by using the FQDN.
- If using NSX-V, add the vCenter server to PowerProtect Data Manager by using the public FQDN of the vCenter server.
- When adding the vCenter server to PowerProtect Data Manager, perform one of the following actions:
  - Specify the login credentials for the CloudOwner@gve.local user.
  - Refer to the following section to create a dedicated cloud-based vCenter user account, and then specify the login credentials for that user.
- You can clone backups to another DDVE instance running in GCP. This type of deployment enables backup copies to be stored for longer retention, leveraging the GCP network for transferring data at lower latency and cost when compared to the public Internet.

Configuring the GCVE-on-GCP portal

Domain Name System (DNS) resolution is critical for deployment and configuration of PowerProtect Data Manager, the PowerProtect Data Manager external proxy, and DDVE. All infrastructure components should be resolvable through a fully qualified domain name (FQDN). Resolvable means that components are accessible through both forward (A) and reverse (PTR) lookups.

Ensure that the GCVE-on-GCP portal meets the following requirements:

- If you have deployed a PowerProtect Data Manager OVA to GCVE on GCP or a PowerProtect Data Manager machine image to GCP, it is configured to use a custom DNS server.
  NOTE: If you have already deployed PowerProtect Data Manager without a custom DNS server, you will have to redeploy it. For more information, see the PowerProtect Data Manager Deployment Guide or the PowerProtect Data Manager Google Cloud Platform Deployment Guide.
- Forward and reverse DNS lookups exist for PowerProtect Data Manager, vCenter, DDVE, ESXi, and each VM Direct Engine.
- DNS is configured to allow machines in the SDDC to resolve FQDNs to their IP addresses.
- DDVE is running in GCP. If you have more than one DDVE instance running in GCP to perform replication, both DDVE instances have the ability to ping each other using their FQDNs.
  NOTE: DDVE running in GCVE on GCP is not supported.
- DDVE has DNS entries for PowerProtect Data Manager and each VM Direct Engine.
- SDDC is connected to a Google account, and a Google cloud and subnet within that account is selected.
- Any DDVE instance running in GCP is connected to the SDDC through a Vnet. This action allows the SDDC, the services in GCP, and subnets in GCP to communicate without having to route traffic through the Internet gateway.
- For a GCVE-on-GCP environment, open the ESXi server inbound firewall rule with ports 902 and 443 for the PowerProtect-VM proxy solution.
- The same Vnet is recommended for access to DDVE instances. For more information about configuring Vnets, see About Virtual Network.
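The AVS-on-Azure and GCVE-on-GCP portal requirements both depend on every component resolving through forward (A) and reverse (PTR) lookups on the internal DNS server. The following PowerShell check is an added example, not part of the Dell guide: it queries that server directly and reports any component whose records are missing or inconsistent. It assumes a Windows host with the built-in DnsClient module; the function name, host names, and DNS server address are constructed placeholders.

```powershell
# Added example (not from the Dell guide). Runs on Windows; Resolve-DnsName is
# provided by the built-in DnsClient module.
function Test-ForwardReverseDns {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Fqdn,      # components to verify
        [Parameter(Mandatory)] [string]   $DnsServer  # internal DNS server in the vCenter inventory
    )

    foreach ($name in $Fqdn) {
        $report = [pscustomobject]@{
            Fqdn    = $name
            Address = $null
            PtrName = $null
            Status  = 'OK'
        }

        # Forward lookup: the FQDN must have an A record on the internal server.
        # -DnsOnly keeps LLMNR/NetBIOS and the hosts file out of the answer.
        $a = @(Resolve-DnsName -Name $name -Type A -Server $DnsServer -DnsOnly `
                   -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'A' })
        if ($a.Count -eq 0) {
            $report.Status = 'Missing forward (A) record'
            $report
            continue
        }
        $report.Address = $a[0].IPAddress

        # Reverse lookup: the address must map back to the same FQDN.
        $ptr = @(Resolve-DnsName -Name $report.Address -Type PTR -Server $DnsServer -DnsOnly `
                     -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'PTR' })
        if ($ptr.Count -eq 0) {
            $report.Status = 'Missing reverse (PTR) record'
        }
        else {
            $ptrNames = @($ptr | ForEach-Object { $_.NameHost.TrimEnd('.') })
            $report.PtrName = $ptrNames -join ', '
            # -notcontains compares strings case-insensitively.
            if ($ptrNames -notcontains $name.TrimEnd('.')) {
                $report.Status = 'PTR points to a different name'
            }
        }
        $report
    }
}

# Constructed sample values; replace them with the FQDNs of your own
# PowerProtect Data Manager, vCenter, DDVE, ESXi, and VM Direct Engine hosts.
$components = 'ppdm.example.internal', 'vcenter.example.internal',
              'ddve.example.internal', 'esxi01.example.internal',
              'vmdirect01.example.internal'

Test-ForwardReverseDns -Fqdn $components -DnsServer '192.0.2.53' |
    Where-Object { $_.Status -ne 'OK' } |
    Format-Table -AutoSize
```

An empty result means every listed component resolved in both directions; run the check before deploying or adding a VM Direct Engine.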


vCenter server inventory requirements

In the vCenter server inventory of the SDDC, ensure that the following requirements are met:

- An internal DNS name server must be running inside vCenter inventory. This will be referenced by all the workloads running in the SDDC.
- The internal DNS server must have Forwarders enabled to access the internet. This action is required to resolve the vCenter server's public FQDN. Forwarders are DNS servers that the server can use to resolve DNS queries for records that the server itself cannot resolve.

Discovering asset sources in a GCVE environment

There are special discovery considerations in a GCVE environment. Discovery fails unless GCVE-located vCenter servers have additional permissions.

Ensure that any GCVE-located vCenter server has the following permissions:

- The GVE.LOCAL\CloudOwner user is mapped to the Cloud-Owner-Role role at the vCenter level.
- The GVE.LOCAL\CloudOwner to Cloud-Owner-Role mapping is not restricted to a lower-level container object in the vSphere object hierarchy.

Creating a dedicated cloud-based vCenter user account

It is recommended that you set up a separate vCenter user account at the root level of the vCenter hierarchy. This account is strictly dedicated for use with PowerProtect Data Manager and the VM Direct protection engine in cloud-based environments.

Use of a generic user account such as Administrator could make future troubleshooting efforts difficult as it might not be clear which Administrator actions are actually interfacing or communicating with PowerProtect Data Manager. Using a separate vCenter user account ensures maximum clarity if it becomes necessary to examine vCenter logs.

You can specify the credentials for a vCenter user account when you add the vCenter server as an asset source in the user interface. When you add the vCenter server, ensure that you specify a user whose cloud-based role is defined at the vCenter level and not restricted to a lower-level container object in the vSphere object hierarchy.

Specify the required privileges for a dedicated cloud-based vCenter user account

You can use the vSphere Client to specify the required privileges for the dedicated cloud-based vCenter user account, or you can use the PowerCLI, which is an interface for managing vSphere.

The following table includes the privileges required for this user.

NOTE: For the privileges required when administering on-premises PowerProtect Data Manager, see Specify the required privileges for a dedicated vCenter user account.

Table 20. Minimum required cloud-based vCenter user account privileges

| Setting | vCenter 6.0 and later required privileges |
| --- | --- |
| Alarms | Create alarm; Modify alarm |
| Cryptographic operations | Direct Access (NOTE: This only applies to AVS and GCVE.) |
| Datastore | Allocate space; Browse datastore; Configure datastore; Low level file operations; Remove file |
| Folder | Create folder |
| Global | Cancel task; Log event; Manage custom attributes; Set custom attribute |
| vSphere Tagging | Assign or Unassign vSphere Tag; Assign or Unassign vSphere Tag on Object (NOTE: This only applies to vCenter 7.0 and later.); Create vSphere Tag; Create vSphere Tag Category |
| Network | Assign network |
| Resource | Assign virtual machine to resource pool; Migrate powered off virtual machine; Migrate powered on virtual machine |
| Sessions | Validate session |
| SPBM policy restore | Profile-driven storage |
| vApp | Export; Import; vApp application configuration |
| Virtual Machine > Change Configuration | Acquire disk lease; Add existing disk; Add new disk; Add or remove device; Advanced configuration; Change CPU count; Change Memory; Change Settings; Change Swapfile placement; Change resource; Configure Host USB device; Configure Raw device; Configure managedby; Extend virtual disk; Modify device settings; Reload from path; Remove disk; Rename; Reset guest information; Set annotation; Toggle disk change tracking; Upgrade virtual machine compatibility |
| Virtual Machine > Edit Inventory | Create new; Register; Remove; Unregister |
| Virtual Machine > Guest operations | Guest operation modifications; Guest operation program execution; Guest operation queries |
| Virtual Machine > Interaction | Configure CD media; Connect devices; Console interaction; Guest operating system management by VIX API; Install VMware Tools; Power off; Power on; Reset |
| Virtual Machine > Provisioning | Allow disk access; Allow read-only disk access; Allow virtual machine download; Mark as template |
| Virtual Machine > Snapshot Management | Create snapshot; Remove snapshot; Revert to snapshot |

PowerCLI equivalent required privileges:

```powershell
# Privilege IDs required by the dedicated cloud-based vCenter user account
$privileges = @(
    'System.Anonymous', 'System.View', 'System.Read',
    'Alarm.Create', 'Alarm.Edit',
    'Cryptographer.Access',
    'Datastore.Browse', 'Datastore.DeleteFile', 'Datastore.FileManagement',
    'Datastore.AllocateSpace', 'Datastore.Config',
    'Folder.Create',
    'Global.ManageCustomFields', 'Global.SetCustomField', 'Global.LogEvent', 'Global.CancelTask',
    'InventoryService.Tagging.AttachTag', 'InventoryService.Tagging.ObjectAttachable',
    'InventoryService.Tagging.CreateTag', 'InventoryService.Tagging.CreateCategory',
    'Network.Assign',
    'Resource.AssignVMToPool', 'Resource.HotMigrate', 'Resource.ColdMigrate',
    'Sessions.ValidateSession',
    'StorageProfile.View',
    'VApp.ApplicationConfig', 'VApp.Export', 'VApp.Import',
    'VirtualMachine.Config.Rename', 'VirtualMachine.Config.Annotation',
    'VirtualMachine.Config.AddExistingDisk', 'VirtualMachine.Config.AddNewDisk',
    'VirtualMachine.Config.RemoveDisk', 'VirtualMachine.Config.RawDevice',
    'VirtualMachine.Config.HostUSBDevice', 'VirtualMachine.Config.CPUCount',
    'VirtualMachine.Config.Memory', 'VirtualMachine.Config.AddRemoveDevice',
    'VirtualMachine.Config.EditDevice', 'VirtualMachine.Config.Settings',
    'VirtualMachine.Config.Resource', 'VirtualMachine.Config.UpgradeVirtualHardware',
    'VirtualMachine.Config.ResetGuestInfo', 'VirtualMachine.Config.AdvancedConfig',
    'VirtualMachine.Config.DiskLease', 'VirtualMachine.Config.SwapPlacement',
    'VirtualMachine.Config.DiskExtend', 'VirtualMachine.Config.ChangeTracking',
    'VirtualMachine.Config.ReloadFromPath', 'VirtualMachine.Config.ManagedBy',
    'VirtualMachine.GuestOperations.Query', 'VirtualMachine.GuestOperations.Modify',
    'VirtualMachine.GuestOperations.Execute',
    'VirtualMachine.Interact.PowerOn', 'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.Reset', 'VirtualMachine.Interact.ConsoleInteract',
    'VirtualMachine.Interact.DeviceConnection', 'VirtualMachine.Interact.SetCDMedia',
    'VirtualMachine.Interact.ToolsInstall', 'VirtualMachine.Interact.GuestControl',
    'VirtualMachine.Inventory.Create', 'VirtualMachine.Inventory.Register',
    'VirtualMachine.Inventory.Delete', 'VirtualMachine.Inventory.Unregister',
    'VirtualMachine.Provisioning.DiskRandomAccess', 'VirtualMachine.Provisioning.DiskRandomRead',
    'VirtualMachine.Provisioning.GetVmFiles', 'VirtualMachine.Provisioning.MarkAsTemplate',
    'VirtualMachine.State.CreateSnapshot', 'VirtualMachine.State.RevertToSnapshot',
    'VirtualMachine.State.RemoveSnapshot'
)

# Create the role from the privilege list
New-VIRole -Name 'PowerProtect' -Privilege (Get-VIPrivilege -Id $privileges)
```
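Table 18 and Table 20 list the same privilege IDs, so one audit serves both the AVS and GCVE chapters. The following PowerCLI function is an added example, not part of the Dell guide: it compares an existing role with the guide's $privileges array and checks that the dedicated account holds the role at the root of the vCenter hierarchy rather than only on a lower-level container. The function name, the sample principal, and the output fields are assumptions.

```powershell
# Added example (not from the Dell guide). Requires VMware PowerCLI and an
# existing Connect-VIServer session to the cloud-based vCenter server.
function Test-DedicatedRole {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $RoleName,          # 'PowerProtect' in the guide's script
        [Parameter(Mandatory)] [string]   $Principal,         # dedicated account as vCenter shows it
        [Parameter(Mandatory)] [string[]] $RequiredPrivilege  # the $privileges array from the guide
    )

    $role    = Get-VIRole -Name $RoleName -ErrorAction Stop
    $granted = @($role.PrivilegeList)

    # Required but not granted: the role no longer has all listed privileges.
    $missing = @($RequiredPrivilege | Where-Object { $granted -notcontains $_ })
    # Granted but not required: the role is broader than the documented minimum.
    $extra   = @($granted | Where-Object { $RequiredPrivilege -notcontains $_ })

    # The guide asks for a role defined at the vCenter level, so look for a
    # propagating permission on the root folder of the inventory.
    $root  = Get-Folder -NoRecursion | Select-Object -First 1
    $perms = @(Get-VIPermission |
               Where-Object { $_.Principal -eq $Principal -and $_.Role -eq $RoleName })
    $atRoot = @($perms | Where-Object { $_.EntityId -eq $root.Id -and $_.Propagate })
    $scoped = @($perms | Where-Object { $_.EntityId -ne $root.Id })

    [pscustomobject]@{
        Role             = $RoleName
        Principal        = $Principal
        MissingPrivilege = $missing
        ExtraPrivilege   = $extra                      # informational: review, not a failure
        DefinedAtRoot    = ($atRoot.Count -gt 0)
        LowerLevelScopes = @($scoped | ForEach-Object { $_.Entity.Name })
        MeetsGuide       = ($missing.Count -eq 0 -and $atRoot.Count -gt 0)
    }
}

# Usage, with $privileges defined as in the guide's script and a constructed
# account name:
#
#   Test-DedicatedRole -RoleName 'PowerProtect' `
#                      -Principal 'VSPHERE.LOCAL\ppdm-svc' `
#                      -RequiredPrivilege $privileges
```

A non-empty ExtraPrivilege list does not break backups, but it shows that the role has drifted beyond the documented minimum and should be reviewed.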

Add a VM Direct Engine

Perform the following steps in the Protection Engines window of the PowerProtect Data Manager UI to deploy an external VM Direct Engine, also referred to as a VM proxy. The VM Direct Engine facilitates data movement for virtual machine protection policies.

Prerequisites

Review the sections Requirements for an external VM Direct Engine, Transport mode considerations, and Protection engine limitations.

If applicable, complete all of the virtual network configuration tasks before you assign any virtual networks. The PowerProtect Data Manager Administration and User Guide provides more information.

About this task

The PowerProtect Data Manager software comes bundled with an embedded VM Direct engine, which is automatically used as a fallback proxy for performing backups and restores when the added external proxies fail or are disabled. It is recommended that you deploy external proxies by adding a VM Direct Engine for the following reasons:

An external VM Direct Engine for VM proxy backup and recovery can provide improved performance and reduce network bandwidth utilization by using source-side deduplication.

The embedded VM Direct engine has limited capacity for backup streams.

The embedded VM Direct engine is not supported for VMC-on-AWS, AVS-on-Azure, or GCVE-on-GCP operations.

NOTE: Cloud-based deployments of PowerProtect Data Manager do not support the configuration of data-traffic routing or VLANs. Skip the Networks Configuration page.

Steps

1. From the left navigation pane, select Infrastructure > Protection Engines.

The Protection Engines window appears.

2. In the VM Direct Engines pane of the Protection Engines window, click Add. The Add Protection Engine wizard displays.


3. On the Protection Engine Configuration page, complete the required fields, which are marked with an asterisk.

Hostname, Gateway, IP Address, Netmask, and Primary DNS: Note that either only IPv4 addresses or only IPv6 addresses are supported.

vCenter to Deploy: If you have added multiple vCenter server instances, select the vCenter server on which to deploy the protection engine.

NOTE: Ensure that you do not select the internal vCenter server.

ESX Host/Cluster: Select on which cluster or ESXi host you want to deploy the protection engine.

Network: Displays all the networks that are available under the selected ESXi Host/Cluster. For virtual networks (VLANs), this network carries Management traffic.

Data Store: Displays all datastores that are accessible to the selected ESXi Host/Cluster based on ranking (whether the datastores are shared or local), and available capacity (the datastore with the most capacity appearing at the top of the list).

You can choose the specific datastore on which the protection engine resides, or leave the default selection of to allow PowerProtect Data Manager to determine the best location to host the protection engine.

Transport Mode: Select Hot Add.

Supported Protection Type: Select whether this protection engine is intended for Virtual Machine, Kubernetes Tanzu guest cluster, or NAS asset protection.

4. Click Next.

5. Click Next to skip the Networks Configuration page.

6. On the Summary page, review the information and then click Finish.

The protection engine is added to the VM Direct Engines pane. An additional column indicates the engine purpose. Note that it can take several minutes to register the new protection engine in PowerProtect Data Manager. The protection engine also appears in the vSphere Client.

Results

When an external VM Direct Engine is deployed and registered, PowerProtect Data Manager uses this engine instead of the embedded VM Direct engine for any data protection operations that involve virtual machine protection policies. If every external VM Direct Engine is unavailable, PowerProtect Data Manager uses the embedded VM Direct engine as a fallback to perform limited scale backups and restores. If you do not want to use the external VM Direct Engine, you can disable this engine. Additional VM Direct actions provides more information.

NOTE: The external VM Direct Engine is always required for VMC-on-AWS, AVS-on-Azure, and GCVE-on-GCP operations. If no external VM Direct Engine is available for these solutions, data protection operations fail.

Next steps

If the protection engine deployment fails, review the network configuration of PowerProtect Data Manager in the System Settings window to correct any inconsistencies in network properties. After successfully completing the network reconfiguration, delete the failed protection engine and then add the protection engine in the Protection Engines window.

When configuring the VM Direct Engine in a VMC-on-AWS, AVS-on-Azure, or GCVE-on-GCP environment, if you deploy the VM Direct Engine to the root of the cluster instead of inside the Compute-ResourcePool, you must move the VM Direct Engine inside the Compute-ResourcePool.

Unsupported operations

PowerProtect Data Manager image backup and restore in GCVE on GCP does not currently support the following operations:

PowerProtect Search functionality

The vSphere Storage Policy Based Management (SPBM) integration with PowerProtect Data Manager

A VM Direct appliance that is configured with dual-stack or IPv6

Application-consistent data protection for Microsoft SQL with the VM Direct appliance

VM Backup and Recovery HTML5 plug-in functionality for vSphere

Image-based backups and restores that use NBD or the NBDSSL transport mode

Image-based backups and restores when a datacenter is placed inside a folder in the SDDC

File-level recoveries of an image-based backup

Instant-access restores of an image-based backup

Emergency restores of an image-based restore directly to an ESXi host, bypassing the vCenter server

Backup and restore operations with anything other than the CloudOwner role or a customized role that has all of the privileges listed in Specify the required privileges for a dedicated cloud-based vCenter user account

Backup and restore operations for virtual machine protection policies that use the Transparent Snapshot Data Mover (TSDM) protection mechanism.

NOTE: If protecting virtual machine assets with a PowerProtect Data Manager machine image deployed to GCP, Cloud Disaster Recovery (Cloud DR), Search Clusters, Microsoft Exchange Server, and block-based backups (BBB) with the File System agent (FSA) are also unsupported.


Backing Up and Recovering a vCenter Server

Topics:

Backing up and recovering a vCenter server
vCenter deployments overview
Protecting an embedded PSC
Protecting external deployment models
vCenter server restore workflow
Platform Services Controller restore workflow
Additional considerations
Command reference

Backing up and recovering a vCenter server

The following sections describe how to protect the vCenter Server Appliance (VCSA) and the Platform Services Controllers (PSC). It is intended for virtual administrators who utilize the distributed model of the vCenter server and require protection of the complete vCenter server infrastructure.

vCenter deployments overview

You can protect vCenter 6.5 and later deployments with PowerProtect Data Manager by using the VM Direct Engine appliance. The vCenter server and Platform Services Controller (PSC) must be deployed as virtual machines.

For the restores to complete successfully:

Ensure that these virtual machines use a fully qualified domain name (FQDN) with correct DNS resolution.

Ensure that the host name of the machine is configured as an IP address. Note that if the host name is configured as an IP address, the IP address cannot be changed.

There are mainly two types of vCenter deployments:

vCenter server appliances and Windows virtual machines with an embedded PSC.

vCenter server appliances and Windows virtual machines with an external PSC.

This type has two subcategories:

vCenter server environments with a single external PSC.

vCenter server environments with multiple PSC instances. This environment contains multiple vCenter server instances registered with different external PSC instances that replicate their data.

Protecting an embedded PSC

The following section describes backup and recovery options for protecting an embedded PSC.

Backup

You can perform a backup of an embedded PSC by using the following guidelines.

1. Create a protection policy, and then add the vCenter virtual machine to the protection policy.

2. Select the full virtual machine and not individual disks.

3. Run the scheduled or on-demand (ad-hoc) protection policy.

Recovery

Depending on the type of failure, you can perform the virtual machine recovery by using one of the following methods.

Restore to original: This method is valid only when the vCenter Server Appliance (VCSA) is intact and running, but corrupted.

Recover as a new virtual machine to a managed ESXi server (Virtual Machine Recovery). Use this method if you have completely lost your VCSA. Note that this vCenter server must be registered with PowerProtect Data Manager.

Direct restore to ESXi server. Direct restore to ESXi will be the main use case.

Direct restore to ESXi

If the virtual machine you protected with PowerProtect Data Manager was a vCenter virtual machine, but the virtual machine and vCenter server are now lost or no longer available, direct restore to ESXi enables you to recover the virtual machine directly to an ESXi host without a vCenter server.

Prerequisites

Direct Restore to ESXi requires either the embedded VM Direct Engine with PowerProtect Data Manager, or an external VM Direct appliance that is added and registered to PowerProtect Data Manager.

Additionally, ensure that you disconnect the ESXi host from the vCenter server.

Steps

1. From the PowerProtect Data Manager UI, select Restore > Assets, and then select the Virtual Machine tab.

The Restore window displays all of the virtual machines available for restore.

2. Select the check box next to the desired virtual machine and click View Copies.

NOTE: If you cannot locate the virtual machine, you can also use the filter in the Name column to search for the name of the specific virtual machine or click the File Search button to search on specific criteria.

The Restore > Assets window provides a map view in the left pane and copy details in the right pane.

When a virtual machine is selected in the map view, the virtual machine name displays in the right pane with the copy locations underneath. When you select a specific location in the left pane to view the copies, for example, on a DD system, the copies on that system display in the right pane.

3. If the backup is on a DD system, click DD, and then select from one of the available copies that display in the table.

4. In the right pane, select the check box next to the virtual machine backup you want to restore, and then click Direct Restore to ESXi. The Direct Restore to ESXi wizard appears.

5. On the Options page:

a. (Optional) Select Reconnect the virtual machine's NIC when the restore completes, if desired. This option is selected by default.

b. For low-bandwidth environments, select Enable DDBoost Compression.

This option reduces network usage by compressing data on the protection storage system before transfer to the VM Direct Engine, which decompresses the data. Compression reduces restore times but increases CPU usage on both systems.

c. Click Next.

6. On the ESX Host Credentials page:

a. In the ESX Host field, type the IP of the ESXi server where you want to restore the virtual machine backup.

b. Specify the root Username and Password for the ESXi Server.

c. Click Next.

7. On the Datastore page, select the datastore where you want to restore the virtual machine disks, and then click Next.

To restore all of the disks to the same location, keep the Configure per disk slider to the left, and then select the datastore from the Storage list.

To restore disks to different locations, move the Configure per disk slider to the right, and then:

a. For each available disk that you want to recover, select a datastore from the Storage list.

b. Select the type of provisioning you want to apply to the disk from the Disk Format list.

8. On the Summary page:

a. Review the information to ensure that the details are correct.

b. Click Restore.

9. Go to the Jobs window to monitor the restore. A restore job appears with a progress bar and start time.

Protecting external deployment models

Review the backup and recovery options for protecting external deployments.

Backup

You can perform a backup by using the following guidelines:

1. Create a protection policy and add the vCenter virtual machine and PSC virtual machine to the policy. This will ensure that snapshots are taken at the same time.

2. Ensure that you select the full virtual machine and not individual disks.

3. Run the scheduled or on-demand (ad-hoc) protection policy.

NOTE: Ensure that you back up all vCenter server and PSC instances at the same time.

Recovery

Depending on the failure, you can perform virtual machine recovery by using one of the following methods:

Restore to original: This method is valid only when the VCSA is intact and running, but corrupted.

Recover as a new virtual machine to a managed ESXi server: Use this method if you have completely lost your VCSA. Note that the vCenter server where the VCSA resides must be registered with PowerProtect Data Manager.

Emergency recovery to an ESXi server. For Emergency recovery, perform the steps specified in the section Direct restore to ESXi.

NOTE: In the event of a complete environment failure, PSC should be restored first, followed by the vCenter server restore.

The following scenarios provide specific instructions based on the number of vCenter server appliances and external PSCs in the environment and the extent of the failure.

vCenter server appliance with one external PSC where PSC fails

Steps

1. Perform an image-level recovery of the PSC by using one of the methods indicated above, and then power ON the virtual machine.

2. Verify that all PSC services are running.

For a PSC deployed as an appliance, run the service-control --status --all command in the appliance shell.

For a PSC installed on Windows, from the Windows Start menu, select Control Panel > Administrative Tools > Services.

3. Log into the vCenter server appliance shell as root.

4. Verify that no vCenter services are running, or stop any vCenter services that are running by typing service-control --stop.

5. Run the vc-restore script to restore the vCenter virtual machines.

For a vCenter server appliance, type vcenter-restore -u psc_administrator_username -p psc_administrator_password

For a vCenter server installed on Windows, go to C:\Program Files\VMware\vCenter Server\, and then run vcenter-restore -u psc_administrator_username -p psc_administrator_password

where psc_administrator_username is the vCenter Single Sign-On administrator user name, which must be in UPN format.

6. Verify that all vCenter services are running and the vCenter Server is started, as specified in step two.

7. Perform a login test to the vCenter server. If the restore was successful, the login completes successfully.

vCenter server appliance is lost but the PSC remains

Steps

1. Perform an image-level recovery of the lost vCenter server by using one of the following methods, and then power ON.

Restore to original: This method is valid only when the VCSA is intact and running, but corrupted.

Recover as a new virtual machine to a managed ESXi server: Use this method if you have completely lost your VCSA. Note that this vCenter server must be registered with PowerProtect Data Manager.

Emergency recovery to an ESXi server.

2. After a successful boot, verify that all services are started.

3. Perform a login test.

vCenter server appliance with multiple PSCs where one PSC is lost but one remains

Steps

1. Repoint the vCenter instance to one of the functional PSCs in the same SSO domain.

NOTE: Log in to all vCenter servers one by one to determine which vCenter login fails. This will be the vCenter server that requires the repoint steps.

2. Run the following command on the vCenter server appliance:

cmsso-util repoint --repoint-psc psc_fqdn_or_static_ip [--dc-port port_number]

NOTE: The square brackets enclose the command options.

3. Perform a login test on the vCenter server.

4. Deploy the new PSC and join to an active node in the same SSO and site, replacing lost ones.

5. Repoint the vCenter server to the new PSC.

vCenter server appliance remains but all PSCs fail

About this task

NOTE: In this scenario, none of the vCenter logins (SSO user) have been successful.

Steps

1. Restore the most recent PSC backup and wait for the vCenter services to start.

2. Log in to the vCenter server appliance's shell as root.

3. Verify that no vCenter services are running, or stop vCenter services.

4. Run the vc-restore script to restore the VCSA (refer above for detailed steps).

NOTE: If the login test to any vCenter server appliance fails, then the restored PSC is not the PSC that the vCenter server appliance is pointing to, in which case you may be required to perform a repoint, as described above.

5. Deploy the new PSC and join to an active node in the same SSO domain and site.

6. Repoint vCenter connections as required.

vCenter server appliance remains but multiple PSCs fail

Steps

1. Restore one PSC.

2. Test the vCenter server appliance login. If the login fails, repoint the vCenter server appliance to an active PSC.

3. Deploy the new PSC and join to an active node in the same SSO domain and site.

vCenter server appliance fails

About this task

NOTE: If all PSCs and vCenter server appliances have failed, restore one PSC first before restoring the vCenter server appliance.

Steps

1. Perform an image-level restore of the lost vCenter server by using one of the following methods, and then power ON the vCenter.

Restore to original: This method is valid only when the vCenter server appliance is intact and running, but corrupted.

Recover as a new virtual machine to a managed ESXi server: Use this method if you have completely lost your vCenter server appliance. Note that this vCenter server must be registered with PowerProtect Data Manager.

Emergency recovery to an ESXi server.

2. After a successful boot, verify that all vCenter services have started.

3. Perform a login test.

4. If the login test fails, then this vCenter server appliance is pointing to an inactive PSC. Repoint to an active node.


vCenter server restore workflow

The following diagram shows the restore workflow for a vCenter server.

Figure 7. vCenter server restore workflow


Platform Services Controller restore workflow

The following diagram shows the restore workflow for a Platform Services Controller (PSC).

Figure 8. PSC restore workflow

Additional considerations

Review the following additional considerations when backing up and restoring the vCenter server and PSC.

Backing up the vCenter server will not save the Distributed switch (vDS) configuration as it is stored on the hosts. As a best practice, back up the vDS configuration by using a script that can be used after restoring the virtual center.

After restoring the PSC, verify that replication has been performed as designed by using the following commands to display the current replication status of a PSC and any of the replication partners of the PSC:

For VCSA, go to /usr/lib/vmware-vmdir/bin and type ./vdcrepadmin -f showpartnerstatus -h localhost -u administrator -w Administrator_Password

For Windows, open a command prompt and type cd "%VMWARE_CIS_HOME%"\vmdird\

For the vCenter server or PSC, do not select advanced quiesce-based backup options. Selecting these options will result in application quiescing on virtual machines, which impacts the overall environment due to stunning.

The VMware vCenter server documentation, available at https://docs.vmware.com/en/VMware-vSphere/index.html, provides more information about the vCenter server and PSC.
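The replication check described above can be scripted so that a restored PSC is not trusted until every partner is reachable and caught up. The following is an added example, not Dell or VMware code: the function names and host names are hypothetical, the sample output is constructed, and the field labels it matches are an assumption about what vdcrepadmin -f showpartnerstatus prints.

```sh
#!/bin/sh
# Added example. Pipe the output of the page's command into check_partner_status:
#   ./vdcrepadmin -f showpartnerstatus -h localhost -u administrator \
#       -w Administrator_Password | check_partner_status
# The labels matched below ("Partner:", "Host available:", ...) are assumed.

# check_partner_status [MAX_BEHIND]
#   stdin : showpartnerstatus output
#   stdout: one line per partner that needs attention
#   return: 0 all partners healthy, 1 at least one problem, 2 nothing parsed
#           (2 is expected on a PSC that has no replication partners)
check_partner_status() {
    awk -v max="${1:-0}" '
        function report() {
            if (partner == "") return
            seen++
            if (host != "Yes")             { print partner ": host unavailable"; bad++ }
            else if (status != "Yes")      { print partner ": status unavailable"; bad++ }
            else if (behind == "")         { print partner ": no change count reported"; bad++ }
            else if (behind + 0 > max + 0) { print partner ": " behind " changes behind"; bad++ }
        }
        /^Partner:/                         { report(); partner = $2; host = status = behind = "" }
        /^Host available:/                  { host = $NF }
        /^Status available:/                { status = $NF }
        /^Partner is [0-9]+ changes behind/ { behind = $3 }
        END {
            report()
            if (seen == 0) { print "no partners parsed"; exit 2 }
            exit (bad > 0 ? 1 : 0)
        }
    '
}

# Constructed sample output (hypothetical hosts), not captured from a real PSC.
sample_healthy() {
cat <<'EOF'
Partner: psc02.example.test
Host available:   Yes
Status available: Yes
My last change number:             1712
Partner has seen my change number: 1712
Partner is 0 changes behind.
EOF
}

sample_degraded() {
cat <<'EOF'
Partner: psc02.example.test
Host available:   Yes
Status available: Yes
My last change number:             1712
Partner has seen my change number: 1712
Partner is 0 changes behind.

Partner: psc03.example.test
Host available:   Yes
Status available: Yes
My last change number:             1712
Partner has seen my change number: 1650
Partner is 62 changes behind.

Partner: psc04.example.test
Host available:   No
EOF
}

# Demo on the constructed degraded sample.
sample_degraded | check_partner_status || echo "replication needs attention"
```

Passing a number as the first argument tolerates that many pending changes, which is useful immediately after a restore while partners are still converging.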

Command reference

Use the following command to start or stop services in the vCenter server and PSC, or obtain the status:

service-control --status/start/stop --all

You can use other Replication topology commands, as in the following example.

Replication topology command

/usr/lib/vmware-vmdir/bin/vdcrepadmin -f showpartners -h localhost -u PSC_Administrator -w password

NOTE: You can replace localhost with another PSC FQDN to obtain all of the partnerships in the current vSphere domain.

Backing Up VMware Cloud Foundation (VCF) on VxRail

Topics:

Backing up VCF on VxRail
VCF and VxRail overview
VCF components and backup methods
Check VMware certification
Backup prerequisites
The backup script
Quick protection
Selective protection: SDDC and NSX-T Managers
Selective protection: vCenter servers
Selective protection: vRSLCM, VxRail Manager, Workspace ONE Access, and vRealize Suite virtual machines
SFTP password change: SDDC and NSX-T Managers
SFTP password change: vCenter servers
Backup-script troubleshooting

Backing up VCF on VxRail

The following sections describe how to protect VMware Cloud Foundation (VCF) on VxRail by using a PowerProtect Data Manager command-line backup script.

NOTE: VxRail is the preferred Dell Technologies platform for VCF. However, environments that use other VMware-supported vSAN Ready Nodes are also supported by Dell Technologies. The following sections also apply to those environments.

VCF and VxRail overview

VCF integrates a VMware cloud infrastructure with cloud management services by using the vRealize software suite to run enterprise applications. The VCF infrastructure is managed by the SDDC Manager, and it includes vSphere compute, vSAN storage, NSX networking, and a range of security implementations.

Dell Technologies VxRail is an all-in-one solution that uses Dell Technologies PowerEdge servers and its own VxRail hyperconverged infrastructure (HCI) software to provide a fully functional VCF environment to enterprise customers.

For more information about VCF and VxRail, see the following resources:

The VMware Cloud Foundation documentation

The VxRail Administration Guide at Customer Support

About VMware Cloud Foundation on Dell VxRail

VCF components and backup methods

Understanding the backup method used by a VCF component aids in understanding how the VCF component is protected by the backup script. The following tables show the VCF components of the different backup methods.

Table 21. VCF components of file-based backups

| Backup Method | Component |
|---|---|
| File based | NSX-T Data Center |
| File based | SDDC manager |
| File based | vCenter server |

Assets of these components are first copied to an external server that uses Secure File Transfer Protocol (SFTP) or another supported protocol. After that, the external server is backed up by PowerProtect Data Manager.

If using quick protection, these components are automatically protected.

Table 22. VCF components of image-based backups

| Backup Method | Component | Automatically discovered |
|---|---|---|
| Image based | vRealize Suite Lifecycle Manager (vRSLCM) | VCF 4.0 |
| Image based | vRealize Automation | VCF 4.1 |
| Image based | vRealize Business | No |
| Image based | vRealize Log Insight | VCF 4.1 |
| Image based | vRealize Network Insight | No |
| Image based | vRealize Operations Manager | VCF 4.1 |
| Image based | VxRail Manager | No |
| Image based | Workspace ONE Access | VCF 4.1 |

Assets of these components are backed up directly by PowerProtect Data Manager.

The Automatically discovered column displays the minimum required version of VCF for a component to be automatically discovered, as well as those components that are not automatically discovered by any version of VCF.

If using quick protection, the automatically discovered components are automatically protected.

All image-based backups follow the VMware quiescing recommendations for VCF virtual machines that are part of VMware Validated Design (VVD):

Table 23. VCF components and quiescing

| Component | Quiescing |
|---|---|
| vRealize Suite Lifecycle Manager | Enabled |
| Workspace ONE Access | Enabled |
| vRealize Log Insight | Disabled |
| vRealize Operations Manager | Disabled |
| vRealize Automation | Enabled |

Check VMware certification

Use this method to check the versions of PowerProtect Data Manager that VMware has certified to work with their products.

About this task

VMware certification allows customers to receive support from VMware for any VMware-specific features related to PowerProtect Data Manager.

NOTE: VMware will only certify a version of PowerProtect Data Manager after it has been released and tested. If you are waiting for the current version of PowerProtect Data Manager to be certified, you can continue to check its status.

Steps

1. In a browser, navigate to the VMware Compatibility Guide.

2. Select All > Dell EMC > All.

3. Click Update and View Results.

4. In the Solution Name column, look for EMC PowerProtect Data Manager entries.

5. Review the information in the corresponding Solution Version and Supported Releases columns.

Backup prerequisites

Ensure the following prerequisites are met before backing up VCF on VxRail:

VCF is at a supported version. For more information, see the PowerProtect Data Manager compatibility matrix provided by the E-Lab Navigator.

Any external server (using SFTP or another supported protocol) used in a file-based backup has been discovered as a File System asset in PowerProtect Data Manager.

Any vCenter server being protected has been added as an asset source in PowerProtect Data Manager.

PowerProtect Data Manager, the vCenter server, and the SDDC and NSX-T managers are all set to the same time zone and have their clocks synchronized.

PowerProtect Data Manager and VCF do not have backup schedules that would back up the same assets at the same time.

A VM Direct Engine exists.

Any backup directory path specified by an external server in a file-based backup exists.

All credentials provided during the execution of the backup script resolve to accounts with the required permissions to access the related resources. This includes but is not limited to the following:

The vCenter username being used belongs to the vCenter Administrators group.

The SDDC manager username being used has the SDDC manager Admin role.

The backup script

You use a PowerProtect Data Manager script to protect VCF components.

The script is accessible from the PowerProtect Data Manager command line. It provides a series of guided procedures that automate multiple backup operations into a single process. The script can also be used to change external SFTP passwords.

NOTE: This script only backs up the data of protected VCF components. It cannot be used to restore any of the data that is backed up. To restore the data, use the PowerProtect Data Manager and VMware user-interface tools. Ensure that you restore VCF-management data to components in a manner supported by VMware. For more information, go to the VMware Validated Design Documentation website and review the backup and restore procedures of the documentation that corresponds to your version of VCF. If disaster recovery must be performed, see VMware Cloud Foundation Disaster Recovery With PowerProtect Data Manager at Customer Support.

Quick protection

This procedure uses default backup settings and values to protect all VCF components at once. Every vCenter server and any automatically discovered VCF component will be protected. Quick protection requires the least amount of input, but also provides the least amount of choice. For information about the default settings and values used, review the selective-protection procedures that follow.

Steps

1. From a PowerProtect Data Manager command line, type the following two commands:

cd /usr/local/brs/lib/sysmgr/bin
./ppdm-vcf-component-protection.sh

2. Provide PowerProtect Data Manager credentials for a user with the Administrator role.

3. Enter the IP address or fully qualified domain name (FQDN) of the SDDC Manager server, and then provide SDDC Manager credentials for a user with the Administrator role.

4. From the backup-script main menu, enter 1.

NOTE: Quick protection uses the same external SFTP server and backup schedule for both the SDDC Manager and vCenter servers. It also overrides the existing backup configurations of the SDDC and vCenter servers without prompting.

5. Enter the FQDN or IP address of an external SFTP server, including the backup directory path, followed by credentials to access the server.

The external SFTP server is also used for vCenter server configuration.

The external SFTP server and backup directory path use the format sftp://server_address:port_number/folder/subfolder.

Examples:

sftp://172.17.62.201:22/upload/backup
sftp://a053.ppdm.vmware.com:22/upload/backup

6. Enter the encryption passphrase for SDDC Manager backups.

The encryption passphrase must be between 12 and 20 characters in length and contain at least two lowercase letters, two uppercase letters, two numerals, and a special character.

NOTE: The encryption passphrase is also used for vCenter server backups, and is required when restoring data. Store the passphrase in a secure location that is separate from the backup files and VCF environment you are protecting.

7. Confirm if common credentials should be used. Enter y to provide common credentials for all vCenter servers.

Enter n to be prompted for the credentials for each individual server.

Provide vCenter credentials for a user with the Administrator role.

8. Select the days of the week a backup takes place, and then enter the time of day.

Type a number that represents a day of the week, where 1 represents Sunday. If selecting multiple days of the week, separate the numbers with a space. For example, to select Sunday and Monday:

1 2

The time of day uses the format HH:MM in 24-hour notation. For example, to enter 1:25 p.m.:

13:25

9. Select both a File System and Virtual Machine protection policy to use.

If a default protection policy of either type does not exist, it will be automatically created with a frequency of DAILY, a time of 8:00 PM to 6:00 AM, and a retention of 7 days.

A protection policy with the name VCF-Image-Based-Protection is used as the default image-based protection policy.

A protection policy with the name VCF-File-Based-(SFTP)-Protection is used as the default file-based protection policy.

If a default protection policy has just been automatically created and it is the only protection policy of that type, it will be automatically used.

If a default protection policy already exists, confirm if it should be used or if the protection policy to use should be selected from a list.

10. Enter the IP address or FQDN of any image-based VCF component that is not automatically discovered and that you want to protect. For a list of components that are not automatically discovered, see VCF components and backup methods.

Results

You can monitor the progress of the backup script as it protects the VCF components.
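Quick protection overrides existing backup configurations without prompting, so it helps to check the values against the stated formats before starting the script. The following pre-flight checks are an added example, not part of the Dell backup script: the function names are hypothetical, the passphrase is constructed, and treating any non-alphanumeric character as a "special character" is an assumption.

```sh
#!/bin/sh
# Added example: validates the values entered in steps 5, 6 and 8 above.
LC_ALL=C; export LC_ALL

# count_class STRING SET -> number of characters of STRING that fall in tr SET
count_class() {
    echo $(( $(printf '%s' "$1" | tr -cd "$2" | wc -c) ))
}

# valid_sftp_url URL -> 0 if URL is sftp://server_address:port_number/folder[/subfolder]
valid_sftp_url() {
    case $1 in sftp://*) ;; *) return 1 ;; esac
    rest=${1#sftp://}
    case $rest in */*) ;; *) return 1 ;; esac        # backup directory path is required
    hostport=${rest%%/*}
    path=/${rest#*/}
    case $hostport in *:*) ;; *) return 1 ;; esac    # the port is part of the format
    host=${hostport%:*}
    port=${hostport##*:}
    case $host in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
    case $port in ''|*[!0-9]*) return 1 ;; esac
    [ "${#port}" -le 5 ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    # reject an empty path, doubled slashes and parent-directory segments
    case $path in /|*//*|*/../*|*/..) return 1 ;; esac
    return 0
}

# valid_passphrase PASS [MAX] -> 0 if PASS meets the stated rule.
# MAX defaults to 20 (quick protection); the SDDC Manager selective
# procedure on this page states 32.
valid_passphrase() {
    pass=$1; max=${2:-20}
    [ "${#pass}" -ge 12 ] && [ "${#pass}" -le "$max" ] || return 1
    [ "$(count_class "$pass" 'a-z')" -ge 2 ] || return 1
    [ "$(count_class "$pass" 'A-Z')" -ge 2 ] || return 1
    [ "$(count_class "$pass" '0-9')" -ge 2 ] || return 1
    # assumption: "special character" = anything that is not a letter or digit
    special=$(printf '%s' "$pass" | tr -d 'A-Za-z0-9')
    [ -n "$special" ] || return 1
}

# valid_days "1 2" -> 0 if every token is 1..7 (1 = Sunday) with no repeats
valid_days() {
    [ -z "$(printf '%s' "$1" | tr -d '1-7 ')" ] || return 1
    seen=
    for d in $1; do
        case $d in [1-7]) ;; *) return 1 ;; esac
        case " $seen " in *" $d "*) return 1 ;; esac
        seen="$seen $d"
    done
    [ -n "$seen" ]
}

# valid_time HH:MM -> 0 for 24-hour times 00:00 through 23:59
valid_time() {
    case $1 in
        [01][0-9]:[0-5][0-9]|2[0-3]:[0-5][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo with the page's example URL and schedule and a constructed passphrase.
if valid_sftp_url 'sftp://172.17.62.201:22/upload/backup' &&
   valid_passphrase 'Example-Pass42xY' &&
   valid_days '1 2' && valid_time '13:25'; then
    echo "inputs accepted"
else
    echo "inputs rejected"
fi
```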

Selective protection: SDDC and NSX-T Managers

This procedure protects just the SDDC and NSX-T manager file-based VCF components, while providing more control over the backup settings used for them than quick protection. To protect other VCF components, refer to the other selective-protection procedures.

Steps

1. From a PowerProtect Data Manager command line, type the following two commands:

cd /usr/local/brs/lib/sysmgr/bin
./ppdm-vcf-component-protection.sh

2. Provide PowerProtect Data Manager credentials for a user with the Administrator role.

3. Enter the IP address or fully qualified domain name (FQDN) of the SDDC Manager server, and then provide SDDC Manager credentials for a user with the Administrator role.

4. From the backup-script main menu, enter 2, and then 1.

5. To override an existing SDDC Manager backup configuration, enter y.

6. To add or modify SDDC Manager backup configuration information, enter the FQDN or IP address of an external SFTP server, including the backup directory path, followed by credentials to access the server.

The external SFTP server is also used for vCenter server configuration. The external SFTP server and backup directory path use the format sftp://server_address:port_number/folder/subfolder.

Examples:

sftp://172.17.62.201:22/upload/backup
sftp://a053.ppdm.vmware.com:22/upload/backup

7. Enter the encryption passphrase for SDDC Manager backups.

The encryption passphrase must be between 12 and 32 characters in length and contain at least two lowercase letters, two uppercase letters, two numbers, and a special character.

NOTE: The encryption passphrase is required when restoring data. Store this passphrase in a secure location that is separate from the backup files and VCF environment you are protecting.

8. The default SSH fingerprint of the external SFTP server is displayed. Confirm that it should be used, or enter a new one.

NOTE: With quick protection, the default SSH fingerprint of the external SFTP server is always used.

9. Select the backup frequency. If you select HOURLY, enter the minute of each hour a backup takes place. If you select WEEKLY, select the days of the week a backup takes place, and then enter the time of day.

For a weekly backup frequency, type a number that represents a day of the week, where 1 represents Sunday. If selecting multiple days of the week, separate the numbers with a space. For example, to select Sunday and Monday:

1 2

The time of day uses the format HH:MM in 24-hour notation. For example, to enter 1:25 p.m.:

13:25

10. Enter the backup-retention values described in the following table. The values automatically used by quick protection are also listed.

Table 24. Backup-retention values

Parameter                          Value range   Quick-protection default value
Days of daily backups to retain    0-30          7
Days of hourly backups to retain   0-14          7
Backup files to retain             1-600         15
Take backups on state change       Yes or no     Yes

11. Confirm if a new File System protection policy should be created in order to protect the external SFTP server. Enter y to provide details of the new protection policy.

Enter n to either select from a list of existing protection policies or skip protection of the external SFTP server.

Results

You can monitor the progress of the backup script as it protects the selected VCF components.

Selective protection: vCenter servers

This procedure protects just the vCenter server file-based VCF components, while providing more control over the backup settings used for them than quick protection. To protect other VCF components, refer to the other selective-protection procedures.

Steps

1. From a PowerProtect Data Manager command line, type the following two commands:

cd /usr/local/brs/lib/sysmgr/bin
./ppdm-vcf-component-protection.sh

2. Provide PowerProtect Data Manager credentials for a user with the Administrator role.

3. Enter the IP address or fully qualified domain name (FQDN) of the SDDC Manager server, and then provide SDDC Manager credentials for a user with the Administrator role.

4. From the backup-script main menu, enter 2 twice.

5. Select the automatically discovered vCenter servers to protect.

Enter a to protect all the servers. Otherwise, enter the numbers that correspond to the individual servers to protect, separating each number with a space.

6. Enter the FQDN or IP address of an external SFTP server, including the backup directory path, followed by credentials to access the server.

Supported protocols for the external server are FTP, SFTP, FTPS, HTTP, HTTPS, NFS, and SMB. The external SFTP server is also used for vCenter server configuration. The external SFTP server and backup directory path use the format sftp://server_address:port_number/folder/subfolder.

Examples:

sftp://172.17.62.201:22/upload/backup
sftp://a053.ppdm.vmware.com:22/upload/backup

7. Select the days of the week a backup takes place, and then enter the time of day.

Type a number that represents a day of the week, where 1 represents Sunday. If selecting multiple days of the week, separate the numbers with a space. For example, to select Sunday and Monday:

1 2

The time of day uses the format HH:MM in 24-hour notation. For example, to enter 1:25 p.m.:

13:25

8. Confirm if the backups should be encrypted. If they should be encrypted, enter an encryption password.

If you enter an encryption password, it must be between 8 and 20 characters in length and contain at least one lowercase letter, one uppercase letter, one number, and one special character.

9. Confirm if historical data should be backed up and the number of backups to retain.

NOTE: In quick protection, the default is to back up historical data and retain all backups.

10. Confirm if common credentials should be used. Enter y to provide common credentials for all vCenter servers.

Enter n to be prompted for the credentials for each individual server.

Provide vCenter credentials for a user with the Administrator role.

11. If there is an existing vCenter server backup configuration, confirm if it should be overridden.

NOTE: Should the existing backup configuration fail to be overridden, the vCenter server will be left without a backup configuration.

12. Confirm if a new File System protection policy should be created in order to protect the external server. Enter y to provide details of the new protection policy.

Enter n to either select from a list of existing protection policies or skip protection of the external server.

Results

You can monitor the progress of the backup script as it protects the selected VCF components.
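
The SDDC Manager encryption passphrase rules, the vCenter encryption password rules, and the sftp:// location format from the two procedures above can be checked before the values are typed into the backup script. The following sh functions are an added example, not part of the Dell backup script; the function names are hypothetical, the sample values are constructed, and the example assumes that a special character is any character other than an ASCII letter or digit.

```shell
#!/bin/sh
# Added example: pre-flight checks for values typed into the backup-script prompts.
# Assumption: a "special character" is any character that is not an ASCII letter or digit.

# count_kept STRING SET: number of characters of STRING that belong to the tr SET.
count_kept() {
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# check_secret POLICY SECRET
#   sddc    : SDDC Manager passphrase, 12-32 chars, 2 lower, 2 upper, 2 numbers, 1 special
#   vcenter : vCenter backup password,  8-20 chars, 1 lower, 1 upper, 1 number,  1 special
# Prints every violated rule; exit status 0 means the secret satisfies the policy.
check_secret() (
    LC_ALL=C; export LC_ALL
    policy=$1; secret=$2
    case $policy in
        sddc)    min_len=12; max_len=32; min_each=2 ;;
        vcenter) min_len=8;  max_len=20; min_each=1 ;;
        *) echo "unknown policy: $policy"; exit 2 ;;
    esac
    len=${#secret}
    lower=$(count_kept "$secret" 'a-z')
    upper=$(count_kept "$secret" 'A-Z')
    digit=$(count_kept "$secret" '0-9')
    special=$((len - lower - upper - digit))
    rc=0
    if [ "$len" -lt "$min_len" ] || [ "$len" -gt "$max_len" ]; then
        echo "length $len is outside $min_len-$max_len"; rc=1
    fi
    [ "$lower" -ge "$min_each" ] || { echo "needs $min_each lowercase letter(s)"; rc=1; }
    [ "$upper" -ge "$min_each" ] || { echo "needs $min_each uppercase letter(s)"; rc=1; }
    [ "$digit" -ge "$min_each" ] || { echo "needs $min_each number(s)"; rc=1; }
    [ "$special" -ge 1 ]         || { echo "needs a special character"; rc=1; }
    exit "$rc"
)

# check_sftp_url URL: validates sftp://server_address:port_number/folder/subfolder
# and prints the parsed parts. Other protocols accepted for vCenter are not handled.
check_sftp_url() (
    url=$1
    case $url in
        sftp://*) rest=${url#sftp://} ;;
        *) echo "location must start with sftp://"; exit 1 ;;
    esac
    hostport=${rest%%/*}          # text before the first "/"
    path=${rest#"$hostport"}      # backup directory path, including the leading "/"
    case $hostport in
        ?*:?*) host=${hostport%:*}; port=${hostport##*:} ;;
        *) echo "server_address:port_number is required"; exit 1 ;;
    esac
    case $port in
        *[!0-9]*) echo "port '$port' is not numeric"; exit 1 ;;
    esac
    if [ "${#port}" -gt 5 ] || [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port '$port' is outside 1-65535"; exit 1
    fi
    case $path in
        /?*) ;;
        *) echo "backup directory path is missing"; exit 1 ;;
    esac
    echo "server=$host port=$port path=$path"
)

demo() {
    # Constructed sample values, not real credentials.
    for policy in sddc vcenter; do
        for s in 'Constructed-Passphrase-2022' 'Ab1!efgh'; do
            if out=$(check_secret "$policy" "$s"); then
                echo "$policy OK: $s"
            else
                echo "$policy REJECTED: $s ($(echo "$out" | tr '\n' ';'))"
            fi
        done
    done
    check_sftp_url 'sftp://172.17.62.201:22/upload/backup'
}
if [ "${1:-}" = demo ]; then demo; fi
```

The constructed 27-character passphrase satisfies the SDDC Manager policy but is too long for the vCenter policy, so one secret cannot always be reused for both prompts.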

Selective protection: vRSLCM, VxRail Manager, Workspace ONE Access, and vRealize Suite virtual machines

This procedure protects all of the image-based VCF components, while providing more control over the backup settings used for them than quick protection. The components protected include vRSLCM, VxRail Manager, Workspace ONE Access, and vRealize Suite virtual machines. To protect file-based VCF components, refer to the other selective-protection procedures.

Steps

1. From a PowerProtect Data Manager command line, type the following two commands:

cd /usr/local/brs/lib/sysmgr/bin
./ppdm-vcf-component-protection.sh

2. Provide PowerProtect Data Manager credentials for a user with the Administrator role.

3. Enter the IP address or fully qualified domain name (FQDN) of the SDDC Manager server, and then provide SDDC Manager credentials for a user with the Administrator role.

4. From the backup-script main menu, enter 2, and then 3.

5. Select an image-based VCF component type to protect.

NOTE: You can only select a single component type. To protect more than one component, follow the selective protection steps for each component.

If you select vRSLCM, select a discovered vRSLCM server to protect.
If you select any other component type, enter the IP address or fully qualified domain name (FQDN) of the server to protect.

6. Confirm if a new Virtual Machine protection policy should be created in order to protect the component. Enter y to provide details of the new protection policy.

Enter n to select from a list of existing protection policies.

Results

You can monitor the progress of the backup script as it protects the selected VCF component.

SFTP password change: SDDC and NSX-T Managers

While using the backup script to protect VCF components, you might want to change the password of the external SFTP server account associated with the SDDC and NSX-T Managers.

Steps

1. From a PowerProtect Data Manager command line, type the following two commands:

cd /usr/local/brs/lib/sysmgr/bin
./ppdm-vcf-component-protection.sh

2. Provide PowerProtect Data Manager credentials for a user with the Administrator role.

3. Enter the IP address or fully qualified domain name (FQDN) of the SDDC Manager server, and then provide SDDC Manager credentials for a user with the Administrator role.

4. From the backup-script main menu, enter 3, and then 1.

5. Confirm if you want to change the password of the external SFTP server account. Enter y to change the password, and then perform the following actions:

a. Enter the new password.
b. Enter y to confirm if the automatically generated SSH fingerprint should be used. Otherwise, enter n to provide your own SSH fingerprint.

Enter n to skip the password change.

Results

You can monitor the progress of the backup script as it changes the password of the external SFTP server account associated with the SDDC and NSX-T managers.

SFTP password change: vCenter servers

While using the backup script to protect VCF components, you might want to change the password of an external SFTP server associated with an automatically discovered vCenter server.

Steps

1. From a PowerProtect Data Manager command line, type the following two commands:

cd /usr/local/brs/lib/sysmgr/bin
./ppdm-vcf-component-protection.sh

2. Provide PowerProtect Data Manager credentials for a user with the Administrator role.

3. Enter the IP address or fully qualified domain name (FQDN) of the SDDC Manager server, and then provide SDDC Manager credentials for a user with the Administrator role.

4. From the backup-script main menu, enter 3, and then 2.

5. Confirm if common credentials should be used. Enter y to provide common credentials for all vCenter servers.

Enter n to be prompted for the credentials for each individual server.

Provide vCenter credentials for a user with the Administrator role.

6. Confirm if you want to provide a backup encryption password. This password will be used when backing up the VCF components of all vCenter servers.

7. For each automatically discovered vCenter server, confirm if you want to change the password of the external SFTP server account associated with it.

Results

You can monitor the progress of the backup script as it changes the passwords of all external SFTP server accounts associated with the selected vCenter servers.

Backup-script troubleshooting

The following table provides common error codes and messages, along with explanations or recommended areas of investigation to resolve the problem.

Table 25. Error codes and explanations

Error code or message:
  INVALID_ENCRYPTION_PASSPHRASE
  Provided encryption passphrase is invalid.
Explanation or area of investigation:
  The encryption passphrase specified for external SFTP server is invalid.

Error code or message:
  Validate Backup Location Details FAILED
Explanation or area of investigation:
  The backup location specified for the external SFTP server in the SDDC Manager backup configuration does not exist.

Error code or message:
  INPUT_PARAM_ERROR
  Failed to establish SFTP connection to with username on port .
Explanation or area of investigation:
  The credentials specified for the external SFTP server in the SDDC Manager backup configuration are incorrect.

Error code or message:
  INVALID_ARGUMENT
  The entered backup password does not adhere to the password requirements.
Explanation or area of investigation:
  The encryption passphrase specified in the vCenter server backup configuration is invalid.

Error code or message:
  INVALID_ARGUMENT
  Plugin error occurred. Access to the backup server is denied. Check your credentials.
Explanation or area of investigation:
  The password specified for the external server in the vCenter server backup configuration is incorrect.

Error code or message:
  UNAUTHENTICATED
  Authentication required.
  com.vmware.vapi.endpoint.method.authentication.required
Explanation or area of investigation:
  The credentials specified for the vCenter server are incorrect.

Error code or message:
  Perform validations for backup server fingerprint FAILED
Explanation or area of investigation:
  The SSH fingerprint specified for the external SFTP server in the SDDC Manager backup configuration is invalid.

Error code or message:
  SCHEDULING_SDDC_MANAGER_BACKUPS_FAILED_REASON_UNKNOWN
  Unexpected error occurred. Provided backup schedule not applied.
Explanation or area of investigation:
  Check for errors on the SDDC Manager.

Error code or message:
  LOCK_NOT_AVAILABLE
  Lock is not available - SDDC Manager DEPLOYMENT lock to perform Backup & Restore operation.
Explanation or area of investigation:
  There are too many pending SDDC Manager jobs. Try running the backup script at another time.

Error code or message:
  503
  The data store service is not available. Try again later.
  remediation timestamp path /api/v2/assets
Explanation or area of investigation:
  PowerProtect Data Manager assets cannot currently be queried. Try running the backup script at another time.

Error code or message:
  503
  The service is not available. Try again later.
  remediation timestamp path /api/v2/protection-policies
Explanation or area of investigation:
  Protection policies cannot currently be queried. Try running the backup script at another time.

Virtual Machine Best Practices and Troubleshooting

Topics:

Software and hardware requirements
Scalability limits for vCenter server, VM Direct Engine, and DD systems
PowerProtect Data Manager resource requirements in a VMware environment
Best practices and additional considerations for the VM Direct Engine
Best practices for vCenter server backup and restore
Changing the vCenter server FQDN
Replacing security certificates
Support for backup and restore of encrypted virtual machines
Troubleshooting network setup issues
Troubleshooting virtual machine backup issues
Troubleshooting virtual machine restore issues
Troubleshoot virtual machine SQL application consistent policy issues
Troubleshooting vSphere Plugin deployments
VMware knowledge base articles and product documentation

Software and hardware requirements

The following table lists the required components for PowerProtect Data Manager and the VM Direct protection engine.

Table 26. PowerProtect Data Manager and VM Direct engine requirements

Component | Requirements | Notes

PowerProtect Data Manager with the VM Direct Engine
  Version 19.12 or later.

vCenter server
  vSphere and ESXi versions 6.5, 6.7, 7.0, 7.0 U1 or later. Refer to the VMware documentation ESXi 6.5 and later minimum requirements for physical host requirements for the ESXi hosts.
  VMware has announced the end of general support for vSphere version 6.0. The Knowledge Base article at https://kb.vmware.com/s/article/66977 provides more information.
  Version 6.5 and later is required to perform Microsoft SQL Server application-aware protection. Also, file-level restore in the vSphere Client requires a minimum vCenter version 6.7 U1.
  Any new virtual machine protection policies use Transparent Snapshot Data Mover (TSDM) as the default protection mechanism instead of VADP, provided that the vCenter/ESXi Server that hosts the virtual machines is a minimum version of 7.0 U3c and the policy options selected for the virtual machine crash-consistent protection policy are supported by TSDM.

VMware Tools
  Version 10 or later. Install VMware Tools on each virtual machine by using the vSphere Client. VMware Tools adds additional backup and recovery capabilities that quiesce certain processes on the guest operating system before backup.
  Version 10.1 and later is required to perform Microsoft SQL Server application-aware protection.

PowerProtect DD System models and software
  All models of PowerProtect DD System in production are supported.
  DD Operating System (DDOS) version 6.2 or later and the PowerProtect DD Management Center (DDMC).
  Make note of the hosts writing backups to your DD systems.

Web browser
  Google Chrome. The latest version of the Google Chrome browser is recommended to access the PowerProtect Data Manager user interface.

Scalability limits for vCenter server, VM Direct Engine, and DD systems

The following limits have been tested successfully with PowerProtect Data Manager for vCenter server, VM Direct Engine, and DD systems.

NOTE: These numbers are not maximum or hard limits, but should be considered when scaling your environment.

Table 27. Scalability limits

Component: Number of vCenter servers supported with a single PowerProtect Data Manager server
Tested limits: 12
NOTE: The vCenter server limit is subject to the VM Direct Engine overall limit of 40 and the per vCenter server limit of 25. For example, using the maximum tested number of vCenter servers of 12, you could add an average of 3 VM Direct Engines per vCenter server.

Component: Number of external VM Direct Engines supported with a single PowerProtect Data Manager server
Tested limits: 40
NOTE: This number was tested across 10 vCenter servers. For example, 4 VM Direct Engines per vCenter server.

Component: Number of DD systems supported per PowerProtect Data Manager server
Tested limits: 10

Component: Network latency between the PowerProtect Data Manager server and VM Direct Engines
Tested limits: 200 ms

Component: Network latency between the PowerProtect Data Manager server and the DD systems
Tested limits: 200 ms

Component: Number of virtual machines per PowerProtect Data Manager server
Tested limits: 10,000

PowerProtect Data Manager resource requirements in a VMware environment

Review the following minimum system requirements for PowerProtect Data Manager in a VMware environment (ESXi server).

CPU: 10 CPU cores
Memory: 24 GB RAM for PowerProtect Data Manager
Seven disks with the following capacities:
  Disk 1: 100 GB
  Disk 2: 500 GB
  Disks 3 and 4: 10 GB each
  Disks 5 through 7: 5 GB each
1 GB network interface card (NIC)

NOTE: If you plan to use Cloud DR, your system must also meet the following requirements:
  CPU: 14 CPU cores
  Memory: 28 GB

Best practices and additional considerations for the VM Direct Engine

Review the following information for recommendations and best practices when adding a VM Direct protection engine in PowerProtect Data Manager.

VM Direct Engine performance and scalability

VM Direct Engine performance and scalability depend on several factors, including the number of vCenter servers and proxies and the number of concurrent virtual machine backups. The following table provides information on these scalability factors and maximum recommendations, in addition to concurrence recommendations for sessions created from backups using the VM Direct Engine.

The count of sessions is driven by the number of proxies and backups running through this server.

Table 28. Performance and scalability factors

Component | Maximum limit | Recommended count | Notes

Number of concurrent NBD and Preferred Hot Add backups per ESXi host

48 Ensure that your network has a bandwidth of 10 Gbps or higher. VMware uses Network File Copy (NFC) protocol to read VMDK using NBD transport mode. You need one VMware NFC connection for each VMDK file being backed up. The VMware Documentation provides more information on vCenter NFC session connection limits.

Concurrent VMDK backups per vCenter server

180 Can be achieved with a combination of the number of proxies multiplied by the number of configured Hot Add sessions per VM Direct Engine.

Number of proxies per vCenter server

25 7 A limit of 25 concurrent backup and recovery sessions.

Number of files and directories per file-level restore

200,000 File-level restores are recommended for quickly restoring a small set of files. Image-level or VMDK-level restores are optimized and recommended for restoring a large set of files and folders.

When you reach the limit for concurrent backup sessions, a warning message displays. The remaining sessions will be queued. You can adjust the session limits by modifying the MAX_VC_BACKUP_SESSIONS and MAX_NBD_BACKUP_SESSIONS variables in the environment file, according to the recommendations. The Knowledge Base article 000020476 provides more information.

Table 29. Proxy session limits by proxy type

Component: Added (External) VM Direct Engine
Total number of sessions (backup and recovery) maximum: 25

Component: Embedded VM Direct engine
NOTE: The embedded VM Direct engine is pre-bundled with the PowerProtect Data Manager software.
Total number of sessions (backup and recovery) maximum: 4
Notes: The embedded VM Direct engine is only used as a fallback when all other proxies are disabled or in Failed state.

Transport mode considerations

Review the following information for recommendations and best practices when selecting a transport mode to use for virtual machine data protection operations and Tanzu Kubernetes guest cluster protection in PowerProtect Data Manager.

Hot Add transport mode recommended for large workloads

For workloads where full backups of large-sized virtual machines or backups of virtual machines with a high data change rate are being performed, Hot Add transport mode provides improved performance over other modes. With Hot Add transport mode, a VM Direct Engine must be deployed on the same ESXi host or cluster that hosts the production virtual machines. During data protection operations, a VM Direct Engine capable of performing Hot Add backups is recommended. The following selection criteria are used during data protection operations:

If a VM Direct Engine is configured in Hot Add only mode, then this engine is used to perform Hot Add virtual machine backups. If one or more virtual machines are busy, then the backup is queued until the virtual machine is available.

If a virtual machine is in a cluster where the VM Direct Engine is not configured in Hot Add mode, or the VM Direct Engine with Hot Add mode configured is disabled or in a failed state, then PowerProtect Data Manager selects a VM Direct Engine within the cluster that can perform data protection operations in NBD mode. Any VM Direct Engine with Hot Add mode configured that is not in the cluster is not used.

Any VM Direct Engine that is configured in NBD only mode, or in Hot Add mode with failback to NBD, is used to perform NBD virtual machine backups. If every VM Direct Engine that is configured in NBD mode is busy, then the backup is queued until one of these engines is available.

If there is no VM Direct Engine that is configured in NBD mode, or the VM Direct Engine with NBD mode configured is disabled or in a failed state, then the PowerProtect Data Manager embedded VM Direct engine is used to perform the NBD backup.

Other transport mode recommendations

Review the following additional transport mode recommendations:

Use Hot Add mode for faster backups and restores and less exposure to network routing, firewall, and SSL certificate issues. To support Hot Add mode, deploy the VM Direct Engine on an ESXi host that has a path to the storage that holds the target virtual disks for backup.

NOTE: Hot Add mode requires VMware hardware version 7 or later. Ensure all virtual machines that you want to back up are using Virtual Machine hardware version 7 or later.

In order for backup and recovery operations to use Hot Add mode on a VMware Virtual Volume (vVol) datastore, the VM Direct Engine should reside on the same vVol as the virtual machine.

If you have vFlash-enabled disks and are using Hot Add transport mode, ensure that you configure the vFlash resource for the VM Direct host with sufficient resources (greater than or equal to the virtual machine resources), or migrate the VM Direct Engine to a host with vFlash already configured. Otherwise, backup of any vFlash-enabled disks fails with the error VDDK Error: 13: You do not have access rights to this file and the error on the vCenter server The available virtual flash resource '0' MB ('0' bytes) is not sufficient for the requested operation.

For sites that contain many virtual machines that do not support Hot Add requirements, Network Block Device (NBD) transport mode is used. This mode can cause congestion on the ESXi host management network. Plan your backup network carefully for large-scale NBD installs. For example, consider configuring one of the following options:

Setting up management-network redundancy.
Setting up backup network to ESXi for NBD.
Setting up storage heartbeats.

See https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/techpaper/vmw-vsphere-high-availability-whitepaper.pdf for more information.

If performing NBD backups, ensure that your network has a bandwidth of 10 Gbps or higher.

Change the limit of instant access sessions

For DDOS versions 6.2 and higher, PowerProtect Data Manager uses the limit that the DD storage appliance reports, and manages concurrent instant access sessions based on the reported limit.

You can change the limit by modifying a configuration file to override the default value. Note that sessions that exceed the maximum concurrent sessions that are supported are canceled and retried. To change the number of concurrent sessions manually to match the capability of the underlying storage appliance, perform the following steps.

1. Log in to the PowerProtect Data Manager UI as a user with the Administrator role.

2. If not already created, create an application.yml file in the /usr/local/brs/lib/vmdm/config/ directory.

NOTE: The structure of this file requires that you separate fields into individual categories and sub categories, as shown in the following step.

3. In the application.yml file, change the instant access session parameter value to override the default value. For example:

recovery:
  queue:
    ia_session_allowance: 32

4. Run vmdm stop and then vmdm start to restart the vmdm service.

NOTE: Ensure that no other virtual machine operations are running, such as protection and recovery.

Configuring a backup to support vSAN datastores

Backup and recovery functionality is supported for vSAN virtual machines.

When performing backups or restores of virtual machines residing on vSAN datastores, it is highly recommended to deploy the VM Direct appliance on a vSAN datastore. A VM Direct appliance deployed on any one vSAN datastore can be used for backing up virtual machines from other vSAN or non-vSAN datastores by using Hot Add or nbdssl transport modes, as applicable.

Configuration checklist for common issues

The following configuration checklist provides best practices and troubleshooting tips that might help resolve some common issues.

Basic configuration

Review the following basic configuration requirements:

Synchronize system time between all vCenter and ESXi servers.
Assign IPs carefully; do not reuse any IP addresses.
Use Fully Qualified Domain Names (FQDNs) where possible.
For any network-related issue, confirm that forward and reverse DNS lookups work for each host in the datazone.

Virtual machine configuration

Review the following virtual machine configuration requirements:

Ensure that the virtual machine has access to and name resolution for the protection storage.
Ensure that the virtual machine firewall has port rules for the protection storage.
For application-aware backups, ensure that Microsoft SQL Server instances are enabled for data protection using a SYSTEM account, as described in the section "Microsoft application agent for SQL Server application-aware protection" of the PowerProtect Data Manager Microsoft SQL Server User Guide.

Disable vCenter SSL certificate validation

If the vCenter server's SSL certificate cannot be trusted automatically, a dialog box appears when adding the vCenter server as an asset source in the PowerProtect Data Manager user interface, requesting certificate approval. It is highly recommended that you do not disable certificate enforcement.

If disabling of the SSL certificate is required, you can perform the following procedure.

CAUTION: These steps should only be performed if you are very familiar with certificate handling and the issues that can arise from disabling a certificate.

1. Create a file named cbs_vmware_connection.properties in the /home/admin directory on the PowerProtect Data Manager appliance, with the following contents:

cbs.vmware_connection.ignore_vcenter_certificate=true

2. If not already created, create an application.yml file in the /usr/local/brs/lib/vmdm/config/ directory.

NOTE: The structure of this file requires that you separate fields into individual categories and sub categories, as shown in the following step.

3. In the application.yml file, add the following contents:

vmware_connection:
  ignore_vcenter_cert: true

discovery:
  ignore_vcenter_cert: true

4. Run cbs stop to stop the cbs service, and then cbs start to restart the service.

5. Run vmdm stop to stop the vmdm service, and then vmdm start to restart the service.

6. If the SSL certificate uses an FQDN, perform a test to determine if SSL certificate disabling was successful by adding a vCenter server using the vCenter server's IP address, and then verify that the asset source was added and virtual machine discovery was successful.

Uninstalling the VM Direct agent

If you no longer require the VM Direct agent on the target virtual machine, the agent must be properly uninstalled. If you manually delete VM Direct agent files instead of uninstalling the agent and at some point reinstall the agent, subsequent mount attempts to perform restores fail.

To uninstall the VM Direct agent on Linux:

1. Execute the following command: /opt/emc/vproxyra/bin/preremove.sh.

2. Uninstall the VM Direct agent package by running rpm -e emc-vProxy-FLRAgent.

3. If the uninstall fails due to a broken installation or other issue, you can force removal of the package by running rpm -e --force emc-vProxy-FLRAgent.

To uninstall the VM Direct agent on Windows:

1. Select Control Panel > Programs > Programs and Features.

2. Locate Dell vProxy Agent.

3. Right-click the program and select Uninstall.

Updating the Microsoft Application Agent and VM Direct agent software

The Microsoft Application Agent and VM Direct agent software required to perform SQL application-aware data protection and file-level restore operations will be automatically updated on the target virtual machine by the VM Direct appliance during the file-level restore operation. The VM Direct appliance detects the available software on the client and updates the agent software with the new version of software from its repository. If the update does not occur automatically, contact Customer Support for a procedure to update the VM Direct software repository with the latest version of the agent software packages.

Supported file-level restore platforms and OS versions

File-level restore is supported for the following platforms and operating system versions only.

Platforms/operating systems are qualified for file-level restore support using the default file system for these platforms:

NOTE: The most up-to-date software compatibility information for PowerProtect Data Manager is provided by the E-Lab Navigator.

CentOS 7.x
Debian 9.x, 10.x, and 11.x
RedHat Enterprise Linux versions 7.x, 8.x, and 9.x
SuSE Linux Enterprise Server versions 11.x and 12.x
Ubuntu version 17.10
Oracle Enterprise Linux version 7.2 and later
Windows 7, 8, 10, Server 2008, 2012, 2016 (all 64-bit platforms and R2, where applicable), 2019 for FAT, and NTFS.

Ensure that the latest supported version of VMware Tools or open-vm-tools is installed on the guest operating system.

Support for Debian or Ubuntu operating system

VM Direct file-level restore is supported on the Debian and Ubuntu operating systems. To configure the Debian or Ubuntu guest operating system for file-level restore, perform the following steps.

Steps

1. Log in to the system console as a non-root user.

2. Run the sudo passwd root command.

Enter the new password twice to set a password for the root account.

3. Run the sudo passwd -u root command to unlock the root account.

4. Specify the root user credentials in the PowerProtect Data Manager file-level restore user interface, and complete the file-level restore operation at least once.

While performing the file-level restore operation for the first time, remember to select Keep FLR agent.

5. After performing the above steps at least once, you can revert the root account to the locked state and use a non-root account for future file-level restore requests. A non-root user can lock the root account with the sudo passwd -l root command.

Operating system utilities required for file-level restore

On Linux and Windows, the installed operating system must include several standard utilities in order to use file-level restore. Depending on the target operating system for restore and the types of disks or file systems in use, some of these standard utilities, however, may not be included.

The following utilities and programs may be required for performing file-level restore.

On Windows:

msiexec.exe
diskpart.exe
cmd.exe

On Linux:

blkid
udevadm
readlink
rpm
bash

NOTE: On Linux LVM, LVM2 rpm version 2.02.117 or later is required. To support the new features of LVM2.0, LVM2 version 2.03.15 is required. Additional binaries that are also required on Linux LVM include dmsetup, lvm, vgimportclone, lvmconfig and lvmdevices.

File-level restore and SQL restore requirements and limitations

This section provides a list of requirements and limitations that apply to virtual machine file-level restores and individual SQL database and instance restores.

All platforms

Review the following best practices and limitations that apply to all platforms:

You must install VMware Tools version 10 or later. For best results, ensure that all virtual machines run the latest available version of VMware Tools. Older versions are known to cause failures when you perform browse actions during file-level restore or SQL restore operations.

Before mounting file systems for virtual machine file level restores, ensure that the target virtual machine for the restore supports the file system type, version, and options used in the source backup. For example, the xfsprogs version of the target virtual machine must be compatible with the xfsprogs version of the source virtual machine.

File-level restore is supported only for non-system files or folders (for example, user-created files/folders). When restoring operating system files or folders, or system files or folders such as C:\Windows or C:\Program Files, perform an image-level restore.

You can only restore files and/or folders from a Windows backup to a Windows machine, or from a Linux backup to a Linux machine.

You can perform file-level restores across vCenter servers as long as the vCenters are configured in PowerProtect Data Manager, and the source and target virtual machine have the same guest operating system. For example, Linux to Linux, or Windows to Windows.

When a file-level restore or SQL-restore operation is in progress on a virtual machine, no other backup or recovery operation can be performed on this virtual machine. Wait until the file-level restore session completes before starting any other operation on the virtual machine.

Ensure that the virtual machine has enough free slots to accommodate the disks that will be mounted as part of the restore. The total number of supported disks is 60 (4 SCSI controllers with 15 disks each).

File-level restores do not support the following virtual disk configurations:
LVM thin provisioning
FAT16 file systems
FAT32 file systems on Linux
Extended partitions (Types: 05h, 0Fh, 85h, C5h, D5h)
Two or more virtual disks mapped to single partition
Encrypted partitions
Compressed partitions

If the VM Direct agent service is not running on the target virtual machine, VMDKs fail to mount with the error "Cannot connect to vProxy Agent: Unable to connect to '[::1]: '. dial tcp [::1]: : connectex: No connection could be made because the target machine actively refused it."

Clean up from a suspended or cancelled mount operation requires a restart of the virtual machine before you can initiate a new mount for the file-level restore.

File-level restores do not restore or browse symbolic links.

Windows platforms

Review the following best practices and limitations that apply to Windows platforms:


To browse all of the disk drives of a backup copy, the copy should be from a virtual machine that has the following Windows permission settings in the Advanced Security Settings for the Local Disk at each disk drive level for both the SYSTEM and \Administrators Principal:
Type: Allow
Access: Full Control
Applies to: This folder, subfolders and files

Ensure that the target virtual machine's SCSI Controller 0 is not empty by attaching the slot to a virtual disk. Otherwise, the file-level restore is unable to mount the disks from the backup copy.

Windows 2012 R2 and earlier versions do not support paths longer than 255 characters. To reduce the number of characters in the restore path, you might be required to remove the Windows drive letter, the colon, the slash, and the trailing null character. Since the Windows VM Direct agent mount point already uses around 90 characters, you might need to select a folder at a higher directory level for the restore.

For Windows 2016 and later, an option to enable support for longer file paths is available. See the following article.

File-level restores of Windows 8, Windows Server 2012 and Windows Server 2016 virtual machines are not supported on the following file systems:
Deduplicated NTFS
Resilient File System (ReFS)
EFI bootloader

File-level restores of virtual machines with Windows dynamic disks are supported with the following limitations:
The restore can only be performed when recovering to a virtual machine different from the original. Also, this virtual machine cannot be a clone of the original.
The restore can only be performed by virtual machine administrator users.
If Windows virtual machines were created by cloning or deploying the same template, then all of these Windows virtual machines may end up using the same GUID on their dynamic volumes.

When you perform file-level restore on Windows 2012 R2 virtual machines, the volumes listed under the virtual machine display as "unknown." File-restore operations are not impacted by this issue.

When you enable Admin Approval Mode (AAM) on the operating system for a virtual machine (for example, by setting Registry/FilterAdministratorToken to 1), the administrator user cannot perform a file-level restore to the end user's profile, and an error displays indicating "Unable to browse destination." For any user account control (UAC) interactions, the administrator must wait for the mount operation to complete, and then access the backup folders located at C:\Program Files (x86)\EMC\vProxy FLR Agent\flr\mountpoints by logging into the guest virtual machine using Windows Explorer or a command prompt.

Linux platforms

Review the following best practices and limitations that apply to Linux platforms:

On Linux virtual machines, Logical Volume (LV) names longer than 100 characters are not supported.

When you perform file-level restore on Ubuntu/Debian platforms, you must enable the root account in the operating system. By default, the root account will be in locked state.

Virtual disk types supported

When planning your protection policies, ensure that PowerProtect Data Manager supports the disk types that you use in the environment.

PowerProtect Data Manager does not support the following disk types:

First Class Disks
Independent (persistent and nonpersistent)
RDM Independent - Virtual Compatibility Mode
RDM Physical Compatibility Mode

Additionally, it is recommended to avoid deploying VMs with IDE virtual disks, which degrades backup performance. Use SCSI virtual disks instead whenever possible. Note that you cannot use Hot Add mode with IDE Virtual disks. Backup of IDE Virtual disks is performed using NBD mode.


Virtual machine data change rate

The data change rate is the percentage of a virtual machine's data that changes between backups.

Data change rates directly impact the number of VM Direct Engines required to successfully complete the backup of all required virtual machines within the backup window. A daily data change rate of 3-4% is typical in a vSphere environment. Higher data change rates will require either a longer window to complete the backup, additional VM Direct Engines, or both.

VM Direct Engine data ingestion rate

The VM Direct Engine data ingestion rate is another parameter that directly impacts the number of VM Direct Engines required to successfully complete the backup of all required virtual machines within the backup window.

By default, each VM Direct Engine processes approximately 500 GB to 1 TB of data per hour, subject to the deduplication and read throughput on the primary stack. A number of additional factors, however, can impact the actual data ingestion rate, including the following:

The protection storage system being used for data protection operations.
The type of storage media used for VM Direct Engine storage.
Your network and/or SAN infrastructure and connectivity speed.

If data ingestion rates at your site are typically lower or higher than 500 GB per hour, you can add or delete VM Direct Engines as needed. You can also shorten or lengthen the backup window. By default, each VM Direct Engine is configured to handle the optimal number of concurrent VMDK backup jobs. Configuring each VM Direct Engine to allow fewer concurrent backup jobs would typically require deploying additional VM Direct Engines, but can result in backup jobs being distributed more evenly across the VM Direct Engines.

Full (Level-0) backups typically take longer and consume more VM Direct Engine resources. Therefore, large new virtual machine deployments can impact the ability to complete all required backups within the time specified for the backup window. In order to allow the system to perform these full backups without interruption, where possible ensure that you implement a phased approach for large new virtual machine deployments. If a phased deployment is not possible, and the full backups do not complete before timeout of the backup window, you can also enable automatic retry of failed backups. For instructions, see the PowerProtect Data Manager Administration and User Guide. It is recommended that an administrator user monitor such workloads to ensure that the system can handle these workloads when the demand on resources begins to decrease, and that the virtual machine backups then complete successfully.

VM Direct Engine limitations and unsupported features

Review the following limitations and unsupported features related to the VM Direct Engine.

Backup of individual folders within a virtual machine is not supported

PowerProtect Data Manager only supports image-level backup and disk-level backup. You cannot perform backups of individual folders within the virtual machine.

Backups fail for resource pools recreated with the same name as deleted pool

When you delete a resource pool from a vCenter server and then create a resource pool with the same name, backups fail. Reconfigure the protection group with the newly created resource pool.

Datastore names cannot contain special characters

Using special characters in datastore names can cause problems with the VM Direct Engine, such as failed backups and restores. Special characters include the following: % & * $ # @ ! \ / : * ? " < > | ;, and so on.

DD Boost over fibre channel not supported

PowerProtect Data Manager does not support DD Boost over fibre channel (DFC).


Error when changing configuration of many virtual machines at the same time

When configuring or unconfiguring many virtual machines (300 or more) in a protection policy, an error message might display indicating that the request is too large. You can click OK and proceed, but system performance will be impacted due to the size of the request. As a best practice, it is recommended to use protection rules to automatically determine which assets are assigned to protection policies when the assets are discovered.

Hot Add backups fail when datacenter names contain special characters

Virtual machine backups fail when the datacenter name contains special characters and the transport mode specified for VM Direct backups is Hot Add only. Avoid using special characters in the datacenter name, for example, "Datacenter_#2@3", or specify Hotadd with fallback to Network Block Device for the transport mode.

Hot Add backups fail when virtual machine protection policy configured with Virtual Flash Read Cache value

When using Hot Add transport mode for a virtual machine protection policy, the backup fails with the following error if configured with the Virtual Flash Read Cache (vFRC) value:

"Backup has FAILED. Failed to backup virtual disk \"Hard disk \". Failed to initialize Block Reader. Failed to open source VMDK \ / \": VDDK Error: 13: You do not have access rights to this file. (500)".

I/O contention when all Virtual Machines on a single data store

I/O contention may occur during snapshot creation and backup read operations when all Virtual Machines reside on a single datastore.

Limitations to SQL Server application consistent data protection

Review the SQL Server application-consistent protection support limitations in the section "Microsoft application agent for SQL Server application-aware protection" of the PowerProtect Data Manager Microsoft SQL Server User Guide.

Network configuration settings are not restored with virtual machine after recovery of a vApp backup

Network configuration settings are not backed up with the virtual machine as part of a vApp backup. As a result, when you restore a vApp backup, you must manually reconfigure the network settings.

NFC log level settings

To assist with I/O performance analysis, set the NFC log level in the VM Direct Engine configuration file to its highest value, for example, vixDiskLib.nfc.LogLevel=4. Setting the log level in the server for NFC asynchronous I/O is not required. You can then run the VDDK sample code and evaluate I/O performance by examining the vddk.log and the vpxa log file.

NOTE: Virtual Machines with very high I/O might stall during consolidation due to the ESXi forced operation called synchronous consolidate. Plan your backups of such Virtual Machines according to the amount of workload on the Virtual Machine.


Protection fails for virtual machine name containing { or }

A PowerProtect Data Manager virtual machine protection policy fails to back up virtual machines that contain the special characters { or } in the name. This limitation exists with vSphere versions previous to 6.7. If you do not have vSphere 6.7 or later deployed, avoid using these two characters in virtual machine names.

SAN transport mode not supported

PowerProtect Data Manager supports only the Hot Add and NBD transport modes. The Hot Add mode is the default transport mode. For a protection policy, you can specify to use only Hot Add mode, only NBD mode, or Hot Add mode with fallback to NBD if Hot Add is not available.

Specify NBD for datastores if VM Direct should use NBD mode only

For a VM Direct Engine that only uses NBD transport mode, specify datastores that only perform NBD backups.

Thin provisioning not preserved during NFS datastore recovery

When backing up thin-provisioned virtual machines or disks for virtual machines on NFS datastores, an NFS datastore recovery does not preserve thin provisioning. VMware knowledge base article 2137818 at https://kb.vmware.com/kb/2137818 provides more information.

Virtual machine alert "VM MAC conflict" might appear after successful recovery of virtual machine

After performing a successful recovery of a virtual machine through vCenter version 6, an alert might appear indicating a "VM MAC conflict" for the recovered virtual machine, even though the new virtual machine will have a different and unique MAC address. You must manually acknowledge the alert or clear the alert after resolving the MAC address conflict. Note that this alert can be triggered even when the MAC address conflict is resolved.

The VMware release notes at https://docs.vmware.com/en/VMware-vSphere/6.0/rn/vsphere-vcenter-server-60u2-release-notes.html provide more information.

VM Direct Engine configuration settings cannot be modified after adding the VM Direct Engine

After adding a VM Direct Engine, the only field you can modify is the Transport Mode. Any other configuration changes require you to delete and then re-add the VM Direct Engine. Additional VM Direct actions provides more information.

VM Direct Engine configured with both IPv4 and IPv6 is not supported

The VM Direct Engine does not support both IPv4 and IPv6 at the same time. If you want to run backups and restores using the VM Direct Engine, use either only IPv4 or only IPv6.

VMware Distributed Resource Scheduler cluster support limitations

The PowerProtect Data Manager server is supported in a VMware Distributed Resource Scheduler (DRS) cluster, with the following considerations:

During backup of a virtual machine, host-vmotion or storage-vmotion is not permitted on the virtual machine. The option to migrate will be disabled in the vSphere Client UI.

A storage-vmotion operation cannot be performed on a VM Direct Engine that is currently in use for a backup or restore with Hot Add disks attached.


VMware limitations by vSphere version

VMware limitations for vSphere 6.0 and later versions are available at https://configmax.vmware.com/home. For vSphere 5.5, go to https://www.vmware.com/pdf/vsphere5/r55/vsphere-55-configuration-maximums.pdf.

VMware snapshot for backup is not supported for independent disks

When using independent disks you cannot perform VMware snapshot for backup.

VM Direct Engine selection with virtual networks (VLANs)

PowerProtect Data Manager typically selects a VM Direct Engine by accounting for availability, transport mode settings, and engine load. This selection optimizes data throughput.

When you configure virtual networks for PowerProtect Data Manager and VM Direct Engine to isolate backup traffic, you can define routes to the protection storage system interface for each virtual network. The routes that you configure can influence VM Direct Engine selection. PowerProtect Data Manager ensures that the selected engine has a network interface that can send traffic for a specific virtual network to the protection storage system.

The PowerProtect Data Manager Administration and User Guide provides more information about virtual networks, including prerequisites and supported topologies and traffic types that can influence selection.

Deploying VM Direct appliance to datastore cluster unsupported

VM Direct appliance deployment to a datastore cluster is not supported. The deployment fails with a ServerFaultCode error.

Best practices for vCenter server backup and restore

Review the following recommendations and best practices when planning a vCenter server backup and restore.

NOTE: Backups will not save distributed switch configurations.

It is recommended to schedule the backup of the vCenter server when the load on the vCenter server is low, such as during off-hours, to minimize the impact of vCenter virtual machine snapshot creation and snapshot commit processing overhead.

Ensure that there are no underlying storage problems that might result in long stun times.

Keep the vCenter virtual machine and all of its component virtual machines in one single isolated protection policy. The protection policy should not be shared with any other virtual machines. This is to ensure that the backup times of all vCenter server component virtual machines are as close to each other as possible.

Ensure that the backup start time of the vCenter server does not overlap with any operations for other protected virtual machines being managed by this vCenter server so that there is no impact on other protected virtual machines during snapshot creation and snapshot commit of the vCenter virtual machine.

If the vCenter server and Platform Services Controller instances fail at the same time, you must first restore the Platform Services Controller and then the vCenter server instances.

Changing the vCenter server FQDN

If you change the fully qualified domain name (FQDN) of the vCenter server, PowerProtect Data Manager must be reconfigured to accommodate this change without any issues.

When the FQDN of the vCenter server changes, so does its SSL certificate. In order to continue to administer the vCenter server and maintain uninterrupted protection of its assets, the new certificate must be imported into the PowerProtect Data Manager trust store.


Change the vCenter server FQDN

When the FQDN of the vCenter server changes, its new SSL certificate must be imported into the PowerProtect Data Manager trust store.

About this task

This procedure uses REST API commands that are run on the PowerProtect Data Manager server.

NOTE: In the following steps, replace 192.168.1.204 with the IP address of the PowerProtect Data Manager server and a022-renamed-ppdm.vmware.com with the new FQDN of the vCenter server.

Steps

1. Get the current information from the vCenter server, and make a note of the value of id, which corresponds to the new FQDN certificate:

GET https://192.168.1.204:8443/api/v2/certificates?host=a022-renamed-ppdm.vmware.com&port=443&type=Host

For example, the output might look like this:

fingerprint: "43FF8FBA82D1DD68E630AE9DB8BA7DF21549CE39"
host: "a022-renamed-ppdm.vmware.com"
id: "dmNlbnRlci12bWRtLTA0LmFzbC5sYWIuZW1jLmNvbTo0NDM6aG9zdA=="
issuerName: "OU=VMware Engineering, O=a022-renamed-ppdm.vmware.com, ST=California, C=US, DC=local, DC=vsphere, CN=CA"
notValidAfter: "Mon Mar 11 17:39:09 PDT 2030"
notValidBefore: "Mon Mar 16 17:39:09 PDT 2020"
port: "443"
state: "UNKNOWN"
subjectName: "C=US, CN=vcenter-vmdm-04.asl.lab.emc.com"
type: "HOST"

2. Import the new certificate into the PowerProtect Data Manager trust store:

PUT https://192.168.1.204:8443/api/v2/certificates/{newCertID}

Replace {newCertID} with the value of id displayed in step 1. Only use the text that was displayed between the quotation marks.

3. Get the ID of the vCenter server:

GET https://192.168.1.204:8443/api/v2/inventory-sources/

All vCenter servers that are configured in PowerProtect Data Manager are displayed.

For example, the output might look like this:

"id": "6ffdb6e9-b864-56f4-8ec8-fe1c214c6fef",
"name": "VC",
"version": "7.0.2",
"type": "VCENTER",
"lastDiscovered": "2021-08-10T07:03:41.624Z",
"lastDiscoveryResult": {
"status": "OK",

4. Record the new FQDN of the vCenter server in PowerProtect Data Manager:

PUT https://192.168.1.204:8443/api/v2/inventory-sources/{vCenter-id}

Replace {vCenter-id} with the value of id displayed for the vCenter server in step 3. Only use the text that was displayed between the quotation marks.

5. Get the current list of certificates:

GET https://192.168.1.204:8443/api/v2/certificates

Both the old and new FQDN certificates are displayed. There might also be additional certificates displayed.

6. Search the certificate entries displayed in step 5, and locate the entry where the value of host matches the old FQDN of the vCenter server. Make a note of the corresponding id value.

7. Delete the old certificate from the PowerProtect Data Manager:

DELETE https://192.168.1.204:8443/api/v2/certificates/{oldCertID}

Replace {oldCertID} with the value of id noted in step 6. Only use the text that was displayed between the quotation marks.

Next steps

If the SPBM storage provider configured on the vCenter server is displayed as offline after following these steps, remove the storage provider and add it back.

Replacing security certificates

You can replace the default self-signed security certificates for the PowerProtect Data Manager user interface, or replace changed or expired security certificates on an external server.

The PowerProtect Data Manager Security Configuration Guide provides more information.

Replacing the self-signed security certificates

If you want to use certificates for the PowerProtect Data Manager user interface that are signed by a certificate authority (CA) of your choice, you can replace them.

The PowerProtect Data Manager Security Configuration Guide provides more information.

Replace expired or changed certificates on an external server

Use this procedure to replace expired or changed certificates on an external server. Only the Administrator role can replace certificates.

About this task

If a certificate on an external server has expired or been changed, connection to the server fails with the following error:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX

Perform the following steps using cURL or any REST API client, such as Postman.

Steps

1. Log in to the external server as an administrator:

POST https://server hostname:REST port number/api/v2/login

Provide the following request payload in JSON format:

{ "username": "username", "password": "password" }

where username is a user with the Administrator role and password is the password for this user.

NOTE: Add the following header key with your REST call request:

'Content-type: application/json'

The response returns the following information:


{
"access_token":
"token_type":
"expires_in":
"jti":
"scope":
"refresh_token":
}

Copy the access_token value from the response above. This value will be required in the header key Authorization for all the REST calls in subsequent steps.

2. On the REST API client, run the following to obtain the old or expired external server certificate:

GET https://server hostname:REST port number/api/v2/certificates

NOTE: Add the following header key with your REST call request:

'Authorization: access_token_value'

The response returns a list of certificate entries, each containing the following information:

[{
"id":
"host":
"port":
"notValidBefore":
"notValidAfter":
"fingerprint":
"subjectName":
"issuerName":
"state":
"type":
}]

NOTE: Make note of the host, port and type of each certificate, as this information will be required in Step 4. If you supply incorrect information in Step 4, requests that use these external hosts might fail.

3. On the REST API client, delete the old or expired external server certificate from the PowerProtect Data Manager datastore, using the ID obtained from the response in step 2:

DELETE https://server hostname:REST port number/api/v2/certificates/id

NOTE: Add the following header key with your REST call request:

'Authorization: access_token_value'

Ensure that you delete only the external server certificate that you want to remove.

4. On the REST API client, obtain the new certificate from the external server, using the host, port, and type obtained from the response in step 2:

GET https://server hostname:REST port number/api/v2/certificates?host=host&port=port&type=type

NOTE: Add the following header key with your REST call request:

'Authorization: access_token_value'

The response returns the following information:

[{
"id":
"host":
"port":
"notValidBefore":
"notValidAfter":
"fingerprint":
"subjectName":
"issuerName":
"state": "UNKNOWN",
"type":
}]

5. On the REST API client, accept the new certificate, using the ID obtained in the response from step 4:

PUT https://server hostname:REST port number/api/v2/certificates/id

NOTE: Add the following header key with your REST call request:

'Authorization: access_token_value'

Also, copy the response payload from step 4 in JSON format and change the state from "UNKNOWN" to "ACCEPTED".

6. On the REST API client, verify that the new certificate has been accepted, using the ID obtained in the response from step 4:

GET https://server hostname:REST port number/api/v2/certificates/id

NOTE: Add the following header key with your REST call request:

'Authorization: access_token_value'

If the certificate was accepted, the response returns the following information:

[{
"id":
"host":
"port":
"notValidBefore":
"notValidAfter":
"fingerprint":
"subjectName":
"issuerName":
"state": "ACCEPTED",
"type":
}]
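Both this procedure and "Change the vCenter server FQDN" accept whatever certificate the server presents, so the following added example (not part of the Dell guide or its API client) builds the PUT and DELETE requests only after the offered fingerprint matches one obtained out of band. It assumes the fingerprint field is the certificate's hex digest as an administrator would read it from the certificate itself; the function names and all sample values are constructed for illustration.

```python
import copy
import hmac
import string

# Constructed sample of the list a GET .../api/v2/certificates call returns.
# Field names are the ones shown on this page; every value is made up.
SAMPLE_ENTRIES = [
    {"id": "b2xkLWNlcnQtaWQ=", "host": "vc-old.example.test", "port": "443",
     "fingerprint": "0123456789ABCDEF0123456789ABCDEF01234567",
     "state": "ACCEPTED", "type": "HOST"},
    {"id": "bmV3LWNlcnQtaWQ=", "host": "vc-new.example.test", "port": "443",
     "fingerprint": "89ABCDEF0123456789ABCDEF0123456789ABCDEF",
     "state": "UNKNOWN", "type": "HOST"},
]


class CertificateCheckError(ValueError):
    """Raised when an entry must not be accepted as requested."""


def normalize_fingerprint(value):
    """Reduce 'ab:cd:..' or 'AB CD ..' to bare upper-case hex for comparison."""
    cleaned = value.replace(":", "").replace(" ", "").upper()
    if not cleaned or any(c not in string.hexdigits for c in cleaned):
        raise CertificateCheckError(f"not a hex fingerprint: {value!r}")
    return cleaned


def entries_for_host(entries, host, port="443", cert_type="HOST"):
    """Return the entries whose host, port and type all match."""
    wanted = host.strip().lower()
    return [e for e in entries
            if e["host"].strip().lower() == wanted
            and str(e["port"]) == str(port)
            and e["type"].upper() == cert_type.upper()]


def build_accept_request(entries, host, trusted_fingerprint,
                         port="443", cert_type="HOST"):
    """Return (method, path, body) for the accept step, or raise.

    trusted_fingerprint must come from a source other than this API,
    for example read from the certificate on the external server itself.
    """
    matches = entries_for_host(entries, host, port, cert_type)
    if len(matches) != 1:
        raise CertificateCheckError(
            f"expected exactly one entry for {host}, found {len(matches)}")
    entry = matches[0]
    if entry["state"] != "UNKNOWN":
        raise CertificateCheckError(
            f"entry for {host} is in state {entry['state']}, not UNKNOWN")
    offered = normalize_fingerprint(entry["fingerprint"])
    trusted = normalize_fingerprint(trusted_fingerprint)
    if not hmac.compare_digest(offered, trusted):
        raise CertificateCheckError(
            f"fingerprint mismatch for {host}: server offered {offered}")
    body = copy.deepcopy(entry)      # the payload is the entry itself ...
    body["state"] = "ACCEPTED"       # ... with only the state changed
    return "PUT", f"/api/v2/certificates/{entry['id']}", body


def build_delete_requests(entries, old_host, keep_id):
    """DELETE requests for the old host's entries, never the accepted one."""
    wanted = old_host.strip().lower()
    return [("DELETE", f"/api/v2/certificates/{e['id']}")
            for e in entries
            if e["host"].strip().lower() == wanted and e["id"] != keep_id]


if __name__ == "__main__":
    method, path, body = build_accept_request(
        SAMPLE_ENTRIES, "vc-new.example.test",
        "89:ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef")
    print(method, path, body["state"])
    print(build_delete_requests(SAMPLE_ENTRIES, "vc-old.example.test",
                                keep_id=body["id"]))
```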

Restart the virtual machine protection services

As part of PowerProtect Data Manager maintenance, perform the following steps when directed.

Prerequisites

Verify that there are no active backup and restore operations. The PowerProtect Data Manager Administration and User Guide provides instructions for canceling jobs and disabling protection policies.

Steps

1. Connect to the PowerProtect Data Manager console and change to the root user.

2. Restart the virtual machine data mover service:

/usr/local/brs/lib/vmdm/bin/vmdm restart

3. Restart the protection engine service:

systemctl restart vproxyd

4. If required, re-enable protection policies. The PowerProtect Data Manager Administration and User Guide provides instructions.

Support for backup and restore of encrypted virtual machines

Backup and restore of encrypted virtual machines is supported in PowerProtect Data Manager, with the following limitations:

Restoring encrypted virtual machines to a different vCenter server where encryption is not configured is not supported. You must perform the restore to a new virtual machine on the same vCenter server, or to a different vCenter server where encryption is configured using the same or a different KMS server as the source vCenter.

Restoring an encrypted virtual machine backup to a new virtual machine on the original vCenter server will restore the virtual machine disks (VMDKs) in unencrypted format. For more information about manually changing the virtual machine policy to enable encryption of VMDKs, see the article Virtual Machine Encryption.

VMware recommends powering off the virtual machine before encryption is applied. When restoring an encrypted virtual machine as a new virtual machine or by using an Instant Access restore, disable the Power on the virtual machine when the restore completes option to ensure that the virtual machine can be encrypted by the vCenter server after the restore completes. For more information, see the article Encrypt an Existing Virtual Machine or Virtual Disk.

In order to use Hot Add transport mode, all VM proxies with access to the encrypted virtual machines' datastore must be encrypted as well. For example, if encrypted virtual machines reside in an ESXi cluster, all VM proxies deployed on the cluster must also be encrypted.

In order to back up and restore encrypted virtualization-based security (VBS) and virtual Trusted Platform Module 2.0 (vTPM) virtual machines, vCenter 7.0 U1 or later is required.

For Restore to Original VM recovery operations, ensure that production VMs have the same encryption status as their backup copies. If a production VM has a different encryption status than its backup copy, Restore to Original VM recovery attempts fail with the message Encryption status of production VM and backup copy is different. To resolve this issue, change the encryption status of the production VM to match its backup copy, or perform a Create and Restore to New VM recovery instead.

If a virtual machine is encrypted and vCenter 7.0 or later is used, an Instant Access virtual machine restore job can fail to automatically migrate the virtual machine from the DD NFS datastore to local storage. When this occurs, the restore job has a Completed with Exceptions status. To resolve the issue, perform the following steps from the vCenter user interface:

1. Manually migrate the virtual machine from the DD NFS datastore to local storage.

2. Unmount the DD NFS datastore from the ESXi host.

Troubleshooting network setup issues

vCenter registration and VM Direct Engine deployment fails if the PowerProtect Data Manager server is deployed in the same private network as the internal Docker network.

PowerProtect Data Manager uses an internal private Docker network. If the PowerProtect Data Manager server is deployed in the same private network as the internal Docker network, or if some data sources have already been deployed within the private network, PowerProtect Data Manager fails to protect the data sources.

To resolve this issue, deploy the PowerProtect Data Manager server and other data sources in a different network. If you cannot modify the deployed network, run a script tool within PowerProtect Data Manager to switch the private Docker network to a different network.

To switch the private Docker network to a different network:

1. Connect to the PowerProtect Data Manager console and change to the root user.

2. Modify the Docker network by running the following command:

/usr/local/brs/puppet/scripts/docker_network_switch.sh subnet gateway

Where:

subnet describes the new network in the format 172.25.0.0/24
gateway is the gateway for the private network. For example: 172.25.0.1

Ensure that you specify a subnet and gateway that are not in use.
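The "not in use" check can be scripted before the switch is made. The following is an added example, not part of the Dell guide or of PowerProtect Data Manager: it validates the subnet and gateway arguments and rejects a subnet that overlaps any address or CIDR block supplied on standard input. The function names are hypothetical, and it assumes the iproute2 ip command and awk are available on the console.

```shell
#!/bin/sh
# Pre-flight validation of the subnet and gateway arguments before running
# docker_network_switch.sh. Added example; function names are illustrative.

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer.
# Fails on anything that is not four decimal octets in 0..255.
ip_to_int() (
    ip=$1
    case $ip in ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
    IFS=.
    set -- $ip
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        case $o in 0?*|????*) exit 1 ;; esac   # no leading zeros, max 3 digits
        [ "$o" -le 255 ] || exit 1
    done
    echo "$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))"
)

# cidr_range A.B.C.D/N -> prints "first last" (integer bounds of the block).
cidr_range() (
    case $1 in */*) ;; *) exit 1 ;; esac
    addr=${1%/*}
    len=${1##*/}
    case $len in ''|*[!0-9]*|0?*|???*) exit 1 ;; esac
    [ "$len" -le 32 ] || exit 1
    base=$(ip_to_int "$addr") || exit 1
    if [ "$len" -eq 0 ]; then
        mask=0
    else
        mask=$(( (0xFFFFFFFF << (32 - $len)) & 0xFFFFFFFF ))
    fi
    first=$(( $base & $mask ))
    echo "$first $(( $first | (~$mask & 0xFFFFFFFF) ))"
)

# cidrs_overlap A B -> status 0 if the blocks share an address, 2 if malformed.
cidrs_overlap() (
    a=$(cidr_range "$1") || exit 2
    b=$(cidr_range "$2") || exit 2
    [ "${a% *}" -le "${b#* }" ] && [ "${b% *}" -le "${a#* }" ]
)

# gateway_in_subnet SUBNET GW -> status 0 if GW is a host address inside
# SUBNET (not the network or broadcast address).
gateway_in_subnet() (
    r=$(cidr_range "$1") || exit 2
    g=$(ip_to_int "$2") || exit 2
    [ "$g" -gt "${r% *}" ] && [ "$g" -lt "${r#* }" ]
)

# find_conflicts SUBNET < list -> prints every listed address or CIDR block
# that overlaps SUBNET. Bare addresses count as /32; lines that are not
# addresses (for example "default" from a route table) are skipped.
find_conflicts() (
    subnet=$1
    cidr_range "$subnet" >/dev/null || exit 2
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        case $entry in */*) ;; *) entry=$entry/32 ;; esac
        if cidrs_overlap "$subnet" "$entry"; then
            echo "$entry"
        fi
    done
)

# preflight SUBNET GATEWAY < in-use list -> status 0 only if every check passes.
preflight() (
    subnet=$1 gateway=$2
    r=$(cidr_range "$subnet") || { echo "invalid subnet: $subnet" >&2; exit 1; }
    base=$(ip_to_int "${subnet%/*}")
    # Assumption: the subnet is given as a network address, as in 172.25.0.0/24.
    [ "$base" -eq "${r% *}" ] || { echo "host bits set in $subnet" >&2; exit 1; }
    gateway_in_subnet "$subnet" "$gateway" ||
        { echo "gateway $gateway is not a host address in $subnet" >&2; exit 1; }
    conflicts=$(find_conflicts "$subnet")
    if [ -n "$conflicts" ]; then
        echo "subnet $subnet overlaps addresses already in use:" >&2
        echo "$conflicts" >&2
        exit 1
    fi
    echo "OK: $subnet via $gateway"
)

# Usage: sh preflight.sh 172.25.0.0/24 172.25.0.1
# Feeds the console's own interface addresses and routes as the in-use list.
if [ $# -eq 2 ]; then
    { ip -o -4 addr show | awk '{print $4}'
      ip -4 route show | awk '{print $1}'; } | preflight "$1" "$2"
fi
```

The console's interfaces and routes only cover networks it already knows about. To cover data sources as well, append the addresses of the vCenter, ESXi, and protection storage systems to the list piped into preflight.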

Troubleshooting virtual machine backup issues

This section provides information about issues related to virtual machine backup operations with the VM Direct protection engine.

Backup completes with a non-quiesced snapshot warning

A virtual machine backup completes, but with a warning that a non-quiesced snapshot was used. Although most data will be protected, using a non-quiesced snapshot can result in some data being out of date or missing altogether.

The following warning is seen after a backup completes:

Warnings occurred during snapshot creation. Non-quiesced snapshot was used, quiesced snapshot was unsuccessful. Unable to create quiesced snapshot: An error occurred while quiescing the virtual machine. See the virtual machine's event log for details.


This can happen with backups of both Windows and Linux virtual machines. Refer to the following procedures for common methods of resolving the issue.

Troubleshooting non-quiesced Windows snapshots

There is a common method of resolving this issue on Windows.

Steps

1. Confirm that the virtual machine has VMware Tools 10.1.0 or higher installed. If the virtual machine does not have VMware Tools 10.1.0 or higher installed, then install it.

2. Confirm that the VMware Snapshot Provider service is installed on the virtual machine. If the VMware Snapshot Provider service is not installed, then install it by reinstalling VMware Tools.

NOTE: Antivirus software might interfere with the installation of this service. If it is still not installed after reinstalling VMware Tools, then temporarily disable any antivirus software and reinstall VMware Tools again.

Troubleshooting non-quiesced Linux snapshots

There is a common method of resolving this issue on Linux.

Steps

1. At a shell prompt of the virtual machine, run the command cat /etc/vmware-tools/tools.conf, and look for the value of enableSyncDriver:

[root]# cat /etc/vmware-tools/tools.conf
[vmbackup]
enableSyncDriver = false

2. If the value of enableSyncDriver is false, perform the following steps:

a. Edit /etc/vmware-tools/tools.conf, and change enableSyncDriver = false to enableSyncDriver = true.

b. At the shell prompt, run the command systemctl restart vmtoolsd.service.

Troubleshooting non-quiesced FreeBSD snapshots

There is a common method of resolving this issue on FreeBSD with Open VM Tools.

To resolve the issue, run the following command at a shell prompt of the virtual machine:

vmware-toolbox-cmd config set vmbackup forceQuiesce false

Backup fails when names include special characters

When spaces or special characters are included in the virtual machine name, datastore, folder, or datacenter names, the .vmx file is not included in the backup.

The VM Direct appliance does not back up objects that include the following special characters (format: character/escape sequence):

& %26
+ %2B
/ %2F
= %3D
? %3F
% %25
\ %5C
~ %7E
] %5D


Deleting vCenter asset sources or moving ESXi to another vCenter server

When you delete a vCenter asset source from PowerProtect Data Manager without removing any VM Direct or Search nodes the vCenter servers are hosting, the nodes become non-operational and move into a Failed status after the next health check. As a result, PowerProtect Data Manager updates will fail. This issue also occurs when you move the ESXi server hosting the VM Direct and Search nodes between vCenter servers.

To correct this issue, you can perform one of the following actions:

Manually delete the VM Direct and Search nodes. The section Delete VM Direct or Search nodes when a vCenter server asset source is no longer required provides the required steps.

Return the VM Direct and Search nodes to an Operational or Ready state using the vproxymgmt and infranodemgmt tools. Choose this action if you want to add the vCenter server again, or you want to add the vCenter server that the ESXi has been moved to. The section Return VM Direct or Search nodes to an operational state when re-adding a vCenter server provides the required steps.

Delete VM Direct or Search nodes when a vCenter server asset source is no longer required

Perform the following procedure when you delete a vCenter server as an asset source in PowerProtect Data Manager and you will not be re-adding the vCenter server:

About this task

NOTE: Manual cleanup of the virtual machine for the VM Direct or Search node has to be performed from the vCenter server.

Steps

1. Run the following command to source the environment file.

source /opt/emc/vmdirect/unit/vmdirect.env

2. For VM Direct removal:

a. Obtain the list of VM Direct Engines that require removal by running /opt/emc/vmdirect/bin/vproxymgmt get

b. Make note of the ID of any VM Direct Engine that needs to be deleted.

c. Use the vproxymgmt tool to delete VM Direct Engines by running /opt/emc/vmdirect/bin/vproxymgmt delete -vproxy_id ProxyID

3. For Search Node removal:

a. Obtain the list of Search nodes that require removal by running /opt/emc/vmdirect/bin/infranodemgmt get

b. Make note of the ID of any Search node that needs to be deleted.

c. Use the infranodemgmt tool to delete Search nodes by running /opt/emc/vmdirect/bin/infranodemgmt delete -node_id NodeID

4. In the PowerProtect Data Manager user interface, ensure that any sessions have been removed for both the VM Direct or Search nodes.

Return VM Direct or Search nodes to an operational state when re-adding a vCenter server

When you want to re-add a vCenter server that you deleted from PowerProtect Data Manager, or you want to add a vCenter server that an ESXi server has been moved to, perform the following procedure in order to return the VM Direct or Search nodes to an Operational or Ready state.

Steps

1. Re-add the deleted vCenter server as an asset source in the PowerProtect Data Manager user interface, or note the name of the new vCenter server to where the ESXi server has been moved.

2. Run the following command to source the environment file.

source /opt/emc/vmdirect/unit/vmdirect.env

3. For VM Direct updates:

a. Obtain the list of VM Direct Engines that require updating by running /opt/emc/vmdirect/bin/vproxymgmt get

b. Make note of the ID of any VM Direct Engine that needs to be updated.

c. Use the vproxymgmt tool to update the vCenter name by running /opt/emc/vmdirect/bin/vproxymgmt modify -vcenter_hostname vCenter-FQDN -vproxy_id ProxyID

4. For Search node updates:

a. Obtain the list of Search nodes that require updating by running /opt/emc/vmdirect/bin/infranodemgmt get

b. Make note of the ID of any Search node that needs to be updated.

c. Use the infranodemgmt tool to update the vCenter name by running /opt/emc/vmdirect/bin/infranodemgmt modify -vcenter_hostname vCenter-FQDN -node_id NodeID

5. In the PowerProtect Data Manager user interface, ensure that any sessions for the VM Direct or Search node and cluster have changed to an Operational or Ready state.

Failed to lock virtual machine for backup: Another vProxy operation 'Backup' is active on VM

This error message appears when a backup fails for a virtual machine or when a previous backup of the virtual machine was abruptly ended and the VM annotation string was not cleared.

To resolve this issue, clear the annotation string value for the virtual machine.

1. Connect to the vCenter server, and then select Home > Inventory > Hosts and Clusters.

2. Select the virtual machine, and then select the Summary tab.

3. Clear the value that appears in the Dell VM Direct Engine Session field.

Lock placed on virtual machine during backup and recovery operations continues for 24 hours if VM Direct appliance fails

During VM Direct backup and recovery operations, a lock is placed on the virtual machine. If a VM Direct appliance failure occurs during one of these sessions, the lock is extended to a period of 24 hours, during which full backups and transaction log backups will fail with the following error until the lock is manually released:

Cannot lock VM 'W2K8R2-SQL-2014' (vm-522): Another vProxy operation 'Backup' is active on VM vm-522.

Workaround

To manually release the lock on the virtual machine:

1. Open the vSphere Web Client.

2. Select the virtual machine and select Summary.

3. Select Custom attribute and click Edit.

4. Remove the attribute Dell VM Direct Engine Session.

Managing command execution for VM Direct agent operations on Linux

The VM Direct agent automatically creates a PAM service file named vproxyra in the /etc/pam.d system directory, if the file does not already exist.

This file, which enables you to manage command execution through the VM Direct agent, is modeled on the corresponding vmtoolsd file. The settings in this file permit command execution by any user who is able to perform VM Direct operations on the guest virtual machine. A system administrator can further modify this file to specify which users can perform VM Direct operations, for example, file-level restore and SQL application-aware protection. For more information on the configuration of PAM service files, see the system documentation for your specific guest virtual machine operating system.

PowerProtect plug-in and portlet for vSphere display errors after replacing security certificates

After you replace the default self-signed security certificates, you may see errors in the vSphere client PowerProtect portlet when you select virtual machines:

Service Unavailable: Please contact your administrator. No healthy upstream.

Reinstall the PowerProtect plug-in to apply the new certificates. The PowerProtect Data Manager Security Configuration Guide provides more information.

SQL Server application-consistent backups fail with error "Unable to find VSS metadata files in directory"

SQL Server application-consistent virtual machine backups might fail with the following error when the disk.EnableUUID variable for the virtual machine is set to False.

Unable to find VSS metadata files in directory C:\Program Files\DPSAPPS\MSVMAPPAGENT\tmp\VSSMetadata.xxxx.

To resolve this issue, ensure that the disk.EnableUUID variable for the virtual machines included in a SQL Server application-consistent backup is set to True.

Troubleshooting virtual machine restore issues

The following topics provide information on troubleshooting virtual machine restore failures and virtual machine restore limitations.

Removal of pre-existing snapshots required before running virtual machine restore

A virtual machine restore cannot be completed when a pre-existing VMware snapshot is present on the virtual machine. An error similar to the following appears:

Session 'session ID' is unsuccessful: There are 1 pre-existing snapshot present on this VM. Recover is not possible. Remove snapshot(s) and try again.

Verify that no pre-existing snapshots exist on the virtual machine, and then retry the restore operation from the System Jobs window of the PowerProtect Data Manager UI.

Some operations fail for vTPM virtual machine in a DRS-enabled cluster with dedicated vCenter user account

The following operations fail for virtual machines with a Virtual Trusted Platform Module (vTPM) when the virtual machines are in a DRS-enabled cluster and using a dedicated vCenter user account:

The vTPM virtual machines cannot be powered on after a restore to the original virtual machine or restore to a new virtual machine, with the error Permission to perform this operation was denied displaying.

For an instant access restore, migration is unsuccessful, with the error Unable to complete vMotion task Task:task-3785. Permission to perform this operation was denied displaying.

To avoid these issues, ensure that the privilege Cryptographic operations > Migrate is included as part of the dedicated vCenter user role. The section Specify the required privileges for a dedicated vCenter user account provides more information.


Virtual machine restores fail when vProxyd or vrecoverd disruption occurs

A virtual machine restore hangs and VPOD will not be able to reconnect to the restore session when the following scenarios occur:

A disruption to the vrecoverd process on any external VM Direct Engine.

A disruption to the vProxyd process during a Restore to Original Folder and Overwrite Original Files or Create and Restore to New VM operation that uses Transparent Snapshot Data Mover (TSDM) as the protection mechanism.

After several retry attempts, VPOD marks the restore session as "Failed" and releases the VM Direct Engine associated with the restore.

If this failure occurs during a Create and Restore to New VM, you can delete the new virtual machine and restart the restore operation.

If this failure occurs during a Restore to Original Folder and Overwrite Original Files, you must remove the VM Direct Engine lock on the virtual machine from the vCenter server, and then retry the restore operation. In the vSphere Client, the VM Direct Engine lock appears as a custom attribute with the name Dell VM Direct Engine Session.

NOTE: If this attribute contains any value after a vProxyd process failure, backup and restore operations on this virtual machine cannot be performed. Cleaning up this attribute and then running a successful restore operation is required in order to avoid any potential data loss or corruption of the virtual machine; otherwise, subsequent backups might also contain corrupted data.

DD NFS share not removed after instant access restore

The NFS share might not be removed after a successful virtual machine instant access restore. When this occurs, the restore hangs and the following NFS clients appear enabled in the DD system.

Figure 9. DD NFS clients still enabled after restore

If you encounter this issue, you can wait 24 hours for PowerProtect Data Manager to clean up the DD NFS shares, or you can stop the restore and clean up the DD NFS clients manually by performing the following steps:

1. Restart the VMDM service by typing /usr/local/brs/lib/vmdm/bin/vmdm restart.

2. Clean up DD NFS clients by typing nfs del .

3. In the vSphere Client's Configuration tab, manually unmount the EMC-vProxy-vm-qa-xxxxx DDNFS datastore that is mounted on the ESXi host.

IP address change required after successful image-level restore to a new virtual machine

After performing a successful image-level restore to a new virtual machine, ensure that you change the IP address immediately in order to avoid IP conflicts with the original virtual machine. If you do not change the IP to a unique value, subsequent data protection operations might fail on the restored virtual machine, even if that virtual machine's network interfaces are disconnected.

Virtual machine protection copy does not display under available copies

If a virtual machine protection copy does not display under the available copies in PowerProtect Data Manager, verify the following:

Ensure that protection of the virtual machine completed successfully.

Check that the desired copy has not expired according to the PowerProtect Data Manager protection policy.


Virtual machine restore fails with name resolution error

A virtual machine restore might fail with the following error due to network issues between protection storage and either PowerProtect Data Manager or the vCenter or ESXi server:

com.emc.brs.vmdm.http.HttpsConnector - null: Temporary failure in name resolution
java.net.UnknownHostException : null: Temporary failure in name resolution

Ensure that you have proper name resolution between protection storage and either PowerProtect Data Manager or the vCenter or ESXi server.

Virtual machine restore fails when the previous restore of this virtual machine is in progress or did not complete

A virtual machine restore fails with the following error if the previous restore operation for the same virtual machine is still in progress or did not complete successfully:

Error : There is another running restore operation that conflicts with this request.

If the previous restore operation for this virtual machine is still in progress, monitor the progress in PowerProtect Data Manager until the restore completes. If the virtual machine restore is complete but the task stops responding, then you must manually cancel the restore in PowerProtect Data Manager by restarting the VMDM service. You can restart the VMDM service by typing /usr/local/brs/lib/vmdm/bin/vmdm restart.

Virtual machine restore fails with error due to VM Direct corruption

A virtual machine restore might fail with the following error due to corruption of the VM Direct Engine that is running in PowerProtect Data Manager:

com.emc.dpsg.vproxy.client.VProxyManager - Error(createSession): javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection

Ensure that the vproxyd service is running in PowerProtect Data Manager by typing the following command.

ps xa | grep vproxy

Ensure that the vproxy rpm is installed as expected in PowerProtect Data Manager by typing the following command.

rpm -qa | grep vProxy

When logged in as the root user, restart the vproxyd service on PowerProtect Data Manager by typing the following command.

systemctl restart vproxyd

Virtual machine restore fails with error "User UserEARA does not have proper privileges"

A virtual machine restore fails with the error "User UserEARA does not have proper privileges" when the user does not have adequate privileges to perform the restore operation.

Ensure that the PowerProtect Data Manager user performing the restore belongs to System Tenant and has the Administrator or Restore Administrator role.

Filtering virtual machine copies by File Indexing column is not available

When you select a virtual machine for restore in the PowerProtect Data Manager UI and then click View Copies to select from one of the available copies, using the filter in the File Indexing column does not return any results. Use the filters from other columns to locate the virtual machine asset copies that you want to restore.


Network connection issues with cloud-based deployments after restore of virtual machine with NSX-T VDS port groups

A network connection cannot be established with VMC, AVS, GCVE, or VMware Cloud on Dell deployments after performing a restore of virtual machines with NSX-T VDS port groups. This issue occurs even when the Connect at Power On option is selected in the Networks page of the PowerProtect Data Manager UI Restore wizard.

This issue is only applicable when the source virtual machine is already running in the VMC vCenter. VMware is investigating the issue, and a fix might be provided in the future. Until a fix is made available, perform the following as a workaround to reconnect the restored virtual machines to the NSX-T VDS port group:

1. In the vSphere Client, right-click the restored virtual machine and select Edit Settings.

2. Change the network of the vNIC to a different NSX-T VDS port group, and then click OK to save the changes to exit the window.

3. Right-click the restored virtual machine and select Edit Settings again.

4. Change the network of the vNIC back to the original NSX-T VDS port group.

5. Select Connected and Connect at power on, and then click OK.

Troubleshooting instant access restore failures

An instant access restore consists of two stages. First, a virtual machine is made available in the UI as an instant access virtual machine without moving the virtual machine to permanent storage. Second, storage vMotion is initiated to migrate the virtual machine to permanent storage.

If at any point during the migration a restore failure occurs, the instant access session is not automatically removed until after the expiration period for an instant access virtual machine restore, which is 7 days by default. This behavior is intentional for the following reasons:

To avoid data loss, since changes might have been made to the virtual machine during that time

To provide you with the opportunity to fix the issue (for example, to free up space on the restore destination or choose a different datastore) and then take the appropriate action

When the cause of the failure is determined and/or fixed, you can use the Instant Access Sessions window of the UI to retry the migration, or save the data and delete the instant access virtual machine, as required. The section Manage and monitor Instant Access Sessions provides detailed information about these actions.

Troubleshoot virtual machine SQL application consistent policy issues

Review the following topics related to troubleshooting virtual machine SQL application-consistent protection policies.

Troubleshooting Microsoft SQL Server databases skipped during virtual machine transaction log backup

If a transaction log backup is not appropriate for a database, the database is automatically skipped. Databases are skipped for the reasons outlined in the following table.

Table 30. Microsoft SQL Server skipped database cases and descriptions

Case | Description
Database has been restored | When a database has been restored, this database is skipped during a transaction log backup because there is no backup promotion.
System database | System databases are automatically skipped during a transaction log backup.
Database state | The database is not in a state that allows a backup. For example, the database is in the NORECOVERY state.
Recovery model | The database is in the SIMPLE recovery model, which does not support a transaction log backup.
Other backup product | The most recent backup for the database was performed by a different backup product.
New database | The database was created after the most recent full backup.
Backup failure | The database was in a state that allows a backup, and a backup was tried, but the backup failed.

All skipped databases are backed up as part of the next full backup. Also, a skipped database does not result in a failure.

The only instance in which a transaction log backup job would potentially fail is if all Microsoft SQL Server instance databases failed to be backed up or were skipped.

Troubleshooting Microsoft SQL Server application-aware backup error about disk.EnableUUID variable

A Microsoft SQL Server application-aware virtual machine backup succeeds but displays the following error when the disk.EnableUUID variable for the virtual machine is set to TRUE:

VM ' ' configuration parameter 'disk.EnableUUID' cannot be evaluated. Map item 'disk.EnableUUID' not found. (1071)

To resolve this issue, set the disk.EnableUUID variable to TRUE and then reboot the virtual machine.

Troubleshooting an issue with trailing spaces in Microsoft SQL Server database names

Due to a VSS limitation, you cannot use trailing spaces within the names of Microsoft SQL Server databases protected by an application-consistent data protection policy.

Troubleshooting vSphere Plugin deployments

When investigating issues with the vSphere Plugin deployments, you might need to troubleshoot its deployment.

Troubleshoot vSphere Plugin deployments

In some circumstances, issues can occur during the deployment of the PowerProtect Data Manager vSphere Plugin.

About this task

If deployment of the vSphere Plugin fails, the plugin displays SSL errors or other errors such as 503 Service Not Available or No Healthy Upstream, or you need to force the removal and re-installation of the plugin, perform the following steps:

Steps

1. In the PowerProtect Data Manager UI, go to Infrastructure > Asset Sources.

2. Select the vCenter asset source, and then click Edit.

3. Unselect vSphere Plugin, and then click Save.

4. Log in to the vCenter MOB, for example, http://vcenter.example.com/mob.

5. Navigate to a new window to unregister the extension, for example, http://vcenter.example.com/mob/?moid=ExtensionManager&method=unregisterExtension

6. On this window, type 'com.emc.dpsg.ppdm.plugin', and then click Invoke Method.

7. In the PowerProtect Data Manager UI, go to Infrastructure > Asset Sources, select the vCenter server, and then click Edit.


8. Select vSphere Plugin, and then click Save.

9. Log out of the vCenter server, and then log back in again.

NOTE: If Refresh is displayed, click it.

Next steps

If the PowerProtect Data Manager vSphere Plugin is not deployed in vCenter after performing these steps, you might be required to restart the vSphere Web Client service.

To restart the vSphere Web Client service on a vCenter Server Appliance (VCSA), perform the following steps:

1. Run the following commands:

service-control --stop vsphere-ui
service-control --start vsphere-ui

2. Log out of the vSphere Client, and then log back in to force deployment of the vSphere Plugin.

VMware knowledge base articles and product documentation

Additional VMware troubleshooting information is available at the VMware Knowledge Base and VMware Documentation websites.


Glossary

This glossary provides definitions of acronyms used in the PowerProtect Data Manager documentation.

A

AAG: Always On availability group

ACL: access control list

AD: Active Directory

AKS: Azure Kubernetes Service

API: application programming interface

ARM: Azure Resource Manager

AVS: Azure VMware Solution

AWS: Amazon Web Services

AZ: availability zone

B

BBB: block-based backup

C

CA: certificate authority

CBT: Changed Block Tracking

CDC: change data capture

CIFS: Common Internet File System

CLI: command-line interface

CLR: Common Language Runtime

CN: common name

CPU: central processing unit

CR: custom resource

CRD: custom resource definition

CSI: container storage interface

CSV: Cluster Shared Volume

D

DA: database administrator

DAG: database availability group


DBID: database identifier

DDMC: DD Management Center

DDOS: DD Operating System

DDVE: DD Virtual Edition

DFC: DD Boost over Fibre Channel

DNS: Domain Name System

DPC: Data Protection Central

DR: disaster recovery

DRS: Distributed Resource Scheduler

DSA: Dell security advisory

E

EBS: Elastic Block Store

EC2: Elastic Compute Cloud

eCDM: Enterprise Copy Data Management

ECS: Elastic Cloud Storage

EFI: Extensible Firmware Interface

EKS: Elastic Kubernetes Service

ENI: Elastic Network Interface

EULA: end-user license agreement

F

FC: Fibre Channel

FCD: first class disk

FCI: failover cluster instance

FETB: front-end protected capacity by terabyte

FLR: file-level restore

FQDN: fully qualified domain name

FTP: File Transfer Protocol

G

GB: gigabyte
At Dell, this is 2^30 bytes.

Gb/s: gigabits per second
At Dell, this is 2^30 bits per second.


GCP: Google Cloud Platform

GCVE: Google Cloud Virtual Edition

GID: group identifier

GLR: granular-level restore

GUI: graphical user interface

GUID: globally unique identifier

H

HA: High Availability

HANA: high-performance analytic appliance

HTML: Hypertext Markup Language

HTTP: Hypertext Transfer Protocol

HTTPS: Hypertext Transfer Protocol Secure

I

IAM: identity and access management

IDE: Integrated Device Electronics

IP: Internet Protocol

IPv4: Internet Protocol version 4

IPv6: Internet Protocol version 6

K

KB: kilobyte
At Dell, this is 2^10 bytes.

L

LAC: License Authorization Code

LAN: local area network

M

MB: megabyte
At Dell, this is 2^20 bytes.

ms: millisecond

MTU: maximum transmission unit


N

NAS: network-attached storage

NBD: network block device

NBDSSL: network block device over SSL

NDMP: Network Data Management Protocol

NFC: Network File Copy

NFS: Network File System

NIC: network interface card

NTFS: New Technology File System

NTP: Network Time Protocol

O

OS: operating system

OSS: open-source software

OVA: Open Virtualization Appliance

P

PCS: Protection Copy Set

PDF: Portable Document Format

PEM: Privacy-enhanced Electronic Mail

PIN: personal identification number

PIT: point in time

PKCS: Public Key Cryptography Standards

PSC: Platform Service Controller

PVC (cloud computing): private virtual cloud

PVC (Kubernetes): Persistent Volume Claim

R

RAC: Real Application Clusters

RAM: random-access memory

RBAC: role-based access control

ReFS: Resilient File System

REST API: representational-state transfer API

RHEL: RedHat Enterprise Linux


RMAN: Recovery Manager

RPO: recovery-point objective

RSA: Rivest-Shamir-Adleman

S

S3: Simple Storage Services

SaaS: software as a service

SAP: System Analysis Program Development
From the SAP website (2022), "the name is an initialism of the company's original German name: Systemanalyse Programmentwicklung, which translates to System Analysis Program Development. Today the company's legal corporate name is SAP SE - SE stands for societas Europaea, a public company registered in accordance with the European Union corporate law."

SCSI: Small Computer System Interface

SDDC: software-defined data center

SELinux: Security-Enhanced Linux

SFTP: Secure File Transfer Protocol

SLA: service-level agreement

SLES: SuSE Linux Enterprise Server

SLO: service-level objective

SPBM: Storage Policy Based Management

SQL: Structured Query Language

SRS: Secure Remote Services

SSD: solid-state drive

SSH: Secure Shell

SSL: Secure Sockets Layer

SSMS: SQL Server Management Studio

SSVs: System Stable Values

T

TB: terabyte
At Dell, this is 2^40 bytes.

TCP: Transmission Control Protocol

TDE: Transparent Data Encryption

TLS: Transport Layer Security

TPM: Trusted Platform Module

TSDM: Transparent Snapshot Data Mover

T-SQL: Transact-SQL


U

UAC: user account control

UDP: User Datagram Protocol

UI: user interface

UID: user identifier

UTC: Coordinated Universal Time
From Wikipedia (2022), "this abbreviation comes as a result of the International Telecommunication Union and the International Astronomical Union wanting to use the same abbreviation in all languages. English speakers originally proposed CUT (for 'coordinated universal time'), while French speakers proposed TUC (for 'temps universel coordonné')."

V

VADP: VMware vStorage APIs for Storage Awareness

VBS: virtualization-based security

VCF: VMware Cloud Foundation

vCLS: vSphere Cluster Service

vCSA: vCenter Server Appliance

VCSA: vCenter Server Appliance

VDI: Virtual Device Interface

vDisk: virtual disk

vDS: virtual distributed switch

vFRC: Virtual Flash Read Cache

VGT: Virtual Guest Tagging

VIB: vSphere Installation Bundle

VLAN: virtual LAN

VM: virtual machine

VMC: VMware Cloud

VMDK: virtual machine disk

VNet: virtual network

VPC: virtual private cloud

vRSLCM: vRealize Suite Lifecycle Manager

VST: Virtual Switch Tagging

vTPM: Virtual Trusted Platform Module

VVD: VMware Validated Design

vVol: virtual volume

W

WAN: wide area network
