PowerProtect Data Manager 19.12 Virtual Machine User Guide
December 2022 Rev. 03
Notes, cautions, and warnings
NOTE: A NOTE indicates important information that helps you make better use of your product.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
© 2021 - 2022 Dell Inc. or its subsidiaries. All rights reserved. Dell Technologies, Dell, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be trademarks of their respective owners.

Contents

Preface

Chapter 1: PowerProtect Data Manager for Virtual Machines Overview
PowerProtect Data Manager overview
Additional information and context
Supported Internet Protocol versions
Terminology
Role-based security
Firewall and port considerations
PowerProtect Data Manager new deployment overview
Access the PowerProtect Data Manager UI
Get Started window

Chapter 2: Enabling Virtual Machine Protection
About asset sources, assets, and protection storage
About vCenter server asset sources and virtual assets
Prerequisites for discovering asset sources
Discovering asset sources in a GCVE environment
Enable an asset source
Disable an asset source
Delete an asset source
Adding a vCenter Server asset source
Add a VMware vCenter server
Creating a dedicated vCenter user account
Specify the required privileges for a dedicated vCenter user account
VM Direct protection engine overview
Requirements for an external VM Direct Engine
Protection engine limitations
Add a VM Direct Engine
Additional VM Direct actions
Transparent Snapshot Data Mover protection mechanism

Chapter 3: Managing Virtual Machine Assets and Protection
Protection policies
Additional protection policy options
Before you create a protection policy
Replication triggers
Supported enhanced VMware topologies for virtual machine protection
Add a protection policy for virtual machine protection
Managing virtual machine backups
Add and remove the credentials for virtual machine assets
Enable or disable Changed Block Tracking (CBT)
More options for managing virtual machine backups
Snapshot freeze scripts and thaw scripts for virtual machine backups
Add a service-level agreement
Add or remove assets in a protection policy
Edit the retention period for backup copies
Extended retention (for protection policies created in PowerProtect Data Manager 19.11 and earlier)
Protection rules
Creating virtual machine tags in the vSphere Client
Add a protection rule
Manually run a protection rule
Edit or delete a protection rule
View assets applied to a protection rule
Change the priority of an existing protection rule
Configure protection rule behavior

Chapter 4: Restoring Virtual Machine Data and Assets
Prerequisites to restore a virtual machine
Self-service restores
View backup copies available for restore
Restoring a virtual machine or VMDK
Restoring a virtual machine backup with the storage policy association
Image-level restores
Restore to the original virtual machine
Restore individual virtual disks
Restore to a new virtual machine
Direct restore to ESXi
Instant Access virtual machine restore
Manage and monitor Instant Access sessions
Migrate an Instant Access session
File-level restores
Manually install the VM Direct agent on Linux
Manually install the VM Direct agent on Windows
File-level restore to the original virtual machine
File-level restore to alternate virtual machine
Virtual machine file-level restore from a search
Restore an application-aware virtual machine backup

Chapter 5: Protecting Virtual Machines Using the Transparent Snapshot Data Mover
Overview of transparent snapshots for virtual machine protection
vSphere Installation Bundle monitoring and management
Transparent snapshot data mover system requirements
Prerequisites to virtual machine protection with the Transparent Snapshot Data Mover
Additional privileges required for a dedicated vCenter user account to use Transparent Snapshot Data Mover
Creating VMkernel ports for TSDM
Virtual machine transparent snapshot unsupported features and limitations
Transparent Snapshot Performance and Scalability

Chapter 6: PowerProtect Functionality Within the vSphere Client
PowerProtect functionality within the vSphere Client
Overview of the PowerProtect plug-in for the vSphere Client
Prerequisites for enabling the vSphere Client PowerProtect plug-in
Monitor PowerProtect Data Manager virtual machine protection copies
Perform a manual PowerProtect-policy backup in the vSphere Client
Perform an image-level restore of a PowerProtect backup in the vSphere Client
File-level restores of a PowerProtect backup in the vSphere Client
Overview of VASA and VMware Storage Policy Based Management
Register the VASA provider for policy association
Add an SPBM policy and associate with a PowerProtect Data Manager virtual machine policy
Monitor virtual machine protection policy compliance

Chapter 7: VMware Cloud (VMC) on Amazon Web Services (AWS)
PowerProtect Data Manager image backup and recovery
Supported PowerProtect Data Manager and DDVE deployment configurations
Deployment and configuration best practices and requirements
Configuring the VMC-on-AWS portal
Interoperability with PowerProtect Data Manager features
vCenter server inventory requirements
Creating a dedicated cloud-based vCenter user account
Specify the required privileges for a dedicated cloud-based vCenter user account
Add a VM Direct Engine
Unsupported operations

Chapter 8: Azure VMware Solution (AVS) on Microsoft Azure
PowerProtect Data Manager image backup and recovery
Supported PowerProtect Data Manager and DDVE deployment configurations
Deployment and configuration best practices and requirements
Configuring the AVS-on-Azure portal
vCenter server inventory requirements
Creating a dedicated cloud-based vCenter user account
Specify the required privileges for a dedicated cloud-based vCenter user account
Add a VM Direct Engine
Unsupported operations

Chapter 9: Google Cloud VMware Engine (GCVE) on Google Cloud Platform (GCP)
PowerProtect Data Manager image backup and recovery
Supported PowerProtect Data Manager and DDVE deployment configurations
Deployment and configuration best practices and requirements
Configuring the GCVE-on-GCP portal
vCenter server inventory requirements
Discovering asset sources in a GCVE environment
Creating a dedicated cloud-based vCenter user account
Specify the required privileges for a dedicated cloud-based vCenter user account
Add a VM Direct Engine
Unsupported operations

Chapter 10: Backing Up and Recovering a vCenter Server
Backing up and recovering a vCenter server
vCenter deployments overview
Protecting an embedded PSC
Direct restore to ESXi
Protecting external deployment models
vCenter server appliance with one external PSC where PSC fails
vCenter server appliance is lost but the PSC remains
vCenter server appliance with multiple PSCs where one PSC is lost but one remains
vCenter server appliance remains but all PSCs fail
vCenter server appliance remains but multiple PSCs fail
vCenter server appliance fails
vCenter server restore workflow
Platform Services Controller restore workflow
Additional considerations
Command reference

Chapter 11: Backing Up VMware Cloud Foundation (VCF) on VxRail
Backing up VCF on VxRail
VCF and VxRail overview
VCF components and backup methods
Check VMware certification
Backup prerequisites
The backup script
Quick protection
Selective protection: SDDC and NSX-T Managers
Selective protection: vCenter servers
Selective protection: vRSLCM, VxRail Manager, Workspace ONE Access, and vRealize Suite virtual machines
SFTP password change: SDDC and NSX-T Managers
SFTP password change: vCenter servers
Backup-script troubleshooting

Appendix A: Virtual Machine Best Practices and Troubleshooting
Software and hardware requirements
Scalability limits for vCenter server, VM Direct Engine, and DD systems
PowerProtect Data Manager resource requirements in a VMware environment
Best practices and additional considerations for the VM Direct Engine
VM Direct Engine performance and scalability
Transport mode considerations
Change the limit of instant access sessions
Configuring a backup to support vSAN datastores
Configuration checklist for common issues
Disable vCenter SSL certificate validation
Uninstalling the VM Direct agent
Updating the Microsoft Application Agent and VM Direct agent software
Supported file-level restore platforms and OS versions
File-level restore and SQL restore requirements and limitations
Virtual disk types supported
Virtual machine data change rate
VM Direct Engine data ingestion rate
VM Direct Engine limitations and unsupported features
VM Direct Engine selection with virtual networks (VLANs)
Deploying VM Direct appliance to datastore cluster unsupported
Best practices for vCenter server backup and restore
Changing the vCenter server FQDN
Change the vCenter server FQDN
Replacing security certificates
Replacing the self-signed security certificates
Replace expired or changed certificates on an external server
Support for backup and restore of encrypted virtual machines
Troubleshooting network setup issues
Troubleshooting virtual machine backup issues
Backup completes with a non-quiesced snapshot warning
Backup fails when names include special characters
Deleting vCenter asset sources or moving ESXi to another vCenter server
Failed to lock virtual machine for backup: Another vProxy operation 'Backup' is active on VM
Lock placed on virtual machine during backup and recovery operations continues for 24 hours if VM Direct appliance fails
Managing command execution for VM Direct agent operations on Linux
PowerProtect plug-in and portlet for vSphere display errors after replacing security certificates
SQL Server application-consistent backups fail with error "Unable to find VSS metadata files in directory"
Troubleshooting virtual machine restore issues
Network connection issues with cloud-based deployments after restore of virtual machine with NSX-T VDS port groups
Troubleshooting instant access restore failures
Troubleshoot virtual machine SQL application consistent policy issues
Troubleshooting Microsoft SQL Server databases skipped during virtual machine transaction log backup
Troubleshooting Microsoft SQL Server application-aware backup error about disk.EnableUUID variable
Troubleshooting an issue with trailing spaces in Microsoft SQL Server database names
Troubleshooting vSphere Plugin deployments
Troubleshoot vSphere Plugin deployments
VMware knowledge base articles and product documentation
Glossary.................................................................................................................................... 165
Preface
As part of an effort to improve product lines, periodic revisions of software and hardware are released. Therefore, all versions of the software or hardware currently in use might not support some functions that are described in this document. The product release notes provide the most up-to-date information on product features.
If a product does not function correctly or does not function as described in this document, contact Customer Support.
NOTE: This document was accurate at publication time. To ensure that you are using the latest version of this document, go to the Customer Support website.
Product naming
Data Domain (DD) is now PowerProtect DD. References to Data Domain or Data Domain systems in this documentation, in the user interface, and elsewhere in the product include PowerProtect DD systems and older Data Domain systems. In many cases the user interface has not yet been updated to reflect this change.
Language use
This document might contain language that is not consistent with Dell Technologies current guidelines. Dell Technologies plans to update the document over subsequent future releases to revise the language accordingly.
This document might contain language from third-party content that is not under Dell Technologies control and is not consistent with the current guidelines for Dell Technologies own content. When such third-party content is updated by the relevant third parties, this document will be revised accordingly.
Acronyms
The acronyms used in this document might not be familiar to everyone. Although most acronyms are defined on their first use, a definition is not always provided with later uses of the acronym. For a list of all acronyms and their definitions, see the glossary at the end of the document.
Website links
The website links used in this document were valid at publication time. If you find a broken link, provide feedback on the document, and a Dell Technologies employee will update the link in the next release as necessary.
Purpose
This document describes how to configure and administer the Dell PowerProtect Data Manager software to protect and restore data on virtual machines.
The PowerProtect Data Manager Administration and User Guide provides additional details about configuration and usage procedures.
Audience
This document is intended for the virtual machine administrator who is involved in managing, protecting, and reusing data across the enterprise by deploying PowerProtect Data Manager software.
Revision History
The following table presents the revision history of this document.
Revision | Date | Description
03 | December 2, 2022 | Updated the following sections: File-level restore and SQL restore requirements and limitations; Network connection issues with cloud-based deployments after restore of virtual machine with NSX-T VDS port groups
02 | November 18, 2022 | Updated for the support of vSphere 8.0.
01 | October 25, 2022 | Initial release of this document for PowerProtect Data Manager version 19.13
Compatibility information
Software compatibility information for the PowerProtect Data Manager software is provided by the E-Lab Navigator.
Related documentation
The following publications are available at Customer Support and provide additional information:
Table 1. Related documentation
Title | Content
PowerProtect Data Manager Administration and User Guide | Describes how to configure the software.
PowerProtect Data Manager Deployment Guide | Describes how to deploy the software.
PowerProtect Data Manager Licensing Guide | Describes how to license the software.
PowerProtect Data Manager Release Notes | Contains information about new features, known limitations, environment, and system requirements for the software.
PowerProtect Data Manager Security Configuration Guide | Contains security information.
PowerProtect Data Manager Amazon Web Services Deployment Guide | Describes how to deploy the software to Amazon Web Services (AWS).
PowerProtect Data Manager Azure Deployment Guide | Describes how to deploy the software to Microsoft Azure.
PowerProtect Data Manager Google Cloud Platform Deployment Guide | Describes how to deploy the software to Google Cloud Platform (GCP).
PowerProtect Data Manager Cloud Disaster Recovery Administration and User Guide | Describes how to deploy Cloud Disaster Recovery (Cloud DR), protect virtual machines in the AWS or Azure cloud, and run recovery operations.
PowerProtect Data Manager Cyber Recovery User Guide | Describes how to install, update, patch, and uninstall the PowerProtect Cyber Recovery software.
PowerProtect Data Manager File System User Guide | Describes how to configure and use the software with the File System agent for file-system data protection.
PowerProtect Data Manager Kubernetes User Guide | Describes how to configure and use the software to back up and restore namespaces and PVCs in a Kubernetes cluster.
PowerProtect Data Manager Microsoft Exchange Server User Guide | Describes how to configure and use the software to back up and restore the data in a Microsoft Exchange Server environment.
PowerProtect Data Manager Microsoft SQL Server User Guide | Describes how to configure and use the software to back up and restore the data in a Microsoft SQL Server environment.
PowerProtect Data Manager Oracle RMAN User Guide | Describes how to configure and use the software to back up and restore the data in an Oracle Server environment.
PowerProtect Data Manager SAP HANA User Guide | Describes how to configure and use the software to back up and restore the data in an SAP HANA Server environment.
PowerProtect Data Manager Storage Direct User Guide | Describes how to configure and use the software with the Storage Direct agent to protect data on VMAX storage arrays through snapshot backup technology.
PowerProtect Data Manager Network Attached Storage User Guide | Describes how to configure and use the software to protect and recover the data on network-attached storage (NAS) shares and appliances.
PowerProtect Data Manager Virtual Machine User Guide | Describes how to configure and use the software to back up and restore virtual machines and virtual machine disks (VMDKs) in a vCenter Server environment.
VMware Cloud Foundation Disaster Recovery With PowerProtect Data Manager | Provides a detailed description of how to perform an end-to-end disaster recovery of a VMware Cloud Foundation (VCF) environment.
PowerProtect Data Manager Public REST API documentation | Contains the Dell Technologies APIs and includes tutorials to guide you in their use.
vRealize Automation Data Protection Extension for Data Protection Systems Installation and Administration Guide | Describes how to install, configure, and use the vRealize Data Protection Extension.
Typographical conventions
The following type style conventions are used in this document:
Table 2. Style conventions
Formatting | Description
Bold | Used for interface elements that a user specifically selects or clicks, for example, names of buttons, fields, tab names, and menu paths. Also used for the name of a dialog box, page, pane, screen area with title, table label, and window.
Italic | Used for full titles of publications that are referenced in text.
Monospace | Used for: system code; system output, such as an error message or script; pathnames, file names, file name extensions, prompts, and syntax; commands and options.
Monospace italic | Used for variables.
Monospace bold | Used for user input.
[ ] | Square brackets enclose optional values.
| | Vertical line indicates alternate selections. The vertical line means "or" for the alternate selections.
{ } | Braces enclose content that the user must specify, such as x, y, or z.
... | Ellipses indicate non-essential information that is omitted from the example.
You can use the following resources to find more information about this product, obtain support, and provide feedback.
Where to find product documentation
- The Customer Support website
- The Community Network
- The PowerProtect Data Manager Info Hub
Where to get support
The Customer Support website provides access to product licensing, documentation, advisories, downloads, and how-to and troubleshooting information. The information can enable you to resolve a product issue before you contact Customer Support.
To access a product-specific page:
1. Go to the Customer Support website.
2. In the search box, type a product name, and then from the list that appears, select the product.
Support Library
The Support Library contains a knowledge base of applicable solutions that you can search for either by solution number (for example, KB000xxxxxx) or by keyword.
To search the Support Library:
1. Go to the Customer Support website.
2. On the Support tab, click Support Library.
3. In the search box, type either the solution number or keywords. Optionally, you can limit the search to specific products by typing a product name in the search box, and then selecting the product from the list that appears.
Live chat
To participate in a live interactive chat with a support agent:
1. Go to the Customer Support website.
2. On the Support tab, click Contact Support.
3. On the Contact Information page, click the relevant support, and then proceed.
Service requests
To obtain in-depth help from a support agent, submit a service request. To submit a service request:
1. Go to the Customer Support website.
2. On the Support tab, click Service Requests.
NOTE: To create a service request, you must have a valid support agreement. For details about either an account or obtaining a valid support agreement, contact a sales representative. To find the details of a service request, in the Service Request Number field, type the service request number, and then click the right arrow.
To review an open service request:
1. Go to the Customer Support website.
2. On the Support tab, click Service Requests.
3. On the Service Requests page, under Manage Your Service Requests, click View All Dell Service Requests.
Online communities
For peer contacts, conversations, and content on product support and solutions, go to the Community Network. Interactively engage with customers, partners, and certified professionals online.
How to provide feedback
Feedback helps to improve the accuracy, organization, and overall quality of publications. You can send feedback to DPADDocFeedback@dell.com.
PowerProtect Data Manager for Virtual Machines Overview
Topics:
- PowerProtect Data Manager overview
- Additional information and context
- Supported Internet Protocol versions
- Terminology
- Role-based security
- Firewall and port considerations
- PowerProtect Data Manager new deployment overview
- Access the PowerProtect Data Manager UI
PowerProtect Data Manager overview
Use PowerProtect Data Manager to perform the following operations:
- Automate the configuration of virtual machine backup policy and protection storage settings.
- Create a catalog of virtual machine backups. Then, monitor that catalog data to determine if retention policies are being adhered to.
- Manage the life cycle of virtual machine backups. Ensure that the backups are marked for garbage collection, based on the rules of the retention policy.
For virtual machines, PowerProtect Data Manager provides the following benefits:
- Enables the data protection team to create data paths with provisioning, automation, and scheduling to embed protection engines into the infrastructure for high-performance backup and recovery.
- Enables backup administrators of large-scale environments to schedule backups for VMware virtual machines from a central location on the PowerProtect Data Manager server.
- Enables governed self-service and centralized protection by:
  - Monitoring and enforcing service-level objectives (SLOs)
  - Identifying violations of recovery-point objectives (RPO)
  - Setting retention locks on backups for all asset types
- Supports deploying an external VM Direct appliance to move data with the VM Direct Engine. The PowerProtect Data Manager software comes prebundled with an embedded VM Direct engine, which is automatically used as a fallback proxy for performing backup and restore operations when the added external proxies fail or are disabled. It is recommended that you always deploy external proxies, because the embedded proxy has limited capacity for performing parallel backups.
- Supports the vRealize Automation DP extension, which enables provisioning of virtual machines with PowerProtect Data Manager protection, on-demand backup, and restore to the original or a new location. The vRealize Automation Data Protection Extension for PowerProtect Data Manager Installation and Administration Guide provides more information.
Additional information and context
This guide contains content that is specific to protecting virtual machines and may not repeat information that is already covered in the PowerProtect Data Manager Administration and User Guide, for example because that information is also common to other asset types or is part of server administration.
The PowerProtect Data Manager Administration and User Guide provides important information about configuring PowerProtect Data Manager before and during use, including prerequisites such as adding protection storage and creating storage units.
Supported Internet Protocol versions
PowerProtect Data Manager and its components support IPv4 and IPv6 addresses in certain configurations.
Table 3. Supported configurations
Component | Internet Protocol
PowerProtect Data Manager core | IPv4 only or both IPv4 and IPv6
VM Direct and Search | IPv4 only or IPv6 only. NOTE: Virtual machines that are backed up must use the same protocol that VM Direct uses. Virtual machines can use both IPv4 and IPv6, even though VM Direct cannot.
Application agents integrated with PowerProtect Data Manager: | NOTE: If both IPv4 and IPv6 are configured and the PowerProtect Data Manager FQDN is used, the agent uses IPv6 for network communication.
File System | IPv4, IPv6, or both
Microsoft Exchange Server | IPv4 only or both IPv4 and IPv6
Microsoft SQL Server (Application Direct) | IPv4, IPv6, or both
Microsoft SQL Server (VM Direct) | IPv4 only or IPv6 only. NOTE: Only the Microsoft SQL Server agent supports VM Direct.
Oracle RMAN | IPv4, IPv6, or both
SAP HANA | IPv4, IPv6, or both
Storage Direct | IPv4 only
Standalone application agents | IPv4 only
Network-attached storage (NAS) | IPv4 only
Kubernetes | IPv4 only
PowerProtect Data Manager management | IPv4 or IPv6
PowerProtect DD communication | IPv4 or IPv6
Report Browser | IPv4 only
SupportAssist | IPv4, IPv6, or both
Syslog Log Server Gateway | IPv4 or IPv6
The following limitations and considerations apply.
Communication with components
If PowerProtect Data Manager is configured to only use one protocol, all components it communicates with must also use that protocol. If some components that PowerProtect Data Manager communicates with use IPv4 and others use IPv6, PowerProtect Data Manager must be configured to use both IPv4 and IPv6.
DD systems and DDVE
If a DD system or a DDVE instance uses only IPv6, the required IPv6 interface must be manually selected when a protection policy is added or edited.
Disaster recovery
Recovering a PowerProtect Data Manager server might result in a conflict with protection-policy configurations. For instance, if the recovered server is configured to use only IPv4, a protection policy that is configured to use IPv6 cannot run.
Name resolution
Name resolution and reverse IP lookup must be configured to ensure the following:
- Fully qualified domain names of PowerProtect Data Manager, its components, and DD components resolve to a valid IPv4 or IPv6 address.
- If both IPv4 and IPv6 addresses are used for DD, both addresses resolve to the same FQDN.
- All IPv4 and IPv6 addresses are valid and reachable.
Server updates
IPv6 is only supported with new installations. Using IPv6 after updating from PowerProtect Data Manager 19.11 or earlier is unsupported.
Storage Policy Based Management
If using vCenter or ESXi 7.0u2 or earlier with only IPv6, SPBM providers must be added using their PowerProtect Data Manager FQDN.
Service Unavailable messages with the vSphere Client PowerProtect plug-in
If vCenter uses the vSphere Client PowerProtect plug-in with IPv6 and the vCenter host is added to PowerProtect Data Manager using its IPv6 address or FQDN, Service Unavailable messages might be seen for the protected virtual machine. Backups and restores of the protected virtual machine are unaffected, and these messages can be ignored.
Uncompressed IPv6 formatting
Network interfaces that exist on a DD 7.4.x or earlier system and that are configured to use an uncompressed IPv6 format cannot be discovered. An example of an uncompressed IPv6 format is 2620:0000:0170:0597:0000:0000:0001:001a. An example of a compressed IPv6 format is 2620:0:170:597::1:1a. To use these network interfaces, reconfigure them to use either an IPv4 address or a compressed IPv6 address, and then initiate a discovery.
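The rules in this section can be checked against an address plan before deployment. The following Python example is added here and is not part of the Dell guide or product: it checks a plan against Table 3, the shared-protocol rule, the VM Direct rule, and the uncompressed IPv6 limitation. The component keys, the plan layout, and the sample addresses are constructed for illustration, and any IPv6 address not written in its compressed form is treated as uncompressed (an assumption).

```python
import ipaddress

V4, V6, DUAL = frozenset({4}), frozenset({6}), frozenset({4, 6})

# Table 3, transcribed for the entries that name an exact combination.
# The short keys are labels chosen for this example, not product identifiers.
SUPPORTED = {
    "core": {V4, DUAL},
    "vm_direct": {V4, V6},
    "search": {V4, V6},
    "file_system": {V4, V6, DUAL},
    "exchange": {V4, DUAL},
    "sql_app_direct": {V4, V6, DUAL},
    "sql_vm_direct": {V4, V6},
    "oracle_rman": {V4, V6, DUAL},
    "sap_hana": {V4, V6, DUAL},
    "storage_direct": {V4},
    "nas": {V4},
    "kubernetes": {V4},
    "report_browser": {V4},
}


def protocols(addresses):
    """Return the IP versions (4, 6 or both) used by a list of addresses."""
    return frozenset(ipaddress.ip_address(a).version for a in addresses)


def is_uncompressed_ipv6(text):
    """True when text is an IPv6 address that is not in compressed form."""
    try:
        address = ipaddress.IPv6Address(text)
    except ValueError:
        return False  # IPv4, or not an address at all
    return text.lower() != address.compressed


def dd_release(version):
    """Turn '7.4.0.5' into (7, 4) so that releases compare numerically."""
    major, minor = version.split(".")[:2]
    return int(major), int(minor)


def preflight(plan):
    """Return (subject, problem) pairs; an empty list means no rule is broken."""
    findings = []
    core = protocols(plan["core"])
    if core not in SUPPORTED["core"]:
        findings.append(("core", "protocol combination not listed in Table 3"))
    for name, addresses in plan["components"].items():
        used = protocols(addresses)
        if used not in SUPPORTED.get(name, ()):
            findings.append((name, "protocol combination not listed in Table 3"))
        if not used & core:
            findings.append((name, "shares no protocol with the core"))
    # Backed-up virtual machines must be reachable over VM Direct's protocol.
    vm_direct = protocols(plan["components"].get("vm_direct", []))
    for vm, addresses in plan["protected_vms"].items():
        if vm_direct and not vm_direct <= protocols(addresses):
            findings.append((vm, "does not use the protocol that VM Direct uses"))
    # DD 7.4.x or earlier: uncompressed IPv6 interfaces cannot be discovered.
    for version, address in plan["dd_interfaces"]:
        if dd_release(version) <= (7, 4) and is_uncompressed_ipv6(address):
            findings.append((address, "uncompressed IPv6 on DD 7.4.x or earlier"))
    return findings


# Constructed sample plan (documentation address ranges, made-up host names).
SAMPLE_PLAN = {
    "core": ["192.0.2.10"],
    "components": {
        "vm_direct": ["2001:db8::20"],
        "kubernetes": ["192.0.2.30", "2001:db8::30"],
        "file_system": ["192.0.2.40"],
    },
    "protected_vms": {
        "vm-app01": ["192.0.2.50"],
        "vm-db01": ["192.0.2.51", "2001:db8::51"],
    },
    "dd_interfaces": [
        ("7.4.0.5", "2001:0db8:0000:0000:0000:0000:0000:0060"),
        ("7.10.0.0", "2001:0db8:0000:0000:0000:0000:0000:0061"),
        ("7.2.0.0", "2001:db8::62"),
    ],
}

if __name__ == "__main__":
    for subject, problem in preflight(SAMPLE_PLAN):
        print(f"{subject}: {problem}")
```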
Terminology
Familiarize yourself with the terminology for the PowerProtect Data Manager user interface and documentation.
The following table provides more information about names and terms that you should know to use PowerProtect Data Manager:
Table 4. Term list
Term | Description
Application agent | Application agents are installed on application or database host servers to manage protection using PowerProtect Data Manager. These agents are commonly known as DD Boost Enterprise Agents (DDBEAs) for databases and applications.
Application-aware | A virtual machine protection policy that includes additional application-aware data protection for Microsoft SQL Servers. An application-aware virtual machine protection policy provides the ability to quiesce the application during virtual machine image backup to perform a full backup of Microsoft SQL Server databases. You can also schedule Microsoft SQL Server log backups for the virtual machines in the policy.
Asset | Assets are objects in PowerProtect Data Manager for which you want to manage protection, including virtual machines, databases, and file systems.
Asset source | Assets that PowerProtect Data Manager protects reside within asset sources, which include vCenter servers, application or database hosts, and file servers.
Cloud Tier storage | Cloud Tier storage can be added to a protection storage system to expand the deduplication storage capacity onto less expensive object storage in public or private object storage clouds, including secure Elastic Cloud Storage appliances.
Copy | A PowerProtect Data Manager copy is a point-in-time backup copy of an asset.
Copy Map | The PowerProtect Data Manager Copy Map is a visual representation of backup copy locations on your protection storage and is available for all protected assets that have copies.
Discovery | Discovery is an internal process that scans asset sources to find new assets to protect and scans infrastructure components to monitor their health and status.
Instant Access | PowerProtect Data Manager virtual machine backup copies can be accessed, mounted, and booted directly from the protection storage targets as running virtual machines. This operation is called Instant Access. Copies can also be moved to a production VMware datastore using vMotion. PowerProtect Data Manager virtual machine application-aware backup copies can be mounted directly from protection storage as running Microsoft SQL Server databases, which includes the ability to roll forward log backups. These Microsoft SQL Server database disks can also be moved to a production VMware datastore using vMotion.
PowerProtect Data Manager agent | An agent that is included in PowerProtect Data Manager and installed on each application agent host server so that you can monitor and manage the application agent through PowerProtect Data Manager.
Protection policy | Protection policies configure and manage the entire life cycle of backup data, which includes backup types, assets, backup start and stop times, backup devices, and backup retention.
Service-level agreement (SLA) | An optional policy that you can layer on top of a protection policy. An SLA performs additional checks on protection activities to ensure that protection goals meet the standards of an organization. SLAs are made up of one or more service-level objectives.
Service-level objective (SLO) | A definable rule that sets the criteria for recovery-point objectives (RPOs), encryption, and the location of backups according to company requirements.
Role-based security
PowerProtect Data Manager provides predefined user roles that control access to areas of the user interface and to protected operations. Some of the functionality in this guide is reserved for particular roles and may not be accessible from every user account.
By using the predefined roles, you can limit access to PowerProtect Data Manager and to backup data by applying the principle of least privilege.
The PowerProtect Data Manager Security Configuration Guide provides more information about user roles, including the associated privileges and the tasks that each role can perform.
Firewall and port considerations
The PowerProtect Data Manager Security Configuration Guide provides more details about the port requirements. Verify the requirements between the following components:
- PowerProtect Data Manager
- Configured DD systems
- VM Direct appliances (embedded and external)
- Web and REST API clients
- Callhome (SupportAssist)
- ESXi
- vCenter
PowerProtect Data Manager new deployment overview
Familiarize yourself with the high-level steps required to protect virtual machines.
Steps
1. Design how to group the backups based on the storage requirements and retention policies.
The account team can help with backup storage design.
2. Deploy PowerProtect Data Manager.
The PowerProtect Data Manager Deployment Guide for the appropriate platform provides instructions. Review all prerequisites.
3. Configure PowerProtect Data Manager settings.
For example, configure additional users, identity providers, or virtual networks.
The PowerProtect Data Manager Administration and User Guide and PowerProtect Data Manager Security Configuration Guide provide instructions.
4. Add protection storage.
The PowerProtect Data Manager Administration and User Guide provides instructions.
5. Configure any required storage units.
The PowerProtect Data Manager Administration and User Guide provides instructions.
6. Deploy any required VM Direct Engine appliances.
7. Add a protection policy for groups of assets that you want to back up.
8. Add Service Level Objectives to the protection policy to verify that the protected assets meet the Service Level Agreements (SLAs).
The PowerProtect Data Manager Administration and User Guide provides instructions.
9. Perform a full backup.
Without a full backup, PowerProtect Data Manager treats the backups as partial and assumes that you are out of compliance.
10. Monitor protection compliance in the PowerProtect Data Manager dashboard.
Access the PowerProtect Data Manager UI
PowerProtect Data Manager provides a web-based UI that you can use to manage and monitor system features and settings from any location over a network.
Steps
1. From a host that has network access to the virtual appliance, use Google Chrome to connect to the appliance:
https://<appliance_hostname>
NOTE: You can specify the hostname or the IP address of the appliance.
2. Log in with your username and password.
Usernames follow the format user[@domain], where domain is an optional identifier that associates the user with a particular identity provider.
For example: jsmith or administrator@test-lab.
- If you do not supply a domain, the authentication service checks the default identity provider.
- If you supply a domain, the authentication service consults the external identity provider for that domain and determines whether to allow the login.
NOTE:
- If the user interface is left unattended for more than 30 minutes and times out, the login page might display with the error 503: Unknown Error. If this occurs, dismiss the error and log in again with your username and password.
- If you log in with an expired password, reset the password immediately. Clicking Cancel, closing the browser, or navigating away from the page before changing your password disables your credentials for subsequent logins. If you log in and receive a prompt to change your password because of outdated login credentials, provide your current password, a new password, and confirmation of the new password to continue.
When the identity provider validates the credentials, the authentication service issues a user token. The PowerProtect Data Manager UI uses the token information to authorize activities.
Unless you have changed the system configuration, the default identity provider is the local identity provider.
The PowerProtect Data Manager Security Configuration Guide provides more information about the available user roles and their associated permissions. The associated roles for an account determine what parts of the UI a user can see and use, and what operations a user can perform.
If this is your first time accessing the PowerProtect Data Manager UI, an unsigned certificate warning might appear in the web browser.
The security certificate that encrypts communication between the PowerProtect Data Manager UI and the web browser is self-signed. A self-signed certificate is signed by the web server that hosts the secure web page. There is nothing wrong with this certificate. This certificate is sufficient to establish an encrypted channel between the web browser and the server. However, it is not signed by a trusted authority.
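Because the certificate is self-signed, the browser cannot validate it against a trusted authority; comparing its SHA-256 fingerprint with a value recorded through a trusted channel confirms that the warning relates to the expected appliance certificate. The following Python example is added here and is not part of the Dell guide or product; the function names are chosen for this example, and the host name and recorded fingerprint are supplied by the administrator.

```python
import hashlib
import hmac
import ssl
import sys


def normalise_fingerprint(text):
    """Accept 'AB:CD:...', 'ab cd ...' or plain hex; return lowercase hex."""
    digits = "".join(ch for ch in text if ch not in ": \t").lower()
    if len(digits) != 64 or any(ch not in "0123456789abcdef" for ch in digits):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return digits


def sha256_fingerprint(der_bytes):
    """SHA-256 over the DER encoding, the value browsers show for a certificate."""
    return hashlib.sha256(der_bytes).hexdigest()


def matches_recorded(der_bytes, recorded):
    """Compare the presented certificate with the recorded fingerprint."""
    return hmac.compare_digest(
        sha256_fingerprint(der_bytes), normalise_fingerprint(recorded)
    )


def fetch_certificate_der(host, port=443):
    """Fetch the certificate the server presents, without validating its chain."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    # Usage: script.py <appliance_hostname> <recorded_sha256_fingerprint>
    appliance, recorded = sys.argv[1], sys.argv[2]
    presented = fetch_certificate_der(appliance)
    if matches_recorded(presented, recorded):
        print("fingerprint matches the recorded value")
    else:
        print("fingerprint differs:", sha256_fingerprint(presented))
        sys.exit(1)
```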
The Get Started window appears with configuration options that are required on first deployment. To skip this window and go right to the Dashboard, click Launch.
From the Dashboard window:
- The left pane provides links to the available menu items. Expand a menu item for more options.
- The icons in the PowerProtect Data Manager banner provide additional options.
Get Started window
The Get Started window provides configuration options that are required when the PowerProtect Data Manager system is first deployed. This window continues to display by default each time you log in until you click Launch.
You can access the Get Started window at any time, or view any getting started options that have yet to be configured, by
clicking , and then selecting Getting Started.
The Get Started window enables you to configure or edit the following menu items:
Table 5. PowerProtect Data Manager Get Started menu items
Options | Description
License | Launches the License window, which prompts you to add a license file to PowerProtect Data Manager. Once a license is uploaded, you can view license details, such as capacity usage and software ID.
Support | Launches the Support window, which enables you to configure SupportAssist, AutoSupport, and set up the email server for application notifications and messages.
Assets | Launches the Asset Sources window, where you can enable any of the asset source types that PowerProtect Data Manager supports. After enabling an asset source, you can add and register the source for the protection of assets.
Storage | Launches the Add Storage window, where you can add a PowerProtect DD System or PowerProtect DD Management Center as protection storage for primary backup and replicated copies.
Enabling Virtual Machine Protection
Topics:
- About asset sources, assets, and protection storage
- About vCenter server asset sources and virtual assets
- Prerequisites for discovering asset sources
- Enable an asset source
- Adding a vCenter Server asset source
- VM Direct protection engine overview
About asset sources, assets, and protection storage
In PowerProtect Data Manager, assets are the basic units that PowerProtect Data Manager protects. Asset sources are the mechanism that PowerProtect Data Manager uses to manage assets and communicate with the protection storage where backup copies of the assets are stored.
For virtual machines, the vCenter server is the asset source and the virtual machines are the assets. Before you can add an asset source, you must enable the source within the PowerProtect Data Manager UI.
Add and configure protection storage to use as a target for protection policies. The PowerProtect Data Manager Administration and User Guide provides instructions.
About vCenter server asset sources and virtual assets
After you add a vCenter server as an asset source in PowerProtect Data Manager, an automatic discovery of VMware entity information from the vCenter server is initiated.
The virtual assets of the vCenter server appear in the Assets window of the PowerProtect Data Manager user interface under the Virtual Machine tab.
The initial vCenter server discovery identifies all ESXi clusters, hosts, and virtual machines within the vCenter server. Subsequent discoveries can be performed to identify any additional or changed VMware entities since the last discovery operation. You can also manually initiate a discovery of VMware entities at any time from the vCenter tab of the Asset Sources window by selecting a vCenter server and clicking Discover.
After vCenter server and virtual asset discovery, the PowerProtect Data Manager VM Direct protection engine facilitates the management of virtual assets as PowerProtect Data Manager resources for the purposes of backup and recovery. It is recommended that you also add an external VM Direct Engine in the Protection Engines window. You can protect virtual machine assets by manually adding the assets to a virtual machine protection policy, or by creating and applying protection rules to determine which assets are included in a protection policy based on rule definitions.
Prerequisites for discovering asset sources
Perform these tasks before you discover an asset source.
- Ensure that the PowerProtect Data Manager is deployed and configured in the environment. The PowerProtect Data Manager deployment guides provide information.
- Log in as a user with the Administrator role. Only the Administrator role can manage asset sources.
- For a new system, enable one or more asset sources for the types of assets that you want to protect. Enable an asset source provides more information.
- Configure all asset sources with an NTP server.
- Before you register a Microsoft SQL Server application, ensure that the DD system has been discovered successfully.
- For discovery of application agents and File System asset sources:
  - Ensure that all clocks on the application and File System hosts and PowerProtect Data Manager are time-synchronized to the local NTP server to ensure discovery of the backups.
  - Ensure that the application and File System hosts and the PowerProtect Data Manager network can see and resolve each other.
  - Ensure that port 7000 is open on the application and File System hosts.
- Discovery of a vCenter Server asset source excludes the following:
  - Virtual machines with a status of Inaccessible, Invalid, or Orphaned.
  - The virtual machine template.
  - The shadow or standby virtual machine created by RecoverPoint for Virtual Machines, also referred to as the vRPA copy.
  - The vSphere Cluster Service (vCLS) virtual machine.
    NOTE: Virtual machines created by the vCLS are managed by VMware, and do not require PowerProtect Data Manager protection. Even when selected as part of a container, they are automatically excluded from protection. The vmdm-discovery.log provides a list of vCLS virtual machines that are excluded from protection.
Prior to performing the vCenter discovery, verify the status of any virtual machines that you want to discover.
Discovering asset sources in a GCVE environment
There are special discovery considerations in a GCVE environment. Discovery fails unless GCVE-located vCenter servers have additional permissions.
Ensure the following permissions of any GCVE-located vCenter server:
- The GVE.LOCAL\CloudOwner user is mapped to the Cloud-Owner-Role role at the vCenter level.
- The GVE.LOCAL\CloudOwner to Cloud-Owner-Role mapping is not restricted to a lower-level container object in the vSphere object hierarchy.
Enable an asset source
An asset source must be enabled in PowerProtect Data Manager before you can add and register the asset source for the protection of assets.
About this task
Only the Administrator role can manage asset sources.
In some circumstances, the enabling of multiple asset sources is required. For example, a vCenter Server and a Kubernetes cluster asset source must be enabled for Tanzu Kubernetes guest cluster protection.
There are other circumstances where enabling an asset source is not required, such as the following:
- For application agents and other agents such as File System and Storage Direct, an asset source is enabled automatically when you register and approve the agent host. For example, if you have not enabled an Oracle asset source but have registered the application host through the API or the PowerProtect Data Manager user interface, PowerProtect Data Manager automatically enables the Oracle asset source.
- When you update to the latest version of PowerProtect Data Manager from an earlier release, any asset sources that were previously enabled appear in the PowerProtect Data Manager user interface. On a new deployment, however, no asset sources are enabled by default.
Steps
1. From the PowerProtect Data Manager user interface, select Infrastructure > Asset Sources, and then click + to reveal the New Asset Source tab.
2. In the pane for the asset source that you want to add, click Enable Source. The Asset Sources window updates to display a tab for the new asset source.
Results
You can now add or approve the asset source for use in PowerProtect Data Manager. For a vCenter server, Kubernetes cluster, SMIS Server, or PowerProtect Cloud Snapshot Manager tenant, select the appropriate tab in this window and click Add. For an application host, select Infrastructure > Application Agents and click Add or Approve as required.
NOTE: Although you can add a Cloud Snapshot Manager tenant to PowerProtect Data Manager in order to view its health,
alerts, and the status of its protection, recovery, and system jobs, you cannot manage the protection of its assets from
PowerProtect Data Manager. To manage the protection of its assets, use Cloud Snapshot Manager. For more information,
see the PowerProtect Cloud Snapshot Manager Online Help.
Disable an asset source
If you enabled an asset source that you no longer require, and the host has not been registered in PowerProtect Data Manager, perform the following steps to disable the asset source.
About this task
NOTE: An asset source cannot be disabled when one or more sources are still registered or there are backup copies of the
source assets. For example, if you registered a vCenter server and created policy backups for the vCenter Server virtual
machines, then you cannot disable the vCenter Server asset source. But if you register a vCenter server and then delete it
without creating any backups, you can disable the asset source.
Steps
1. From the PowerProtect Data Manager UI, select Infrastructure > Asset Sources, and then select the tab of the asset source that you want to disable. If no host registration is detected, a red Disable button appears.
2. Click Disable.
Results
PowerProtect Data Manager removes the tab for this asset source.
Delete an asset source
If you want to remove an asset source that you no longer require, perform the following steps to delete the asset source in the PowerProtect Data Manager UI.
About this task
Only the Administrator role can manage the asset sources.
Steps
1. From the PowerProtect Data Manager UI, select Infrastructure > Asset Sources, and then select the tab for the type of asset source that you want to delete.
2. Select the asset source name in the asset source list, and then click Delete.
3. At the warning prompt that appears, click Continue. The asset source is deleted from the list.
Results
PowerProtect Data Manager removes the specified asset source in the Asset Sources window.
For all asset sources except the vCenter Server, any associated assets that are protected by the protection policy are removed from the protection policy and their status is changed to deleted. These assets are removed automatically as part of daily PowerProtect Data Manager cleanup after all associated backup copies have been deleted. These assets can also be removed manually. The PowerProtect Data Manager Administration and User Guide provides details on how to remove assets from PowerProtect Data Manager.
The copies of assets from the asset source are retained (not deleted). You can delete the copies from the copies page, if required.
Adding a vCenter Server asset source
After you register a vCenter server with PowerProtect Data Manager, you can use the Asset Sources window in the PowerProtect Data Manager user interface to add a vCenter Server asset source to the PowerProtect Data Manager environment.
Adding a vCenter Server asset source is required if you want to schedule a backup through PowerProtect Data Manager.
Add a VMware vCenter server
Perform the following steps to add a vCenter server as an asset source in the PowerProtect Data Manager UI for virtual machine protection and Tanzu Kubernetes guest cluster protection.
Prerequisites
- Ensure that the asset source is enabled. Enable an asset source provides instructions.
- Log in as a user with the Administrator role. Only the Administrator role can manage asset sources.
- By default, PowerProtect Data Manager enforces SSL certificates during communication with vCenter server. If a certificate appears and you trust the certificate, click Verify.
The SSL certificate enforcement requires that the common name (cn) of the x509 certificate on the vCenter server matches the hostname of the vCenter URL. The common name of the x509 certificate is typically the vCenter server fully qualified domain name (FQDN), but it could be the vCenter server IP address. You can inspect the vCenter server SSL certificate to determine whether the x509 common name is an FQDN or IP. When creating an asset source resource, in order to pass SSL certificate enforcement, the asset source resource hostname must match the common name of the x509 certificate on the vCenter server.
NOTE: It is recommended that you do not disable certificate enforcement. If disabling the certificate is required,
carefully review the instructions in the section Disable vCenter SSL certificate validation.
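One way to inspect the vCenter certificate before you fill in the Address field, as an added PowerShell example that is not part of the Dell guide. The function name and the host name `vcenter01.example.com` are placeholders; the function reads the certificate's subject name, reports whether it is an FQDN or an IP address, and compares it with the address you intend to register.

```powershell
# Added example, not Dell's code. Reads the certificate that a vCenter server
# presents on its HTTPS port and compares the subject common name (CN) with the
# address you plan to type into the Add vCenter dialog.
function Get-VCenterCertificateName {
    [CmdletBinding()]
    param(
        # FQDN or IP address exactly as you intend to register it.
        [Parameter(Mandatory)] [string] $Address,
        [ValidateRange(1, 65535)] [int] $Port = 443
    )

    $client = [System.Net.Sockets.TcpClient]::new()
    $ssl = $null
    try {
        $client.Connect($Address, $Port)
        # The callback accepts any certificate because this connection exists
        # only to read the certificate; no credentials or data are sent over it.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($Address)
        # Copy the certificate so that it stays usable after the stream is closed.
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }

    # SimpleName returns the subject CN when the certificate has one.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $commonName = $cert.GetNameInfo($nameType, $false)

    # Decide whether the CN is an IP address or a host name.
    $parsedIp = $null
    $cnIsIp = [System.Net.IPAddress]::TryParse($commonName, [ref] $parsedIp)

    # Subject alternative names (OID 2.5.29.17), shown for information only.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }

    [pscustomobject]@{
        Address         = $Address
        CommonName      = $commonName
        CommonNameKind  = if ($cnIsIp) { 'IP address' } else { 'FQDN or host name' }
        # String comparison with -eq is case-insensitive in PowerShell.
        MatchesAddress  = ($commonName -eq $Address)
        SubjectAltNames = if ($san) { $san.Format($false) } else { '' }
        Thumbprint      = $cert.Thumbprint
        NotAfter        = $cert.NotAfter
    }
}

# Usage (placeholder host name):
# Get-VCenterCertificateName -Address 'vcenter01.example.com' | Format-List
```

If MatchesAddress is False, register the vCenter server with the value shown in CommonName rather than disabling certificate enforcement.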
Steps
1. From the left navigation pane, select Infrastructure > Asset Sources.
The Asset Sources window appears.
2. Select the vCenter tab.
3. Click Add. The Add vCenter dialog displays.
4. Specify the source attributes:
a. In the Name field, specify the vCenter server name.
b. In the Address field, specify the fully qualified domain name (FQDN) or the IP address.
NOTE: For a vCenter server, it is recommended that you use the FQDN instead of the IP address.
c. In the Port field, specify the port for communication if you are not using the default port, 443.
5. Under Host Credentials, choose an existing entry from the list to use for the vCenter user credentials. Alternatively, you can click Add from this list to add new credentials, and then click Save.
NOTE: Ensure that you specify the credentials for a user whose role is defined at the vCenter level, as opposed to being
restricted to a lower-level container object in the vSphere object hierarchy.
6. If you want to make a subset of the PowerProtect Data Manager UI functionality available within the vSphere Client, select vSphere Plugin.
Available functionality includes: The monitoring of active virtual machine/VMDK protection policies, and Restore options such as Restore to Original, Restore to New, and Instant Access.
NOTE: You can unregister the vSphere plug-in at any time by clearing vSphere Plugin.
7. By default, the vCenter discovery occurs automatically after adding the vCenter server, and subsequent discoveries are incremental. If you want to schedule a full discovery at a certain time every day, move the Schedule Discovery slider to the right, and then specify a time.
8. If there is no hosting vCenter server and you want to make this the vCenter server that hosts PowerProtect Data Manager, select Add as hosting vCenter server. If a vCenter server has already been added as the hosting vCenter server, this option will be greyed out.
The PowerProtect Data Manager Administration and User Guide provides more information about adding a host vCenter server and specifying the PowerProtect Data Manager host.
9. If the vCenter server SSL certificate cannot be trusted automatically, a dialog box appears requesting certificate approval. Review the certificate, and then click Verify.
10. Click Save.
The vCenter server information that you entered now appears as an entry in a table on the Asset Sources window. You can click the magnifying glass icon next to the entry to view more details, such as the next scheduled discovery, the number of assets within the vCenter server, and whether the vSphere Plugin is enabled.
NOTE: Although PowerProtect Data Manager automatically synchronizes with the vCenter server under most
circumstances, certain conditions might require you to initiate a manual discovery.
After discovery, PowerProtect Data Manager starts an incremental discovery in the background periodically to keep updating PowerProtect Data Manager with vCenter changes. You can always do an on-demand discovery.
NOTE: When you add a host with existing virtual machines to PowerProtect Data Manager, or re-add a host with virtual machines that was removed from one vCenter and added to another, an incremental discovery does not discover these virtual machine assets. Wait for the next scheduled full discovery, or initiate a discovery within the PowerProtect Data Manager UI.
11. Optionally, you can set warning and failure thresholds for the available space on the datastore. Setting these thresholds enables you to check if enough storage space is available in the datastore to save the snapshot of the virtual machine during the backup process. The backup completes with a warning in the logs if the available free space in the datastore is less than or equal to the percentage indicated in the Datastore Free Space Warning Threshold. The backup fails if the available free space in the datastore is less than or equal to the percentage indicated in the Datastore Free Space Failure Threshold. To add Datastore Free Space Warning and Failure Thresholds:
a. Click the gear icon to open the vCenter Settings dialog.
b. Type a percentage value to indicate when a warning message should display due to low datastore free space.
c. Type a percentage value to indicate when a virtual machine backup failure should occur due to low datastore free space.
d. Click Save.
NOTE: Datastore free space thresholds are disabled by default.
12. Select Infrastructure > Assets.
The Assets window appears.
13. If not already selected, click the Virtual Machine tab.
Results
After a successful discovery of the vCenter asset source, the virtual machine assets in the vCenter server display in the Infrastructure > Assets window.
You can modify the details for the vCenter asset source by selecting the vCenter server in the Infrastructure > Asset Sources window and clicking Edit. You cannot, however, clear the Add as hosting vCenter check box when editing an asset source if this vCenter server has already been added as the hosting vCenter server. For this operation, use the Hosting vCenter window, as described in the PowerProtect Data Manager Administration and User Guide section for specifying the PowerProtect Data Manager host.
NOTE: Discovery time is based on networking bandwidth. The resources that are discovered and the resources that
are performing the discovery impact performance each time that you initiate a discovery process. It might appear that
PowerProtect Data Manager is not updating the Asset Sources data while the discovery is in progress.
Next steps
Add a VM Direct appliance to facilitate data movement, and then create virtual machine protection policies to back up these assets. The PowerProtect Data Manager software comes bundled with an embedded VM Direct engine, which is automatically used as a fallback proxy for performing backups and restores when the added external proxies fail or are disabled. It is recommended that external proxies be deployed since the embedded VM Direct Engine has limited capacity for performing backup streams. To add a VM Direct Engine, select Infrastructure > Protection Engines.
Creating a dedicated vCenter user account
It is recommended that you set up a separate vCenter user account at the root level that is strictly dedicated for use with PowerProtect Data Manager and the VM Direct protection engine.
Use of a generic user account such as Administrator could make future troubleshooting efforts difficult as it might not be clear which Administrator actions are actually interfacing or communicating with PowerProtect Data Manager. Using a separate vCenter user account ensures maximum clarity if it becomes necessary to examine vCenter logs.
You can specify the credentials for a vCenter user account when you add the vCenter server as an asset source in the user interface. When you add the vCenter server, ensure that you specify a user whose role is defined at the vCenter level and not restricted to a lower level container object in the vSphere object hierarchy.
vSphere permissions to support discovery of distributed vCenter deployments
In a distributed vCenter deployment, such as one vCenter server with datacenters in multiple geographic locations, it is highly recommended to use permission-based discovery if a local PowerProtect Data Manager instance is protecting virtual machines in that location. The benefit of permission-based discovery is that, instead of discovering the entire vCenter, only a subset of virtual machines, hosts, and other related vSphere entities in the vCenter is discovered, which reduces the discovery time, latency impact, and chance of discovery failures.
The permission-based discovery requires a scoped vSphere service account, which is an account with privileges that are defined by PowerProtect Data Manager that are required for accessing local virtual machines, hosts, and other related vSphere entities. This account can be a new account, or you can use an existing account by adding permissions.
Once the account is created, you can apply the required permissions. The following example demonstrates the account permissions steps a user in location A is required to perform to protect virtual machines inside a container, such as a datacenter or a cluster:
- Provide the account permissions to ancestor containers of the container, such as the vCenter and folders, with Propagate to children unselected.
- Provide the account permissions to the container, with Propagate to children selected.
- Provide the account permissions to all vSphere entities that relate to the virtual machines in the container, such as folders, datastores, and networks, with Propagate to children selected.
It is recommended to work with a virtual administrator within your organization to configure this service account so that the vSphere account added to PowerProtect Data Manager has its account permissions adjusted on the vCenter to resources that are mapped to the same site as the PowerProtect Data Manager instance.
NOTE: When adding or configuring this user account, note the following:
- Each vCenter Server can only be added once to each PowerProtect Data Manager instance. This behavior is common to PowerProtect Data Manager.
- Setting up a user account with permissions to some remote virtual machines in addition to local ones, although possible, is not recommended.
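The three permission steps for permission-based discovery, as an added PowerCLI example that is not part of the Dell guide. It assumes an open PowerCLI session and an existing role and service account; the function name, `EXAMPLE\svc-ppdm-site-a`, and `SiteA-Cluster` are placeholders. A related entity that is also an ancestor of the container is skipped, because a propagating grant there would widen the scope beyond the local site.

```powershell
# Added example, not Dell's code. Assumes Connect-VIServer has already been run
# and that the role and the scoped service account exist.
function Grant-ScopedDiscoveryPermission {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Datacenter or cluster object that holds the local virtual machines.
        [Parameter(Mandatory)] $Container,
        # Scoped service account, for example 'EXAMPLE\svc-ppdm-site-a'.
        [Parameter(Mandatory)] [string] $Principal,
        # Role that carries the required privileges.
        [Parameter(Mandatory)] [string] $RoleName,
        # Folders, datastores, and networks used by the VMs in the container.
        [object[]] $RelatedEntity = @()
    )

    $role = Get-VIRole -Name $RoleName -ErrorAction Stop
    $plan = [System.Collections.Generic.List[object]]::new()
    $ancestorIds = [System.Collections.Generic.HashSet[string]]::new()

    # Step 1: every ancestor up to the root folder (the vCenter level),
    # with Propagate to children unselected.
    $parentRef = $Container.ExtensionData.Parent
    while ($parentRef) {
        $parentView = Get-View -Id $parentRef
        $ancestor = Get-VIObjectByVIView -VIView $parentView
        [void] $ancestorIds.Add($ancestor.Id)
        $plan.Add([pscustomobject]@{ Entity = $ancestor; Propagate = $false })
        $parentRef = $parentView.Parent
    }

    # Step 2: the container itself, with Propagate to children selected.
    $plan.Add([pscustomobject]@{ Entity = $Container; Propagate = $true })

    # Step 3: related entities outside the container, with propagation.
    foreach ($entity in $RelatedEntity) {
        if ($ancestorIds.Contains($entity.Id)) {
            Write-Warning "Skipping '$($entity.Name)': it is an ancestor of the container, and a propagating grant there would expose the whole subtree."
            continue
        }
        $plan.Add([pscustomobject]@{ Entity = $entity; Propagate = $true })
    }

    foreach ($item in $plan) {
        $applied = $false
        $action = "Grant role '$RoleName' to $Principal (propagate: $($item.Propagate))"
        if ($PSCmdlet.ShouldProcess($item.Entity.Name, $action)) {
            New-VIPermission -Entity $item.Entity -Principal $Principal `
                -Role $role -Propagate $item.Propagate | Out-Null
            $applied = $true
        }
        # One row per planned grant, so that -WhatIf shows the full plan.
        [pscustomobject]@{
            Entity    = $item.Entity.Name
            Id        = $item.Entity.Id
            Propagate = $item.Propagate
            Applied   = $applied
        }
    }
}

# Usage (placeholder names). Preview with -WhatIf, then rerun without it:
# $cluster = Get-Cluster -Name 'SiteA-Cluster'
# $related = @(Get-VMHost -Location $cluster | Get-Datastore | Sort-Object -Property Id -Unique)
# Grant-ScopedDiscoveryPermission -Container $cluster -Principal 'EXAMPLE\svc-ppdm-site-a' `
#     -RoleName 'PowerProtect' -RelatedEntity $related -WhatIf
# Get-VIPermission -Principal 'EXAMPLE\svc-ppdm-site-a' | Select-Object Entity, Role, Propagate
```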
Specify the required privileges for a dedicated vCenter user account
You can use the vSphere Client to specify the required privileges for the dedicated vCenter user account, or you can use the PowerCLI, which is an interface for managing vSphere.
The following table includes the privileges required for this user.
NOTE: For the privileges required when administering PowerProtect Data Manager in a cloud environment, see Specify the required privileges for a dedicated cloud-based vCenter user account. For the additional privileges required when using the Transparent Snapshot Data Mover (TSDM) protection mechanism for virtual machine crash-consistent data protection, see Additional privileges required for a dedicated vCenter user account to use Transparent Snapshot Data Mover.
Table 6. Minimum required vCenter user account privileges

| Setting | vCenter 6.5 and later required privileges |
| --- | --- |
| Alarms | Create alarm; Modify alarm |
| Cryptographic operations | Add disk; Direct Access; Encrypt; Migrate (NOTE: This privilege applies only to virtual machines enabled with Microsoft virtualization-based security (VBS) or Virtual Trusted Platform Module (vTPM).); Register VM |
| Datastore | Allocate space; Browse datastore; Configure datastore; Low level file operations; Move datastore; Remove datastore; Remove file; Rename datastore |
| Extension | Register extension; Unregister extension; Update extension |
| Folder | Create folder |
| Global | Cancel task; Disable methods; Enable methods; Licenses; Log event; Manage custom attributes; Set custom attribute; Settings |
| Host | Configuration > Storage partition configuration |
| vSphere Tagging | Assign or Unassign vSphere Tag; Assign or Unassign vSphere Tag on Object (NOTE: This only applies to vCenter 7.0 and later.); Create vSphere Tag; Create vSphere Tag Category |
| Network | Assign network; Configure |
| Profile-driven storage (for SPBM policy restore in vCenter versions 7.0 U3 and earlier) | Profile-driven storage update; Profile-driven storage view |
| VM storage policies (for SPBM policy restore in vCenter versions 8.0 and later) | Update VM storage policies; View VM storage policies |
| Resource | Assign virtual machine to resource pool; Migrate powered off virtual machine; Migrate powered on virtual machine |
| Sessions | Validate session |
| Tasks | Create task; Update task |
| vApp | Export; Import; vApp application configuration |
| Virtual Machine > Change Configuration | Acquire disk lease; Add existing disk; Add new disk; Add or remove device; Advanced configuration; Change CPU count; Change Memory; Change Settings; Change Swapfile placement; Change resource; Configure Host USB device; Configure Raw device; Configure managedby; Extend virtual disk; Modify device settings; Reload from path; Remove disk; Rename; Reset guest information; Set annotation; Toggle disk change tracking; Upgrade virtual machine compatibility |
| Virtual Machine > Edit Inventory | Create new; Register; Remove; Unregister |
| Virtual Machine > Guest operations | Guest operation modifications; Guest operation program execution; Guest operation queries |
| Virtual Machine > Interaction | Configure CD media; Connect devices; Console interaction; Guest operating system management by VIX API; Install VMware Tools; Power off; Power on; Reset |
| Virtual Machine > Provisioning | Allow disk access; Allow read-only disk access; Allow virtual machine download; Mark as template |
| Virtual Machine > Snapshot Management | Create snapshot; Remove snapshot; Revert to snapshot |

PowerCLI equivalent required privileges:

```powershell
# Privilege IDs for the dedicated PowerProtect Data Manager vCenter role.
$privileges = @(
    'System.Anonymous', 'System.View', 'System.Read',
    'Alarm.Create', 'Alarm.Edit',
    'Cryptographer.AddDisk', 'Cryptographer.Access', 'Cryptographer.Encrypt',
    'Cryptographer.Migrate', 'Cryptographer.RegisterVM',
    'Datastore.Rename', 'Datastore.Move', 'Datastore.Delete', 'Datastore.Browse',
    'Datastore.DeleteFile', 'Datastore.FileManagement', 'Datastore.AllocateSpace',
    'Datastore.Config',
    'Extension.Register', 'Extension.Unregister', 'Extension.Update',
    'Folder.Create',
    'Global.ManageCustomFields', 'Global.SetCustomField', 'Global.LogEvent',
    'Global.CancelTask', 'Global.Licenses', 'Global.Settings',
    'Global.DisableMethods', 'Global.EnableMethods',
    'Host.Config.Storage',
    'InventoryService.Tagging.AttachTag', 'InventoryService.Tagging.ObjectAttachable',
    'InventoryService.Tagging.CreateTag', 'InventoryService.Tagging.CreateCategory',
    'Network.Config', 'Network.Assign',
    'Resource.AssignVMToPool', 'Resource.HotMigrate', 'Resource.ColdMigrate',
    'Sessions.ValidateSession',
    'StorageProfile.Update', 'StorageProfile.View',
    'Task.Create', 'Task.Update',
    'VApp.ApplicationConfig', 'VApp.Export', 'VApp.Import',
    'VirtualMachine.Config.Rename', 'VirtualMachine.Config.Annotation',
    'VirtualMachine.Config.AddExistingDisk', 'VirtualMachine.Config.AddNewDisk',
    'VirtualMachine.Config.RemoveDisk', 'VirtualMachine.Config.RawDevice',
    'VirtualMachine.Config.HostUSBDevice', 'VirtualMachine.Config.CPUCount',
    'VirtualMachine.Config.Memory', 'VirtualMachine.Config.AddRemoveDevice',
    'VirtualMachine.Config.EditDevice', 'VirtualMachine.Config.Settings',
    'VirtualMachine.Config.Resource', 'VirtualMachine.Config.UpgradeVirtualHardware',
    'VirtualMachine.Config.ResetGuestInfo', 'VirtualMachine.Config.AdvancedConfig',
    'VirtualMachine.Config.DiskLease', 'VirtualMachine.Config.SwapPlacement',
    'VirtualMachine.Config.DiskExtend', 'VirtualMachine.Config.ChangeTracking',
    'VirtualMachine.Config.ReloadFromPath', 'VirtualMachine.Config.ManagedBy',
    'VirtualMachine.GuestOperations.Query', 'VirtualMachine.GuestOperations.Modify',
    'VirtualMachine.GuestOperations.Execute',
    'VirtualMachine.Interact.PowerOn', 'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.Reset', 'VirtualMachine.Interact.ConsoleInteract',
    'VirtualMachine.Interact.DeviceConnection', 'VirtualMachine.Interact.SetCDMedia',
    'VirtualMachine.Interact.ToolsInstall', 'VirtualMachine.Interact.GuestControl',
    'VirtualMachine.Inventory.Create', 'VirtualMachine.Inventory.Register',
    'VirtualMachine.Inventory.Delete', 'VirtualMachine.Inventory.Unregister',
    'VirtualMachine.Provisioning.DiskRandomAccess', 'VirtualMachine.Provisioning.DiskRandomRead',
    'VirtualMachine.Provisioning.GetVmFiles', 'VirtualMachine.Provisioning.MarkAsTemplate',
    'VirtualMachine.State.CreateSnapshot', 'VirtualMachine.State.RevertToSnapshot',
    'VirtualMachine.State.RemoveSnapshot'
)

# Create the role from the privilege IDs above.
New-VIRole -Name 'PowerProtect' -Privilege (Get-VIPrivilege -Id $privileges)
```
VM Direct protection engine overview
The VM Direct protection engine provides two functions within PowerProtect Data Manager:
- A virtual machine data protection solution: Deploy a VM Direct Engine in the vSphere environment to perform virtual machine snapshot backups, which improves performance and reduces network bandwidth utilization by using the protection storage source-side deduplication.
- A Tanzu Kubernetes guest cluster data protection solution: Deploy a VM Direct Engine in the vSphere environment for protection of vSphere CSI-based persistent volumes, for which it is required to use a VM proxy instead of the cProxy, for the management and transfer of backup data.
The VM Direct protection engine is enabled after you add a vCenter server in the Asset Sources window, and allows you to collect VMware entity information from the vCenter server and save VMware virtual machines and Tanzu Kubernetes guest cluster namespaces and PVCs as PowerProtect Data Manager resources for the purposes of backup and recovery.
To view statistics for the VM Direct Engine, manage and monitor VM Direct appliances, and add an external VM Direct appliance to facilitate data movement, select Infrastructure > Protection Engines. Add a VM Direct Engine provides more information.
NOTE: In the VM Direct Engines pane, VMs Protected refers to the number of assets protected by PowerProtect Data
Manager. This count does not indicate that all the virtual machines have been protected successfully. To determine the
success or failure of asset protection, use the Jobs window.
When you add an external VM Direct appliance, the VM Direct Engines pane provides the following information:
- The VM Direct appliance IP address, name, gateway, DNS, network, and build version. This information is useful for troubleshooting network issues.
- The vCenter and ESXi server hostnames.
- The VM Direct appliance status (green check mark if the VM Direct appliance is ready, red x if the appliance is not fully operational). The status includes a short explanation to help you troubleshoot the VM Direct Engine if the VM Direct appliance is not in a fully operational state.
- The transport mode that you selected when adding the VM Direct appliance (Hot Add, Network Block Device, or the default setting Hot Add, Failback to Network Block Device).
Requirements for an external VM Direct Engine
When adding an external VM Direct Engine, note the following system requirements:
- CPU: 4 * 2 GHz (4 virtual sockets, 1 core for each socket)
- Memory: 8 GB RAM
- Disks: 2 disks (59 GB and 98 GB)
- Internet Protocol: Either only IPv4 or only IPv6
- SCSI controller: maximum of 4
- NIC: One vmxnet3 NIC with one port
Protection engine limitations
Observe the following points when planning and working with protection engines:
- Deploy protection engines with fully qualified domain names (FQDNs) or IP addresses only. Short names are no longer supported. Existing protection engines which were deployed with short names are deprecated. A future release will require you to delete and redeploy these protection engines with FQDNs or IP addresses instead.
- When you deploy protection engines with FQDNs, each FQDN must have a DNS record.
- Protection engines are part of server disaster recovery backups. However, the disaster-recovery process does not automatically redeploy protection engines.
Add a VM Direct Engine
Perform the following steps in the Protection Engines window of the PowerProtect Data Manager UI to deploy an external VM Direct Engine, also referred to as a VM proxy. The VM Direct Engine facilitates data movement for virtual machine protection policies, Kubernetes cluster protection policies that require a VM proxy instead of the cProxy, and network attached storage (NAS) protection policies.
Prerequisites
Review the sections Requirements for an external VM Direct Engine, Transport mode considerations, and Protection engine limitations.
If applicable, complete all of the virtual network configuration tasks before you assign any virtual networks. The PowerProtect Data Manager Administration and User Guide provides more information.
About this task
The PowerProtect Data Manager software comes bundled with an embedded VM Direct Engine, which is automatically used as a fallback proxy for performing backups and restores when the added external proxies fail or are disabled. It is recommended that you deploy external proxies by adding a VM Direct Engine for the following reasons:
- An external VM Direct Engine for VM proxy backup and recovery can provide improved performance and reduce network bandwidth utilization by using source-side deduplication.
- The embedded VM Direct Engine has limited capacity for backup streams.
- The embedded VM Direct Engine is not supported for VMware Cloud on AWS operations.
An external VM Direct Engine is not required for virtual machine protection policies that use the Transparent Snapshot Data Mover (TSDM) protection mechanism. For these policies, the embedded VM Direct Engine is sufficient.
NOTE: Cloud-based OVA deployments of PowerProtect Data Manager do not support the configuration of data-traffic
routing or VLANs. Those deployments skip the Networks Configuration page.
Steps
1. From the left navigation pane, select Infrastructure > Protection Engines.
The Protection Engines window appears.
2. In the VM Direct Engines pane of the Protection Engines window, click Add. The Add Protection Engine wizard displays.
3. On the Protection Engine Configuration page, complete the required fields, which are marked with an asterisk.
- Hostname, Gateway, IP Address, Netmask, and Primary DNS: Note that either only IPv4 addresses or only IPv6 addresses are supported.
- vCenter to Deploy: If you have added multiple vCenter server instances, select the vCenter server on which to deploy the protection engine.
  NOTE: Ensure that you do not select the internal vCenter server.
- ESX Host/Cluster: Select on which cluster or ESXi host you want to deploy the protection engine.
- Network: Displays all the networks that are available under the selected ESXi Host/Cluster. For virtual networks (VLANs), this network carries Management traffic.
- Data Store: Displays all datastores that are accessible to the selected ESXi Host/Cluster based on ranking (whether the datastores are shared or local), and available capacity (the datastore with the most capacity appearing at the top of the list).
  You can choose the specific datastore on which the protection engine resides, or leave the default selection of to allow PowerProtect Data Manager to determine the best location to host the protection engine.
- Transport Mode: Select Hot Add.
- Supported Protection Type: Select whether this protection engine is intended for Virtual Machine, Kubernetes Tanzu guest cluster, or NAS asset protection.
4. Click Next.
5. On the Networks Configuration page:
If this is a cloud-based OVA deployment of PowerProtect Data Manager, click Next and proceed to step 7.
The Networks Configuration page configures the virtual network (VLAN) to use for Data traffic. To continue without virtual network configuration, leave the Preferred Network Portgroup selection blank and then click Next.
a. From the Preferred Network Portgroup list, select a VST (Virtual Switch Tagging) or VGT (Virtual Guest Tagging) network. If you select a VGT portgroup, the list displays all virtual networks within the trunk range. If you select a VST portgroup, the list displays only the virtual network for the current VLAN ID.
b. Select one or more virtual networks from the list.
A protection engine requires an IP address from the static IP pool for each selected virtual network. If there are not enough IP addresses in a pool, the wizard prompts you to supply additional addresses for that network.
Ensure that the selected virtual networks support a traffic type that is compatible with protection engines. The PowerProtect Data Manager Administration and User Guide provides more information about traffic types.
c. If required, type an available static IP address or IP address range in the Additional IP Addresses column for the indicated virtual network.
For convenience when working with multiple virtual networks, you can also use one of the Auto Expand options:
- Expand Last IP: The wizard increments the host portion of the last IP address in the static IP pool. Click Apply.
- Same Last Digit: The wizard adds the network portion of the IP address to the specified value. Type the host portion of the IP address and then click Apply.
The wizard updates the value in the Additional IP addresses column for each selected network. Verify the proposed IP addresses.
d. Click Next.
6. When adding a VM Direct Engine for Kubernetes guest cluster protection, add a second network interface card (NIC) if the PowerProtect controller pod running in the guest cluster cannot reach the VM Direct Engine on the primary network. Provide information for the second NIC, and then click Next.
7. On the Summary page, review the information and then click Finish.
The protection engine is added to the VM Direct Engines pane. An additional column indicates the engine purpose. Note that it can take several minutes to register the new protection engine in PowerProtect Data Manager. The protection engine also appears in the vSphere Client.
Results
When an external VM Direct Engine is deployed and registered, PowerProtect Data Manager uses this engine instead of the embedded VM Direct Engine for any data protection operations that involve virtual machine protection policies. If every external VM Direct Engine is unavailable, PowerProtect Data Manager uses the embedded VM Direct Engine as a fallback to perform limited scale backups and restores. If you do not want to use the external VM Direct Engine, you can disable this engine. Additional VM Direct actions provides more information.
NOTE: The external VM Direct Engine is always required for VMware Cloud on AWS operations, Kubernetes cluster
protection policies that require a VM proxy instead of the cProxy, and NAS protection policies. If no external VM Direct
Engine is available for these solutions, data protection operations fail.
Next steps
If the protection engine deployment fails, review the network configuration of PowerProtect Data Manager in the System Settings window to correct any inconsistencies in network properties. After successfully completing the network reconfiguration, delete the failed protection engine and then add the protection engine in the Protection Engines window.
When configuring the VM Direct Engine in a VMware Cloud on AWS environment, if you deploy the VM Direct Engine to the root of the cluster instead of inside the Compute-ResourcePool, you must move the VM Direct Engine inside the Compute-ResourcePool.
Additional VM Direct actions
For additional VM Direct actions, such as enabling, disabling, redeploying, or deleting the VM Direct Engine, or changing the network configuration, use the Protection Engines window in the PowerProtect Data Manager UI. To throttle the capacity of a VM Direct Engine, use a command-line tool on PowerProtect Data Manager.
To get external VM Direct Engine credentials, see the procedure in the PowerProtect Data Manager Security Configuration Guide.
Disable a VM Direct Engine
You can disable an added VM Direct Engine that you do not currently require for virtual machine backup and recovery. To disable a VM Direct Engine:
1. On the Protection Engines window, select the VM Direct Engine that you want to disable from the table in the VM Direct Engines pane.
2. In the far right of the VM Direct Engines pane, click the three vertical dots.
3. From the menu, select Disable.
NOTE: A disabled VM Direct Engine is not used for any new protection activities, and is not automatically updated during a
PowerProtect Data Manager update.
Delete a VM Direct Engine
When you disable a VM Direct Engine, the Delete button is enabled. If you no longer require the VM Direct Engine, perform the following steps to delete the engine:
1. On the Protection Engines window, select the VM Direct Engine that you want to remove from the table in the VM Direct Engines pane.
2. In the far right of the VM Direct Engines pane, click the three vertical dots.
3. From the menu, select Disable.
4. Click Delete.
Enable a disabled VM Direct Engine
When you want to make a disabled VM Direct Engine available again for running new protection activities, perform the following steps to re-enable the VM Direct Engine.
1. On the Protection Engines window, select the VM Direct Engine that you want to re-enable from the table in the VM Direct Engines pane.
2. In the far right of the VM Direct Engines pane, click the three vertical dots.
3. From the menu, select Enable.
NOTE: If a PowerProtect Data Manager version update occurred while the VM Direct Engine was disabled, a manual
redeployment of the VM Direct Engine is also required.
Redeploy a VM Direct Engine
If a PowerProtect Data Manager software update occurred while a VM Direct Engine was disabled, or an automatic update of the VM Direct Engine did not occur due to network inaccessibility or an environment error, the Redeploy option enables you to manually update the VM Direct Engine to the version currently in use with the PowerProtect Data Manager software. Perform the following steps to manually redeploy the VM Direct Engine.
1. On the Protection Engines window, select the VM Direct Engine that you want to redeploy from the table in the VM Direct Engines pane.
2. In the far right of the VM Direct Engines pane, click the three vertical dots.
3. If the VM Direct Engine is not yet enabled, select Enable from the menu.
4. When the VM Direct Engine is enabled, select Redeploy from the menu.
The VM Direct Engine is redeployed with its previous configuration details.
Update the DNS or gateway during redeployment
Optionally, if you want to update the VM Direct Engine DNS or gateway during the VM Direct Engine redeployment, you can use one of the following commands:
To update both the gateway and DNS, run ./vproxymgmt redeploy -vproxy_id [VM Direct Engine ID] -updateDns [DNS IP address] -updateGateway [Gateway IPv4 address]
To update the gateway only, run ./vproxymgmt redeploy -vproxy_id [VM Direct Engine ID] -updateGateway [Gateway IP address]
To update DNS only, run ./vproxymgmt redeploy -vproxy_id [VM Direct Engine ID] -updateDns [DNS IP address]
Edit the vCenter server for a VM Direct Engine configuration
If a VM Direct Engine configuration is unsuccessful, you can change the vCenter server selection.
Perform the following steps to change the vCenter server:
1. On the Protection Engines window, select the VM Direct Engine from the table in the VM Direct Engines pane.
2. Click Edit. The Edit Protection Engine wizard displays.
3. On the Protection Engine Configuration page, select a vCenter server from the list. Make sure that the selected vCenter is running the ESXi host for this VM Direct Engine.
4. Click Next until you reach the Summary page.
5. On the Summary page, verify the new selection, and then click Finish.
Edit the Capacity setting for a VM Direct Engine
After adding the VM Direct Engine, you can change the percentage of the protection engine capacity that will be used. For example, you might want to change the Capacity setting to a lower value to avoid network bandwidth issues.
Perform the following steps to change the maximum percentage of the VM Direct Engine that will be used:
1. On the Protection Engines window, select the VM Direct Engine from the table in the VM Direct Engines pane.
2. Click Edit. The Edit Protection Engine wizard displays.
3. On the Protection Engine Configuration page, type a maximum percentage value for Capacity.
4. Click Next until you reach the Summary page.
5. On the Summary page, verify the new value, and then click Finish.
Edit the network configuration for a VM Direct Engine
The PowerProtect Data Manager Administration and User Guide provides more information about virtual networks.
For example, if VM Direct Engine deployment failed because of a virtual network configuration problem, you can update the configuration to add additional IP addresses to the static IP pool. You can also add the VM Direct Engine to a virtual network in the same VGT port group.
Perform the following steps to change the network configuration:
1. On the Protection Engines window, select the VM Direct Engine from the table in the VM Direct Engines pane.
2. Click Edit. The Edit Protection Engine wizard displays.
3. Click Next to navigate to the Networks Configuration page.
4. Virtual networks with a warning symbol beside the network name require attention and review. For example, if you changed the network configuration, the configured traffic types may not support VM Direct Engines. Clear any interfaces which no longer apply to the VM Direct Engine.
Select the row that corresponds to the virtual network with the configuration error, or the virtual network to which you want to add the VM Direct Engine.
5. Type an available static IP address or IP address range in the Additional IP Addresses column.
6. Click Next.
7. On the Summary page, verify the network settings, and then click Finish.
To change other network configuration settings, delete the VM Direct Engine and then deploy a new VM Direct Engine.
Throttle the capacity of a VM Direct Engine
In performance-limited environments, you can use a command-line tool on PowerProtect Data Manager to reduce the maximum capacity of a VM Direct Engine.
The default value for VM Configured Capacity Units of an external VM Direct Engine is 100. The minimum value is 4. A VM Direct Engine can back up one disk with 4 units of capacity at a time.
Perform these steps to throttle the capacity of a VM Direct Engine:
1. Connect to the PowerProtect Data Manager console and change to the root user.
2. Type: source /opt/emc/vmdirect/unit/vmdirect.env
3. To view the list of every VM Direct Engine and its ID, type: /opt/emc/vmdirect/bin/vproxymgmt get -list
4. To change the capacity of a VM Direct Engine, type (once per engine): /opt/emc/vmdirect/bin/vproxymgmt modify -vproxy_id [VProxy ID] -capacity [percentage]
5. To verify the change in VM Configured Capacity Units, type: /opt/emc/vmdirect/bin/vproxymgmt get -list
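The following added example (not Dell code, and not part of the original guide) checks operator input before it reaches the vproxymgmt calls in this procedure and in "Update the DNS or gateway during redeployment", and prints the resulting command line for review instead of running it. The path and flags are the ones this guide shows; the engine ID character set, the IPv4-only address check, the upper bound of 100 on capacity and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not Dell code: validate operator input, then print (not run)
# the vproxymgmt command line so it can be reviewed before use as root.

VPROXYMGMT=/opt/emc/vmdirect/bin/vproxymgmt   # path from the throttle procedure

# valid_id ID: assumption: engine IDs shown by "get -list" contain only
# letters, digits and . _ : - ; a leading "-" is refused so that an ID can
# never be read as a flag.
valid_id() (
    case $1 in
        ''|-*|*[!A-Za-z0-9._:-]*) exit 1 ;;
    esac
)

# valid_ipv4 ADDR: dotted quad, each octet 0-255 (assumption: IPv4 only).
valid_ipv4() (
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;;
    esac
    IFS=.
    set -- $1
    if [ $# -ne 4 ]; then exit 1; fi
    for octet in "$@"; do
        if [ ${#octet} -gt 3 ] || [ "$octet" -gt 255 ]; then exit 1; fi
    done
)

# valid_capacity N: whole number from 4 (the guide's minimum) to 100 (the
# guide's default, taken here as the maximum, which is an assumption).
valid_capacity() (
    case $1 in
        ''|0*|*[!0-9]*) exit 1 ;;
    esac
    if [ ${#1} -gt 3 ] || [ "$1" -lt 4 ] || [ "$1" -gt 100 ]; then exit 1; fi
)

# concurrent_disks N: disks backed up at once, at 4 capacity units per disk
# (assumption: the -capacity percentage equals the capacity units).
concurrent_disks() (
    valid_capacity "$1" || exit 1
    echo $(( $1 / 4 ))
)

# modify_cmd ID CAPACITY: print the throttle command from step 4.
modify_cmd() (
    if ! valid_id "$1"; then echo "rejected engine ID" >&2; exit 1; fi
    if ! valid_capacity "$2"; then echo "rejected capacity, want 4-100" >&2; exit 1; fi
    echo "$VPROXYMGMT modify -vproxy_id $1 -capacity $2"
)

# redeploy_cmd ID DNS GATEWAY: print the redeploy command. Pass "" for the
# setting that stays unchanged; at least one of the two is required.
redeploy_cmd() (
    if ! valid_id "$1"; then echo "rejected engine ID" >&2; exit 1; fi
    if [ -z "$2" ] && [ -z "$3" ]; then echo "nothing to update" >&2; exit 1; fi
    cmd="$VPROXYMGMT redeploy -vproxy_id $1"
    if [ -n "$2" ]; then
        if ! valid_ipv4 "$2"; then echo "rejected DNS address" >&2; exit 1; fi
        cmd="$cmd -updateDns $2"
    fi
    if [ -n "$3" ]; then
        if ! valid_ipv4 "$3"; then echo "rejected gateway address" >&2; exit 1; fi
        cmd="$cmd -updateGateway $3"
    fi
    echo "$cmd"
)

# Constructed values: ENGINE-ID-PLACEHOLDER stands in for an ID taken from
# "get -list"; the addresses come from a documentation-only range.
redeploy_cmd ENGINE-ID-PLACEHOLDER 192.0.2.53 192.0.2.1
modify_cmd ENGINE-ID-PLACEHOLDER 40
echo "disks backed up at once with capacity 40: $(concurrent_disks 40)"
```

Review the printed line, then run it as root after sourcing /opt/emc/vmdirect/unit/vmdirect.env as in step 2.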
Transparent Snapshot Data Mover protection mechanism
The Protection Engines window in the PowerProtect Data Manager UI includes a pane for Transparent Snapshot Data Movers. Introduced in PowerProtect Data Manager 19.9, Transparent Snapshot Data Mover (TSDM) is a protection mechanism for data movement during virtual machine protection operations. Previously, the only protection mechanism available in PowerProtect Data Manager for virtual machine protection was the VMware vStorage API for Data Protection (VADP). Any new virtual machine protection policies use TSDM as the default protection mechanism instead of VADP when the version of the vCenter and ESXi servers that host the virtual machines is a minimum version of 7.0 U3c.
Figure 1. Virtual machine backup using TSDM
A vSphere Installation Bundle (VIB) is included with the software deployment and update packages for PowerProtect Data Manager to facilitate the use of TSDM, and is enabled at the vCenter level after the PowerProtect Data Manager deployment or update. The VIB installation occurs automatically at the cluster level when a virtual machine protection policy is created, with no requirement to restart the ESXi hosts or put the hosts into maintenance mode. When updating to PowerProtect Data Manager 19.12 from a 19.9 or later release where TSDM-enabled policies were in use, the VIB has been optimized to detect if the software already exists in a datastore and only upload the VIB where the software is not shared across ESXi hosts. Also, the VIB will now update on the respective ESXi hosts concurrently instead of sequentially, in batches of 25, skipping any ESXi hosts that are powered off or in maintenance mode.
Within the PowerProtect Data Manager UI, the Transparent Snapshot Data Movers pane provides a hierarchy view of the vCenter Server asset sources that have been added in PowerProtect Data Manager. Use this view to determine if the vCenter or ESXi server is enabled for VIB management, and if the hosts have the VIB installed or are eligible for VIB installation. A vSphere host cluster can have one of the following statuses:
Installed: The VIB installation on this vSphere host is completed, and TSDM is enabled as the default protection mechanism for the virtual machines on the vSphere host.
Ready for install: The vSphere host requirements for VIB installation have been met, and the installation will proceed automatically on the vSphere host when a virtual machine running on the cluster is added to a protection policy.
Ready for upgrade: This status displays when the VIB is installed on the vSphere host and PowerProtect Data Manager is updated, but the VIB is being managed manually. In this case, the VIB will not be updated automatically on the vSphere host.
Not eligible: The vSphere host does not meet the requirements for VIB installation. When TSDM cannot be used, the VADP protection mechanism is used for virtual machine protection operations on this host.
Failed: The VIB installation on the vSphere host did not complete successfully. The Jobs window provides more information about the issue that caused the failure.
Use the filter icon in the status column to display only vSphere hosts with a certain status. For example, you can choose to display only hosts that are ready for VIB installation or update.
When the VIB installation is started, the Protection Engines window updates to display the progress. Also, an entry for the job Performing Host Configuration (vib_install) appears in the Jobs window.
NOTE: Any virtual machine assets that were added to a virtual machine protection policy in PowerProtect Data Manager
19.8 and earlier currently use the VADP protection mechanism. After the VIB installation on the vSphere host that contains
these virtual assets, you can migrate these assets to the TSDM protection mechanism. Migrating assets to use the
Transparent Snapshot Data Mover provides more information.
Disable or re-enable VIB on an ESXi host
In the PowerProtect Data Manager UI, you can disable VIB management on a vCenter server to prevent automatic installation or update of the VIB on the ESXi host. To disable VIB management on the vCenter server:
1. Go to Infrastructure > Protection Engines, and then select the Transparent Snapshot Data Movers pane.
2. Click to the right of the vCenter server.
3. Scroll down to the text box that displays Auto vSphere Installation Bundled (VIB) management is enabled and click Disable.
To re-enable VIB management on a vCenter server that currently has the VIB disabled:
1. Go to Infrastructure > Protection Engines, and then select the Transparent Snapshot Data Movers pane.
2. Click to the right of the vCenter server.
3. Scroll down to the text box that displays Auto vSphere Installation Bundled (VIB) management is disabled and click Enable.
If a VIB installation or update is required, the status indicates Ready for install or Ready for upgrade.
4. Select the check box next to this host and click Install to manually perform the VIB install or update, or wait for the automatic VIB installation.
5. When performing a manual VIB installation, if one or more of the selections are not eligible or the VIB is already installed, a dialog appears. Click OK to proceed.
Migrating assets to use the Transparent Snapshot Data Mover
Transparent Snapshot Data Mover (TSDM) is the recommended protection mechanism for environments with vCenter and ESXi version 7.0 U3c or later deployed, and is the default protection mechanism used for virtual machine assets protected by virtual machine crash-consistent policies in PowerProtect Data Manager 19.9 or later.
PowerProtect Data Manager defaults to using the VADP protection mechanism when one or more of the following conditions are true:
The ESXi host and vCenter server versions are earlier than 7.0 U3c.
The protection policy is an application-consistent policy.
The protection policy is configured with the Exclude swap files from backup and Enable guest file system quiescing enabled.
PowerProtect Data Manager 19.8 or earlier is deployed.
NOTE: For existing virtual machine crash-consistent policies created with PowerProtect Data Manager version 19.8 and
earlier, modifying the Exclude swap files from backup and Enable guest file system quiescing policy options to
meet the TSDM requirements will migrate virtual machines on vSphere version 7.0 U3c and later clusters managed by a
vCenter server running version 7.0 U3c or later to use the TSDM protection mechanism.
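The conditions above can be checked against an inventory before a migration. This added example (not Dell code, and not part of the original guide) parses the version notation used here, compares versions numerically so that 19.12 ranks above 19.9, and reports TSDM or VADP with the first condition that forces VADP. The function names, the inventory format and the sample rows are constructed, and either of the two check boxes being selected is treated as forcing VADP.

```shell
#!/bin/sh
# Added example, not Dell code: predict the protection mechanism from the
# conditions listed in this section. VIB installation status is not checked.

# ver_key VERSION: print "major minor update rank" or fail. Accepts the
# notation this guide uses: "19.12", "7.0", "7.0 U3", "7.0 U3c".
ver_key() (
    rel=${1%% *}                      # release before any space: "7.0"
    case $rel in *.*) ;; *) exit 1 ;; esac
    major=${rel%%.*}
    minor=${rel#*.}
    upd=0
    letter=
    case $1 in
        *' U'*)
            rest=${1#* U}             # "3c"
            upd=${rest%%[a-z]*}       # "3"
            letter=${rest#"$upd"}     # "c" or empty
            ;;
        *' '*) exit 1 ;;              # a suffix other than " U<n>[letter]"
    esac
    for n in "$major" "$minor" "$upd"; do
        case $n in ''|*[!0-9]*) exit 1 ;; esac
    done
    alphabet=abcdefghijklmnopqrstuvwxyz
    case $letter in
        '')    rank=0 ;;
        [a-z]) before=${alphabet%%"$letter"*}; rank=$(( ${#before} + 1 )) ;;
        *)     exit 1 ;;
    esac
    echo "$major $minor $upd $rank"
)

# version_at_least HAVE WANT: succeed when HAVE >= WANT, field by field.
# A plain string comparison would rank 19.12 below 19.9.
version_at_least() (
    have=$(ver_key "$1") || exit 2
    want=$(ver_key "$2") || exit 2
    set -- $have $want                # $1..$4 = HAVE fields, $5..$8 = WANT fields
    if [ "$1" -ne "$5" ]; then [ "$1" -gt "$5" ]; exit; fi
    if [ "$2" -ne "$6" ]; then [ "$2" -gt "$6" ]; exit; fi
    if [ "$3" -ne "$7" ]; then [ "$3" -gt "$7" ]; exit; fi
    [ "$4" -ge "$8" ]
)

# protection_mechanism PPDM VCENTER ESXI POLICY SWAP_EXCLUDED QUIESCED
#   POLICY: crash-consistent | application-aware; the two flags: yes | no
protection_mechanism() (
    for v in "$1" "$2" "$3"; do
        if ! ver_key "$v" >/dev/null; then echo "UNKNOWN (unparsed version: $v)"; exit 2; fi
    done
    case $4 in
        crash-consistent|application-aware) ;;
        *) echo "UNKNOWN (unrecognized policy type)"; exit 2 ;;
    esac
    case "$5,$6" in
        yes,yes|yes,no|no,yes|no,no) ;;
        *) echo "UNKNOWN (flags must be yes or no)"; exit 2 ;;
    esac
    if ! version_at_least "$1" 19.9; then echo "VADP (PowerProtect Data Manager earlier than 19.9)"; exit 0; fi
    if ! version_at_least "$2" "7.0 U3c"; then echo "VADP (vCenter earlier than 7.0 U3c)"; exit 0; fi
    if ! version_at_least "$3" "7.0 U3c"; then echo "VADP (ESXi earlier than 7.0 U3c)"; exit 0; fi
    if [ "$4" != crash-consistent ]; then echo "VADP (policy is application-aware)"; exit 0; fi
    if [ "$5" = yes ] || [ "$6" = yes ]; then echo "VADP (swap-file exclusion or quiescing enabled)"; exit 0; fi
    echo TSDM
)

# audit_inventory: read "name|PPDM|vCenter|ESXi|policy|swap excluded|quiesced"
# lines on stdin and print one verdict per asset.
audit_inventory() {
    while IFS='|' read -r name ppdm vc esxi policy swap quiesce; do
        verdict=$(protection_mechanism "$ppdm" "$vc" "$esxi" "$policy" "$swap" "$quiesce") || true
        printf '%s: %s\n' "$name" "$verdict"
    done
}

# Constructed inventory rows, for illustration only.
audit_inventory <<'EOF'
vm-web01|19.12|7.0 U3c|7.0 U3d|crash-consistent|no|no
vm-sql01|19.12|7.0 U3c|7.0 U3c|application-aware|no|no
vm-old01|19.12|7.0 U3c|7.0 U2|crash-consistent|no|no
vm-swap1|19.12|8.0|8.0|crash-consistent|yes|no
EOF
```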
You can manually migrate virtual machine assets from the VADP protection mechanism to the TSDM protection mechanism by using the Infrastructure > Assets window of the PowerProtect Data Manager UI.
Before migrating assets to use TSDM, the vSphere Installation Bundle (VIB) is required. This installation occurs automatically, unless the use of TSDM is disabled on the vCenter server asset source. Go to Infrastructure > Protection Engines, select the Transparent Snapshot Data Movers pane, and verify that the VIB is enabled on the vCenter server. You can also expand the vCenter hierarchy view to confirm that the VIB installation has occurred on the vSphere hosts. Transparent Snapshot Data Mover protection mechanism provides more information.
Migrate asset protection mechanism from VADP to TSDM
To migrate VADP virtual machine assets to use TSDM in the PowerProtect Data Manager UI:
1. Go to Infrastructure > Assets and select the Virtual Machine tab.
2. Filter the view to display the Protection Mechanism column.
3. Select one or more virtual machine assets with the VADP protection mechanism.
4. Select More Actions > Protection Mechanism > Migrate to TSDM.
Migrating assets to use the TSDM protection mechanism forces a new, full backup of these assets. This backup may take several minutes.
Managing Virtual Machine Assets and Protection
Topics:
Protection policies
Additional protection policy options
Before you create a protection policy
Supported enhanced VMware topologies for virtual machine protection
Add a protection policy for virtual machine protection
Managing virtual machine backups
Add a service-level agreement
Add or remove assets in a protection policy
Edit the retention period for backup copies
Extended retention (for protection policies created in PowerProtect Data Manager 19.11 and earlier)
Protection rules

Protection policies
Protection policies define sets of objectives that apply to specific periods of time. These objectives drive configuration, active protection, and copy-data-management operations that satisfy the business requirements for the specified data. Each policy type has its own set of user objectives.
Users with the Administrator role can create protection policies for VMware virtual machines. For other policy types, including specific applications within VMware virtual machines, refer to the user guide for the specific agent or application agent.
Additional protection policy options
This chapter contains content that is specific to protecting virtual machines.
The PowerProtect Data Manager Administration and User Guide provides other important information about configuring settings and available actions that apply to all protection policies. These topics include cloud tiering, manual backups, and service level agreements.
This guide may not repeat information that is already covered in the PowerProtect Data Manager Administration and User Guide.
Before you create a protection policy
Consider the following best practices before creating a protection policy.
An asset can be protected by only one policy at a time. Assets can be moved from one policy to another policy based on the priority of protection rules. However, when protection rules result in assets moving from one policy to another, any assets that were manually selected for inclusion in the policy are not moved to a different policy.
NOTE: If a SQL Server is hosted on a virtual machine, you can protect the SQL database with an application-consistent
backup without interfering with the SQL agent-based backup.
When creating a policy, limit the number of database assets within the policy to under 500 and stagger the start time of replication policies to avoid potential replication failures.
Before adding replication to a protection policy, ensure that you add remote protection storage as the replication location. The PowerProtect Data Manager Administration and User Guide provides instructions about adding protection storage.
Before you perform any backups on a weekly or monthly schedule from the protection policy, ensure that the PowerProtect Data Manager time zone is set to the local time zone.
Understanding backup terminology and managing backup frequency
When scheduling backups in a protection policy, be aware of the following:
Different backup policy types can use different terminology to describe available backup levels. This terminology can differ not only between policy types, but also from traditional terminology.
To avoid high CPU usage that can lead to failure issues, do not schedule backups more often than recommended.
Refer to the following table to understand the different backup levels provided by each protection policy and to manage backup frequencies.
Table 7. Backup terminology and frequency
| Protection-policy backup types | Available backup levels | Description | Equivalent traditional terminology | Minimum frequency recommendation |
| --- | --- | --- | --- | --- |
| VMware application-aware | Full | Backs up all the blocks. | Full | Monthly |
| | Synthetic Full | Backs up only the blocks that have changed since the last synthetic-full or full backup, and then performs an operation to merge those changes with the last synthetic-full or full backup in order to produce a full backup in storage. Only the changed blocks are actually copied over the network, but the result is still a full backup in storage. | A differential backup is performed, followed by a merge operation that produces a full backup in storage. | 12 hours |
| VMware crash-consistent | Full | Backs up all the blocks. | Full | Monthly |
| | Synthetic Full | Backs up only the blocks that have changed since the last synthetic-full or full backup, and then performs an operation to merge those changes with the last synthetic-full or full backup in order to produce a full backup in storage. Only the changed blocks are actually copied over the network, but the result is still a full backup in storage. | A differential backup is performed, followed by a merge operation that produces a full backup in storage. | 12 hours |
| | Log | Backs up the transaction logs. | | 30 minutes |
NOTE: In some situations, a full backup might be performed even though a synthetic-full backup was scheduled. Possible
reasons for this include, but are not limited to, the following:
There is no existing full backup.
The size of a volume has changed.
There has been a file path change.
The asset host has been rebooted.
Replication triggers
PowerProtect Data Manager orchestrates protection policy replication objectives independently of the primary backup. When you add a replication objective to a policy, select one of the available triggers.
The default replication trigger is a schedule window that you define by setting a recurrence period plus start and end times. Replication occurs during the defined window. For example, every day between 8 p.m. and 12 a.m.
You can also trigger replication immediately after the completion of the associated primary backup, whether scheduled or manual. At the start of the primary backup, PowerProtect Data Manager generates an associated replication job that remains queued until the end of the protection job. If the backup fails or completes with exception, the associated replication job is skipped. Restarting the protection job queues the associated replication job again.
When you create a replication objective, you can specify either scheduled replication or replication after backup completion, which is applicable to both centralized and self-service protection policies.
NOTE: For replication after backup completion, PowerProtect Data Manager 19.12 or later and application agents 19.10 or
later are required. It is recommended that you update the application agents to the latest version.
Using a schedule can help you manage network traffic by replicating during off-peak hours. However, for larger backup sets, the primary backup may not finish before the start of the replication schedule, which creates a replication backlog. Replication after backup completion prevents a replication backlog from forming.
To prevent data loss, the replication after backup completion trigger replicates new backups from the primary objective and any outstanding backups that have not yet replicated.
A job status of Completed with Exceptions during replication
After a triggered replication job, you might see a job status message similar to the following:
Completed with Exceptions ABA0017: plc_linux_rac: Backup was successful for the ORACLE_DATABASE asset ORCLPP on the host blrv009d132.blr.lab.emc.com but the copy metadata information is currently unavailable.
The backup of this asset completed successfully but the copy metadata information has not yet been discovered by PowerProtect Data Manager. If the 'Replicate immediately upon backup completion' option is enabled for this protection policy, the replication job for the copy might appear in 'Unknown' or 'Cancel' state. Once the copy metadata is discovered by PowerProtect Data Manager, the copy will be replicated.
Review the backup copy details in the View Copies pane of the PowerProtect Data Manager UI Infrastructure > Assets window to determine when the discovery is complete.
If you see this message, the replication backup is not immediately available.
To correct this issue, either wait for the next automatic discovery or initiate a discovery.
Supported enhanced VMware topologies for virtual machine protection
PowerProtect Data Manager provides protection for clustered ESXi server storage, networking, and enterprise management. Understanding what topologies are supported in these environments aids in the design of your network infrastructure.
Supported enhanced topologies
Supported topologies of clustered ESXi server storage, networking, and enterprise management include the following:
vSAN operations
NSX-T port groups
Enhanced Linked Mode vCenter servers
For more information, see the E-Lab Navigator.
vSAN operations
Standard clusters, stretched clusters, two-node clusters, and HCI Mesh datastores support the following operations:
Backing up and restoring virtual machines
Search Engines
VM Direct Engines
HA failover of Search Engines and VM Direct Engines
Post-failover protection
NSX-T port groups
PowerProtect Data Manager supports the use of NSX-T with up to 2,000 port groups. These can be default VDS port groups or N-VDS port groups, and they support the following components:
PowerProtect Data Manager servers
VM Direct Engines
Search nodes
Workload virtual machines
Enhanced Linked Mode vCenter servers
Enhanced Linked Mode connects multiple vCenter Server systems together by using one or more Platform Services Controllers (PSCs). PowerProtect Data Manager supports the protection of workload virtual machines running inside Enhanced Linked Mode vCenter servers. This protection also applies during and after any vMotion operation of the virtual machines.
To support virtual machine protection workflows for vCenter servers that are in Enhanced Linked Mode, PowerProtect Data Manager requires you to add all of the linked vCenter servers as asset sources, and also to install the PowerProtect vSphere Plugin on all of these vCenter servers.
Add a protection policy for virtual machine protection
A protection policy enables you to select a specific group of assets that you want to back up and replicate. Perform the following steps to create a virtual machine protection policy in the PowerProtect Data Manager UI.
Prerequisites
Dell Technologies recommends distributing virtual machine asset protection workloads over multiple ESXi hosts so that you do not exceed the ESXi Network Block Device (NBD) session limit. If the limit is reached, you can manage the workload by deploying an external VM Direct Engine on the host or cluster using Hot Add transport mode. Also, it is recommended during policy configuration to assign virtual machines to a protection policy based on logical grouping to allow for better scheduling of backups. Grouping helps avoid resource contention and creates more organized logs for review.
To create application-aware protection policies for virtual machines, ensure that:
You manually update the VMX configuration parameter disk.EnableUUID to True by using the vSphere Web Client.
The vSphere version that you are running uses a supported version of VMware Tools. Software compatibility information for the PowerProtect Data Manager software is provided by the E-Lab Navigator.
The virtual machine has direct access to the DD client.
The virtual machine uses SCSI disks only, and the number of available SCSI slots matches at least the number of disks.
The Windows account that is used for the protection policy is limited to the local system Administrator or the domain Administrator. This user requires both Microsoft Windows administrative rights and Microsoft SQL Server login and sysadmin rights.
SQL configuration support is limited to Microsoft SQL Server stand-alone instances, a Microsoft SQL Server Always On availability group (AAG) configured with file share witness, and Microsoft SQL Server cluster-less AAG configurations. Unsupported configurations include Microsoft SQL Server failover cluster instances that are configured with shared drives, as well as Microsoft SQL Server cluster-less AAG configurations.
For Microsoft SQL Server AAG configurations, the database administrator specifies the AAG backup preferences for backup in the Microsoft SQL Server Management Studio (SSMS). These preferences control which AAG node is selected as the preferred node when you perform a transaction log backup of AAG databases.
vCenter 7.0 U1 or later is required to protect virtual machines that use virtualization-based security (VBS) and virtual Trusted Platform Module 2.0 (vTPM).
If applicable, complete all of the virtual network configuration tasks before you assign any virtual networks to the protection policy. The PowerProtect Data Manager Administration and User Guide provides more information.
The PowerProtect Data Manager Administration and User Guide provides more information about working with storage units, including applicable limitations and security considerations.
NOTE: The option to create a storage unit during protection policy configuration does not support compliance mode
retention locking, only governance mode. To use compliance mode retention locking, create and configure a storage unit
before you configure an associated protection policy. If you enable retention locking and select a storage unit where
the retention lock mode is None, the retention lock defaults to governance mode. The PowerProtect Data Manager
Administration and User Guide provides more information.
Before performing any backups on a weekly or monthly schedule from the protection policy, ensure that the PowerProtect Data Manager time zone is set to the local time zone.
About this task
For virtual machine protection policies, data is moved using one of two types of protection mechanisms:
Transparent Snapshot Data Mover: Starting in PowerProtect Data Manager version 19.9, Transparent Snapshot Data Mover (TSDM) is the default protection mechanism that is used for crash-consistent virtual machine policies when the following requirements are met:
vCenter and ESXi version 7.0 U3c or later is deployed in the environment.
Clear the Exclude swap files from backup and Enable guest file system quiescing check boxes when adding or editing the protection policy.
VADP: VMware vStorage API for Data Protection (VADP) is the protection mechanism that is used for application aware virtual machine policies and crash-consistent policies that do not meet the TSDM software requirements. VADP is the only protection mechanism available in PowerProtect Data Manager versions 19.8 and earlier.
The section Transparent Snapshot Data Mover protection mechanism provides more information about TSDM.
Steps
1. From the left navigation pane, select Protection > Protection Policies.
The Protection Policies window appears.
2. In the Protection Policies window, click Add.
The Add Policy wizard appears.
3. On the Type page, specify the following fields, and then click Next:
- Name: Type a descriptive name for the protection policy.
- Description: Type a description for the policy.
- Type: Select Virtual Machine, which includes protection for SQL application-aware virtual machines.
4. On the Purpose page, select from the following options to indicate the purpose of the new protection policy group, and then click Next:
- Crash Consistent: Select this type for point-in-time backup of virtual machines.
- Application Aware: For virtual machines with a SQL application installed, select this type to quiesce the application to perform the SQL database and transaction log backup. When you select this type, you must provide Windows account credentials for the virtual machine. You can provide the credentials at the protection-policy level or the virtual machine asset level. When you provide the credentials at both levels, the virtual machine asset credentials override the policy credentials.
- Exclusion: Select this type if there are assets within the protection policy that you plan to exclude from data protection operations.
By default, quiescing is automatically performed for the guest file system on the virtual machine. Quiescing ensures that the data within the guest file system is in a state that is appropriate for backups. If the file system cannot be quiesced on the first attempt, the snapshot and backup are performed without quiescing.
VMware Tools is used to quiesce the file system in the guest operating system. The VMware documentation provides more information.
5. On the Assets page, select the assets for inclusion in this policy by choosing one of the following options from the list:
- View by Host: This option enables you to view all assets within a specific host, and then select individual assets or a group of assets at a host or container level for policy inclusion. For example:
Select a stand-alone host to include all assets under this host.
NOTE: If you select a host in a cluster, no assets are selected. For a host in a cluster, ensure that you select the
cluster or other containers (for example, a resource pool or vApp) under the cluster host.
Expand the tree and select a container level in the vCenter hierarchy (for example, the data center, cluster, host, or resource pool) to include all assets under that level. If assets at any level are protected by another policy, a label with the name of that policy appears next to the level.
The following types of virtual assets are saved in PowerProtect Data Manager but excluded from protection:
- VMProductType.DDVE - DD Virtual Edition
- VMProductType.VPROXY - VM Direct protection engine
- VMProductType.ECDM
- VMProductType.VCENTER - VMware vCenter Server appliance
- VMProductType.VIRTUAL_HOST - Nested_ESXi appliance
- VMProductType.DDMC - DD Management Center
- VMProductType.REPORT - PowerProtect Data Manager Reporting appliance
- VMProductType.SEARCH - PowerProtect Data Manager Search appliance
- VMProductType.VRPA - RecoverPoint for VMs
When you select a container level in the View by Host view, a protection rule is automatically created to ensure that these container level selections will be retained, even if changes occur from movements within the vSphere environment or the names of resource pools or folders change. This rule is managed by the PowerProtect Data Manager system, and cannot be modified. The rule will also be updated automatically if you make changes to container selections when editing the policy, or when assets are moved into or out of a selected container.
To view this rule after policy creation, go to Protection > Protection Rules. The name in the Protection Rule Name column for this new rule matches the policy name.
If this new rule results in an overlap of protection with an existing rule, you can resolve these conflicts by changing the policy protection rule priority in the Selection Overlap page. Step 7 provides more information.
NOTE: The behavior of automatic rule creation that allows assets to move into or out of policies can only
be modified in the REST API. After updating from a previous release, if View by Host is not visible you can
enable this view by manually changing the /api/v2/common-settings/DYNAMIC_FILTER_SETTING. The
PowerProtect Data Manager Public REST API documentation provides instructions.
Expand the tree and select individual assets within containers.
When you select individual assets within this view, these selections are considered static, and no protection rule is automatically created. In cases where protection rules result in assets moving from one policy to another, any assets that are manually selected for inclusion in the policy will not be moved to a different policy.
- View Asset Table: This option enables you to view all unprotected assets in the vCenter server within a table, and then select individual unprotected assets that you want to back up as part of this protection policy. In cases where protection rules result in assets moving from one policy to another, any assets that are manually selected for inclusion in the policy will not be moved to a different policy.
When you select a virtual machine asset in this view, a dialog displays indicating that you can exclude virtual disks (VMDKs) from protection of these assets. To dismiss the dialog for other selections, select the check box and click OK.
Both views provide additional information about the virtual machines, such as any currently associated tags, protection rules, and whether the virtual machine is already assigned to another policy, to help you identify which assets you want to add. If the virtual machines that you want to protect are not listed, use the Search box to search by asset name.
NOTE: When you configure a virtual machine application-aware protection policy to protect a Microsoft SQL Server
Always On availability group (AAG), you must add all the virtual machines for that AAG to the same policy, to ensure
proper protection. Failure to do so might result in missed transaction log backups.
For the virtual machine application-aware case, the Assets page displays a warning about the AAG policy configuration requirement.
6. Optionally, if you want to exclude nonproduction VMDKs such as network shares or test disks from a protection policy:
a. Select the virtual machine asset from the list, and then click Manage Exclusions in the Disk Excluded column.
The Exclude Disks dialog box appears. By default, the slider next to each VMDK is set to Included.
b. For each disk that you want to exclude, move the slider to the right. The status updates to Excluded.
c. Click Save. The Assets page updates to indicate the number of disks for that particular asset that will be excluded from the protection policy.
7. Click Next.
If any virtual objects or assets that were selected in the previous page overlap with assets that are already protected by another policy, the Selection Overlap page appears. Overlap can occur, for example, when two policies (the new policy and an existing policy) use the View by Host view for asset selection by container level.
a. To switch protection of any virtual objects listed in the Protection Priority Overlap table from an existing policy, update the Policy Priority field to a level equal to or higher than the other policy currently protecting these objects. The lower the value, the higher the priority. For example, 1 is the highest priority. When you change this value, the priority of the rule that is associated with this policy is also changed.
b. To switch protection of any assets that are listed in the Asset Protection Overlap table to this policy, select the check box next to one or more assets. Selecting these assets for inclusion in this policy removes the assets from the other policy.
When you change the priority or the selected assets, the protection rule is updated automatically.
8. Click Next. The Objectives page appears.
9. On the Objectives page, select a policy-level Service Level Agreement (SLA) from the Set Policy Level SLA list, or select Add to open the Add Service Level Agreement wizard and create a policy-level SLA.
Add a service-level agreement provides instructions.
10. Click Add under Primary Backup. The Add Primary Backup dialog appears.
11. On the Schedules pane of the Add Primary Backup dialog:
a. Specify the following fields to schedule the synthetic full backup of this protection policy:
- Create a Synthetic Full...: Specify how often to create a synthetic full backup. A Synthetic Full backs up only the changed blocks since the last backup to create a new full backup.
- Retain For: Specify the retention period for the synthetic full backup.
NOTE: For database backups, PowerProtect Data Manager chains the dependent backups together. For example, the synthetic full or transaction log backups are chained to their base full backup. The backups do not expire until the last backup in the chain expires. This ensures that all synthetic full and transaction log backups are recoverable until they have all expired.
- Start and End: For the activity window, specify a time of day to start the synthetic full backup, and a time of day after which backups cannot be started.
NOTE: Any backups started before the End Time occurs continue until completion.
Click Save to save and collapse the backup schedule.
b. Click Add Backup if you want to periodically force one or more full (level 0) backups, and then specify the following fields to schedule the full backups of this protection policy:
NOTE: When you select this option, the backup chain is reset.
- Create a Full...: Specify whether you want to create an hourly, daily, weekly, monthly, or yearly full backup.
- Repeat on: Depending on the frequency of the full backup schedule, specify the hour of the day, the day of the week, or the date of the month for the full backup.
- Retain For: Specify the retention period for the full backup. This can be the same value as the synthetic full backup schedule, or a different value.
- Start and End: For the activity window, specify a time of day to start the full backup, and a time of day after which backups cannot be started.
NOTE: Any backups started before the End Time occurs continue until completion.
Click Save to save and collapse the backup schedule.
c. Click Add Backup and repeat the procedure for creating full backups if you want to create additional backup copies at different intervals with different retention periods.
Within this protection policy, when a full schedule conflicts with another full backup schedule, a message appears, indicating that there is a conflict. Schedule occurrences can conflict with each other when the activity windows are identical or occur entirely within the same time range. To avoid full schedule conflicts in a policy, edit the activity windows.
If you proceed with conflicting schedules, the backup of the lower priority schedule will be skipped. Schedule priority is ranked according to the following criteria:
- Full schedules have a higher priority than Synthetic Full schedules.
- For schedules of the same backup type, the schedules that run less frequently have a higher priority than schedules that run more frequently.
- For schedules with the same backup type and frequency, the schedule with the longest activity window has the higher priority. If the activity windows are also identical, only one of these schedules will run.
NOTE: When a schedule conflict between full backups occurs, PowerProtect Data Manager retains the full backup
with the longest retention period.
d. To create a log backup for virtual machine application-aware protection policies, click Add Backup again, and then specify the following fields:
- Create a Log...: For application-aware protection policies, specify the interval in minutes for log generation.
NOTE: For SQL Server AAG configurations, the database administrator can specify the AAG backup preferences for a transaction log backup in the Microsoft SQL Server Management Studio.
- Retain For: Specify the retention period for the log backup. This can be the same retention value that is specified for the synthetic full or full schedule, or a different value.
NOTE: Setting a shorter retention period for log backups than the full backup can result in data loss and the
inability to restore point-in-time copies.
- Start and End: For the activity window, specify a time of day to start the log backup, and a time of day after which log backups cannot be started.
NOTE: Any backups started before the End Time occurs continue until completion.
Click Save to save and collapse the backup schedule.
12. On the Target pane of the Add Primary Backup dialog, specify the following fields:
a. Storage Name: Select a backup destination from the list of existing protection storage systems, or select Add to add a system and complete the details in the Storage Target window.
NOTE: The Space field indicates the total amount of space, and the percentage of available space, on the
protection storage system.
b. Storage Unit: Select whether this protection policy should use a New storage unit on the selected protection storage system, or select an existing storage unit from the list. Hover over a storage unit to view the full name and statistics for available capacity and total capacity, for example, testvmplc-ppdm-daily-123ab (300 GB/1 TB). When you select New, a new storage unit in the format policy name host name unique identifier is created in the storage system after policy completion. For example, testvmplc-ppdm-daily-123cd.
c. Network Interface: Select a network interface from the list, if applicable.
d. Retention Lock: Move the Retention Lock slider to the right to enable retention locking for these backups.
The retention lock mode setting comes from the configuration of the selected storage unit. When you enable retention locking, the Retention Lock Mode field displays the corresponding storage unit setting.
Setting a retention lock applies to the current backup copy only, and does not impact the retention lock setting for existing backup copies.
NOTE: Primary backups are assigned a default retention lock period of 14 days. Replicated backups, however, are
not assigned a default retention lock period. If you enable Retention Lock for a replicated backup, ensure that you
set the Retain for field in the Add Replication dialog to a minimum number of 14 days so that the replicated backup
does not expire before the primary backup.
e. SLA: Select an existing service level agreement that you want to apply to this objective from the list, or select Add to create an SLA within the Add Service Level Agreement wizard.
Add a service-level agreement provides instructions.
13. Click Save to save your changes and return to the Objectives page.
The Objectives page updates to display the name and location of the target storage system under Primary Backup.
After completing the objective, you can change any details by clicking Edit next to the objective.
14. Optionally, replicate the backups:
NOTE:
To enable replication, ensure that you add remote protection storage as the replication location. The PowerProtect Data
Manager Administration and User Guide provides detailed instructions about adding remote protection storage.
When creating multiple replicas for the same protection policy, it is recommended to select a different storage system
for each copy. If you select a storage unit that is the target of another objective for the same policy, the UI issues
a warning. The PowerProtect Data Manager Administration and User Guide provides information about replicating to
shared protection storage to support PowerProtect Cyber Recovery. Verify the storage targets and the use case before
you continue.
When you create a replication objective, you can specify either scheduled replication or replication after backup completion.
NOTE: For replication after backup completion, PowerProtect Data Manager 19.12 or later and application agents 19.10
or later are required. It is recommended that you update the application agents to the latest version.
For replicas of centralized backups, when you set retention periods for different backup types, any undefined types use the full backup retention period. For example, if you do not define a log backup in the primary objective, the log backup for the replication objective is also undefined. After you run a manual log backup, replicas of that log backup use the same retention period as the full backup.
a. Click Replicate next to Primary Backup. An entry for Replicate is created to the right of the primary backup objective.
b. Under Replicate, click Add.
The Add Replication dialog appears, with information in the left pane for each schedule that has been added for the primary backup objective of this protection policy.
NOTE: Backups for all of the listed schedules will be replicated. You cannot select individual schedules for
replication.
c. Select a storage target:
- Storage Name: Select a destination from the list of protection storage. Or, select Add to add a protection storage system and complete the details in the Storage Target window.
- Storage Unit: Select an existing storage unit on the protection storage system. Or, select New to automatically create a storage unit.
- Network Interface: Select a network interface from the list, if applicable.
- Retention Lock: Move the Retention Lock slider to the right to enable retention locking for these replicas.
The retention lock mode setting comes from the configuration of the selected storage unit. When you enable retention locking, the Retention Lock Mode field displays the corresponding storage unit setting.
- SLA: Select an existing replication service level agreement that you want to apply to this schedule from the list. Or, select Add to create a replication SLA within the Add Service Level Agreement wizard.
The PowerProtect Data Manager Administration and User Guide provides more information about replication targets, such as SLAs.
d. Select when to replicate the backups:
Replication triggers provides more information.
- To replicate after the backup finishes, move the Replicate immediately upon backup completion slider to on.
- For scheduled replication, move the Replicate immediately upon backup completion slider to off, and then complete the schedule details in the Add Replication dialog.
For replication of the primary backup, the schedule frequency can be every day, week, month, or x hours.
For daily, weekly, and monthly schedules, the numeric value cannot be modified. For hourly, however, you can edit the numeric value. For example, if you set Create a Full backup every 4 hours, you can set a value of anywhere from 1 to 12 hours.
By default, all replicas of the primary backup objective inherit the retention period from the Retain For value of the synthetic full and full backup schedules.
e. To specify a different retention period for individual synthetic full and full replicas, clear Set the same retention time for all replicated copies, click Edit in the row of each schedule that you want to change, update the value in the Retain For field, and then click Save.
CAUTION: Setting a retention period for the replicas of other backup types (such as log backups,
incremental, and differential backups, where applicable) that is shorter than the retention period of the
corresponding full backup may result in being unable to recover from those replicas.
f. Click Save to save your changes and return to the Objectives page.
15. Optionally, to move backups from protection storage to Cloud Tier, add a Cloud objective for the primary or replication objective:
NOTE: To move a backup or replica to Cloud Tier, objectives must have a retention time of 14 days or more.
PowerProtect Data Manager also requires the discovery of protection storage with a configured Cloud unit.
a. Click Cloud Tier next to Primary Backup. Or, if adding a Cloud objective for a replication objective that you have added, click Cloud Tier under Replicate. An entry for Cloud Tier is created to the right of the primary backup objective, or below the replication objective.
b. Under the entry for Cloud Tier, click Add. The Add Cloud Tier Backup dialog appears, with summary information for the parent objective to indicate whether you are adding this Cloud Tier objective for the primary backup objective or the replication objective.
c. Keep the All applicable full backups slider to the right if you want to tier the backups from all of the full primary backup or replication schedules of this policy. Otherwise, move the slider to the left and select the full schedule(s) that you want to tier.
NOTE: If the retention period of a schedule is less than the minimum 14 days required before tiering occurs, or is less
than the value in the Tier After field, you can still select this schedule for tiering. However, if you do not edit the
retention period of this schedule or its backup or replication copy to a value greater than the Tier After field before
the retention period of the copy expires, the backup or replication copy of this schedule will not be cloud tiered.
d. Complete the objective details in the Add Cloud Tier Backup dialog, and then click Save to save your changes and return to the Objectives page.
The PowerProtect Data Manager Administration and User Guide provides detailed instructions for adding a Cloud objective for a primary or replication objective.
16. Optionally, if Cloud Disaster Recovery is configured in the Infrastructure > Storage window, you can add a Cloud DR objective for virtual machine protection policies:
a. Click Cloud DR next to Primary Backup or, if adding a Cloud objective for a replication objective that you have added, click Cloud DR under Replicate. An entry for Cloud DR is created to the right of the primary objective, or below the replication objective.
b. Under the entry for Cloud DR, click Add. The Add Cloud DR Backup dialog appears, with summary information for the parent node to indicate whether you are adding this Cloud DR objective for the primary backup objective or the replication objective.
c. Complete the objective details in the Add Cloud DR Backup dialog, and then click Save to save your changes and return to the Objectives page.
The PowerProtect Data Manager Cloud Disaster Recovery Administration and User Guide provides detailed instructions for adding a Cloud DR objective for a primary or replication objective.
17. Click Next. The Options page appears.
18. On the Options page:
a. For Optimize For, select from one of the following backup optimization modes:
- Performance: Optimize for backup and replication speed. Selecting this mode results in more storage consumption.
- Capacity: Optimize for backup size. Selecting this mode results in less storage consumption, but backups take longer to complete.
NOTE: Changing the optimization mode after the first backup of the protection policy forces the next backup to
be a full backup, and results in increased storage capacity usage due to differences in how each mode uses data
deduplication. This increase continues until all backups performed using the previous optimization mode expire and
have been deleted.
b. Exclude swap files from backup: Select to exclude the C:\swapfile.sys, C:\pagefile.sys, and C:\hiberfil.sys swap and memory files of Microsoft Windows virtual machines, in the virtual machine backup. By default, this check box is cleared.
When using the Transparent Snapshot Data Mover protection mechanism, do not select the Exclude swap files from backup check box.
NOTE: Including swap and memory files in a backup unnecessarily increases the size of the backup and the time to
restore to original during recovery. These files are rebuilt by the Microsoft Windows operating system after restart,
and not required for recovery.
c. Enable indexing for file search and restore: Select to enable indexing. This option is visible only after activating the search cluster node.
d. Enable guest file system quiescing: Select to enable VMware Tools to quiesce the file system during crash-consistent virtual machine backups.
When using the Transparent Snapshot Data Mover protection mechanism, do not select the Enable guest file system quiescing check box.
19. Click Next. The Summary page appears.
20. Review the protection policy group configuration details. Except for the protection policy type, you can click Edit next to any details to change the protection policy information. When satisfied with the details, click Finish. An informational message appears to confirm that PowerProtect Data Manager has saved the protection policy.
When the new protection policy is created and assets are added to the protection policy, PowerProtect Data Manager performs backups according to the backup schedule.
For virtual machines, if you have not yet added a VM Direct Engine, the backup is performed using the embedded VM Direct Engine that is included with PowerProtect Data Manager. Subsequent backups are performed according to the schedule specified.
NOTE: If the target virtual machine datastore for backup is running low on free space and the datastore free space
threshold is configured in vCenter Settings, a warning message appears or a backup failure occurs. When the
Datastore Free Space Warning Threshold is reached, the backup proceeds with a warning message in the logs.
When the Datastore Free Space Failure Threshold is reached, the backup fails.
To check the warning and failure threshold values, select Infrastructure > Asset Sources and click the vCenter tab.
Click the gear icon to open the vCenter Settings dialog.
21. Click OK to exit the window, or click Go to Jobs to open the Jobs window to monitor the backup of the new protection policy group.
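The schedule-priority rules in step 11 and the retention warnings in steps 11 through 15 can be checked before a policy is saved. The following is an added example, not Dell code: the Schedule and Policy classes are hypothetical models (not the PowerProtect REST schema), the sample policy and its Tier After value are constructed, and the check assumes that a conflict means identical windows or one window inside the other, ignoring which days the schedules fall on.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MIN_DAYS = 14                                  # 14-day figure the guide gives for lock and Cloud Tier
KIND_RANK = {"full": 0, "synthetic_full": 1}   # Full outranks Synthetic Full


@dataclass
class Schedule:                 # hypothetical model of one backup schedule
    name: str
    kind: str                   # "full", "synthetic_full" or "log"
    every_hours: float          # interval between runs (24 = daily, 168 = weekly)
    start_min: int              # activity window start, minutes after midnight
    end_min: int                # activity window end; may fall on the next day
    retain_days: int

    @property
    def window_len(self) -> int:
        return (self.end_min - self.start_min) % 1440


@dataclass
class Policy:                   # hypothetical model of the wizard's choices
    schedules: List[Schedule]
    replica_locked: bool = False
    replica_retain_days: Dict[str, int] = field(default_factory=dict)
    tier_after_days: Optional[int] = None      # None = no Cloud Tier objective


def windows_conflict(a: Schedule, b: Schedule) -> bool:
    """True when the windows are identical or one lies entirely inside the other."""
    def inside(inner: Schedule, outer: Schedule) -> bool:
        offset = (inner.start_min - outer.start_min) % 1440   # survives midnight wrap
        return offset + inner.window_len <= outer.window_len
    return inside(a, b) or inside(b, a)


def skipped_schedules(schedules: List[Schedule]) -> Dict[str, str]:
    """Map each schedule that loses a conflict to the schedule that outranks it."""
    # Sort order = priority: backup type, then least frequent, then longest window.
    ranked = sorted((s for s in schedules if s.kind in KIND_RANK),
                    key=lambda s: (KIND_RANK[s.kind], -s.every_hours, -s.window_len))
    skipped: Dict[str, str] = {}
    for i, high in enumerate(ranked):
        if high.name in skipped:
            continue
        for low in ranked[i + 1:]:
            if low.name not in skipped and windows_conflict(high, low):
                skipped[low.name] = high.name  # full tie: first listed wins (assumption)
    return skipped


def review(policy: Policy) -> List[Tuple[str, str]]:
    """Return (code, detail) findings for settings the guide warns about."""
    out: List[Tuple[str, str]] = []
    fulls = [s for s in policy.schedules if s.kind in KIND_RANK]
    logs = [s for s in policy.schedules if s.kind == "log"]
    for low, high in skipped_schedules(policy.schedules).items():
        out.append(("SCHEDULE_SKIPPED", f"{low} is skipped in favour of {high}"))
    longest_full = max((s.retain_days for s in fulls), default=0)
    for s in logs:                             # log kept for less time than a full
        if s.retain_days < longest_full:
            out.append(("LOG_SHORTER_THAN_FULL", s.name))
    if policy.replica_locked:                  # locked replica must outlive the primary lock
        for kind, days in policy.replica_retain_days.items():
            if days < MIN_DAYS:
                out.append(("LOCKED_REPLICA_UNDER_14_DAYS", kind))
    rep_full = policy.replica_retain_days.get("full")
    for kind, days in policy.replica_retain_days.items():
        if kind != "full" and rep_full is not None and days < rep_full:
            out.append(("REPLICA_SHORTER_THAN_FULL", kind))
    if policy.tier_after_days is not None:     # copy expires before it can be tiered
        for s in fulls:
            if s.retain_days < MIN_DAYS or s.retain_days <= policy.tier_after_days:
                out.append(("WILL_NOT_TIER", s.name))
    return out


def constructed_policy() -> Policy:
    """Sample input built for this example; not taken from a real system."""
    return Policy(
        schedules=[
            Schedule("daily-synthetic", "synthetic_full", 24, 20 * 60, 6 * 60, 30),
            Schedule("weekly-full", "full", 168, 22 * 60, 2 * 60, 10),
            Schedule("log-30min", "log", 0.5, 0, 1439, 7),
        ],
        replica_locked=True,
        replica_retain_days={"full": 10, "log": 7},
        tier_after_days=14,
    )


if __name__ == "__main__":
    for code, detail in review(constructed_policy()):
        print(f"{code}: {detail}")
```
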
Managing virtual machine backups
The following sections describe the options that are available for virtual machine assets that are backed up as part of a protection policy.
Add and remove the credentials for virtual machine assets
You can optionally add and remove the credentials for multiple virtual machine assets simultaneously in the PowerProtect Data Manager UI. With previous versions, you could add and remove the credentials for one virtual machine asset at a time.
About this task
NOTE: The asset-level credentials take precedence over policy-level credentials for virtual machines. Asset-level
credentials have the highest precedence. Virtual machines do not support the asset source-level (host) credentials.
Use the following procedure to add or remove one or more credentials for virtual machine assets.
Steps
1. From the PowerProtect Data Manager UI, select Infrastructure > Assets, and then click the Virtual Machine tab. A list of discovered virtual machine assets displays.
2. Select one or more assets by clicking the check box next to each required asset name.
3. Select More Actions > Set Credential.
4. In the Set Credential dialog box, add or remove the credentials for the selected virtual machine assets:
To add the credentials for the assets, select the appropriate value from the drop-down list in the Credential field:
To create new credentials, select Create New.
In the Add Credentials dialog box that appears, specify the required field values and then click Save.
To add existing credentials, select the credentials name from the credentials list.
To remove the credentials for the assets, select Remove Credentials.
5. Click Save in the Set Credential dialog box.
Results
After you add the credentials by using these steps, the asset-level credentials are used for the selected assets during the virtual machine centralized backups, overriding the policy-level credentials.
Enable or disable Changed Block Tracking (CBT)
The Changed Block Tracking (CBT) feature is used to identify areas of the virtual machine backup that have changed since the last backup and only process those changed areas during the next backup. CBT is enabled by default.
About this task
To set Changed Block Tracking (CBT) for virtual machines, complete the following steps:
Steps
1. From the PowerProtect Data Manager UI, select Infrastructure > Assets.
2. From the Assets window, select the Virtual Machine tab. If a policy has been assigned, the virtual machine assets that have been discovered in the vCenter server display, along with the associated protection policy.
3. Select one or more virtual machine assets from the list, and click More Actions > Changed Block Tracking.
The Changed Block Tracking dialog box appears.
4. Clear the check box to disable CBT, or select the check box to enable CBT.
If there are high change rates on the virtual machine, CBT can sometimes cause backups to take longer than expected. If the backups are taking too long to complete, you can disable CBT for virtual machines. Also, if you encounter an issue with CBT, you can disable it on the virtual machine.
NOTE: If CBT is enabled in PowerProtect Data Manager but is disabled in VMware vSphere, PowerProtect Data
Manager tries to back up the virtual machine with CBT enabled. If PowerProtect Data Manager cannot enable CBT, the
backup completes with a warning that indicates CBT data is not available.
5. Click Save.
NOTE: When CBT is disabled for a virtual machine, subsequent backups no longer use CBT.
More options for managing virtual machine backups
After you create a virtual machine protection policy, additional options become available for virtual machine assets that are backed up as part of the policy.
To access these options:
1. From the PowerProtect Data Manager UI, select Infrastructure > Assets.
2. From the Assets window, select the Virtual Machine tab.
If a policy has been assigned, the virtual machine assets that have been discovered in the vCenter server display, along with the associated protection policy.
NOTE: You can click the link in the Disk Excluded column next to a virtual machine asset to view VMDKs that have
been excluded from the protection policy. You cannot, however, edit disk inclusion or exclusion from this window. To
change the disks that are excluded for a protected asset, select the policy from the Protection Policies window and
click Edit.
3. Select a protected asset from the table, and then click View Copies. The Copy Locations pane identifies where the backups are stored.
4. In the left pane, click the storage icon to the right of the VM icon, for example, DD. The table in the right pane lists the backup copies.
Depending on whether the asset is retention locked, you can perform the following functions from this window:
- Edit the retention period of backup copies to extend or shorten the amount of time that backups are retained: Select one or more backup copies from the table and click Edit Retention. To select a calendar date as the expiration date for backups, select Retention Date.
To define a fixed retention period in days, weeks, or months after the backup is performed, select Retention Value. For example, you could specify that backups expire after 6 months.
NOTE: When you edit the retention period for copies that are retention locked, you can only extend the retention
period.
Delete a backup copyIf you no longer require a copy and the retention lock is not enabled, select the copy from the table and click Delete.
Snapshot freeze scripts and thaw scripts for virtual machine backups
You can use custom scripts to back up a Windows or Linux virtual machine which runs an application that PowerProtect Data Manager does not directly support. These scripts run before and after the snapshot to place the virtual machine and application into a state where you can perform a backup.
NOTE: Use of these scripts is not supported for virtual machines with the Transparent Snapshot Data Mover (TSDM)
protection mechanism enabled.
Table 8. Script descriptions and related terms
| Script | Related terms | Description |
|---|---|---|
| Freeze | Quiesce, Pre-freeze | This script runs before the snapshot initialization to quiesce the virtual machine and place the application in a frozen state. Quiescing ensures that the data within the guest file system is in a consistent state that is appropriate for backups. |
| Thaw | Unquiesce, Post-thaw | This script runs after the snapshot finalization to unquiesce the virtual machine, thaw the application, and then return the virtual machine to normal operation. |
PowerProtect Data Manager uses the VMware Tools package to quiesce the virtual machine. The VMware documentation provides more information. Before you deploy the freeze and thaw scripts, install the latest version of the VMware Tools package on the virtual machine.
The freeze and thaw scripts are specific to each application. If the freeze script returns a nonzero exit code, snapshot creation fails.
After you create your custom scripts, deploy the scripts to the correct location on the virtual machine, as specified in the following tables.
Table 9. Script locations for Windows virtual machines
| ESXi version | Freeze script location | Thaw script location |
|---|---|---|
| ESXi 6.5 or later | C:\Program Files\VMware\VMware Tools\backupScripts.d\ All scripts are invoked in ascending alphabetical order with freeze as the first argument. | C:\Program Files\VMware\VMware Tools\backupScripts.d\ All scripts are invoked in descending alphabetical order with thaw or freezeFail as the first argument. |
Table 10. Script locations for Linux virtual machines
| ESXi version | Freeze script location | Thaw script location |
|---|---|---|
| ESXi 6.5 or later | /usr/sbin/pre-freeze-script | /usr/sbin/post-thaw-script |
For Linux virtual machines, set the script ownership and permissions after you deploy the scripts:
sudo chown root:root /usr/sbin/pre-freeze-script /usr/sbin/post-thaw-script
sudo chmod 0700 /usr/sbin/pre-freeze-script /usr/sbin/post-thaw-script
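The ownership and mode set by these two commands can drift after a script is redeployed or the guest is patched, so it is worth checking them periodically. The following audit is an added example, not part of the Dell guide: the function names are hypothetical, it assumes Python 3 on the Linux guest, and the parent-directory check goes beyond the two commands the guide prescribes.

```python
import os
import stat

# Linux guest script paths from Table 10 of the guide.
QUIESCE_SCRIPTS = ("/usr/sbin/pre-freeze-script", "/usr/sbin/post-thaw-script")


def audit_script(path, expected_uid=0, expected_gid=0):
    """Return a list of findings for one script; an empty list means it matches
    the guide's settings (owner root:root, mode 0700)."""
    try:
        st = os.lstat(path)  # lstat: inspect the entry itself, never a link target
    except FileNotFoundError:
        return [f"{path}: missing"]
    if not stat.S_ISREG(st.st_mode):
        return [f"{path}: not a regular file (symlink or special file)"]

    findings = []
    if (st.st_uid, st.st_gid) != (expected_uid, expected_gid):
        findings.append(
            f"{path}: owner {st.st_uid}:{st.st_gid}, "
            f"expected {expected_uid}:{expected_gid}"
        )
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o700:
        findings.append(f"{path}: mode {mode:04o}, expected 0700")

    # Added check (not in the guide): if another user can write to the
    # directory, they can replace the script whatever the file's own mode is.
    parent_path = os.path.dirname(os.path.abspath(path))
    parent = os.stat(parent_path)
    if parent.st_uid != expected_uid or stat.S_IMODE(parent.st_mode) & 0o022:
        findings.append(
            f"{path}: directory {parent_path} is not owned by uid "
            f"{expected_uid} or is group/other-writable"
        )
    return findings


def audit_all(paths=QUIESCE_SCRIPTS, expected_uid=0, expected_gid=0):
    """Audit every path and return the combined findings."""
    findings = []
    for path in paths:
        findings.extend(audit_script(path, expected_uid, expected_gid))
    return findings


if __name__ == "__main__":
    problems = audit_all()
    for line in problems:
        print(line)
    raise SystemExit(1 if problems else 0)
```

The script exits nonzero when any finding is reported, so it can run from a scheduled job or a configuration-management check.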
Add a service-level agreement
SLA Compliance in the PowerProtect Data Manager UI enables you to add a service-level agreement (SLA) that identifies your service-level objectives (SLOs). You use the SLOs to verify that your protected assets are meeting the service-level agreements (SLAs).
About this task
NOTE: When you create an SLA for Cloud Tier, you can include only full backups in the SLA. Also, the Extended Retention
SLA applies to protection policies created in PowerProtect Data Manager 19.11 and earlier only. The Extended Retention
objective was removed in PowerProtect Data Manager 19.12. When updating to PowerProtect Data Manager 19.12 from a
previous release, any protection policies created in the earlier release with the Extended Retention SLA will continue to be
supported, however, you will not be able to edit the Extended Retention SLA in these policies.
In the SLA Compliance window, you can export compliance data by using the Export All functionality.
Steps
1. From the PowerProtect Data Manager UI, select Protection > SLA Compliance.
The SLA Compliance window appears.
2. Click Add or, if the assets that you want to apply the SLA to are listed, select these assets and then click Add.
The Add Service Level Agreement wizard appears.
3. Select the type of SLA that you want to add, and then click Next.
- Policy. If you choose this type, go to step 4.
- Backup. If you choose this type, go to step 5.
- Replication. If you choose this type, go to step 6.
- Cloud Tier. If you choose this type, go to step 7.
You can select only one type of Service Level Agreement.
4. If you selected Policy, specify the following fields regarding the purpose of the new Policy SLA:
a. The SLA Name.
b. If applicable, select Minimum Copies, and specify the number of Backup, Replication, and Cloud Tier copies.
c. If applicable, select Maximum Copies, and specify the number of Backup, Replication, and Cloud Tier copies.
d. If applicable, select Available Location and select the applicable locations. To add a location, click Add Location.
Options include the following:
- In: Include locations of all copies in the SLO locations. Selecting this option does not require every SLO location to have a copy.
- Must In: Include locations of all copies in the SLO locations. Selecting this option requires every SLO location to have at least one copy.
- Exclude: Locations of all copies must be non-SLO locations.
e. If applicable, select Allowed in Cloud through Cloud Tier/Cloud DR.
f. Click Finish, and then go to step 9.
5. If you selected Backup, specify the following fields regarding the purpose of the new Backup SLA:
a. The SLA Name.
b. If applicable, select Recovery Point Objective required (RPO), and then set the duration. The purpose of an RPO is business continuity planning, and indicates the maximum targeted period in which data (transactions) might be lost from an IT service due to a major incident.
NOTE: You can select only Recovery Point Objective required to configure as an independent objective in the SLA, or select both Recovery Point Objective required and Compliance Window for copy type. If you select both, the RPO setting must be one of the following:
- Greater than 24 hours or more than the Compliance window duration, in which case RPO validation occurs independent of the Compliance Window.
- Less than or equal to the Compliance Window duration, in which case RPO validation occurs within the Compliance Window.
c. If applicable, select Compliance Window for copy type, and then select a schedule level from the list, for example, All, Full, Cumulative, and set the duration. Duration indicates the amount of time necessary to create the backup copy. Ensure that the Start Time and End Time of backup copy creation fall within the Compliance Window duration specified.
This window specifies the time during which you expect the specified activity to take place. Any specified activity that occurs outside of this Start Time and End Time triggers an alert.
d. If applicable, select the Verify expired copies are deleted option.
Verify expired copies are deleted is a compliance check to see if PowerProtect Data Manager is deleting expired copies. This option is disabled by default.
e. If applicable, select Retention Time Objective, and specify the number of Days, Months, Weeks, or Years.
NOTE: For compliance validation to pass, the value set for the Retention Time Objective must match the lowest
retention value set for the backup levels of this policy's target objectives. For example, if you set the synthetic full
backup Retain For to 30 days but set the full backup Retain For to 60 days, the Retention Time Objective must be
set to the lower value, in this case, 30 days.
f. If applicable, select the Verify Retention Lock is enabled for all copies option. This option is disabled by default.
g. Click Finish, and go to step 9.
The SLA Compliance window appears with the new SLA.
6. If you selected Replication, specify the following fields regarding the purpose of the new Replication SLA:
a. The SLA Name.
b. If applicable, select the Compliance Window, and specify the Start Time and End Time.
This window specifies the times that are permissible and during which you can expect the specified activity to occur. Any specified activity that occurs outside of this start time and end time triggers an alert.
c. If applicable, select the Verify expired copies are deleted option.
Verify expired copies are deleted is a compliance check to see if PowerProtect Data Manager is deleting expired copies. This option is disabled by default.
d. If applicable, select Retention Time Objective, and specify the number of Days, Months, Weeks, or Years.
NOTE: For compliance validation to pass, the value set for the Retention Time Objective must match the lowest
retention value set for the backup levels of this policy's target objectives.
e. If applicable, select the Verify Retention Lock is enabled for all copies option. This option is disabled by default.
f. Click Finish, and go to step 9.
The SLA Compliance window appears with the newly added SLA.
7. If you selected Cloud Tier type SLA, specify the following fields regarding the purpose of the new Cloud Tier SLA:
a. The SLA Name.
b. If applicable, select the Verify expired copies are deleted option.
This option is a compliance check to determine if PowerProtect Data Manager is deleting expired copies. This option is disabled by default.
c. If applicable, select Retention Time Objective and specify the number of Days, Months, Weeks, or Years.
NOTE: For compliance validation to pass, the value set for the Retention Time Objective must match the lowest
retention value set for the backup levels of this policy's target objectives.
d. If applicable, select the Verify Retention Lock is enabled for all copies option. This option is disabled by default.
e. Click Finish.
8. If the SLA has not already been applied to a protection policy:
a. Go to Protection > Protection Policies.
b. Select the policy, and then click Edit.
9. In the Objectives row of the Summary window, click Edit.
10. Do one of the following, and then click Next:
- Select the added Policy SLA from the Set Policy Level SLA list.
- Create and add the SLA policy from the Set Policy Level SLA list.
The Summary window appears.
11. Click Finish. An informational message appears to confirm that PowerProtect Data Manager has saved the protection policy.
12. Click Go to Jobs to open the Jobs window to monitor the backup and compliance results, or click OK to exit.
NOTE: Compliance checks occur automatically every day at 2 a.m. Coordinated Universal Time (UTC). If any objectives
are out of compliance, an alert is generated at 2 a.m. UTC. The Validate job in the System Jobs window indicates the
results of the daily compliance check.
For a backup SLA with a required RPO setting that is less than 24 hours, PowerProtect Data Manager performs real-time compliance checks. If you selected Compliance Window for copy type and set the backup level to All, the real-time compliance check occurs every 15 minutes only within the compliance window. If the backup level is not All, or if a compliance window is not specified, the real-time compliance check occurs every 15 minutes without interruption.
NOTE: If the backup SLA has a required RPO setting of 24 hours or greater, compliance checks occur daily at 2 a.m.
UTC. Real-time compliance checks do not occur for backup SLAs with an RPO setting of 24 hours or greater.
Real-time compliance-check behavior
If the interval of time between the most recent backup of the asset and the compliance check is greater than the RPO requirement, then an alert indicates the RPO of the asset is out of compliance. This alert is generated once within an RPO period. If the same backup copy is missed when the next compliance check occurs, no further alerts are generated.
If the interval of time between the most recent backup of the asset and the compliance check is less than the RPO requirement, the RPO of the asset is in compliance.
If multiple assets in a policy are out of compliance at the same time when a compliance check occurs, a single alert is generated and includes information for all assets that are out of compliance in the policy. In the Alerts window, the asset count next to the alert summary indicates the number of assets that are out of compliance in the policy.
13. In the Jobs window, click next to an entry to view details on the SLA Compliance result.
Add or remove assets in a protection policy
Perform the following steps in the PowerProtect Data Manager UI to add or remove an asset in a protection policy.
About this task
When a protection policy is edited and new assets are added, backups for the new assets start from the next scheduled FULL backup job for the protection policy.
Steps
1. From the left navigation pane, select Protection > Protection Policies.
The Protection Policies window appears.
2. Select the protection policy that you want to modify, and click Edit.
The Edit Policy window opens on the Summary page.
3. In the Assets row, click Edit. The Assets page appears.
NOTE: For virtual machine protection policies, the view that you selected when creating the policy is retained in
this page, and cannot be changed. For example, if you set up this policy with View Asset Table selected, all assets
protected by this policy will display in a table on this page, and the option to select View by Host will be disabled. Both
views provide additional information about the virtual machines, such as any currently associated tags, protection rules,
and whether the virtual machine is already assigned to another policy, to help you identify which assets you want to add
or remove from this policy.
4. To remove containers or assets from the protection policy, select the object and click Remove.
The Assets page updates with the changes.
5. To add a container or asset to the protection policy:
a. Click + Add.
The Add Unprotected Assets dialog displays any objects that are unprotected.
b. Select the individual unprotected assets that you want to add to the policy, or select a container level within the hierarchy to add all assets within that level, and then click Add.
The Assets page updates with the changes.
6. Optionally, if you want to exclude non-production VMDKs such as network shares or test disks from a protection policy:
a. Select the virtual machine asset from the list, and then click Manage Exclusions in the Disk Excluded column.
The Exclude Disks dialog box appears. By default, the slider next to each VMDK is set to Included.
b. For each disk that you want to exclude, move the slider to the right. The status updates to Excluded.
c. Click Save. The Assets page updates to indicate the number of disks for that particular asset that will be excluded from the protection policy.
7. Click Next to save the changes and go to the Summary page.
8. In the Summary page, click Finish. An informational dialog box appears.
9. Click OK to exit the dialog box, or click Go to Jobs to open the Jobs window to monitor the backup of the new protection policy.
Edit the retention period for backup copies
You can edit the retention period of one or more backup copies to extend or shorten the amount of time that backups are retained.
About this task
You can edit retention for all asset types and backup types.
Steps
1. From the PowerProtect Data Manager UI, select Infrastructure > Assets.
2. On the Assets window, select the tab for the asset type for which you want to edit retention. If a policy has been assigned, the table lists the assets that have been discovered, along with the associated protection policy.
NOTE: For virtual machine assets, you can click the link in the Disk Excluded column next to a virtual machine asset to
view VMDKs that have been excluded from the protection policy. You cannot, however, edit disk inclusion or exclusion
from this window. To change the disks that are excluded for a protected asset, select the policy from the Protection
Policies window and click Edit.
3. Select a protected asset from the table, and then click View Copies. The Copy Locations pane identifies where the backups are stored.
4. In the left pane, click the storage icon to the right of the icon for the asset, for example, DD. The table in the right pane lists the backup copies.
5. Select one or more backup copies from the table and click Edit Retention.
6. Choose one of the following options:
- To select a calendar date as the expiration date for backups, select Retention Date.
- To define a fixed retention period in days, weeks, months, or years after the backup is performed, select Retention Value. For example, you could specify that backups expire after 6 months.
NOTE: When you edit the retention period for copies that are retention locked, you can only extend the retention
period.
7. When satisfied with the changes, click Save. The asset is displayed in the list with the changes. The Retention column displays both the original and new retention period, and indicates whether the retention period has been extended or shortened.
Extended retention (for protection policies created in PowerProtect Data Manager 19.11 and earlier)
NOTE: This section applies to protection policies created in PowerProtect Data Manager 19.11 and earlier only. For
protection policies created in PowerProtect Data Manager 19.12, instead of using the Extend Retention objective to
extend the retention period of certain full copies, you can now add multiple full schedules for primary backup and replication
objectives. When updating to PowerProtect Data Manager 19.12 from a previous release, any protection policies created
in the earlier release with the Extend Retention objective will continue to be supported, however, you will not be able
to edit existing extended retention objectives, or add new extended retention objectives, in these policies. The Knowledge
Base article 000204454 at https://www.dell.com/support/ provides detailed information about specific Extend Retention
objective migration scenarios when updating to PowerProtect Data Manager 19.12.
For protection policies created in PowerProtect Data Manager 19.11 and earlier, the Extend Retention objective allows you to extend the retention period for the primary backup copy for long-term retention. For example, your regular schedule for daily backups can use a retention period of 30 days, but you can extend the retention period to keep the full backups taken on Mondays for 10 weeks.
Both centralized and self-service protection policies support weekly, monthly, and yearly recurrence schedules to meet the demands of your compliance objectives. For example, you can retain the last full backup containing the last transaction of a fiscal year for 10 years. When you extend the retention period of a backup in a protection policy, you can retain scheduled full backups with a repeating pattern for a specified amount of time.
For example:
- Retain full yearly backups that are set to repeat on the first day of January for 5 years.
- Retain full monthly backups that are set to repeat on the last day of every month for 1 year.
- Retain full yearly backups that are set to repeat on the third Monday of December for 7 years.
Preferred alternatives
When you define an extended retention objective for a protection policy, you define a set of matching criteria that select preferred backups to retain. If the matching criteria do not identify a matching backup, PowerProtect Data Manager automatically retains the preferred alternative backup according to one of the following methods:
- Look-back: Retain the last available full backup that was taken before the matching criteria.
- Look-forward: Retain the next available full backup that was taken after the matching criteria.
For example, consider a situation where you configured a protection policy to retain the daily backup for the last day of the month to extended retention. However, a network issue caused that backup to fail. In this case, look-back matching retains the backup that was taken the previous day, while look-forward matching retains the backup that was taken the following day.
By default, PowerProtect Data Manager uses look-back matching to select the preferred alternative backup. A grace period defines how far PowerProtect Data Manager can look in the configured direction for an alternative backup. If PowerProtect Data Manager cannot find an alternative backup within the grace period, extended retention fails.
You can use the REST API to change the matching method or the grace period for look-forward matching. The PowerProtect Data Manager Public REST API documentation provides instructions. If there are no available backups for the defined matching period, you can change the matching method to a different backup.
For look-forward matching, the next available backup can be a manual backup or the next scheduled backup.
Selecting backups by weekday
This section applies to centralized protection policies. Self-service protection policies have no primary backup objective configuration.
When you configure extended retention to match backups by weekday, PowerProtect Data Manager may identify a backup that was taken on one weekday as being taken on a different weekday. This behavior happens where the backup window does not align with the start of the day. PowerProtect Data Manager identifies backups according to the day on which the corresponding backup window started, rather than the start of the backup itself.
For example, consider a backup schedule with an 8:00 p.m. to 6:00 a.m. backup window:
Backups that start at 12:00 a.m. on Sunday and end at 6:00 a.m. on Sunday are identified as Saturday backups, since the backup window started on Saturday.
Backups that start at 8:01 p.m. on Sunday and end at 12:00 a.m. on Monday are identified as Sunday backups, since the backup window started on Sunday.
Backups that start at 12:00 a.m. on Monday and end at 6:00 a.m. on Monday are identified as Sunday backups, since the backup window started on Sunday.
In this example, when you select Sunday backups for extended retention, PowerProtect Data Manager does not retain backups that were taken between 12:00 a.m. and 8:00 p.m. This behavior happens even though the backups occurred on Sunday. Instead, PowerProtect Data Manager selects the first available backup that started after 8:00 p.m. on Sunday for extended retention.
If no backups were created between 8:01 p.m. on Sunday and 6:00 a.m. on Monday, PowerProtect Data Manager retains the next alternative to extended retention. In this example, the alternative was taken after 6:00 a.m. on Monday.
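The attribution rule described in this section, worked through as an added example. It is a model written for this page, not PowerProtect Data Manager code; the function names, the constructed dates, and the choice to treat the window open time as inclusive and the close time as exclusive are assumptions.

```python
from datetime import datetime, time, timedelta

WEEKDAYS = ("Monday", "Tuesday", "Wednesday", "Thursday",
            "Friday", "Saturday", "Sunday")


def window_open_for(backup_start, window_open, window_close):
    """Return the datetime at which the backup window containing
    backup_start opened, or None if the backup started outside any window.

    A window whose close time is not later than its open time is treated as
    running into the next day (20:00-06:00, or a 24-hour 12:00-12:00 window).
    """
    # The containing window opened either today or yesterday.
    for days_back in (0, 1):
        day = backup_start.date() - timedelta(days=days_back)
        opened = datetime.combine(day, window_open)
        closed = datetime.combine(day, window_close)
        if window_close <= window_open:
            closed += timedelta(days=1)
        # Assumption of this model: open inclusive, close exclusive.
        if opened <= backup_start < closed:
            return opened
    return None


def attributed_weekday(backup_start, window_open, window_close):
    """Weekday name the backup is identified with: the day on which its
    backup window started, not the day on which the backup itself started."""
    opened = window_open_for(backup_start, window_open, window_close)
    return WEEKDAYS[opened.weekday()] if opened else None


def first_backup_for_weekday(backup_starts, weekday, window_open, window_close):
    """Return the earliest backup attributed to the given weekday, or None."""
    for started in sorted(backup_starts):
        if attributed_weekday(started, window_open, window_close) == weekday:
            return started
    return None


if __name__ == "__main__":
    # Constructed sample: 2022-12-04 is a Sunday; window is 8:00 p.m. to 6:00 a.m.
    opens, closes = time(20, 0), time(6, 0)
    backups = [
        datetime(2022, 12, 4, 0, 0),    # Sunday 12:00 a.m.
        datetime(2022, 12, 4, 20, 1),   # Sunday 8:01 p.m.
        datetime(2022, 12, 5, 0, 0),    # Monday 12:00 a.m.
    ]
    for started in backups:
        print(started, "->", attributed_weekday(started, opens, closes))
    print("Sunday pick:", first_backup_for_weekday(backups, "Sunday", opens, closes))
```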
Extended retention backup behavior
When PowerProtect Data Manager identifies a matching backup, automatic extended retention creates a job at the beginning of the backup window for the primary objective. This job remains queued until the end of the backup window and then starts.
The following examples describe the behavior of backups with extended retention for centralized and self-service protection.
Centralized protection
For an hourly primary backup schedule that starts on Sunday at 8:00 p.m. and ends on Monday at 6:00 p.m. with a weekly extended retention objective that is set to repeat every Sunday, PowerProtect Data Manager selects the first available backup starting after 8:00 p.m. on Sunday for long-term retention.
The following diagram illustrates the behavior of backups with extended retention for a configured protection policy. In this example, full daily backups starting at 10:00 p.m. and ending at 6:00 a.m. are kept for 1 week. Full weekly backups are set to repeat every Sunday and are kept for 1 month.
Figure 2. Extend retention backup behavior
Self-service protection
For self-service backups, PowerProtect Data Manager uses a default backup window of 24 hours. For a backup schedule that starts on Sunday at 12:00 p.m. and ends on Monday at 12:00 p.m. with a weekly extended retention objective that is set to repeat every Sunday, PowerProtect Data Manager selects the first available backup that is taken between 12:00 p.m. on Sunday and 12:00 p.m. on Monday for long-term retention.
Replication of extended retention backups
You can change the retention time of selected full primary backups in a replication objective by adding a replication objective to the extended retention backup. The rules in the extended retention objective define the selected full primary backups. Review the following information about replication of extended retention backups.
- Before you configure replication of extended retention backups, create a replication objective for the primary backup.
- Configure the replication objective of the extended retention and match this objective with one of the existing replication objectives based on the primary backup. Any changes to a new or existing storage unit in the extended retention replication objective or the replication objective of the primary backup are applied to both replication objectives.
- The replication objective of extended retention backups only updates the retention time of replicated backup copies and does not create any new backup copies in the replication storage.
Protection rules
Protection rules comprise one or more conditions that select matching assets and automatically assign them to a corresponding protection policy. PowerProtect Data Manager applies these rules to assets at discovery time.
When you define a protection rule, note the following requirements:
- Creating protection rules requires at least one existing protection policy.
- An asset can only belong to one protection policy.
- Assets can move from one policy to another policy based on the priorities of the protection rules.
- Virtual machine tags created in the vSphere Client can only be applied to a protection rule.
- To ensure the protection of homogeneous assets, the protection rule must specify a storage asset type.
- A virtual machine application-aware protection policy that protects a Microsoft SQL Server Always On availability group (AAG) must include all the virtual machines of the AAG in the same protection group. Failure to meet this requirement might result in Microsoft SQL Server transaction log backups being skipped. Ensure that the protection rules are designed to include all the AAG virtual machines.
NOTE: Ensure that Oracle protection rules do not use the DB ID and Oracle SID Name field settings that were supported
with versions prior to PowerProtect Data Manager 19.6.
You can manually move an asset into a protection policy and override automatic placement through protection rules. Manual assignment protects the asset through the specified policy but protection rules no longer apply to that asset. To apply protection rules again, remove the asset from the protection policy.
Creating virtual machine tags in the vSphere Client
Creating virtual machine tags in the vSphere Client is supported by PowerProtect Data Manager with vSphere versions 6.5 and later. Tags enable you to attach metadata to the virtual assets in the vSphere inventory, which makes assets easier to sort and search for when creating a protection policy.
Asset inclusion in a PowerProtect Data Manager protection policy is based on the filtering criteria that you specify when creating a protection rule.
When you create a tag in the vSphere Client, the tag must be assigned to a category in order to group related tags together. When defining a category, you can specify the object types to which the tags will be applied and whether more than one tag in the category can be applied to an object. Within a single rule, you can apply up to 50 rule definitions to tags and categories, as shown in the following example where Category is the category name and Bronze is the tag name:
Category:Category1,Tag:Bronze1
Category:Category2,Tag:Bronze2
Category:Category3,Tag:Bronze3
...
Category:Category50,Tag:Bronze50
In the above example, category names and tag names that exceed 9 or 7 characters respectively reduce the limit for rule definitions in a single rule to less than 50. When rule definitions exceed the maximum limit, no virtual machines are backed up as part of the group, because no members are associated with the group. As a best practice, keep the number of rule definitions within a single rule to 10 or fewer and, in cases where there are a large number of rule definitions within a single rule, keep the number of characters in category or tag names to 10 or fewer.
To view existing tags for vCenter in the vSphere Client, select Menu > Tags & Custom Attributes, and then select the Tags tab. Click a tag link in the table to view the objects associated with this particular tag.
For PowerProtect Data Manager to include tagged assets in a protection rule based on the tags created for vCenter, you must assign at least one tag to at least one virtual machine. Note that tags associated with containers of virtual machines (for example, a virtual machine folder) are not currently supported for tag associations to assets.
NOTE: Once virtual machines are associated with tags, the association is not reflected in the PowerProtect Data Manager
user interface until the timeout period has completed. The default timeout to fetch the latest inventory from the vCenter
server is 15 minutes. When adding a protection rule and using tags as the asset filter, you must select VM Tags.
Add a protection rule
Select a protection policy and then define one or more conditions. Where applicable, create compound rules by linking multiple conditions through logical operators.
About this task
Compound rules enable you to combine multiple selection criteria through AND and OR operators for higher precision. For example, assets in a particular data center with particular tags. Compound rules must have at least one condition.
The Add Protection Rule wizard displays compound rules in containers. Grouping rules in the same container represents a logical AND of those rules. Placing rules in separate containers represents a logical OR of those rules. For example, the compound rule (A AND B) OR (C) corresponds to one container with rules A and B, and another container with rule C.
The wizard validates fields as you type. As you define the protection rule, the wizard also displays a count of assets which match the entire protection rule, next to View Filtered Assets.
Steps
1. From the PowerProtect Data Manager UI, select Protection > Protection Rules. The Protection Rules window appears.
2. Click the tab to select the type of host for which you would like to add the protection rule, and then click Add. For example, Virtual Machines. The Add Protection Rule window opens to the Select Protection Policy page.
3. Select the target protection policy for the protection rule and then click Next. The Add Rule Description page appears.
4. Define the purpose of the protection rule:
a. Name. For example, Rules Prod Finance. The name must be unique.
b. Description. For example, Finance department production servers.
c. Click Next.
The Add Conditions page appears.
5. Define the protection rule:
a. Select an attribute. The available attributes depend on the selected host type and include names (such as Datacenter Name or Host Name), characteristics (such as asset size), and tags (VM tags or namespace labels). The Power State attribute enables filtering of virtual machine hosts based on the state of the host (such as Power On, Power Off, or Suspended).
NOTE: If using the Host Name for the protection rule to determine which assets get included, ensure that you do
not specify a host in a cluster. If you specify a host in a cluster, PowerProtect Data Manager will not protect the
virtual machine assets under this host because although these assets are currently running within this host, they are
not owned by the host and can be switched to another host under the same cluster at any time.
b. Select a matching criteria. The available matching criteria depend on the selected attribute:
For names, matching criteria include options such as Begins with, Ends with, Contains, Does not contain, Equals, Match Regular Expression, and Does Not Match Regular Expression.
The VM Folder Name and VM Resource Pool attributes support protection for all VM assets and resource pools in the selected folder and its subfolders.
For characteristics, matching criteria include options such as Greater than or Less than.
For tags, matching criteria include options such as Includes, Does not include, In, or Not in. The In and Not in criteria support multiple tags.
For Power State, matching criteria include options such as Equals and Does Not Equal.
Where the available matching criteria includes regular expressions, click for a list of supported operators and effects in a separate dialog box.
NOTE: Regular expressions for the VM Folder Name and VM Resource Pool attributes use Google
RE2J syntax. The operators and effects on the Optional tab of the dialog box are unavailable for these
attributes. However, the operators and effects on the Unsupported tab are available, as are the standard
regular expression predefined character classes. For example, \d for a digit.
Regular expressions for all other attributes use ElasticSearch regex syntax. These expressions do not support
predefined character classes.
Because predefined character classes are valid for some attributes, the UI does not mark these classes as invalid
syntax. This is true even for attributes where such classes are not supported.
c. Depending on the selected attribute, supply a search phrase to compare against the attribute or select an option from the list. The wizard displays a count of matching assets beside the rule and enables new Add Rule options for compound rules.
For example, a rule with the filters VM Folder Name, Contains, and Finance can match assets belonging to your finance department to the selected protection policy.
6. To define a compound rule:
The wizard only enables some Add Rule options after the successful validation of other rules in the same container. For example, rules cannot be empty.
a. Select a logical operation, and then click the corresponding Add Rule option. If you select + (AND), the new rule appears in the same container. If you select Add Rule - OR, the new rule appears in a separate container.
b. Repeat the previous step to define the new protection rule.
c. To remove a rule from a compound rule, click for that rule.
NOTE: The wizard disables for any rules whose deletion would result in an empty container. To remove these
rules, remove the entire container.
The wizard removes the selected rule and any associated Add Rule options.
d. To remove an entire container and any rules within it, click for that container. The wizard also removes any associated Add Rule options.
e. To remove all rules, click Reset Rules.
The wizard displays a count of matching assets beside each rule and, for each container, a count of matching assets for all rules in the container.
NOTE: The counts displayed by the Protection > Protection Rules > Add Protection Rules > Add Conditions and
Protection > Protection Rules > Add Protection Rules > Add Conditions > Filtered Assets panes only count
the number of assets in the filtered folders and resource pools. The counts do not include assets in subfolders or
sub-resource pools. Despite the displayed count, all assets in subfolders and sub-resource pools are also protected. For
existing protection rules, accurate asset counts are displayed in the Protection > Protection Rules and Protection >
Protection Policies panes.
7. To see a list of unprotected assets which match the protection rule, click View Matching Assets. The Matching Assets window opens and displays the details of each matching asset. Verify that the list includes all expected assets, and then click Done.
8. If the protection rule and list of matching assets do not meet expectations, adjust the rules accordingly. Alternatively, reset the rules and then build the protection rule again.
9. If the protection rule and list of matching assets meet expectations, click Next. The Summary page appears.
10. Review the protection rule details and then click Finish.
Results
The new protection rule automatically protects any matching assets.
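A pre-check for the character-class caveat in the regular expression NOTE of step 5, as an added example (not Dell code): because the UI accepts classes such as \d for every attribute, this script flags them in expressions for attributes that do not use RE2J syntax. The function names and sample rules are constructed, and the suggested replacements assume the ASCII meaning of \d and \w.

```python
# Added illustration; it does not call PowerProtect Data Manager.
from __future__ import annotations

from dataclasses import dataclass

# Attributes whose expressions use Google RE2J syntax (from the NOTE).
RE2J_ATTRIBUTES = {"VM Folder Name", "VM Resource Pool"}

# Predefined character classes to look for.
CLASS_LETTERS = set("dDwWsS")

# Explicit bracket expressions (assumption: ASCII meaning of each class).
EXPLICIT = {
    "d": "[0-9]",
    "D": "[^0-9]",
    "w": "[A-Za-z0-9_]",
    "W": "[^A-Za-z0-9_]",
}


@dataclass(frozen=True)
class Finding:
    offset: int        # index of the backslash in the pattern
    token: str         # for example "\\d"
    in_brackets: bool  # True when the class sits inside [...]


def find_predefined_classes(pattern: str) -> list[Finding]:
    """Escape-aware scan: an escaped backslash followed by 'd' is not a class."""
    findings = []
    i, in_brackets = 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            if nxt in CLASS_LETTERS:
                findings.append(Finding(i, "\\" + nxt, in_brackets))
            i += 2  # skip the escaped character
            continue
        if ch == "[" and not in_brackets:
            in_brackets = True
        elif ch == "]" and in_brackets:
            in_brackets = False
        i += 1
    return findings


def lint_rule(attribute: str, pattern: str) -> list[Finding]:
    """Return the classes that the attribute's regex syntax does not support."""
    if attribute in RE2J_ATTRIBUTES:
        return []
    return find_predefined_classes(pattern)


def rewrite_explicit(pattern: str) -> str:
    """Replace classes outside brackets with explicit bracket expressions.

    Classes inside [...] and the whitespace classes are left for manual review.
    """
    out, last = [], 0
    for f in find_predefined_classes(pattern):
        letter = f.token[1]
        if f.in_brackets or letter not in EXPLICIT:
            continue
        out.append(pattern[last:f.offset])
        out.append(EXPLICIT[letter])
        last = f.offset + 2
    out.append(pattern[last:])
    return "".join(out)


# Constructed sample rules: (attribute, regular expression).
SAMPLE_RULES = [
    ("VM Folder Name", r"Finance-\d+"),          # RE2J attribute: accepted
    ("Host Name", r"esx\d{2}\.example\.test"),   # flagged, can be rewritten
    ("Datacenter Name", r"dc\\d"),               # escaped backslash: not a class
    ("Host Name", r"fin[\w-]+"),                 # flagged, inside brackets
]

if __name__ == "__main__":
    for attribute, pattern in SAMPLE_RULES:
        for f in lint_rule(attribute, pattern):
            print(f"{attribute}: {pattern!r} uses {f.token} at offset {f.offset}; "
                  f"suggested: {rewrite_explicit(pattern)!r}")
```

Compare the wizard's matching-asset count with the expected number of assets after replacing a flagged class.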
Manually run a protection rule
PowerProtect Data Manager automatically runs protection rules when new assets are detected or when existing assets are modified. You can also run protection rules manually.
Prerequisites
NOTE: For SQL, Oracle, SAP HANA, and file system asset types, the protection rule runs only on scheduled discovery in
PowerProtect Data Manager. Ensure that you schedule discovery for these asset types.
Steps
1. From the PowerProtect Data Manager UI, select Protection > Protection Rules.
The Protection Rules window appears.
2. Select the required protection rules, and then click Run.
PowerProtect Data Manager runs all of the selected protection rules for the current asset type.
Schedule asset discovery
To schedule discovery in the PowerProtect Data Manager UI, complete the following steps:
Steps
1. Select Infrastructure > Asset Sources.
2. Select the App/File System Host tab.
3. Select the application host, and then click Discover.
4. From the Discovery Schedule list, select the time of day to initiate the discovery.
Edit or delete a protection rule
You can change the name, description, the rule filters, and the associated protection policy.
Steps
1. Select Protection > Protection Rules.
The Protection Rules window appears.
2. To edit a protection rule, select the rule and then click Edit.
The Edit Protection Rule window appears.
a. Select a protection policy, and then click Next.
b. Modify the name, description, or filter rules, and then click Next.
Add a protection rule provides more information about working with rules.
c. Review the protection rule summary, and then click Finish.
3. To delete a protection rule, select the rule and then click Delete.
PowerProtect Data Manager removes from protection policies any assets that were added because of this protection rule. PowerProtect Data Manager adds those assets again if you do not update related protection rules.
View assets applied to a protection rule
You can view the assets that are applied to a protection rule from the Protection Rules window. If the modification of a protection rule results in assets moving from one policy to another, the Protection Rules window enables you to verify the results.
About this task
To view assets that are applied to a protection rule, complete the following steps.
Steps
1. From the left navigation pane, select Protection > Protection Rules.
The Protection Rules window appears.
2. Click the link in the Assigned Assets Count column for the protection rule.
The Assets List window appears and displays the matched assets.
3. To export asset records for the protection rule, in the Assets List window, click Export All.
Change the priority of an existing protection rule
When multiple protection rules exist, you can define the priority of each rule. Priority determines which rule applies to an asset when that asset matches multiple rules and those rules have conflicting actions.
About this task
For example, if an asset matches several protection rules and each rule specifies a different protection policy, then the rule with the highest priority determines the policy assignment.
Protection rule priorities are integers. Smaller integers represent a higher priority.
Steps
1. Select Protection > Protection Rules.
The Protection Rules window appears.
2. To change a protection rule's priority, select the rule and then click Up or Down.
Remember that the smaller integer has the higher priority.
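The container semantics from Add a protection rule and the priority rule above can be modeled offline to spot assets that match no rule or that match rules with conflicting policies. This is an added example, not Dell code and not the product's API; the asset keys Name, Size GB and Tags, the policy names, and the treatment of missing attributes are assumptions.

```python
# Added illustration: models the container and priority semantics described in
# this guide. It does not call PowerProtect Data Manager.
from dataclasses import dataclass

# Subset of the wizard's matching criteria.
CRITERIA = {
    "Begins with": lambda actual, value: str(actual).startswith(value),
    "Ends with": lambda actual, value: str(actual).endswith(value),
    "Contains": lambda actual, value: value in str(actual),
    "Does not contain": lambda actual, value: value not in str(actual),
    "Equals": lambda actual, value: actual == value,
    "Does Not Equal": lambda actual, value: actual != value,
    "Greater than": lambda actual, value: actual > value,
    "Less than": lambda actual, value: actual < value,
    "Includes": lambda tags, value: value in tags,
    "Does not include": lambda tags, value: value not in tags,
}


@dataclass(frozen=True)
class Condition:
    attribute: str
    criterion: str
    value: object

    def matches(self, asset):
        # Assumption: an asset that lacks the attribute never matches.
        if self.attribute not in asset:
            return False
        return CRITERIA[self.criterion](asset[self.attribute], self.value)


@dataclass(frozen=True)
class ProtectionRule:
    name: str
    policy: str
    priority: int       # smaller integer = higher priority
    containers: tuple   # each container is a tuple of Condition objects

    def __post_init__(self):
        # The wizard never leaves a container empty; all(()) would be True
        # and the rule would silently match every asset.
        if not self.containers or any(len(box) == 0 for box in self.containers):
            raise ValueError(f"rule {self.name!r} has an empty container")

    def matches(self, asset):
        # AND inside a container, OR across containers.
        return any(all(c.matches(asset) for c in box) for box in self.containers)


def coverage_report(assets, rules):
    """Assign each asset the policy of its highest-priority matching rule."""
    assigned, unprotected, conflicts = {}, [], {}
    for asset in assets:
        hits = sorted((r for r in rules if r.matches(asset)), key=lambda r: r.priority)
        if not hits:
            unprotected.append(asset["Name"])
            continue
        assigned[asset["Name"]] = hits[0].policy
        if len({r.policy for r in hits}) > 1:
            conflicts[asset["Name"]] = [r.name for r in hits]
    return {"assigned": assigned, "unprotected": unprotected, "conflicts": conflicts}


# Constructed inventory and rules.
ASSETS = [
    {"Name": "fin-db-01", "VM Folder Name": "Finance", "Power State": "Power On",
     "Size GB": 500, "Tags": {"prod"}},
    {"Name": "fin-test-02", "VM Folder Name": "Finance", "Power State": "Power Off",
     "Size GB": 40, "Tags": {"test"}},
    {"Name": "hr-app-01", "VM Folder Name": "HR", "Power State": "Power On",
     "Size GB": 80, "Tags": {"prod"}},
    {"Name": "lab-07", "VM Folder Name": "Lab", "Power State": "Suspended",
     "Size GB": 20, "Tags": set()},
]

RULES = [
    # (VM Folder Name Contains Finance AND Power State Equals Power On) OR (tag critical)
    ProtectionRule("Rules Prod Finance", "Gold", 1, (
        (Condition("VM Folder Name", "Contains", "Finance"),
         Condition("Power State", "Equals", "Power On")),
        (Condition("Tags", "Includes", "critical"),),
    )),
    ProtectionRule("All prod tagged", "Silver", 2,
                   ((Condition("Tags", "Includes", "prod"),),)),
    ProtectionRule("Large VMs", "Bronze", 3,
                   ((Condition("Size GB", "Greater than", 100),),)),
]

if __name__ == "__main__":
    for section, content in coverage_report(ASSETS, RULES).items():
        print(section, content)
```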
Configure protection rule behavior
You can use the REST API to configure what happens when a protection rule changes.
The PowerProtect Data Manager Public REST API documentation provides instructions.
NOTE:
If you update from a previous release of PowerProtect Data Manager, the configured behavior for protection rules changes
still applies to the current release. For example, in PowerProtect Data Manager 19.4, if you did not configure protection
rules through application.properties to move assets across policies, then you cannot change the behavior with this
method in PowerProtect Data Manager 19.5 or later.
However, if you updated the configuration file to enable protection rules to move assets across policies, then this behavior
continues to apply after the update.
Restoring Virtual Machine Data and Assets
Topics:
Prerequisites to restore a virtual machine
Self-service restores
View backup copies available for restore
Restoring a virtual machine or VMDK
Restoring a virtual machine backup with the storage policy association
Image-level restores
Instant Access virtual machine restore
File-level restores
Restore an application-aware virtual machine backup
Prerequisites to restore a virtual machine
Review the following requirements before you restore a virtual machine in PowerProtect Data Manager:
Only the Administrator and the Restore Administrator roles can restore data.
Ensure that you have added protection storage and the vCenter server, and that the protection of virtual machine copies has completed successfully. To check, select Infrastructure > Assets and Infrastructure > Asset Sources.
Ensure that protection of the virtual machines completed successfully. If the virtual machines have been backed up by a protection policy, the assets appear in the Restore > Assets window.
Verify that no pre-existing snapshots exist on the virtual machine.
If performing a restore to the original virtual machine, a minimum vCenter version of 6.7 is required if you want to restore the virtual machine protection policy backup's storage-policy assignments.
If performing a restore to a new location, ensure that sufficient space is available on the target datastore.
Verify that the virtual machine copy that is selected for restore has not expired.
For restores of virtual machine protection policy backups using the Transparent Snapshot Data Mover (TSDM) protection mechanism, note the following:
  For a Restore to Original Folder and Overwrite Original Files, the virtual machine must be currently protected by a policy that uses TSDM.
  For a Create and Restore to New VM, the destination ESXi host where the new virtual machine will be created must have the vSphere Installation Bundle (VIB) installed and enabled.
Self-service restores
A PowerProtect Data Manager system or security administrator can enable users to perform self-service restores of their own assets without further administrator intervention.
Self-service restores require a scope of authority which includes the Restore Administrator role for the relevant user assets or asset sources. The PowerProtect Data Manager Security Configuration Guide contains important prerequisites for self-service restores, such as configuring scopes of authority, resource groups, and role assignments.
After an administrator performs the necessary configuration, the scope of authority grants the user access to the PowerProtect Data Manager UI. Access the PowerProtect Data Manager UI provides instructions for logging in. From the UI, users can follow any of the methods that are described in this chapter to restore their data from backups.
Example
A user named Lisa owns several virtual machines on a vCenter asset source named Prototypes. Lisa is not currently a PowerProtect Data Manager user or a vCenter administrator. To meet recovery objectives and reduce overhead, Lisa requests that her system administrators configure self-service restore.
To fulfill the request, a system administrator creates a resource group named LisaRG. This resource group contains Lisa's virtual machines from the Prototypes asset source plus any other necessary resources. The system administrator also creates a scope of authority which grants Lisa the Restore Administrator and User roles for the LisaRG resource group.
Now, Lisa can log in to the PowerProtect Data Manager UI with her own account and browse backups of her assets. After selecting a backup, Lisa can restore an image of any of her virtual machines, perform file-level restores, or perform an Instant Access restore. Lisa only sees assets which belong to her and cannot see or affect assets which belong to others.
View backup copies available for restore
When a protection policy is successfully backed up, PowerProtect Data Manager displays details such as the name of the storage system containing the asset backup, location, the creation and expiry date, and the size. To view a backup summary:
Steps
1. From the PowerProtect Data Manager UI, select Infrastructure > Assets or Restore > Assets.
2. Select the tab that corresponds to the type of assets that you want to view. For example, for vCenter virtual machine assets, click Virtual Machine.
Assets that are associated with protection copies of this type are listed. By default, only assets with Available or Not Detected status display. You can also search for assets by name.
For virtual machines, you can also click the File Search button to search on specific criteria.
NOTE: In the Restore > Assets window, only tabs for asset types supported for recovery within PowerProtect Data
Manager display. Supported asset types include the following:
Virtual Machines
File System
Storage Group
Kubernetes
3. To view more details, select an asset and click View copies.
The copy map consists of the root node and its child nodes. The root node in the left pane represents an asset, and information about copy locations appears in the right pane. The child nodes represent storage systems.
When you click a child node, the right pane displays the following information:
Storage system where the copy is stored.
The number of copies
Details of each copy, including the time that each copy was created, the consistency level, the size of the copy, the backup type, the copy status, and the retention time.
The indexing status of each copy at the time of copy creation:
  Success indicates that all files or disks are successfully indexed.
  Partial Success indicates that only some disks or files are indexed and might return partial results on file search.
  Failed indicates that all files or disks are not indexed.
  In Progress indicates that the indexing job is in progress.
If indexing has not been configured for a backup copy, or if global expiration has been configured and indexed disks or files have been deleted before the backup copy expiration date, the File Indexing column displays N/A.
The indexing status updates periodically which enables you to view the latest status.
For virtual machine backups, a Disk Excluded column enables you to view any virtual disks (VMDKs) that were excluded from the backup.
Restoring a virtual machine or VMDK
After virtual assets are backed up as part of a virtual machine protection policy in the PowerProtect Data Manager UI, you can perform image-level and file-level recoveries from individual or multiple virtual machine backups, and also restore individual virtual machine disks (VMDKs) to their original location.
PowerProtect Data Manager supports multiple data movers for restoring virtual machines, depending on the restore type and the vSphere capabilities. Restores are performed using one of the following data movers:
Transparent Snapshot Data Mover: Starting in PowerProtect Data Manager version 19.9, Transparent Snapshot Data Mover (TSDM) is the default protection mechanism that is used for crash-consistent virtual machine policies when vCenter and ESXi version 7.0 U3c or later is deployed in the environment. Review the section Prerequisites to restore a virtual machine for specific restore type requirements for TSDM.
VADP: VMware vStorage API for Data Protection (VADP) is the protection mechanism that is used for application aware virtual machine policies and crash-consistent policies that do not meet the TSDM software requirements. VADP is the only protection mechanism available in PowerProtect Data Manager versions 19.8 and earlier.
Storage vMotion from protection storage to primary storage.
All types of recoveries are performed from the Restore > Assets window. Recovery options include the following:
Restore to Original VM: Restore the virtual machine to its original location on the vCenter server, along with (optionally) the virtual machine configuration that existed at the time of the backup.
Restore Individual Virtual Disks: Restore select virtual disks to their original location on the vCenter server.
Create and Restore to New VM: Create a new virtual machine using a copy of the original virtual machine backup, and restore this backup to the new virtual machine.
Instant Access VM: Instant access to the virtual machine backup for browse and restore.
File Level Restore: Restore individual files/folders to the original or a new virtual machine.
Direct Restore to ESXi: Recover the virtual machine directly to an ESXi host without a vCenter server.
The Restore button, which launches the Restore wizard, is disabled until you select one or more virtual assets in the Restore > Assets window. Selecting multiple assets disables the View Copies button, since this functionality is available within the first page of the Restore wizard.
To access the Restore and Overwrite Original VM, Create and Restore to New VM, and Instant Access VM recovery types, or the Restore Individual Virtual Disks option, select one or more virtual assets and then click Restore to launch the Restore wizard.
To access the File Level Restore and Direct Restore to ESXi recovery options, select a virtual asset and then click View Copies.
In both instances, you must select a backup copy in the first page of the Restore wizard before you can go to the Options page, which displays the available recovery options.
NOTE: For all options, recovery in the PowerProtect Data Manager UI can only be performed if the backup or replica is
on a DD system. If a replica backup does not exist on such storage, you must manually replicate this backup to DD storage
before performing the restore.
The following sections describe each recovery option and provide instructions to perform the recovery.
NOTE: Full SQL-database and transaction-log restores of a virtual machine from application-aware virtual machine
protection policies must be performed using Microsoft application agent tools. The section Restore an application-aware
virtual machine backup provides more information.
Restoring a virtual machine backup with the storage policy association
vSphere storage-based policies are used to communicate to the storage system details about how the virtual machine and its contents should be stored. At the time of backup, the existing policy assignments for the virtual machine will be stored in the backup copy.
During a restore to the original virtual machine in the PowerProtect Data Manager UI or the vSphere Client, you can select the Restore Storage Policies option if you want to restore any virtual machine disk-level or non-disk specific storage policy assignments.
This option is only applicable to virtual machine backup copies taken with PowerProtect Data Manager 19.6 and later. If you select this option but the virtual machine backup copy was created with PowerProtect Data Manager version 19.5 and earlier, or the storage policy has been deleted from the vCenter Server, the virtual machine restore will proceed but any storage policy association will not be restored.
NOTE: Enabling this option requires vCenter version 6.7 and later.
Image-level restores
The following topics provide instructions to perform restore operations at the virtual machine image level.
Restore to the original virtual machine
A Restore to Original VM recovers a virtual machine backup to its original location on the vCenter server. This operation rolls back virtual machines that you backed up with the protection policy in PowerProtect Data Manager to an earlier point in time. Use this process for restoring the production system.
Prerequisites
Review Prerequisites to virtual machine restore before performing the restore.
About this task
NOTE: If the original virtual machine was deleted, a Restore to Original Folder and Overwrite Original Files recovery
attempts to re-create the virtual machine. However, if the original virtual machine resources such as the datastore and
cluster are no longer available, the restore fails and a Restore to New is required.
Steps
1. From the PowerProtect Data Manager UI, select Restore > Assets, and then select the Virtual Machine tab.
The Restore window displays all virtual machines available for restore.
2. Select the check box next to the appropriate virtual machines and click Restore.
Use the filter in the Name column to search for the asset name of the specific virtual machine, or use the File Search button to search on specific criteria for files within backed-up virtual machines.
The Restore wizard appears.
3. On the Select Copy page, for each virtual machine that is listed in the table, select the radio button next to the virtual machine and click Choose Copy. The Choose Copy dialog box appears.
NOTE: If you click Next without choosing a copy, the most recent backup copy is used.
4. If the backup is on a DD system, click DD, and then select from one of the available copies that display in the table.
5. Click OK to save the selection and exit the dialog, and then click Next.
6. On the Purpose page, select Restore Entire VMs to restore the image-level virtual machine backup, and then click Next.
NOTE: If you specified any disk exclusions in the virtual machine protection policy, a message appears indicating that
disks were excluded from this backup. If one of the excluded disks was a boot disk, the restore might not complete
successfully.
7. On the Restore Type page, select Restore to Original VM, and then click Next.
NOTE: If the system determines that the original virtual machine datastores may be insufficient to complete the restore,
a warning is displayed. In this case, create more space in the original datastores, and then select Proceed Anyways.
If the virtual machine disk configuration has changed since the original backup, the Disk Configuration page appears. Otherwise, the Options page appears.
8. On the Disk Configuration page, review the current configuration of the virtual machine along with any disks that have been added since the last backup:
a. For any hard disks in the current virtual machine configuration that were not part of the backup copy, select Delete disks that will be detached to remove these disks after restore, or clear the check box to keep these disks in their
original folders on the virtual machine after the restore. These disks will not be in the virtual machine configuration, but after the restore you can use the vSphere Client to manually reattach or download these disks as appropriate.
b. Click Next.
9. On the Options page:
a. Select Restore VM Tags to restore the vCenter tags and categories that are associated with this backup copy. Tags are backed up by default as part of the virtual machine protection policy backup.
NOTE: You can only select this option when restoring entire virtual machines. Selecting this option replaces any
existing tags and categories on the assets in the restore location with tags and categories from the assets in the
restored copy. Tags and categories being restored that do not exist on the vCenter server at the time of the
restore, or have been deleted, are re-created as part of the restore, along with the tag description and the cardinality
settings that determine the relationship of tags within a category. If tags and categories on the vCenter server have
been renamed since the last backup, the renamed tags and categories will not be overwritten after restore. For
example, if a tag ID is the same but the tag name has been changed since the backup, a new tag is created based on
the tag name in the backup copy being restored.
After a successful restore, the replaced tags and categories are not deleted in the vSphere Client, and can be
viewed in the Tags & Custom Attributes window, or the Tags pane of the Summary window when the virtual
machine is selected.
b. Select Restore Storage Policies if you also want to restore any virtual machine disk-level or non-disk specific storage policy assignments.
If you select this option but the backup copy was taken with PowerProtect Data Manager 19.5 and earlier, or the storage policy is not available, the virtual machine restore proceeds but any storage policy association is not restored.
NOTE: Enabling this option requires vCenter version 6.7 or later.
c. For low-bandwidth environments, select Enable DDBoost Compression.
This option reduces network usage by compressing data on the protection storage system before transfer to the VM Direct Engine, which decompresses the data. Compression reduces restore times but increases CPU usage on both systems.
d. Select Restore VM Configuration if the disk configuration has changed since the original virtual machine backup to restore the configuration that existed at the time of this backup. If there were changes to the VM disk configuration, you cannot clear this option.
e. For Select a Protection Engine, move the slider to the right if you want to override the automatic protection engine selection, and then select another VM Direct Engine to use for the restore. When the restore job is started, the name of the protection engine used for the restore displays in the Jobs window Details pane.
10. The Networks page displays the network interface controllers and associated networks the virtual machine had used when it was backed up. Click Next after reviewing this information and optionally performing one or both of the following actions.
NOTE: If a network used by an adapter is no longer accessible to the current virtual machine, a warning is displayed, and
a different network should be selected for that adapter.
a. To select a different network, click the associated drop-down control in the Network column, and then select an entry from the list.
b. To change the initial power-on connection status of a network interface controller, select or clear the associated check box in the Connect at Power On column.
11. Click Next. The Summary page appears with a confirmation message indicating that the virtual machine will be powered off and that the virtual machine in the datastore will revert to the point in time of the selected backup copy before being powered back on.
12. On the Summary page, click Restore. An informational dialog box appears indicating that the restore has started.
13. Go to the Jobs window to monitor the restore. A restore job appears with a progress bar and start time.
NOTE: A full backup typically occurs automatically after a restore to the original virtual machine is completed.
Restore individual virtual disks
A Restore Individual Virtual Disks recovers individual virtual disks (VMDKs) to their original location on the vCenter server, rolling the VMDKs that you backed up with the protection policy in PowerProtect Data Manager to an earlier point in time.
Prerequisites
Review Prerequisites to virtual machine restore before you perform the following procedure.
About this task
NOTE: When you restore individual VMDKs, only the selected disks are restored. The virtual machine configuration does not
change.
Steps
1. From the PowerProtect Data Manager UI, select Restore > Assets, and then select the Virtual Machine tab.
The Restore window displays all virtual machines available for restore.
2. Select the check box next to the appropriate virtual machines and click Restore.
You can also use the filter in the Name column to search for the name of the specific virtual machine or click the File Search button to search on specific criteria.
The Restore wizard appears.
3. On the Select Copy page, for each virtual machine that is listed in the table, select the radio button next to the virtual machine and click Choose Copy. The Choose Copy dialog box appears.
NOTE: If you click Next without choosing a copy, the most recent backup copy is used.
4. If the backup is on a DD system, click DD, and then select from one of the available copies that display in the table.
5. Click OK to save the selection and exit the dialog, and then click Next.
6. On the Purpose page, select Restore Individual Virtual Disks, and then click Next.
7. On the Select Disks page, from the Backup Properties pane, select the VMDKs that you want to restore, and then click Next. Note that individual VMDKs can only be restored to the original location.
8. On the Options page:
a. For low-bandwidth environments, select Enable DDBoost Compression.
This option reduces network usage by compressing data on the protection storage system before transfer to the VM Direct Engine, which decompresses the data. Compression reduces restore times but increases CPU usage on both systems.
b. For Select a Protection Engine, move the slider to the right if you want to override the automatic protection engine selection, and then select another VM Direct Engine to use for the restore. When the restore job is started, the name of the protection engine used for the restore displays in the Jobs window Details pane.
c. Click Next.
The Summary page appears with a confirmation message indicating that the selected disk(s) will be overwritten in the current configuration with the copy from the backup.
9. On the Summary page, click Restore. An informational dialog box appears indicating that the restore has started.
10. Go to the Jobs window to monitor the restore. A restore job appears with a progress bar and start time.
Restore to a new virtual machine
A Create and Restore to New VM enables you to create a new virtual machine using a copy of the original virtual machine backup. Other than having a new name or location and a new vSphere VM Instance UUID, this copy is an exact replica of the virtual machine that you backed up with the protection policy in PowerProtect Data Manager.
Prerequisites
Review Prerequisites to virtual machine restore before you perform this procedure.
Steps
1. From the PowerProtect Data Manager UI, select Restore > Assets, and then select the Virtual Machine tab.
The Restore window displays all virtual machines available for restore.
2. Select the check box next to the appropriate virtual machines and click Restore.
You can also use the filter in the Name column to search for the name of the specific virtual machine or click the File Search button to run file-level restore workflows on specific files within virtual machines.
The Restore wizard appears.
3. On the Select Copy page, for each virtual machine that is listed in the table, select the radio button next to the virtual machine and click Choose Copy. The Choose Copy dialog box appears.
NOTE: If you click Next without choosing a copy, the most recent backup copy is used.
4. If the backup is on a DD system, click DD, and then select from one of the available copies that display in the table.
5. Click OK to save the selection and exit the dialog, and then click Next.
6. On the Purpose page, select Restore Entire VMs to restore the image-level virtual machine backup, and then click Next.
NOTE: If you specified any disk exclusions in the virtual machine protection policy, a message appears indicating that
disks were excluded from this backup. If one of the excluded disks was a boot disk, the restore might not complete
successfully.
7. On the Restore Type page, select Create and Restore to New VM, and then click Next.
8. On the VM Information page:
a. From the vCenter list, select the vCenter server for the new virtual machine restore. This list displays any vCenter server that has been added from the Assets window.
When you select a vCenter server, available data centers appear.
b. Select the destination data center.
c. Click Next.
9. On the Restore Location page:
a. Select the location within this data center that you want to restore the virtual machine by expanding the hierarchical view. For example, select a specific cluster, and then select a host within the cluster.
b. Click Next.
If you selected an ESXi host within the cluster, the Datastore page displays.
If you selected a cluster but did not select a host, the ESX Host page displays.
10. On the ESX Host page, select a host that is connected with the cluster, and then click Next.
11. On the Datastore page, select the datastore where you want to restore the virtual machine disks.
NOTE: The Total Estimated Space Needed for Recovery is displayed and updated according to the specified disk
provisioning type.
In the datastore list:
The free space in each datastore is displayed.
If a datastore is estimated to be smaller than required for recovery, it is displayed in red alongside an error icon.
Select Browse... to display the total capacity, provisioned capacity, and free capacity of all available datastore(s),
and select a datastore.
a. If you are restoring multiple virtual machines, select the Datastore and Provisioning Type to use for all virtual machines.
b. If you are restoring one virtual machine:
To restore all disks to the same location, keep Configure Per Disk disabled, and select the datastore from the datastore list in the Storage column.
To restore disks to different locations, enable Configure Per Disk, and for each disk, select a datastore from the datastore list in the Storage column. Select how to provision the disk from the provisioning types in the Disk Format column.
NOTE: If you select a datastore whose estimated free space is smaller than required for recovery, a warning is
displayed. In this case, you can select Proceed Anyways to continue, but it is recommended to create more space in
the specified datastore(s) before doing so.
c. Click Next.
12. On the Options page:
a. If restoring a single virtual machine, specify the New VM name.
b. If restoring multiple virtual machines, select whether you want to use the original virtual machine names for the virtual machine restore, or rename the virtual machines by appending a suffix to the original name.
c. For Select Access Level, keep the slider set to Yes if you want to enable instant access for this restore.
When you select this option, the virtual machine is created and turned on while temporarily accessing the VMDKs from DD storage. Storage vMotion is initiated to the target datastore. The virtual machine becomes available for use when it is turned on.
d. (Optional) For the recovery options, select Power on the virtual machine when the restore completes and Reconnect the virtual machine's NIC when the restore completes. Power on the virtual machine when the restore completes is selected by default when instant access is enabled.
e. Select Restore VM Tags to restore vCenter tags and categories associated with this backup copy. Tags are backed up by default as part of the virtual machine protection policy backup.
NOTE: You can only select this option when restoring entire virtual machines. Any existing tags and categories on
the assets in the restore location will be replaced with the tags and categories from the assets in the restored copy.
If the tags and categories being restored do not exist on the vCenter server at the time of the restore, or have been
deleted, they will be re-created as part of the restore, along with the tag description and the cardinality settings
that determine the relationship of tags within a category. If tags and categories on the vCenter server have been
renamed since the last backup, the renamed tags and categories will not be overwritten after restore. For example, if
a tag's ID is the same but the tag's name has been changed since the backup, a new tag is created based on the tag
name in the backup copy being restored.
After a successful restore, the replaced tags and categories can be viewed in the vSphere Client Tags & Custom
Attributes window, or the Tags pane of the Summary window when the virtual machine is selected.
f. Select Restore Storage Policies if you also want to restore any virtual machine disk-level or non-disk specific storage policy assignments.
If you select this option but the backup copy was taken with PowerProtect Data Manager 19.5 and earlier, or the storage policy is not available, the virtual machine restore proceeds but any storage policy association is not restored.
NOTE: Enabling this option requires vCenter version 6.7 or later.
g. For low-bandwidth environments, select Enable DDBoost Compression.
This option reduces network usage by compressing data on the protection storage system before transfer to the VM Direct Engine, which decompresses the data. Compression reduces restore times but increases CPU usage on both systems.
h. For Select a Protection Engine, move the slider to the right if you want to override the automatic protection engine selection, and then select another VM Direct Engine to use for the restore. When the restore job is started, the name of the protection engine used for the restore displays in the Jobs window Details pane.
i. Click Next.
13. The Networks page appears if the virtual machine was backed up using PowerProtect Data Manager 19.9 or later. It displays the network adaptors and associated networks the virtual machine had used when it was backed up. Click Next after reviewing this information and optionally performing one or both of the following actions.
NOTE: If a network used by an adapter is no longer accessible to the new virtual machine, a warning is displayed, and a
different network should be selected for that adapter.
a. To select a different network, click the associated drop-down control in the Network column, and then select an entry from the list.
b. To change the initial power-on connection status of a network adapter, select or clear the associated check box in the Connect at Power On column.
c. Click Next.
14. On the Summary page, verify that the information you specified in the previous steps is correct, and then click Restore.
15. Go to the Jobs window to monitor the restore.
A restore job appears with a progress bar and start time. You can also click next to the job to verify what steps have been performed, for example, when the instant access session has been created.
Direct restore to ESXi
If the virtual machine you protected with PowerProtect Data Manager was a vCenter virtual machine, but the virtual machine and vCenter server are now lost or no longer available, direct restore to ESXi enables you to recover the virtual machine directly to an ESXi host without a vCenter server.
Prerequisites
Direct Restore to ESXi requires either the embedded VM Direct Engine with PowerProtect Data Manager, or an external VM Direct appliance that is added and registered to PowerProtect Data Manager.
Additionally, ensure that you disconnect the ESXi host from the vCenter server.
Steps
1. From the PowerProtect Data Manager UI, select Restore > Assets, and then select the Virtual Machine tab.
The Restore window displays all of the virtual machines available for restore.
2. Select the check box next to the desired virtual machine and click View Copies.
NOTE: If you cannot locate the virtual machine, you can also use the filter in the Name column to search for the name
of the specific virtual machine or click the File Search button to search on specific criteria.
The Restore > Assets window provides a map view in the left pane and copy details in the right pane.
When a virtual machine is selected in the map view, the virtual machine name displays in the right pane with the copy locations underneath. When you select a specific location in the left pane to view the copies, for example, on a DD system, the copies on that system display in the right pane.
3. If the backup is on a DD system, click DD, and then select from one of the available copies that display in the table.
4. In the right pane, select the check box next to the virtual machine backup you want to restore, and then click Direct Restore to ESXi. The Direct Restore to ESXi wizard appears.
5. On the Options page:
a. (Optional) Select Reconnect the virtual machine's NIC when the restore completes, if desired. This option is selected by default.
b. For low-bandwidth environments, select Enable DDBoost Compression.
This option reduces network usage by compressing data on the protection storage system before transfer to the VM Direct Engine, which decompresses the data. Compression reduces restore times but increases CPU usage on both systems.
c. Click Next.
6. On the ESX Host Credentials page:
a. In the ESX Host field, type the IP of the ESXi server where you want to restore the virtual machine backup.
b. Specify the root Username and Password for the ESXi Server.
c. Click Next.
7. On the Datastore page, select the datastore where you want to restore the virtual machine disks, and then click Next.
To restore all of the disks to the same location, keep the Configure per disk slider to the left, and then select the datastore from the Storage list.
To restore disks to different locations, move the Configure per disk slider to the right, and then:
a. For each available disk that you want to recover, select a datastore from the Storage list.
b. Select the type of provisioning you want to apply to the disk from the Disk Format list.
8. On the Summary page:
a. Review the information to ensure that the details are correct.
b. Click Restore.
9. Go to the Jobs window to monitor the restore. A restore job appears with a progress bar and start time.
Instant Access virtual machine restore
An Instant Access VM restore enables you to create a new virtual machine directly from the original virtual machine backup on protection storage for the purposes of instant backup validation and recovery of individual files. The instant access virtual machine is initially available for 7 days. This process does not copy or move any data from protection storage to the production datastore. An instant access virtual machine restore also provides the option to move the virtual machine to a production datastore when you want to retain access to the virtual machine for a longer time.
Prerequisites
If your environment has multiple isolated virtual networks, create a dedicated VMkernel port on the data network for the destination ESXi host. Create a VMkernel port for a standard vSwitch configuration and Create a VMkernel port for a distributed vSwitch configuration provide instructions. The PowerProtect Data Manager Administration and User Guide provides more information about virtual networks.
Steps
1. From the PowerProtect Data Manager UI, select Restore > Assets, and then select the Virtual Machine tab.
The Restore window displays all virtual machines available for restore.
2. Select the check box next to the appropriate virtual machines and click Restore.
You can also use the filter in the Name column to search for the name of the specific virtual machine, or click the File Search button to search on specific criteria.
The Restore wizard appears.
3. On the Select Copy page, for each virtual machine that is listed in the table, select the radio button next to the virtual machine and click Choose Copy. The Choose Copy dialog box appears.
NOTE: If you click Next without choosing a copy, the most recent backup copy is used.
4. If the backup is on a DD system, click DD, and then select from one of the available copies that display in the table.
5. Click OK to save the selection and exit the dialog, and then click Next.
6. On the Purpose page: Select Restore Entire VMs to restore the image-level virtual machine backup, and then click Next.
NOTE: If you specified any disk exclusions in the virtual machine protection policy, a message appears indicating that
disks were excluded from this backup. If one of the excluded disks was a boot disk, the restore might not complete
successfully.
7. On the Restore Type page, select Instant Access VM, and then click Next.
8. On the VM Information page:
a. From the vCenter list, select the vCenter server for the instant access virtual machine restore. You can select the vCenter server of the original virtual machine backup, or another vCenter server. This list displays any vCenter server that has been added from the Assets window.
When you select a vCenter server, available data centers appear.
b. Select the destination data center.
c. Click Next.
9. On the Restore Location page, select the location within this data center that you want to restore the virtual machine by expanding the hierarchical view. For example, select a specific cluster, and then select a host within the cluster. If you selected an ESXi host within the cluster, the Networks or Options page displays.
If you selected a cluster but did not select a host, the ESX Host page displays.
10. On the ESX Host page, select a host that is connected with the cluster, and then click Next.
11. On the Options page:
a. If restoring a single virtual machine, specify the Instant Access VM name.
b. If restoring multiple virtual machines, select whether you want to use the original virtual machine names for the instant access virtual machine restore, or rename the instant access virtual machines by appending a suffix to the original name.
c. Optionally, select Power on the virtual machine when the restore completes and Reconnect the virtual machine's NIC when the restore completes. Power on the virtual machine when the restore completes is selected by default for instant access virtual machine restores.
d. Select the Restore VM Tags check box to restore vCenter tags and categories associated with this backup copy.
NOTE: You can only select this option when restoring entire virtual machines. Any existing tags and categories
on the assets in the restore location will be replaced with the tags and categories from the restored copy. If the
tags and categories being restored do not exist on the vCenter server at the time of the restore, or have been
deleted, they will be re-created as part of the restore, along with the tag description and the cardinality settings
that determine the relationship of tags within a category. If tags and categories on the vCenter server have been
renamed since the last backup, the renamed tags and categories will not be overwritten after restore. For example, if
a tag's ID is the same but the tag's name has been changed since the backup, a new tag is created based on the tag
name in the backup copy being restored.
After a successful restore, the replaced tags and categories can be viewed in the vSphere Client Tags & Custom
Attributes window, or the Tags pane of the Summary window when the virtual machine is selected.
e. For low-bandwidth environments, select Enable DDBoost Compression.
This option reduces network usage by compressing data on the protection storage system before transfer to the VM Direct Engine, which decompresses the data. Compression reduces restore times but increases CPU usage on both systems.
f. For Select a Protection Engine, move the slider to the right if you want to override the automatic protection engine selection, and then select another VM Direct Engine to use for the restore. When the restore job is started, the name of the protection engine used for the restore displays in the Jobs window Details pane.
g. Click Next.
12. The Networks page appears if the virtual machine was backed up using PowerProtect Data Manager 19.9 or later. It displays the network adaptors and associated networks the virtual machine had used when it was backed up. Click Next after reviewing this information and optionally performing one or both of the following actions.
NOTE: If a network used by an adapter is no longer accessible to the new virtual machine, a warning is displayed, and a
different network should be selected for that adapter.
a. To select a different network, click the associated drop-down control in the Network column, and then select an entry from the list.
b. To change the initial power-on connection status of a network adapter, select or clear the associated check box in the Connect at Power On column.
c. Click Next.
13. On the Summary page, verify that the information you specified in the previous steps is correct, and then click Restore. A confirmation message displays indicating that the restore has been initiated and providing the option to go to the Jobs window to monitor the restore progress.
14. Go to the Jobs window to view the entry for the instant access virtual machine recovery and verify when the recovery
completes successfully. You can also click next to the job to verify what steps have been performed, for example, when the instant access session has been created.
Results
To monitor and manage the instant access virtual machine recovery, select Restore > Running Sessions, and then click the Instant Access tab. From this window, you can also extend the instant access virtual machine session beyond the default period of 7 days.
NOTE: On a single-node protection storage system such as a DD system, instant access/restore functionality has been
enhanced to return a failure message when overwhelmed with traffic. For example, if on the target node or the ESXi host
there are Live VM and/or Instant Restore sessions that are in conflict, instant access/restore jobs will fail with a message
indicating a resource contention issue. If this occurs, you need to clear the conflicts and then restart the session in order for
the job to execute.
Manage and monitor Instant Access sessions
In the PowerProtect Data Manager UI, the Instant Access tab of the Restore > Running Sessions window enables you to monitor vMotion events, and to manage the status of a virtual machine restore to new or instant access virtual machine restore. For example, you can extend the availability period or delete an instant access virtual machine.
NOTE: The Instant Access Sessions that are used by a SQL application-aware self-service restore are displayed in the
PowerProtect Data Manager UI, but management is disabled. Use the SQL application-aware self-service restore UI to
manage these sessions.
When the Jobs window indicates that a recovery has completed successfully, go to Restore > Running Sessions > Instant Access to access information about the sessions. This window enables you to monitor and manage all exported copies that you have created from protection storage. An active restore session with a state of Mounting indicates that the restore is still in progress. Once the state changes to Mounted, the restore is complete and the instant access virtual machine is ready. When you select the session in the table, you can choose from three options:
Extend: Click to extend the number of days the instant access virtual machine restore is available. The default retention period of an instant access virtual machine restore is 7 days.
Migrate: Click to open the Migrate Storage vMotion wizard, which enables you to move the instant access virtual machine to a protection datastore. Migrate an instant access session provides instructions.
Delete: Click if you no longer require the active restore session. Note that you can also vMotion from inside the vCenter server, and PowerProtect Data Manager removes the Instant Access Session after detection.
For instant access virtual machine restores, availability of the instant access virtual machine session is also indicated in the vSphere Client. The session appears in the Recent Tasks pane, and you can expand the cluster and select the instant access virtual machine to view summary information, as shown in the following figure.
Figure 3. instant access virtual machine restore in the vSphere Client
Migrate an Instant Access session
Once you validate that the instant access virtual machine is the virtual machine that you require for production, click Migrate to open the Migrate Storage vMotion wizard, which enables you to select the session and move the virtual machine to a production datastore.
Steps
1. From the PowerProtect Data Manager UI, select Restore > Running Sessions, and then click the Instant Access tab.
2. Select a session from the table that is in Mounted state, and click Migrate. The Migrate Storage vMotion wizard displays.
3. On the Disk Files Datastore page, select the datastore where you want to relocate the instant access virtual machine, and then click Next.
To migrate all VMDKs to the same datastore, keep the Configure per disk slider to the left, and then select the datastore from the Storage list.
To migrate VMDKs to separate datastores, move the Configure per disk slider to the right, and then:
a. Select a datastore for each disk from the Storage list.
b. Select the type of provisioning you want to apply to the disk from the Disk Format list.
4. On the Summary page, review the information to ensure that the details are correct, and then click Migrate.
5. Go to the Jobs window or the Instant Access window to view the progress of the migration.
In the Jobs window, the migration job appears with a progress bar and start time. You can also click next to the job to verify what steps have been performed. In the Instant Access window, you can monitor the vMotion status of the migration. When a vMotion is in progress, the status indicates VMotioning. Once the storage vMotion for the session is complete, the status of the session changes to Deleting as the session is being removed from the Instant Access window.
File-level restores
You can use PowerProtect Data Manager to perform restore operations at the file level.
The VM Direct agent facilitates the mounting and unmounting of disks and the browsing of files in the destination virtual machine and the backup copy. The agent is installed automatically during a file-level restore, but you can choose to manually install it before performing a file-level restore. Manually installing the agent allows the user account performing the file-level restore to have different permissions from the user account installing the agent.
NOTE: In some installation paths, application messages, and log files, the VM Direct agent is named the vProxy Agent.
There are two methods of restoring individual virtual machine files within the PowerProtect Data Manager UI:
Using the File Level Restore wizard
Using the File Search functionality
Manually install the VM Direct agent on Linux
You can manually install the VM Direct agent.
Prerequisites
The destination virtual machine is a supported Linux platform. To determine which Linux platforms are supported, see the compatibility information provided by the E-Lab Navigator.
When logging in to the destination virtual machine in the following steps, log in as a root user or a user in the local sudousers list of the operating system.
NOTE: Even if you log in as a user with privileges similar to a root user, the VM Direct agent installation fails.
If you log in to the destination virtual machine in the following steps as a user in the local sudousers list of the operating system, ensure you have already completed the following steps on the destination virtual machine:
1. Provide sudo access to the following files at a minimum:
RPM command (SLES, Red Hat Enterprise Linux, CentOS) and dpkg command (Debian/Ubuntu)
/opt/emc/vproxyra/bin/postinstall.sh
/opt/emc/vproxyra/bin/preremove.sh
Note the following additional requirements:
The sudo user or group must be configured for no password prompt.
The sudo user or group must be provided with the no requiretty option.
When user elevation is enabled for file-level restore:
To browse files, you must have the appropriate authority in the destination virtual machine operating system. For example, you must be permitted to run vflrbrowse using sudo without being prompted for a password.
To perform the restore, the user account must have the appropriate authority. For example, this account requires sudo access and must be able to run vflrcopy without being prompted for a password.
NOTE: If the Run with Elevated Privileges file-level restore is unsuccessful, an error displays indicating Unable to perform FLR Agent operation 'recover_files' on VM virtual machine name. This might occur when a typographical error has been made in the sudo commands. To determine if this has occurred, review the log file output for the following text:
sudo: a password is required
/etc/sudoers.d/admin: syntax error near line 1
sudo: no valid sudoers sources found, quitting
It is recommended that you test the sudo command before performing a file-level restore in order to resolve any potential errors.
2. Create the file /etc/sudoers.d/linuxuser, where linuxuser is the Linux login user, and then add the following contents to the file.
On CentOS, OpenSuSE Leap, Oracle Linux, Red Hat Enterprise Linux, and SuSE Linux Enterprise Server operating systems:
username ALL=NOPASSWD: /usr/bin/rpm, /opt/emc/vproxyra/bin/postinstall.sh, /opt/emc/vproxyra/bin/preremove.sh, /opt/emc/vproxyra/bin/vflrbrowse, /opt/emc/vproxyra/bin/vflrcopy
Defaults:username !requiretty
Defaults:username !authenticate
NOTE: On SuSE 12, the location is /bin/rpm instead of /usr/bin/rpm.
On Debian and Ubuntu Server operating systems:
username ALL=NOPASSWD: /usr/bin/dpkg, /opt/emc/vproxyra/bin/postinstall.sh, /opt/emc/vproxyra/bin/preremove.sh, /opt/emc/vproxyra/bin/vflrbrowse, /opt/emc/vproxyra/bin/vflrcopy
Defaults:username !requiretty
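To test the sudo configuration before a file-level restore, as the NOTE above recommends, the following added example (not part of the Dell guide or product) lints a drop-in against the command list shown above and matches the three log strings the NOTE lists. The account name resuser, the sample file contents, and all function names are constructed for illustration; run visudo -cf on the real file for a full syntax check.

```python
import re

# Command list from the guide's drop-in; the package tool path is passed in
# because it differs (/usr/bin/rpm, /bin/rpm on SuSE 12, /usr/bin/dpkg).
AGENT_BIN = "/opt/emc/vproxyra/bin/"
AGENT_CMDS = [AGENT_BIN + n for n in
              ("postinstall.sh", "preremove.sh", "vflrbrowse", "vflrcopy")]

# Log strings the guide says to look for after a failed elevated restore.
SUDO_FAILURE_MARKERS = (
    "sudo: a password is required",
    "syntax error near line",
    "sudo: no valid sudoers sources found, quitting",
)

TAG = re.compile(r"^([A-Z_]+):\s*")


def parse_dropin(text, user):
    """Return (grants, defaults) for `user`.

    grants maps each command entry to True when it is tagged NOPASSWD;
    defaults is the set of Defaults flags that apply to the user.
    """
    grants, defaults = {}, set()
    text = re.sub(r"\\\r?\n", "", text)          # join backslash-continued lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^Defaults(?::(\S+))?\s+(.+)$", line)
        if m:
            if m.group(1) in (None, user):       # global or per-user Defaults
                defaults.update(f.strip() for f in m.group(2).split(","))
            continue
        m = re.match(r"^(\S+)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?(.+)$", line)
        if not m or m.group(1) != user:
            continue
        nopasswd = False                         # a tag carries over to later entries
        for item in m.group(2).split(","):
            item = item.strip()
            tag = TAG.match(item)
            while tag:
                if tag.group(1) == "NOPASSWD":
                    nopasswd = True
                elif tag.group(1) == "PASSWD":
                    nopasswd = False
                item = item[tag.end():]
                tag = TAG.match(item)
            if item:
                grants[item] = nopasswd
    return grants, defaults


def lint_dropin(text, user, pkg_cmd="/usr/bin/rpm"):
    """Compare a drop-in with the guide's list; return findings (empty list = OK)."""
    grants, defaults = parse_dropin(text, user)
    required = [pkg_cmd] + AGENT_CMDS
    findings = []
    for entry in grants:
        if entry == "ALL":
            findings.append("grants ALL commands, broader than the guide's list")
        elif re.search(r"\s", entry):
            # sudoers reads text after the first space as command arguments, so a
            # path split by a line wrap no longer names the intended binary.
            findings.append(f"whitespace inside entry {entry!r}: path split by a line wrap?")
        elif not entry.startswith("/"):
            findings.append(f"entry {entry!r} is not an absolute path")
        elif entry not in required:
            findings.append(f"extra command {entry} beyond the guide's minimum list")
    no_prompt = "!authenticate" in defaults
    for cmd in required:
        if cmd not in grants and "ALL" not in grants:
            findings.append(f"missing {cmd}")
        elif not (no_prompt or grants.get(cmd, grants.get("ALL"))):
            findings.append(f"{cmd} still prompts for a password")
    if "!requiretty" not in defaults:
        findings.append(f"no 'Defaults:{user} !requiretty' line")
    return findings


def sudo_failures(log_lines):
    """Return the guide's failure markers that occur in the given log lines."""
    return [m for m in SUDO_FAILURE_MARKERS if any(m in l for l in log_lines)]


# Constructed sample: RPM-family drop-in for a hypothetical account "resuser".
GOOD_RPM = (
    "resuser ALL=NOPASSWD: /usr/bin/rpm, /opt/emc/vproxyra/bin/postinstall.sh, "
    "/opt/emc/vproxyra/bin/preremove.sh, /opt/emc/vproxyra/bin/vflrbrowse, "
    "/opt/emc/vproxyra/bin/vflrcopy\n"
    "Defaults:resuser !requiretty\n"
    "Defaults:resuser !authenticate\n"
)
# Constructed sample: the same file after two paths picked up a space from a wrapped line.
WRAPPED = (GOOD_RPM.replace("/opt/emc/vproxyra/bin/preremove", "/opt/emc/ vproxyra/bin/preremove")
                   .replace("bin/vflrcopy", "bin/ vflrcopy"))

if __name__ == "__main__":
    for finding in lint_dropin(WRAPPED, "resuser"):
        print(finding)
```

Passwordless rpm or dpkg lets the account install any package as root, so keep the drop-in limited to the dedicated restore account and the commands listed.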
About this task
To manually install the VM Direct agent, perform the following steps.
Steps
1. Connect to the PowerProtect Data Manager console and change to the root user.
2. Run the command cd /opt/emc/sw-repo/vflragent/linux.
3. Run the following command:
scp
If the destination virtual machine operating system is CentOS, OpenSuSE Leap, Oracle Linux, RedHat Enterprise Linux, or SuSE Linux Enterprise Server, replace
If the destination virtual machine operating system is Debian or Ubuntu Server, replace
Replace
Replace
Replace with a directory path on the destination virtual machine to which the VM Direct agent installer package should be copied.
NOTE: If you are installing the VM Direct agent as a non-root user, ensure the non-root user has read and execute
permissions to files in this directory path.
4. Log in to a shell prompt of the destination virtual machine.
5. Change directories to the location of the file copied in step 3.
6. If the destination virtual machine operating system is CentOS, OpenSuSE Leap, Oracle Linux, RedHat Enterprise Linux, or SuSE Linux Enterprise Server, run the following command:
rpm -ivh
Replace
7. If the destination virtual machine operating system is Debian or Ubuntu Server, run the following command:
dpkg -i
Replace
8. Run the command /opt/emc/vproxyra/bin/postinstall.sh.
Results
You can now perform file-level restore operations as a non-root user.
Manually install the VM Direct agent on Windows
You can manually install the VM Direct agent.
Prerequisites
The destination virtual machine is a supported Windows platform. To determine which Windows platforms are supported, see the compatibility information provided by the E-Lab Navigator.
When logging in to the destination virtual machine in the following steps, log in as a user with administrator rights. If you need to enable the administrator account, perform the following steps:
1. Open a command prompt in administrative mode, and then type net user administrator /active:yes.
2. To set a password for the administrator account, go to Control Panel > User Accounts and select the Advanced tab. Initially, the account password is blank.
3. In the User Accounts pane, right-click the user, select Properties, and then clear the Account is disabled option.
About this task
To manually install the VM Direct agent, perform the following steps.
Steps
1. Connect to the PowerProtect Data Manager console and change to the root user.
2. Run the command cd /opt/emc/sw-repo/vflragent/windows.
3. Copy emc-vProxy-FLRAgent-ppdm-version_1.x86_64.msi to the destination virtual machine.
4. Log in to the destination virtual machine.
5. Install the VM Direct agent by double-clicking emc-vProxy-FLRAgent-ppdm-version_1.x86_64.msi. The Programs and Features Control Panel tool displays Dell vProxy Agent as installed.
Results
You can now perform file-level restore operations as a user without administrator rights.
File-level restore to the original virtual machine
A file-level restore to the original virtual machine enables you to recover individual files from backups of virtual machines or VMDKs performed in PowerProtect Data Manager to the same or a new location on the original vCenter server. Only the Administrator and the Restore Administrator roles can restore data.
Prerequisites
Review the section Supported platform versions for file-level restore for supported platform and operating system versions.
In order to complete the VM Direct agent installation, the user must be an administrator account on Windows virtual machines, or a root user account or a user in the operating system's local sudousers list on Linux virtual machines.
If your environment has multiple isolated virtual networks, create a dedicated VMkernel port on the data network for the destination ESXi host. Create a VMkernel port for a standard vSwitch configuration and Create a VMkernel port for a distributed vSwitch configuration provide instructions. The PowerProtect Data Manager Administration and User Guide provides more information about virtual networks.
NOTE: For file-level restores, you can only restore files from a Windows backup to a Windows virtual machine, or from a
Linux backup to a Linux virtual machine.
Steps
1. From the PowerProtect Data Manager UI, select Restore > Assets, and then select the Virtual Machine tab.
The Restore window displays all the virtual machines available for restore.
2. Select the check box next to the virtual machine that you want to recover from, and then click View Copies.
You can also use the filter in the Name column to search for a specific virtual machine name.
NOTE: If the Search cluster is enabled, you can click the File Search button to search on specific criteria. The File
Search button is used for virtual machine file-level restore when restoring files from multiple copies across one or more
virtual machines. See File-level restore to the original virtual machine for more information.
The Restore > Assets window provides a map view in the left pane and copy details in the right pane.
When a virtual machine is selected in the map view, the virtual machine name displays in the right pane with the copy locations underneath. When you select a location in the left pane, for example, a DD system, the copies on that system display in the right pane.
3. If the backup is on a DD system, click DD, and then select from one of the available copies that display in the table.
4. In the right pane, select the check box next to the virtual machine backup you want to restore, and then click File Level Restore. The File Level Recover wizard appears.
5. On the Restore Type page, select Restore to Original Virtual Machine, and then click Next.
6. On the Mount Copy page:
a. To initiate the disk mount, type the guest operating system user credentials:
If there are administrator-level credentials associated with the virtual assets or protection policy being restored, specify end-user credentials.
If there are no administrator-level credentials associated with the virtual assets or protection policy being restored, specify administrator credentials. These credentials will be handled as end-user credentials.
b. (Optional) Leave Keep FLR Agent Installed selected to keep the VM Direct agent on the destination virtual machine after the restore completes.
c. (Optional) If you are logged in as a user without administrator rights or root permissions to the destination virtual machine, select Run with Elevated Privileges to override any authentication or elevation prompts that appear when restoring to folders. To enable this option, the VM Direct agent must already be installed.
d. Click Start Mount to initiate the disk mount. A progress bar indicates when the mount completes.
NOTE: You cannot browse the contents of the virtual machine backup until the disk mount completes successfully.
When validated, the VM Direct agent is installed automatically on the restore destination, if it is not already installed.
e. After a successful disk mount, click Next.
7. On the Select Files to Recover page:
a. Expand individual folders to browse the original virtual machine backup, and select the objects that you want to restore to the destination virtual machine.
b. Click Next.
NOTE: When you browse for objects to recover on this page, each directory or hard drive appears twice. As a result,
when you select an object from one location, the object is selected in the duplicate location as well.
8. On the Options page, select from one of the following options, and then click Next.
Restore to Original Folder and Overwrite Original Files: Select this option to restore all selected files to their original location on the original virtual machine.
Restore to an Alternate Folder: Select this option if you want to restore to a new folder in a new location on the original virtual machine.
NOTE: If you are performing the restore to a Linux virtual machine when logged in as a user in the local sudousers list and Run with Elevated Privileges is selected, the new folder is owned by the root user. Ensure the user you are logged in as has permissions to the directory. Otherwise, the restored files cannot be viewed.
9. On the Summary page:
a. Review the information to ensure that the restore details are correct. You can click Edit next to any row to change the information.
b. Click Restore.
10. Go to the Jobs window to monitor the restore. A restore job appears with a start time and progress bar.
File-level restore to alternate virtual machine
A file-level restore to alternate virtual machine enables you to recover individual files from backups of virtual machines or VMDKs performed in PowerProtect Data Manager to a new location on a new virtual machine. This restore can be performed to a primary or secondary vCenter server. Only the Administrator and the Restore Administrator roles can restore data.
Prerequisites
Review the section Supported platform versions for file-level restore for supported platform and operating system versions.
In order to complete the VM Direct agent installation, the user must be an administrator account on Windows virtual machines, or a root user account or a user in the operating system's local sudousers list on Linux virtual machines.
If your environment has multiple isolated virtual networks, create a dedicated VMkernel port on the data network for the destination ESXi host. Create a VMkernel port for a standard vSwitch configuration and Create a VMkernel port for a distributed vSwitch configuration provide instructions. The PowerProtect Data Manager Administration and User Guide provides more information about virtual networks.
NOTE: For file-level restores, you can only restore files from a Windows backup to a Windows virtual machine, or from a
Linux backup to a Linux virtual machine.
Steps
1. From the PowerProtect Data Manager UI, select Restore > Assets, and then select the Virtual Machine tab.
The Restore window displays all the virtual machines available for restore.
2. Select the check box next to the virtual machine that you want to recover from, and then click View Copies.
You can also use the filter in the Name column to search for a specific virtual machine name.
NOTE: If the Search cluster is enabled, you can click the File Search button to search on specific criteria. The File Search button is used for virtual machine file-level restore when restoring files from multiple copies across one or more virtual machines. See File-level restore to alternate virtual machine using File Search for more information.
The Restore > Assets window provides a map view in the left pane and copy details in the right pane.
When a virtual machine is selected in the map view, the virtual machine name displays in the right pane with the copy locations underneath. When you select a location in the left pane, for example, a DD system, the copies on that system display in the right pane.
3. If the backup is on a DD system, click DD, and then select from one of the available copies that display in the table.
4. In the right pane, select the check box next to the virtual machine backup you want to restore, and then click File Level Restore. The File Level Recover wizard appears.
5. On the Restore Type page, select Restore to Alternate Virtual Machine, and then click Next.
6. On the Select Target VM page, choose from one of the following options:
Search for a target virtual machine by typing the name.
Browse from the available vCenter servers to locate the destination virtual machine.
7. On the Mount Copy page:
a. To initiate the disk mount, type the guest operating system user credentials:
If there are administrator-level credentials associated with the virtual assets or protection policy being restored, specify end-user credentials.
If there are no administrator-level credentials associated with the virtual assets or protection policy being restored, specify administrator credentials. These credentials will be handled as end-user credentials.
b. (Optional) Leave Keep FLR Agent Installed selected to keep the VM Direct agent on the destination virtual machine after the restore completes.
c. (Optional) If you are logged in as a user without administrator rights or root permissions to the destination virtual machine, select Run with Elevated Privileges to override any authentication or elevation prompts that appear when restoring to folders. To enable this option, the VM Direct agent must already be installed.
d. Click Start Mount to initiate the disk mount. A progress bar indicates when the mount completes.
NOTE: You cannot browse the contents of the virtual machine backup until the disk mount completes successfully.
When validated, the VM Direct agent is installed automatically on the restore destination, if it is not already installed.
e. After a successful disk mount, click Next.
8. On the Select Files to Recover page:
a. Expand individual folders to browse the original virtual machine backup, and select the objects that you want to restore to the destination virtual machine.
b. Click Next.
NOTE: When you browse for objects to recover on this page, each directory or hard drive appears twice. As a result,
when you select an object from one location, the object is selected in the duplicate location as well.
9. On the Restore Location page, perform one of the following actions to choose where to restore the files, and then click Next.
Browse the folder structure of the destination virtual machine to select a folder.
Create a new folder.
NOTE: If you are performing the restore to a Linux virtual machine when logged in as a user in the local sudousers list and Run with Elevated Privileges is selected, the new folder is owned by the root user. Ensure the user you
are logged in as has permissions to the directory. Otherwise, the restored files cannot be viewed.
10. On the Summary page:
a. Review the information to ensure that the restore details are correct. You can click Edit next to any row to change the information. If you are not restoring to the original virtual machine, an additional field appears for the Target VM.
b. Click Restore.
11. Go to the Jobs window to monitor the restore. A restore job appears with a start time and progress bar.
Virtual machine file-level restore from a search
Within the Restore window of the PowerProtect Data Manager UI, File Search enables you to restore files from protected virtual machine backup copies to:
The original virtual machine
An alternate virtual machine
NOTE: Only file-level virtual machine restore is available from File Search.
File-level restore to original virtual machine using File Search
Use File Search in the PowerProtect Data Manager UI to restore files from multiple copies across one or more virtual machines to the same location on the original vCenter server. Only the Administrator and the Restore Administrator roles can restore data.
Prerequisites
Review the section Supported platform versions for file-level restore for supported platform and operating system versions.
If your environment has multiple isolated virtual networks, create a dedicated VMkernel port on the data network for the destination ESXi host. Create a VMkernel port for a standard vSwitch configuration and Create a VMkernel port for a distributed vSwitch configuration provide instructions. The PowerProtect Data Manager Administration and User Guide provides more information about virtual networks.
NOTE: For file-level restores to the original machine:
The files must be restored from a Windows backup to a Windows virtual machine, or from a Linux backup to a Linux
virtual machine.
Restoring files from multiple copies with identical file names and paths from the same asset is not supported. In this
case, only a file-level restore to the alternate virtual machine is available.
Steps
1. From the PowerProtect Data Manager UI, select Restore > Assets, and then select the Virtual Machine tab.
The Restore window displays all the virtual machines available for restore.
2. Click File Search, and then perform the following:
a. Select a virtual machine from the VM Name list.
b. Use the File Name and File Type fields to search for specific files, or specify a file size or folder path to perform the search. The files that match the search criteria display in the Results pane.
c. In the Results pane, select the files that you want to restore, and then click Add.
The Results pane is collapsed, and the Selected Files pane updates to display the current file selections.
d. Repeat steps b through d to select files from other virtual machines and copies. When finished with your selections, click Restore.
The VM File Restore wizard appears, displaying the Location page.
3. On the Location page:
a. Select Restore to Original Location.
b. (Optional) Select Overwrite existing files with the same name to replace files in the original location with the files being restored if the files have the same name.
c. If you selected files from multiple virtual machines, and these virtual machines share the same credentials, move the Use one set of credentials for all VMs slider to the right to avoid retyping the credentials for each virtual machine.
d. For one or more virtual machines, type the virtual machine User Name and Password, and then click Verify to validate the credentials.
If there are administrator-level credentials that are associated with the virtual assets or protection policy being restored, specify end-user credentials.
If there are no administrator-level credentials that are associated with the virtual assets or protection policy being restored, specify administrator credentials. These credentials are handled as end-user credentials.
You are not required to wait for validation to complete before clicking Verify for another set of virtual machine credentials.
When validated, if the VM Direct agent is not already installed, it is installed automatically on the restore destination. The VM Direct agent facilitates the mounting and unmounting of disks and the browsing of files in the destination virtual machine and the backup copy. In order to complete the automatic VM Direct agent installation, on Windows virtual machines the user must be an administrator account, and on Linux virtual machines the user must be the root user account, or a user in the operating system's local sudousers list.
e. (Optional) Leave Keep FLR Agent Installed selected to keep the VM Direct agent on the destination virtual machines after the restore completes.
f. (Optional) If you are logged in as a user without administrator rights or root permissions to the destination virtual machine, select Run with Elevated Privileges to override any authentication or elevation prompts that appear when restoring to folders. To enable this option, the VM Direct agent must already be installed.
g. Click Next.
The Summary page appears.
4. On the Summary page:
a. Review the information to ensure that the restore details are correct. You can click Edit next to certain rows to change the information.
b. Click Restore or Finish.
5. Go to the Jobs window to monitor the restore. A batch file-level restore job with multiple files appears as a job group, with a progress bar and start time. A separate job entry is created for each copy that is being restored from.
File-level restore to alternate virtual machine using File Search
Use File Search in the PowerProtect Data Manager UI to restore files from multiple copies across one or more virtual machines to a new location on a new virtual machine. The files can be restored to the primary vCenter server or a secondary vCenter server. Only the Administrator and the Restore Administrator roles can restore data.
Prerequisites
Review the section Supported platform versions for file-level restore for supported platform and operating system versions.
If your environment has multiple isolated virtual networks, create a dedicated VMkernel port on the data network for the destination ESXi host. Create a VMkernel port for a standard vSwitch configuration and Create a VMkernel port for a distributed vSwitch configuration provide instructions. The PowerProtect Data Manager Administration and User Guide provides more information about virtual networks.
NOTE: For file-level restores to an alternate virtual machine:
You can only restore files from a Windows backup to a Windows virtual machine, or from a Linux backup to a Linux
virtual machine.
Restore of multiple files from different operating systems to the same target virtual machine is not supported. In this
case, only a file-level restore to the original virtual machine is available.
Steps
1. From the PowerProtect Data Manager UI, select Restore > Assets, and then select the Virtual Machine tab.
The Restore window displays all the virtual machines available for restore.
2. Click File Search, and then perform the following:
a. Select a vCenter server from the vCenter Name list.
b. Select a virtual machine from the VM Name list.
c. Use the File Name and File Type fields to search for specific files, or specify a file size or folder path to perform the search. The files that match the search criteria display in the Results pane.
d. In the Results pane, select the files that you want to restore, and then click Add. The Results pane is collapsed, and the Selected Files pane updates to display the current file selections.
e. Repeat steps b through d to select files from other virtual machines and copies. When finished with your selections, click Restore. The VM File Restore wizard appears, displaying the Location page.
3. On the Location page:
a. Select Restore to Alternate Location. The table on the page updates to display the available destination virtual machines within the vCenter server and the location of any selected virtual machine.
b. Expand the vCenter server to locate the virtual machine that you want to restore to, and then select the virtual machine. A prompt appears, requesting the credentials of this virtual machine.
c. Type the virtual machine User Name and Password, and then click Verify to validate the credentials. When validated, if the VM Direct agent is not already installed, it is installed automatically on the restore destination. The VM Direct agent facilitates the mounting and unmounting of disks and the browsing of files in the destination virtual machine and the backup copy. In order to complete the automatic VM Direct agent installation, on Windows virtual machines the user must be an administrator account, and on Linux virtual machines the user must be the root user account, or a user in the operating system's local sudousers list.
d. (Optional) Leave Keep FLR Agent Installed selected to keep the VM Direct agent on the destination virtual machines after the restore completes.
e. (Optional) If you are logged in as a user without administrator rights or root permissions to the destination virtual machine, select Run with Elevated Privileges to override any authentication or elevation prompts that appear when restoring to folders. To enable this option, the VM Direct agent must already be installed.
f. When validation completes, click Close to return to the Location page. The Location page updates with the available destination folders on the selected virtual machine.
g. Browse to the destination folder, or select a location and click Add Folder to create a destination within this folder.
NOTE: If you are performing the restore to a new folder on a Linux virtual machine when logged in as a user in
the local sudousers list and Run with Elevated Privileges is selected, the new folder is owned by the root
user. Ensure the user you are logged in as has permissions to the directory. Otherwise, the restored files cannot be
viewed.
h. Optionally, select Overwrite existing files with the same name to replace files in the destination folder with the files being restored if the files have the same name.
i. Click Next.
The Summary page appears.
4. On the Summary page:
a. Review the information to ensure that the restore details are correct. You can click Edit next to certain rows to change the information. If you are not restoring to the original virtual machine, an additional field appears for the Target VM.
b. Click Restore or Finish.
5. Go to the Jobs window to monitor the restore. A batch file-level restore job with multiple files appears as a job group, with a progress bar and start time. A separate job entry is created for each copy that is being restored from.
Restore an application-aware virtual machine backup
When virtual machine applications are protected within a protection policy in PowerProtect Data Manager, you can recover the application data using the Microsoft application agent, or perform a centralized restore within the PowerProtect Data Manager UI.
The PowerProtect Data Manager Microsoft SQL Server User Guide provides instructions on how to restore an application-aware virtual machine using the VM Direct SQL Server Management Studio (SSMS) plug-in.
Protecting Virtual Machines Using the Transparent Snapshot Data Mover
Topics:
Overview of transparent snapshots for virtual machine protection
vSphere Installation Bundle monitoring and management
Transparent snapshot data mover system requirements
Prerequisites to virtual machine protection with the Transparent Snapshot Data Mover
Virtual machine transparent snapshot unsupported features and limitations
Transparent Snapshot Performance and Scalability

Overview of transparent snapshots for virtual machine protection
The transparent snapshot data mover (TSDM) is a new protection mechanism in PowerProtect Data Manager 19.9 and later designed to replace the VMware vStorage API for Data Protection (VADP) protection mechanism for crash-consistent virtual machine protection.
The advantages of using the TSDM protection mechanism for virtual machine data protection include the following:
Eliminates the latency and performance impact on the production virtual machine during the protection policy life cycle.
Reduces the CPU, storage, and memory consumption required for backups. After the initial full backup, only incremental backups using the immediate previous snapshot will be performed.
An external VM Direct Engine is not required. The VM Direct Engine embedded with PowerProtect Data Manager is sufficient.
Automatic scaling.

vSphere Installation Bundle monitoring and management
The vSphere Installation Bundle (VIB) is a software package that is bundled with the PowerProtect Data Manager OVA and update package. The VIB is installed automatically on a vSphere ESXi 7.0 U3c and later host during the PowerProtect Data Manager deployment or update, and is required to enable the transparent snapshot data mover (TSDM) for virtual machines.
Prerequisites to VIB installation and update
The VIB package will be installed or updated provided that the following requirements are met:
The PowerProtect Data Manager version is 19.9 or later.
The hosting ESXi Server is version 7.0 U3c or later.
The managing vCenter Server is version 7.0 U3c or later.
*The installation can be performed on all eligible hosts of the cluster and all hosts added to the cluster.
VIB management is enabled on the vCenter server asset source. The section Transparent Snapshot Data Mover protection mechanism provides more information.
During the VIB installation:
A VIB file (approximately 4 MB) is uploaded to the ESXi datastore.
An entry for the job Performing Host Configuration (vib_install) appears in the PowerProtect Data Manager UI.
Information for the vCenter and ESXi host is detected to verify that the supported versions are installed.
You can use the Transparent Snapshot Data Movers tab in the Protection Engines window of the PowerProtect Data Manager UI to monitor and manage the installation of the VIB. This window provides a vCenter hierarchy view which is based on the asset sources that are enabled in PowerProtect Data Manager. If an ESXi host is not eligible or available for the VIB installation, the status displays as Not Eligible in the Protection Engines window. Transparent Snapshot Data Mover protection mechanism provides more information.
NOTE: The VIB cannot be deployed until virtual machine assets from an ESXi cluster are added to a protection policy. It is
recommended that you perform an installation pre-check before the backup of any TSDM-enabled protection policies.
During the creation of a crash-consistent virtual machine protection policy, the VIB is deployed automatically on the vSphere cluster being protected. If all requirements are met, TSDM is used as the default protection mechanism instead of VADP. If crash-consistent policies that were created in PowerProtect Data Manager 19.8 and earlier are configured with the following options, these policies can be migrated to use TSDM:
Exclude swap files from backup is off.
Enable guest file system quiescing is off.
You can use the PowerProtect Data Manager UI to apply TSDM as the data mover for virtual machine assets.
Transparent snapshot data mover system requirements
The following software is required to automatically enable use of the Transparent Snapshot Data Mover (TSDM) for virtual machine data protection operations.
NOTE: TSDM for virtual machine protection also requires that the protection policy is a crash-consistent policy, with the
quiescing and swap file exclusion options disabled.
Table 11. Software requirements

| Software required | Version supported | Notes |
| --- | --- | --- |
| vCenter server | 7.0 U3c and later | vCenter and ESXi 7.0 U3c is the minimum version that is required to use TSDM. Until this version is deployed in the environment, TSDM is not used for virtual machine protection policies. |
| ESXi server | 7.0 U3c and later | |
Prerequisites to virtual machine protection with the Transparent Snapshot Data Mover
Review the following recommendations for use of the Transparent Snapshot Data Mover (TSDM) protection mechanism for virtual machine protection.
Additional privileges required for a dedicated vCenter user account to use Transparent Snapshot Data Mover
You can use the vSphere Client to specify the required privileges for the dedicated vCenter user account, or you can use the PowerCLI, which is an interface for managing vSphere.
The following table includes the additional privileges required to use the Transparent Snapshot Data Mover (TSDM) for virtual machine protection operations. For the remaining privileges required for the dedicated vCenter user account, see Specify the required privileges for a dedicated vCenter user account.
Table 12. Minimum required vCenter user account privileges

| Setting | vCenter 7.0.3 and later required privileges |
| --- | --- |
| Datastore | Datastore > Browse datastore; Datastore > Low level file operations |
| Host | Configuration > Image configuration; Configuration > Security profile and firewall; Configuration > Query patch |
| System | System > Read |
| Tasks | Tasks > Create task; Tasks > Update task |
| vSphere Data Protection | Protection; Recovery |

PowerCLI equivalent required privileges:

    # Privilege IDs that correspond to the settings in the table above
    $privileges = @(
        'Host.Config.Patch',
        'Host.Config.Image',
        'Host.Config.NetService',
        'Datastore.FileManagement',
        'Datastore.Browse',
        'vSphereDataProtection.Protection',
        'vSphereDataProtection.Recovery',
        'System.Read',
        'Task.Create',
        'Task.Update'
    )
    # Create the PowerProtect role from those privilege IDs
    New-VIRole -Name 'PowerProtect' -Privilege (Get-VIPrivilege -Id $privileges)
Creating VMkernel ports for TSDM
For backup and restore of virtual assets from the ESXi hosts and their respective virtual machines using the Transparent Snapshot Data Mover (TSDM) protection engine, it is strongly recommended that you create a dedicated VMkernel port for all ESXi hosts in the cluster to facilitate data transfer.
Before you begin:
For optimal data transfer between ESXi hosts and protection storage, use the same network subnet that is used for backup storage.
For each ESXi host in the cluster, it is recommended to use a 10G physical network adapter port for TSDM backup traffic.
Plan a unique network subnet to use exclusively for TSDM protection engine that does not overlap with any other existing network subnets. This subnet must contain the following:
An IP address for each VMkernel port in each ESXi host.
An IP address for each port in protection storage target interfaces.
Complete Create a VMkernel port for a standard vSwitch configuration or Create a VMkernel port for a distributed vSwitch configuration. Use the switch and IP settings recommended above.
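The subnet rules in this list can be checked before any VMkernel port is created. The following Python check is an added example, not part of the Dell guide: `validate_tsdm_plan` is a hypothetical helper, and every network name, host name and address in it is a constructed sample value.

```python
import ipaddress


def validate_tsdm_plan(tsdm_subnet, other_subnets, vmkernel_ips, storage_ips):
    """Check a planned TSDM data subnet; return a list of findings (empty = pass).

    tsdm_subnet   -- CIDR string of the subnet reserved for TSDM traffic
    other_subnets -- {name: CIDR} of every other network already in use
    vmkernel_ips  -- {ESXi host name: planned VMkernel port address}
    storage_ips   -- {protection storage interface name: address}
    """
    findings = []
    # strict=True: a CIDR with host bits set (a likely typo) raises ValueError.
    net = ipaddress.ip_network(tsdm_subnet, strict=True)

    # Rule 1: the subnet must not overlap any other existing subnet.
    for name, cidr in other_subnets.items():
        other = ipaddress.ip_network(cidr, strict=False)
        if other.version == net.version and net.overlaps(other):
            findings.append(f"{net} overlaps existing network {name} ({other})")

    # Rule 2: one address inside the subnet for every VMkernel port and
    # every protection storage interface, with no address used twice.
    endpoints = [(f"vmkernel port on {h}", ip) for h, ip in vmkernel_ips.items()]
    endpoints += [(f"storage interface {p}", ip) for p, ip in storage_ips.items()]
    owner = {}
    for label, raw in endpoints:
        addr = ipaddress.ip_address(raw)
        if addr.version != net.version or addr not in net:
            findings.append(f"{label}: {addr} is outside {net}")
            continue
        # In IPv4 subnets larger than /31 the first and last addresses are
        # the network and broadcast addresses and cannot be assigned.
        if net.version == 4 and net.prefixlen < 31 and addr in (
            net.network_address, net.broadcast_address
        ):
            findings.append(f"{label}: {addr} is reserved in {net}")
        if addr in owner:
            findings.append(f"{label}: {addr} already planned for {owner[addr]}")
        else:
            owner[addr] = label
    return findings


# Constructed sample inventory of the other networks in the environment.
OTHER_SUBNETS = {
    "management": "10.10.0.0/24",
    "vmotion": "10.10.1.0/24",
    "vm-production": "10.20.0.0/16",
}

# Constructed plan that satisfies both rules.
GOOD_PLAN = dict(
    tsdm_subnet="10.30.40.0/27",
    other_subnets=OTHER_SUBNETS,
    vmkernel_ips={"esx01": "10.30.40.11", "esx02": "10.30.40.12",
                  "esx03": "10.30.40.13"},
    storage_ips={"dd-if1": "10.30.40.21", "dd-if2": "10.30.40.22"},
)

# Constructed plan with four mistakes: the subnet sits inside vm-production,
# esx02 reuses the esx01 address, esx03 is outside the subnet, and the
# storage interface is given the broadcast address.
BAD_PLAN = dict(
    tsdm_subnet="10.20.30.0/24",
    other_subnets=OTHER_SUBNETS,
    vmkernel_ips={"esx01": "10.20.30.11", "esx02": "10.20.30.11",
                  "esx03": "10.20.31.12"},
    storage_ips={"dd-if1": "10.20.30.255"},
)

if __name__ == "__main__":
    for plan_name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        problems = validate_tsdm_plan(**plan)
        print(f"{plan_name} plan: {'OK' if not problems else 'FAILED'}")
        for problem in problems:
            print("  -", problem)
```

Pass the subnets of every other network in `other_subnets`; the protection storage interfaces themselves belong in `storage_ips`, because they share the TSDM subnet.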
Create a VMkernel port for a standard vSwitch configuration
For each ESXi host in the cluster:
Steps
1. In the vSphere Client, navigate to the ESXi host and select the host.
2. Right-click the host and select Add Networking.
3. Select VMkernel Network Adapter, and then click Next.
4. Create a new switch, or choose an existing one.
When creating a new switch, assign the NIC adapter to Active Adapters.
5. In the Port Properties settings IP settings, select either IPv4 or IPv6, and clear all other check boxes under Available services.
6. In the IP settings, specify the VMkernel IP settings.
Create a VMkernel port for a distributed vSwitch configuration
Steps
1. On the vSphere Client home page, click Networking, and then navigate to and select a distributed port group.
2. From the Actions menu, select Add VMkernel Adapters.
3. On the Select hosts page, click Attached hosts, select from the hosts that are associated with the distributed switch, and then click OK.
4. Click Next.
5. On the Configure VMkernel adapter page, select either IPv4 or IPv6, and clear all other check boxes under Available services.
6. In the IP settings, specify the VMkernel IP settings.
Virtual machine transparent snapshot unsupported features and limitations
Review the following unsupported features and limitations for the transparent snapshot data mover (TSDM) in PowerProtect Data Manager.
Unsupported virtual machine platforms and configurations
TSDM virtual machine protection is not supported for the following virtual machines, configurations, and platforms:
Physical RDMs
Virtual RDMs
Encrypted virtual machines
Fault Tolerant virtual machines
Azure VMware Solution (AVS) on Microsoft Azure
Google Cloud VMware Engine (GCVE) on Google Cloud Platform (GCP)
VMware Cloud (VMC) on Amazon Web Services (AWS)
Virtual machines with Site Recovery Manager enabled.
Full synchronization performed under certain conditions
The following conditions will result in a full synchronization operation for TSDM-enabled virtual machine protection policy backups:
PowerProtect Data Manager is updated from a previous release.
NOTE: The full backup completes successfully but with exceptions to indicate that the backup was forced to maintain the integrity of the data in the backup chain.
The full synchronization is scheduled as part of a PowerProtect Data Manager protection policy.
A manual backup is performed of the protection policy using Backup Now in the PowerProtect Data Manager UI.
The most recent virtual machine backup has been deleted.
Disks were added to the virtual machine.
Disks that were previously marked as excluded are added to the protection policy backup.
The VMware DPD service was removed and then readded to the virtual machine. This can occur, for example, when the virtual machine is removed from a TSDM-enabled policy and then added to the same or a different TSDM policy, or when the virtual machine protection mechanism is manually changed from TSDM to VADP and then back to TSDM.
The ESXi host, virtual machine, or daemon becomes unresponsive and crashes.
The vSphere version is updated to 8.0 or later on the vCenter/ESXi hosts.
A restore to a managed snapshot.
The virtual machine encryption/decryption setting is changed.
NOTE: A full synchronization is not required after vMotion operations.
Site Recovery Manager unsupported for TSDM-protected virtual machines (vSphere versions previous to 8.0)
In vSphere versions earlier than version 8.0, enabling of VMware's Site Recovery Manager (SRM) for virtual machines that are protected in PowerProtect Data Manager with TSDM is not supported. Ensure that you disable SRM protection for any virtual machines that use the TSDM protection mechanism, or manually configure these virtual machines to use the VADP data mover instead to continue using SRM.
NOTE: Array-based replication for SRM is unsupported, regardless of the vSphere version.
Asset copy size reported differently for TSDM backups with thin-provisioned disks in release 19.10 and later
An increase in the asset copy size of TSDM backups with thin-provisioned disks might be observed due to the manner in which asset copy size is reported in PowerProtect Data Manager 19.10 and later. For thin-provisioned disks, the asset copy size now reflects the capacity (provisioned size) of the disks instead of the used size. No actual increase in size has occurred.
VADP restore of TSDM backup restores disks as thick-provisioned in some circumstances
If VADP data path is used to restore a virtual machine that was backed up using the TSDM protection mechanism, the disks are restored as thick-provisioned instead of thin-provisioned. PowerProtect Data Manager uses VADP data path for restores in the following circumstances:
The virtual machine is restored in a vSphere environment running with a version previous to 7.0 U3.
The virtual machine is restored to an ESXi host that does not have the TSDM vSphere Installation Bundle (VIB) installed.
The virtual machine is restored directly to the ESXi host, since the vCenter server is not used for a Direct Restore to ESXi.
Virtual Machine Disk (VMDK) limit for virtual machines protected with TSDM
TSDM-based protection supports a maximum of 40 VMDKs per virtual machine. If this limit is exceeded, backups are queued for a longer time, and must be canceled manually.
For virtual machines with more than 40 VMDKs, you can override the protection mechanism at the asset level to use VADP. The section Migrating assets to use the Transparent Snapshot Data Mover provides more information.
Size of thin provisioned files created by vSphere during TSDM operations does not reflect the true size written to file system (fixed in vSphere 7.0 U3f and later)
VMware vSphere creates files that are displayed as two times larger than the VMDK files of the virtual machines that are protected by TSDM. The names of these files end in -flat.ses, and the files are located in the same VMFS volume and directory as the VMDK files of the protected virtual machines. These are thin-provisioned files and part of normal TSDM operations.
To determine the real amount of data that is written to the file system, use the du command, or update to vSphere version 7.0 U3f or later.
vMotion of TSDM protected virtual machines
vSphere disables the vMotion migration of virtual machines to an ESXi host version previous to 7.0 U3 when the virtual machine is protected with TSDM. In order to migrate the TSDM protected virtual machine to an ESXi version that does not support TSDM, you must disable the VMware DPD service that is attached to the virtual machine during the initial protection policy configuration. To disable the filter, remove the virtual machine from the TSDM protected virtual machine protection policy. Once the virtual machine is removed from the policy, a job is automatically initiated to disable the filter.
Once the vMotion completes, you can re-add the virtual machine to the protection policy. This virtual machine is then protected by the VADP protection mechanism, since the new ESXi/cluster host version is lower than the version required by TSDM.
Removal of managed snapshots required before running virtual machine protection policies
A PowerProtect Data Manager virtual machine protection policy cannot be configured to use the TSDM protection mechanism when the virtual machine contains managed snapshots. Verify that no managed snapshots exist for the virtual machine, and then retry the configuration job from the System Jobs window of the PowerProtect Data Manager UI.
TSDM only available for virtual machine crash-consistent policies
Use of the TSDM protection mechanism is only supported for crash-consistent virtual machine protection policies. Also, the virtual machine crash-consistent policy must have the swap file exclusion and quiescing options disabled.
Transparent Snapshot Performance and Scalability
Review the following information related to performance considerations to scale your environment.
NOTE: As a VMware infrastructure best practice, it is recommended that you spread the workload across ESXi servers as much as possible. With the Transparent Snapshot Data Mover protection mechanism, you can move backup data in streams from multiple ESXi servers.
Table 13. Scalability limits for the vCenter and ESXi server
Component | Maximum limit
Number of protected virtual machines per ESXi server | Unlimited
Number of protected VMDKs per ESXi server | 1000
Size of VMDK | 64 TB
Transparent Snapshot Data Mover (TSDM) backups | Up to 3000 virtual machine backups, and up to 180 concurrent virtual machine backups.
NOTE: An external VM Direct Engine is not required when using TSDM as the protection mechanism for crash-consistent virtual machine protection. For application consistent and application aware virtual machine protection, add a VM Direct Engine.
Table 14. TSDM maximum concurrent protection operations and memory consumption
Component | Maximum limit | Notes
Number of concurrent virtual machine backups per ESXi host (ESXi and vCenter 7.0 U3d and later) | 18 | To obtain the maximum concurrent operations, the ESXi hosting the protected virtual machines must be version 7.0 U3d or later. This maximum is based on improvements to TSDM performance that result in faster processing of these sessions, and will vary based on the type of operations being performed (for example, single disk vs multiple disk virtual machine backups). NOTE: A lower number of concurrent streams helps to avoid over-subscription to the ESXi host memory.
Number of concurrent virtual machine restores per ESXi host (ESXi and vCenter 7.0 U3d and later) | 16 |
Total number of concurrent virtual machine backups and restores per ESXi host (ESXi and vCenter 7.0 U3d and later) | 20 |
Number of concurrent virtual machine backups per ESXi host (ESXi and vCenter 7.0 U3c) | 10 | This maximum is based on improvements to TSDM performance that result in faster processing of these sessions. Also, a lower number of concurrent streams helps to avoid over-subscription to the ESXi host memory.
Number of concurrent virtual machine restores per ESXi host (ESXi and vCenter 7.0 U3c) | 10 |
Concurrent VMDK backups | Up to 28 disks | A full sync uses 29 MB/disk; a delta sync uses 9 MB/disk. 256 MB/9 MB per disk = up to 28 VMDK backups in parallel. For a single virtual machine, as an example, there might be a maximum of four parallel VMDKs per virtual machine during a full sync, and a maximum of 10 parallel VMDKs per virtual machine during a delta sync. NOTE: Depending on the combination of full and delta syncs and their respective memory consumption, 28 parallel VMDK backups is not always possible.
Total TSDM memory consumption on ESXi host | Up to 768 MB | 256 MB/9 MB per disk = up to 28 VMDK backups in parallel.
TSDM memory consumption on ESXi host for DD streams | Up to 256 MB; up to 28 streams | A full sync uses 29 MB/disk; a delta sync uses 9 MB/disk. 256 MB/9 MB per stream = up to 28 DD streams in parallel. NOTE: Depending on the combination of full and delta syncs and their respective memory consumption, 28 streams is not always possible.
PowerProtect Functionality Within the vSphere Client
Topics:
PowerProtect functionality within the vSphere Client
Overview of the PowerProtect plug-in for the vSphere Client
Overview of VASA and VMware Storage Policy Based Management
PowerProtect functionality within the vSphere Client
The vSphere Client integrates with PowerProtect Data Manager to provide the following functionality:
PowerProtect portlet: When adding a vCenter server as an asset source in the PowerProtect Data Manager UI, if you enable the vSphere Plugin option, a pane for PowerProtect appears in the vSphere Client. This pane provides a subset of PowerProtect Data Manager functionality, including the ability to perform a manual backup, image-level restore and file-level restore of PowerProtect Data Manager virtual machine protection policies.
Storage policy association with a PowerProtect Data Manager virtual machine protection policy: vSphere Storage APIs for Storage Awareness (VASA) leverages VMware Storage Policy Based Management (SPBM) to support data protection operations, allowing you to pair SPBM policies that are created in the vSphere Client with protection policies that are created in PowerProtect Data Manager. This association allows you to manage all virtual machine storage and protection requirements in a centralized location (the vSphere Client), instead of requiring multiple user interfaces.
Overview of the PowerProtect plug-in for the vSphere Client
When adding a vCenter server in the PowerProtect Data Manager user interface, if you enable the vSphere Plugin option, a subset of the user-interface functionality becomes available within the vSphere Client.
The PowerProtect Data Manager portlet appears when you select Hosts and Clusters or VMs and Templates in the left pane of the vSphere Client home page, and then select a virtual machine within the datacenter.
Figure 4. PowerProtect portlet in the vSphere Client
NOTE: If you were already logged into the vSphere Client when the vCenter discovery was started in PowerProtect Data Manager, you must log out and log back in to see the PowerProtect Data Manager user interface.
If the virtual assets in the vCenter server have not yet been assigned to a PowerProtect Data Manager protection policy, only the PowerProtect name displays in the portlet. Adding the virtual machine to a protection policy provides additional information, as shown in the following figure.
Figure 5. PowerProtect portlet with protected virtual machine
After you set up a virtual machine protection policy, you can perform the following PowerProtect Data Manager functionality within the vSphere Client:
View information about protection policies and information about available protection copies.
Monitor in-progress backup and restore operations for the virtual machine protection policy. You can also view information for successfully completed protection copies that are available for restore.
Perform a manual backup.
Perform an image-level restore (Restore to Original, Restore to New, or Instant Access).
Perform a file-level restore.
Prerequisites for enabling the vSphere Client PowerProtect plug-in
To use the vSphere Client PowerProtect plug-in for backup and restore operations, complete the following tasks in the vSphere Client and the PowerProtect Data Manager UI.
Add the vCenter server: In the PowerProtect Data Manager UI, select Infrastructure > Asset Sources, and select vSphere Plugin to enable the plug-in. Add a VMware vCenter server provides information.
Add privileges for the Virtual machine power user group (if you are already an administrator, this task is optional): In the vSphere Client, go to Administration > Roles, select the Virtual Machine power user (PPDM), and then open the Edit Role window.
Add the following PowerProtect Data Manager privileges:
Backup File Level Restore to Original Instant Access Restore to New Restore to Original
Figure 6. PowerProtect privileges added for the virtual machine power user
NOTE: If you edit the vCenter server in the PowerProtect Data Manager user interface to unregister the vSphere Plugin for PowerProtect Data Manager, these PowerProtect Data Manager privileges are not removed from the user group.
For the virtual asset (virtual machine, cluster, host) and all its child elements, add permissions to the Virtual machine power user group that you enabled with PowerProtect Data Manager privileges. To add these permissions, select the asset in the left pane of the vSphere Client, and then click the Permissions tab.
Add a virtual machine protection policy in the PowerProtect Data Manager user interface Protection > Protection Policies window to schedule a backup of the virtual machines. Add a protection policy for virtual machine protection provides information.
Monitor PowerProtect Data Manager virtual machine protection copies
You can use the Monitor tab in the vSphere Client to view PowerProtect Data Manager protection copies that are available for restore, and monitor in-progress backup and restore operations for the PowerProtect Data Manager virtual machine protection policy.
With a virtual machine selected, in the Monitor tab's navigation pane, select PowerProtect > Protection Copies to view information about completed PowerProtect Data Manager protection policy backups for this virtual machine. This view is the same as the view in the PowerProtect Data Manager UI Infrastructure window. A copy map enables you to view the available protection copies when you click on the storage icon, as described in More options for managing virtual machine backups.
To view the status of active backup and restore operations initiated from the PowerProtect Data Manager UI or the vSphere Client, click the arrows icon in the lower right corner of the window to expand the Recent Tasks pane. You can also view this pane from the Summary window.
Perform a manual PowerProtect-policy backup in the vSphere Client
You can back up one or more PowerProtect Data Manager virtual machine protection policies at any time by performing a manual backup in the vSphere Client.
Prerequisites
Ensure that you are logged in to the vSphere Client as an administrator.
Add the Backup privilege to the Administrator group in the vSphere Client. To add the Backup privilege, complete the following steps:
1. Select Administration > Roles.
2. Select Administrator, and then click Privileges in the right pane.
3. In the PowerProtect Backup section, select Backup.
Ensure that virtual machine assets have been added to a virtual machine protection policy. You cannot perform manual backups of unprotected virtual machines.
Steps
1. In the left pane of the vSphere Client home page, select Hosts and Clusters or VMs and Templates, and then select a virtual machine within the datacenter. The Summary window displays.
2. Perform a manual backup of a virtual machine protection policy by using one of the following methods:
In the left pane, right-click the virtual machine, and then select PowerProtect > Backup.
Within the PowerProtect portlet, click Backup Now.
The vSphere Client starts the backup operation. A message appears indicating whether the request was processed successfully.
Results
An entry for the backup job appears in the Jobs > Protection window of the PowerProtect Data Manager UI. To view the status of operations, you can also click the arrows icon in the lower right corner of the window to expand the Recent Tasks pane.
Perform an image-level restore of a PowerProtect backup in the vSphere Client
You can use the vSphere Client PowerProtect plug-in to perform an image-level restore of a PowerProtect Data Manager virtual machine protection policy backup.
About this task
Available image-level restore options in the vSphere Client include:
Restore to Original: Restore the virtual machine to the original location on the same vCenter server.
Restore Individual Virtual Disks: Restore selected VMDKs to the original location on the same vCenter server.
Restore to New: Restore the virtual machine to a new location on the original vCenter server.
Instant Access: Restore the backup as a live virtual machine to view the backup and then determine whether you want to do a full restore. Instant Access sessions are made available for a default period of 7 days, which can be extended.
Steps
1. In the left pane of the vSphere Client home page, select Hosts and Clusters or VMs and Templates, and then select a virtual machine within the datacenter.
2. In the Summary window, access the backup copy by using one of the following methods:
In the left pane, right-click the virtual machine, and then select PowerProtect > Restore.
Within the PowerProtect portlet, click Restore.
3. On the Select Copy page, for each virtual machine that is listed in the table, select the radio button next to the virtual machine and click Choose Copy. The Choose Copy dialog appears.
NOTE: If you click Next without choosing a copy, the most recent backup copy is used.
4. In the Choose Copy dialog:
a. Select the storage icon to access the backup copies.
b. Choose from one of the available copies that appears in the table.
c. Click OK to close the dialog and return to the Select Copy page.
d. Click Next.
5. On the Purpose page, select from one of the following options:
Restore Entire VMs: Select this option if you want to restore the entire virtual machine.
Restore Individual Virtual Disks: Select this option if you want to restore only specific virtual machine disks (VMDKs).
NOTE: Individual VMDKs can only be restored to the original location.
6. Click Next. If restoring entire virtual machines, the Restore Type page appears. If restoring individual VMDKs, the Select Disks page appears.
7. On the Restore Type page, select from one of the available restore types.
For Instant Access restore, review the section Instant Access virtual machine restore.
For Restore to New, review the section Restore to a new virtual machine.
For Restore to Original, review the section Restore to the original virtual machine.
For Restore Individual Virtual Disks, review the section Restore individual virtual disks.
The wizard updates to display the options specific to the restore type that you selected.
NOTE: Options such as vCenter server, resource pool, and datastore are limited to the logged-in vSphere user's permissions, and are not necessarily the same as a PowerProtect Data Manager administrator.
8. Click Next. The Summary page appears.
9. Review your selections and then click Restore.
Results
An entry for the restore job appears in the Recent Tasks pane of the vSphere Client and in the Restore > Running Sessions window of the PowerProtect Data Manager UI.
Next steps
For Instant Access restores, when the virtual machine is powered on and you select the virtual machine in the left pane of the Summary window, the session information appears within the PowerProtect portlet. If you need extra time for this session, you can click Extend Session and increase session availability by up to 7 days.
File-level restores of a PowerProtect backup in the vSphere Client
You use the PowerProtect portlet in the vSphere Client and the VM Direct agent to perform a file-level restore of a PowerProtect Data Manager virtual machine protection-policy backup.
The VM Direct agent facilitates the mounting and unmounting of disks and the browsing of files in the destination virtual machine and the backup copy. The agent is installed automatically during a file-level restore, but you can choose to manually install it before performing a file-level restore. Manually installing the agent allows the user account performing the file-level restore to have different permissions from the user account installing the agent.
NOTE: In some installation paths, application messages, and log files, the VM Direct agent is named the vProxy Agent.
Manually install the VM Direct agent on Linux
You can manually install the VM Direct agent.
Prerequisites
The destination virtual machine is a supported Linux platform. To determine which Linux platforms are supported, see the compatibility information provided by the E-Lab Navigator.
When logging in to the destination virtual machine in the following steps, log in as a root user or a user in the local sudousers list of the operating system.
NOTE: Even if you log in as a user with privileges similar to a root user, the VM Direct agent installation fails.
If you log in to the destination virtual machine in the following steps as a user in the local sudousers list of the operating system, ensure you have already completed the following steps on the destination virtual machine:
1. Provide sudo access to the following files at a minimum:
RPM command (SLES, Red Hat Enterprise Linux, CentOS) and dpkg command (Debian/Ubuntu)
/opt/emc/vproxyra/bin/postinstall.sh
/opt/emc/vproxyra/bin/preremove.sh
Note the following additional requirements:
The sudo user or group must be configured for no password prompt.
The sudo user or group must be provided with the no requiretty option.
When user elevation is enabled for file-level restore:
To browse files, you must have the appropriate authority in the destination virtual machine operating system. For example, you must be permitted to run vflrbrowse using sudo without being prompted for a password.
To perform the restore, the user account must have the appropriate authority. For example, this account requires sudo access and must be able to run vflrcopy without being prompted for a password.
NOTE: If the Run with Elevated Privileges file-level restore is unsuccessful, an error displays indicating Unable to perform FLR Agent operation 'recover_files' on VM virtual machine name. This might occur when a typographical error has been made in the sudo commands. To determine if this has occurred, review the log file output for the following text:
sudo: a password is required
/etc/sudoers.d/admin: syntax error near line 1
sudo: no valid sudoers sources found, quitting
It is recommended that you test the sudo command before performing a file-level restore in order to resolve any potential errors.
2. Create the file /etc/sudoers.d/linuxuser, where linuxuser is the Linux login user, and then add the following contents to the file.
On CentOS, OpenSuSE Leap, Oracle Linux, Red Hat Enterprise Linux, and SuSE Linux Enterprise Server operating systems:
username ALL=NOPASSWD: /usr/bin/rpm, /opt/emc/vproxyra/bin/postinstall.sh, /opt/emc/vproxyra/bin/preremove.sh, /opt/emc/vproxyra/bin/vflrbrowse, /opt/emc/vproxyra/bin/vflrcopy
Defaults:username !requiretty
Defaults:username !authenticate
NOTE: On SuSE 12, the location is /bin/rpm instead of /usr/bin/rpm.
On Debian and Ubuntu Server operating systems:
username ALL=NOPASSWD: /usr/bin/dpkg, /opt/emc/vproxyra/bin/postinstall.sh, /opt/emc/vproxyra/bin/preremove.sh, /opt/emc/vproxyra/bin/vflrbrowse, /opt/emc/vproxyra/bin/vflrcopy
Defaults:username !requiretty
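The prerequisites above recommend testing the sudo configuration before a file-level restore. As an added example (not part of the Dell guide or product), the following shell function lints a copy of the sudoers drop-in for the entries this page requires and for paths broken by a stray space; the function name, the finding labels, the user flruser and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Dell code. Paths and sudoers options are the ones listed
# on this page; everything else (names, labels, samples) is an assumption.

# check_flr_sudoers FILE USER PKGTOOL
#   FILE     copy of the drop-in, for example /etc/sudoers.d/<user>
#   USER     Linux login user the rule is written for
#   PKGTOOL  /usr/bin/rpm, /bin/rpm (SuSE 12) or /usr/bin/dpkg
# Prints one finding per line; returns 0 when clean, 1 otherwise.
# The body runs in a subshell, so its variables stay local.
check_flr_sudoers() (
    file=$1; user=$2; pkgtool=$3; rc=0

    # Join backslash-continued lines so a wrapped rule is read as one line.
    joined=$(sed -e :a -e '/\\$/N; s/\\\n//; ta' "$file")

    rule=$(printf '%s\n' "$joined" |
           grep -E "^${user}[[:space:]]+ALL[[:space:]]*=" | head -n 1)
    if [ -z "$rule" ]; then
        echo "MISSING rule: no '${user} ALL=' line"
        exit 1
    fi

    case $rule in
        *NOPASSWD:*) cmds=${rule#*NOPASSWD:} ;;
        *) echo "MISSING tag: NOPASSWD"; rc=1; cmds=${rule#*=} ;;
    esac

    # One command per line. The page's entries take no arguments, so any
    # entry that still contains a space is treated as a broken path.
    list=$(printf '%s\n' "$cmds" | tr ',' '\n')
    granted=""
    while IFS= read -r cmd; do
        cmd=$(printf '%s' "$cmd" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$cmd" ] || continue
        case $cmd in
            *" "*) echo "BROKEN path (embedded space): $cmd"; rc=1 ;;
            *)     granted="${granted}${cmd}
" ;;
        esac
    done <<EOF
$list
EOF

    for req in "$pkgtool" \
        /opt/emc/vproxyra/bin/postinstall.sh \
        /opt/emc/vproxyra/bin/preremove.sh \
        /opt/emc/vproxyra/bin/vflrbrowse \
        /opt/emc/vproxyra/bin/vflrcopy
    do
        printf '%s' "$granted" | grep -Fxq -- "$req" ||
            { echo "MISSING command: $req"; rc=1; }
    done

    printf '%s\n' "$joined" |
        grep -Eq "^Defaults:${user}[[:space:]]+.*!requiretty" ||
        { echo "MISSING option: Defaults:${user} !requiretty"; rc=1; }

    [ "$rc" -eq 0 ]
)

# Constructed sample: a correct RPM-based drop-in, wrapped with backslashes.
sample_good() {
    cat <<'EOF'
flruser ALL=NOPASSWD: /usr/bin/rpm, \
    /opt/emc/vproxyra/bin/postinstall.sh, \
    /opt/emc/vproxyra/bin/preremove.sh, \
    /opt/emc/vproxyra/bin/vflrbrowse, \
    /opt/emc/vproxyra/bin/vflrcopy
Defaults:flruser !requiretty
Defaults:flruser !authenticate
EOF
}

# Constructed sample: the same rule pasted with spaces left inside two paths.
sample_broken() {
    cat <<'EOF'
flruser ALL=NOPASSWD: /usr/bin/rpm, /opt/emc/vproxyra/bin/postinstall.sh, /opt/emc/ vproxyra/bin/preremove.sh, /opt/emc/vproxyra/bin/vflrbrowse, /opt/emc/vproxyra/bin/ vflrcopy
Defaults:flruser !requiretty
EOF
}

demo() {
    d=$(mktemp -d) || return 1
    sample_good > "$d/good"
    sample_broken > "$d/broken"
    echo "== good sample"
    check_flr_sudoers "$d/good" flruser /usr/bin/rpm && echo "clean"
    echo "== broken sample"
    check_flr_sudoers "$d/broken" flruser /usr/bin/rpm || echo "fix before restoring"
    rm -rf "$d"
}
demo
```

The lint only inspects text, so it can run against a draft before the file is placed in /etc/sudoers.d; sudo's own parser remains the authority on syntax.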
About this task
To manually install the VM Direct agent, perform the following steps.
Steps
1. Connect to the PowerProtect Data Manager console and change to the root user.
2. Run the command cd /opt/emc/sw-repo/vflragent/linux.
3. Run the following command:
scp
If the destination virtual machine operating system is CentOS, OpenSuSE Leap, Oracle Linux, RedHat Enterprise Linux, or SuSE Linux Enterprise Server, replace
If the destination virtual machine operating system is Debian or Ubuntu Server, replace
Replace
Replace
Replace with a directory path on the destination virtual machine to which the VM Direct agent installer package should be copied.
NOTE: If you are installing the VM Direct agent as a non-root user, ensure the non-root user has read and execute permissions to files in this directory path.
4. Log in to a shell prompt of the destination virtual machine.
5. Change directories to the location of the file copied in step 3.
6. If the destination virtual machine operating system is CentOS, OpenSuSE Leap, Oracle Linux, RedHat Enterprise Linux, or SuSE Linux Enterprise Server, run the following command:
rpm -ivh
Replace
7. If the destination virtual machine operating system is Debian or Ubuntu Server, run the following command:
dpkg -i
Replace
8. Run the command /opt/emc/vproxyra/bin/postinstall.sh.
Results
You can now perform file-level restore operations as a non-root user.
Manually install the VM Direct agent on Windows
You can manually install the VM Direct agent.
Prerequisites
The destination virtual machine is a supported Windows platform. To determine which Windows platforms are supported, see the compatibility information provided by the E-Lab Navigator.
When logging in to the destination virtual machine in the following steps, log in as a user with administrator rights. If you need to enable the administrator account, perform the following steps:
1. Open a command prompt in administrative mode, and then type net user administrator /active:yes.
2. To set a password for the administrator account, go to Control Panel > User Accounts and select the Advanced tab. Initially, the account password is blank.
3. In the User Accounts pane, right-click the user, select Properties, and then clear the Account is disabled option.
About this task
To manually install the VM Direct agent, perform the following steps.
Steps
1. Connect to the PowerProtect Data Manager console and change to the root user.
2. Run the command cd /opt/emc/sw-repo/vflragent/windows.
3. Copy emc-vProxy-FLRAgent-ppdm-version_1.x86_64.msi to the destination virtual machine.
4. Log in to the destination virtual machine.
5. Install the VM Direct agent by double-clicking emc-vProxy-FLRAgent-ppdm-version_1.x86_64.msi. The Programs and Features Control Panel tool displays Dell vProxy Agent as installed.
Results
You can now perform file-level restore operations as a user without administrator rights.
Perform a file-level restore of a PowerProtect backup in the vSphere Client
You can use the PowerProtect portlet in the vSphere Client to perform a file-level restore of a PowerProtect Data Manager virtual machine protection policy backup.
Prerequisites
Note the following before performing file-level restore in the vSphere Client:
A minimum vCenter version of 6.7 U1 is required.
Review the section Supported platform versions for file-level restore for supported platform and operating system versions.
Review the section File-level restore and SQL restore requirements and limitations.
NOTE:
For file-level restores, you can only restore files:
From a Windows backup to a Windows machine, or from a Linux backup to a Linux machine.
To virtual machines within the same vCenter server.
About this task
Available file-level restore options in the vSphere Client include:
Restore single or multiple files to the original folder and overwrite the original files within the same virtual machine, or
Restore single or multiple files to a new folder with a new name within the same virtual machine.
Steps
1. In the left pane of the vSphere Client home page, select Hosts and Clusters or VMs and Templates, and then select a virtual machine within the datacenter. The Summary window displays.
2. Access the backup copy by using one of the following methods:
In the left pane, right-click the virtual machine, and then select PowerProtect > File Level Restore.
Within the PowerProtect portlet, click File Level Restore.
3. From the Select Copy page, for each virtual machine that is listed in the table, select the radio button next to the virtual machine and click Choose Copy.
The Choose Copy dialog appears.
NOTE: If you click Next without choosing a copy, the most recent backup copy is used.
4. In the Choose Copy dialog:
a. Select the storage icon to access the backup copies.
b. Choose from one of the available copies that appears in the table.
c. Click OK to close the dialog and return to the Select Copy page.
d. Click Next.
5. From the Mount Copy page:
a. To initiate the disk mount, type the destination virtual machine operating system user credentials:
If there are administrator-level credentials associated with the virtual assets or protection policy being restored, specify end-user credentials.
If there are no administrator-level credentials associated with the virtual assets or protection policy being restored, specify administrator credentials. These credentials will be handled as end-user credentials.
b. (Optional) Leave Keep FLR Agent Installed selected when you want the VM Direct agent to remain on the destination virtual machine after the restore completes.
c. (Optional) If you are logged in as a user without administrator rights or root permissions to the destination virtual machine, select Run with Elevated Privileges to override any authentication or elevation prompts that appear when restoring to folders. To enable this option, the VM Direct agent must already be installed.
d. Click Start Mount to initiate the disk mount.
If not already installed, the VM Direct agent is automatically installed on the destination virtual machine. A progress bar indicates when the mount completes.
NOTE: You cannot browse the contents of the virtual machine backup until the disk mount completes successfully.
e. After a successful disk mount, click Next.
6. From the Select Files to Recover page:
a. Expand individual folders to browse the original virtual machine backup, and select the objects that you want to restore to the destination virtual machine.
b. Click Next.
NOTE: In the browse view, each directory or hard drive appears twice. Selecting an object from one location selects the object in the duplicate location as well.
7. From the Options page, select from one of the following options:
Restore to Original Folder and Overwrite Original Files: Select this option to restore all selected files to their original location on the original virtual machine.
Restore to an Alternate Folder: Select this option if you want to restore to a new folder in a new location on the original virtual machine.
NOTE: If you are performing the restore to a Linux virtual machine when logged in as a user in the local sudousers list and Run with Elevated Privileges is selected, the new folder is owned by the root user. Ensure the user you are logged in as has permissions to the directory. Otherwise, the restored files cannot be viewed.
8. Click Next. If performing the restore to the original virtual machine, the Summary page displays. You can go to the final step. If performing the restore to an alternate location on the original virtual machine, the Restore Location page displays.
9. From the Restore Location page:
a. Browse the folder structure of the virtual machine to select the new folder where you want to restore the objects.
b. Click Next.
10. From the Summary page:
a. Review the information to ensure that the restore details are correct. You can click Edit next to the Restore Location or Files Selected rows to change the information.
b. Click Restore.
Results
An entry for the restore job appears in the Recent Tasks pane of the vSphere Client and in the Restore > Running Sessions window of the PowerProtect Data Manager UI.
Overview of VASA and VMware Storage Policy Based Management
vSphere Storage APIs for Storage Awareness (VASA) is a set of application program interfaces (APIs) that allow arrays to integrate with vCenter for management functionality. Storage Vendor Providers allow the vCenter server to retrieve information from storage arrays, including topology, capabilities (such as native thin provisioning and deduplication), and status. The policy-based management functionality of a VASA provider helps administrators choose the appropriate storage device, and monitors and reports information about existing storage policies.
Starting in vSphere version 7.0 U1, VASA support is extended to Data Protection operations by leveraging VMware Storage Policy Based Management (SPBM). SPBM spans all storage offerings from VMware, allowing policies to provision and manage storage for any virtual machine application. The integration of PowerProtect Data Manager and SPBM allows you to:
Pair SPBM policies with protection policies, allowing you to meet virtual machine storage and protection requirements within vSphere without requiring the PowerProtect Data Manager UI for data protection operations.
Add new or existing virtual assets to an SPBM policy. You can also reassign these assets and remove them from the policy.
View policy compliance status, including data protection policy information.
Protect virtual machines at scale, allowing you to manage capacity resources and overcome challenges such as capacity planning and different service level requirements.
Enabling VASA and SPBM within the vSphere Client for integration with PowerProtect Data Manager requires you to perform the following:
Register the VASA provider to allow for storage provisioning information flow between PowerProtect Data Manager and the vCenter server.
Select the PowerProtect Data Manager storage awareness provider within the vCenter server storage policy component creation workflow, which exposes the list of available PowerProtect Data Manager virtual machine protection policies.
Assign the PowerProtect Data Manager protection policy to an SPBM policy, which is automatically assigned to virtual machines when they are represented by an instance.
Monitor the status of storage compliancy of the virtual assets protected by these PowerProtect Data Manager policies.
If you replace the default self-signed security certificates for PowerProtect Data Manager with certificates from an approved certificate authority, you must exchange the new security certificates with vCenter. The PowerProtect Data Manager Security Configuration Guide provides instructions.
Register the VASA provider for policy association
The following procedure describes how to register the VASA provider to enable PowerProtect Data Manager communication with the vCenter server and use the provider to enable an association between a virtual machine storage policy and a PowerProtect Data Manager virtual machine protection policy.
Prerequisites
The vSphere version must be a minimum 7.0 U1.
Steps
1. In the vSphere Client, go to Menu > Hosts and Clusters.
2. In the left pane, select the vCenter server, and then select the Configure tab.
3. Under Security, select Storage Providers, and then click + Add. The New Storage Provider dialog appears.
4. On the New Storage Provider dialog:
a. Specify a name for the provider.
b. Specify a URL in the format https://my-ppdm.example.com:9009/vasa/version.xml, where my-ppdm.example.com is the PowerProtect Data Manager fully qualified hostname.
c. Provide PowerProtect Data Manager credentials for a user with the Administrator role, and then click OK.
These credentials are only required for the initial login to perform the registration. Subsequent log-in attempts use certificates.
If the vCenter server does not trust the SSL certificate of the PowerProtect Data Manager server, a prompt appears, asking if you want to accept the certificate as trusted. You can trust this certificate, or alternatively, you can securely obtain a copy of the certificate as a file, and then click Browse within this prompt to select and trust the certificate. The vCenter documentation provides more information.
NOTE: For self-signed or untrusted certificates, an error might appear. You can dismiss and ignore this error.
5. Provide PowerProtect Data Manager administrator level credentials, and then click OK. The dialog updates to indicate that the registration is in progress. If the vCenter server does not trust the SSL certificate of the PowerProtect Data Manager server, a prompt displays to accept the certificate as trusted. You can trust this certificate, or alternatively, you can securely obtain a copy of the certificate as a file, and then click Browse within this prompt to select and trust the certificate. The vCenter documentation provides more information.
NOTE: For self-signed or untrusted certificates, an error might appear. You can ignore this error.
6. When the registration is complete, click OK to exit the New Storage Provider dialog. The Configure tab updates to display the new VASA provider.
Results
You can now use the vSphere Client to create a virtual machine storage policy and associate this policy with an existing PowerProtect Data Manager virtual machine protection policy.
NOTE: If the provider goes offline at any point, you can select the provider in the table and click Rescan to reestablish a connection. Also, if the provider is removed and then re-added, any policies that were previously assigned to the provider are restored.
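One way to check the certificate before accepting the trust prompt in step 4, as an added example that is not part of the Dell guide: it reads the certificate presented on the provider port and compares its SHA-256 fingerprint with one obtained over a separate, trusted channel. The function names are hypothetical, and the host name and expected fingerprint are placeholders.

```powershell
# Added example, not part of the Dell guide. Function names are hypothetical.
# Port 9009 comes from the provider URL format in step 4b; the expected
# fingerprint must reach you over a separate, trusted channel.

function ConvertTo-NormalizedFingerprint {
    param([Parameter(Mandatory)][string]$Fingerprint)
    # Accept 'AA:BB:..', 'aa bb ..' or 'AABB..' and reduce to upper-case hex.
    $hex = ($Fingerprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($hex.Length -ne 64) {
        throw "Expected a SHA-256 fingerprint (64 hex digits), got $($hex.Length)."
    }
    $hex
}

function Get-Sha256Fingerprint {
    param([Parameter(Mandatory)][byte[]]$DerBytes)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        [System.BitConverter]::ToString($sha.ComputeHash($DerBytes)) -replace '-', ''
    } finally {
        $sha.Dispose()
    }
}

function Get-RemoteCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 9009)
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($HostName, $Port)
        # Validation is skipped on purpose: no data is sent on this connection,
        # it exists only to read the certificate so that it can be inspected.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $tls = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAny)
        try {
            $tls.AuthenticateAsClient($HostName)
            $raw = [byte[]]$tls.RemoteCertificate.GetRawCertData()
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
        } finally {
            $tls.Dispose()
        }
    } finally {
        $client.Dispose()
    }
}

function Test-ProviderCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string]$ExpectedFingerprint,
        [int]$Port = 9009
    )
    $expected = ConvertTo-NormalizedFingerprint $ExpectedFingerprint
    $cert     = Get-RemoteCertificate -HostName $HostName -Port $Port
    $actual   = Get-Sha256Fingerprint -DerBytes $cert.RawData
    [pscustomobject]@{
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        NotAfter    = $cert.NotAfter
        SelfIssued  = ($cert.Subject -eq $cert.Issuer)   # heuristic only
        Fingerprint = $actual
        Match       = ($actual -eq $expected)
    }
}

# Offline check with constructed bytes: the comparison ignores case and separators.
$sampleDer = [byte[]](1..32)
$fp        = Get-Sha256Fingerprint -DerBytes $sampleDer
$asTyped   = (($fp -split '(..)' | Where-Object { $_ }) -join ':').ToLowerInvariant()
(ConvertTo-NormalizedFingerprint $asTyped) -eq $fp

# Live use (placeholder host name and fingerprint):
# Test-ProviderCertificate -HostName 'my-ppdm.example.com' `
#     -ExpectedFingerprint '<SHA-256 fingerprint received out of band>'
```

Accept the prompt only when Match is True; a mismatch means the certificate vCenter is being asked to trust is not the one the PowerProtect Data Manager server was issued.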
Add an SPBM policy and associate with a PowerProtect Data Manager virtual machine policy
Use the vSphere Client to create a virtual machine storage policy and associate this policy with an existing PowerProtect Data Manager virtual machine protection policy.
Steps
1. In the vSphere Client, select the vCenter server in the left pane.
2. Go to Menu > Policies and Profiles.
3. In the left pane, select VM Storage Policies, and then click Create in the right pane. The Create VM Storage Policy wizard appears.
4. Provide a name and description that helps identify this policy as a storage policy that you want to associate with a PowerProtect Data Manager protection policy, and then click Next.
5. On the Policy Structure page, select Enable host based rules, and then click Next.
6. On the Host based services page, select the Data Protection tab, and then perform the following:
a. Select Custom.
b. From the Provider list, select DellEMC PowerProtect as the registered provider.
c. From the PPDM Protection Policy list, select an existing PowerProtect Data Manager virtual machine protection policy that you want to associate with this storage policy.
NOTE: It is recommended that you use a descriptive name for the PowerProtect Data Manager virtual machine protection policy so that the purpose is easy to identify, since the vSphere Client does not provide policy details within the PowerProtect portlet. If you decide to rename the PowerProtect Data Manager policy at any point, the association is retained since the UUID of the policy is used to create the connection.
d. Click Next.
7. Complete the storage policy details, and click Finish.
Results
The VM Storage Policies window displays the new storage policy in the table. An association is created between the PowerProtect Data Manager policy and the virtual machine storage policy, and the PowerProtect portlet in the vSphere Client updates to display the PowerProtect Data Manager protection policy. You can now perform manual backups and scheduled restores of the virtual assets in this policy.
When you assign the new storage policy to a virtual machine, that virtual machine should automatically be assigned to the associated PowerProtect Data Manager protection policy as well. Also, if you are creating a new virtual machine, you can assign a storage policy to the new virtual machine during this process.
NOTE: You can create separate storage policies for each virtual machine disk, but only the policy that is associated with the virtual machine is used for data protection.
NOTE: If you want to remove a virtual machine from protection, assign the virtual machine to a different policy, or to the Datastore Default policy.
Monitor virtual machine protection policy compliance
You can use the Storage Policies portlet within the vSphere Client to monitor the compliance of virtual assets in PowerProtect Data Manager virtual machine protection policies.
To access the portlet:
Select the Summary tab, or
Select the Configure tab, select a virtual machine in the left pane, and then click Policies.
If a virtual asset was unassigned from the policy within PowerProtect Data Manager, the policy displays as Non-compliant.
VMware Cloud (VMC) on Amazon Web Services (AWS)
Topics:
PowerProtect Data Manager image backup and recovery
Supported PowerProtect Data Manager and DDVE deployment configurations
Deployment and configuration best practices and requirements
Configuring the VMC-on-AWS portal
Interoperability with PowerProtect Data Manager features
vCenter server inventory requirements
Creating a dedicated cloud-based vCenter user account
Add a VM Direct Engine
Unsupported operations

PowerProtect Data Manager image backup and recovery
PowerProtect Data Manager provides image backup and restore support for VMware Cloud (VMC) on Amazon Web Services (AWS).
Using PowerProtect Data Manager to protect virtual machine assets in VMC on AWS is similar to how you protect virtual machine assets in an on-premises data center. The following sections provide information on network configuration requirements, PowerProtect Data Manager best practices, and unsupported PowerProtect Data Manager operations.
Supported PowerProtect Data Manager and DDVE deployment configurations
In order to protect virtual machine assets in VMC on AWS, PowerProtect Data Manager and DDVE can be deployed in several ways.
When deploying PowerProtect Data Manager and DDVE, two possible deployment environments are VMware Cloud on AWS (VMC on AWS) and the AWS Marketplace (AWS). The following table describes the supported deployment configurations of the two products:
Table 15. Supported deployment configurations
PowerProtect Data Manager | DDVE
VMware Cloud on AWS | VMware Cloud on AWS
VMware Cloud on AWS | AWS Marketplace
AWS Marketplace | AWS Marketplace
When deploying PowerProtect Data Manager to VMC on AWS, an Open Virtualization Appliance (OVA) is used. This puts PowerProtect Data Manager into the VMC-on-AWS environment in order to protect the VMware assets. When deploying PowerProtect Data Manager to AWS, a machine image is used. This puts PowerProtect Data Manager into a cloud-marketplace environment, but still allows the VMware assets in the VMC-on-AWS environment to be protected.
For more information about the different deployment types, see the PowerProtect Data Manager Deployment Guide and the PowerProtect Data Manager Amazon Web Services Deployment Guide.
Deployment and configuration best practices and requirements
Deploying and configuring PowerProtect Data Manager, DDVE, and other components in a certain way provides an efficient protection of virtual machine assets.
To perform data protection and disaster recovery tasks in VMC on AWS, consider the following recommendations for the backup infrastructure:
Deploy PowerProtect Data Manager and DDVE either to VMC on AWS or to AWS.
Deploy the VM Direct appliance to VMC on AWS.
Deploy at least one VM Direct appliance for each software-defined data center (SDDC) cluster in the VMC-on-AWS environment.
When deploying or configuring PowerProtect Data Manager or the VM Direct appliance, ensure that the DNS server IP points to the internal DNS server that is running in vCenter inventory.
Ensure that the internal DNS server has both forward and reverse lookup entries for all of the required components, such as the PowerProtect Data Manager server, the VM Direct appliance, and the DDVE appliance.
If using NSX-T, add the vCenter server to PowerProtect Data Manager by using the FQDN.
If using NSX-V, add the vCenter server to PowerProtect Data Manager by using the public FQDN of the vCenter server.
When adding the vCenter server to PowerProtect Data Manager, perform one of the following actions:
    Specify the login credentials for the cloudadmin@vmc.local user.
    Refer to Creating a dedicated cloud-based vCenter user account to create a dedicated cloud-based vCenter user account, and then specify the login credentials for that user.
You can clone backups to another instance of DDVE running in the same environment as the first instance. This type of deployment enables backup copies to be stored for longer retention, leveraging the AWS network for transferring data at lower latency and cost when compared to the public Internet.
You can store backups outside of the VMC-on-AWS environment. For example, store backups on an AWS virtual private cloud (VPC). This type of deployment enables efficient data transfer over the fast ENI connection that is used by VMware to communicate with AWS.
Configuring the VMC-on-AWS portal
Domain Name System (DNS) resolution is critical for deployment and configuration of PowerProtect Data Manager, the PowerProtect Data Manager external proxy, and DDVE. All infrastructure components should be resolvable through a fully qualified domain name (FQDN). Resolvable means that components are accessible through both forward (A) and reverse (PTR) lookups.
Ensure that the VMC-on-AWS portal meets the following requirements:
By default, there is no external access to the vCenter server in the software-defined data center (SDDC). You can open access to the vCenter server by configuring a firewall rule. To enable communication to the vCenter public IP address from the SDDC logical network, set the firewall rule in the compute gateway of VMC on AWS. If the firewall rule is not configured in the SDDC, PowerProtect Data Manager does not allow you to add the vCenter server.
The default compute gateway firewall rules prevent all virtual machine traffic from reaching the Internet. To enable the PowerProtect Data Manager virtual machine to connect to the Internet, create a compute gateway firewall rule. This action enables outbound traffic on the logical network to which the PowerProtect Data Manager server virtual machine is connected.
Configure DNS to allow machines in the SDDC to resolve FQDNs to their public IP addresses. If the DNS server is not configured in the SDDC, the PowerProtect Data Manager server does not allow you to add the vCenter server by using the server's public FQDN or IP address.
It is recommended that you deploy the DD system as a virtual appliance. If deploying DDVE to VMC-on-AWS, connect the SDDC to an AWS account during the SDDC creation, and then select a VPC and subnet within that account.
DDVE must be connected to the SDDC through the VMC-on-AWS Elastic Network Interfaces (ENIs). This action allows the SDDC, the services in the VPC, and subnet in the AWS account to communicate without having to route traffic through the Internet gateway.
The same ENI channel is recommended for access to DDVE.
For more information about configuring ENIs, see https://vmc.vmware.com/console/aws-link.
If DDVE is running in VMC-on-AWS, configure the inbound and outbound firewall rules of the compute gateway for DDVE connectivity.
For detailed information on what incoming and outgoing ports need to be opened for the PowerProtect-VM proxy solution, refer to the PowerProtect Data Manager Security Configuration Guide.
If using NSX-T, configure DNS to resolve to the internal IP address of the vCenter server. Navigate to SDDC Management > Settings > vCenter FQDN, and then select the Private vCenter IP address to directly access the management network over the built-in firewall.
Open TCP port 443 of the vCenter and ESXi servers in both the management and compute gateways.
For a VMC-on-AWS environment, open the ESXi server inbound firewall rule with ports 902 and 443 for the PowerProtect-VM proxy solution.
If DDVE is running in VMC-on-AWS, the inbound and outbound firewall rules of the VMC-on-AWS VPC security group are configured to provide connectivity between the SDDC compute gateway and DDVE.
If there is replication between DDVE instances, ensure the following:
    The security group in AWS is configured to allow all inbound traffic from the private IPs of the DDVE instances.
    The DDVE instances can ping each other using their FQDNs.
Interoperability with PowerProtect Data Manager features
VMC on AWS has certain restrictions on workloads and resource pools. To ensure proper operation, select the Workload and Compute sections in AWS.
Do not use the following non-accessible areas:
vSANdatastore datastore
Management VMs folder in VMs and Templates view
Mgmt-ResourcePool resource pool in Hosts and Clusters view

vCenter server inventory requirements
In the vCenter server inventory of the SDDC, ensure that the following requirements are met:
An internal DNS name server must be running inside vCenter inventory. This will be referenced by all the workloads running in the SDDC.
The internal DNS server must have Forwarders enabled to access the internet. This action is required to resolve the vCenter server's public FQDN. Forwarders are DNS servers that the server can use to resolve DNS queries for records that the server itself cannot resolve.
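The forward (A) and reverse (PTR) requirement stated in the portal and inventory sections above, and repeated for AVS on Azure, can be checked per component before deployment. This is an added example, not from the Dell guide; the function name is hypothetical, and the host names and addresses in the sample table are constructed.

```powershell
# Added example, not part of the Dell guide. Run it from a machine that uses
# the internal SDDC DNS server so that the answers match what the appliances see.

function Test-DnsRoundTrip {
    param(
        [Parameter(Mandatory)][string[]]$Fqdn,
        # Resolvers are parameters so the check can run against a constructed table.
        [scriptblock]$Forward = {
            param($n) [System.Net.Dns]::GetHostAddresses($n) | ForEach-Object { $_.ToString() }
        },
        [scriptblock]$Reverse = {
            param($ip) [System.Net.Dns]::GetHostEntry([System.Net.IPAddress]::Parse($ip)).HostName
        }
    )
    foreach ($name in $Fqdn) {
        $want = $name.TrimEnd('.').ToLowerInvariant()
        try { $ips = @(& $Forward $name | Where-Object { $_ }) } catch { $ips = @() }
        if ($ips.Count -eq 0) {
            [pscustomobject]@{ Fqdn = $name; Address = $null; Ptr = $null; Status = 'NO_A_RECORD' }
            continue
        }
        foreach ($ip in $ips) {
            try { $ptr = [string](& $Reverse $ip) } catch { $ptr = '' }
            if (-not $ptr -or $ptr -eq $ip) {
                $status = 'NO_PTR_RECORD'          # resolver echoed the IP or failed
            } elseif ($ptr.TrimEnd('.').ToLowerInvariant() -eq $want) {
                $status = 'OK'                     # A and PTR agree
            } else {
                $status = 'PTR_MISMATCH'           # stale or wrong reverse entry
            }
            [pscustomobject]@{ Fqdn = $name; Address = $ip; Ptr = $ptr; Status = $status }
        }
    }
}

# --- Constructed sample zone data, for an offline run ---
$zoneA = @{
    'ppdm.sddc.example.test'    = @('10.10.0.10')
    'ddve.sddc.example.test'    = @('10.10.0.20')
    'proxy01.sddc.example.test' = @('10.10.0.30')
}
$zonePtr = @{
    '10.10.0.10' = 'ppdm.sddc.example.test'
    '10.10.0.20' = 'old-ddve.sddc.example.test'   # stale PTR left from a rename
}

$components = 'ppdm.sddc.example.test', 'ddve.sddc.example.test',
              'proxy01.sddc.example.test', 'vcenter.sddc.example.test'

Test-DnsRoundTrip -Fqdn $components `
    -Forward { param($n)  $zoneA[$n] } `
    -Reverse { param($ip) $zonePtr[$ip] } |
    Format-Table -AutoSize

# Live use against the configured DNS server (placeholder names):
# Test-DnsRoundTrip -Fqdn 'my-ppdm.example.com', 'my-ddve.example.com' |
#     Where-Object Status -ne 'OK'
```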
Creating a dedicated cloud-based vCenter user account
It is recommended that you set up a separate vCenter user account at the root level of the vCenter hierarchy. This account is strictly dedicated for use with PowerProtect Data Manager and the VM Direct protection engine in cloud-based environments.
Use of a generic user account such as Administrator could make future troubleshooting efforts difficult as it might not be clear which Administrator actions are actually interfacing or communicating with PowerProtect Data Manager. Using a separate vCenter user account ensures maximum clarity if it becomes necessary to examine vCenter logs.
You can specify the credentials for a vCenter user account when you add the vCenter server as an asset source in the user interface. When you add the vCenter server, ensure that you specify a user whose cloud-based role is defined at the vCenter level and not restricted to a lower-level container object in the vSphere object hierarchy.
Specify the required privileges for a dedicated cloud-based vCenter user account
You can use the vSphere Client to specify the required privileges for the dedicated cloud-based vCenter user account, or you can use the PowerCLI, which is an interface for managing vSphere.
The following table includes the privileges required for this user.
NOTE: For the privileges required when administering on-premises PowerProtect Data Manager, see Specify the required privileges for a dedicated vCenter user account.
Table 16. Minimum required cloud-based vCenter user account privileges
Setting | vCenter 6.0 and later required privileges
Alarms | Create alarm; Modify alarm
Cryptographic operations | Direct Access (NOTE: This only applies to AVS and GCVE.)
Datastore | Allocate space; Browse datastore; Configure datastore; Low level file operations; Remove file
Folder | Create folder
Global | Cancel task; Log event; Manage custom attributes; Set custom attribute
vSphere Tagging | Assign or Unassign vSphere Tag; Assign or Unassign vSphere Tag on Object (NOTE: This only applies to vCenter 7.0 and later.); Create vSphere Tag; Create vSphere Tag Category
Network | Assign network
Resource | Assign virtual machine to resource pool; Migrate powered off virtual machine; Migrate powered on virtual machine
Sessions | Validate session
SPBM policy restore | Profile-driven storage
vApp | Export; Import; vApp application configuration
Virtual Machine
    Change Configuration | Acquire disk lease; Add existing disk; Add new disk; Add or remove device; Advanced configuration; Change CPU count; Change Memory; Change Settings; Change Swapfile placement; Change resource; Configure Host USB device; Configure Raw device; Configure managedby; Extend virtual disk; Modify device settings; Reload from path; Remove disk; Rename; Reset guest information; Set annotation; Toggle disk change tracking; Upgrade virtual machine compatibility
    Edit Inventory | Create new; Register; Remove; Unregister
    Guest operations | Guest operation modifications; Guest operation program execution; Guest operation queries
    Interaction | Configure CD media; Connect devices; Console interaction; Guest operating system management by VIX API; Install VMware Tools; Power off; Power on; Reset
    Provisioning | Allow disk access; Allow read-only disk access; Allow virtual machine download; Mark as template
    Snapshot Management | Create snapshot; Remove snapshot; Revert to snapshot

PowerCLI equivalent required privileges:
$privileges = @(
    'System.Anonymous', 'System.View', 'System.Read',
    'Alarm.Create', 'Alarm.Edit',
    'Cryptographer.Access',
    'Datastore.Browse', 'Datastore.DeleteFile', 'Datastore.FileManagement',
    'Datastore.AllocateSpace', 'Datastore.Config',
    'Folder.Create',
    'Global.ManageCustomFields', 'Global.SetCustomField', 'Global.LogEvent', 'Global.CancelTask',
    'InventoryService.Tagging.AttachTag', 'InventoryService.Tagging.ObjectAttachable',
    'InventoryService.Tagging.CreateTag', 'InventoryService.Tagging.CreateCategory',
    'Network.Assign',
    'Resource.AssignVMToPool', 'Resource.HotMigrate', 'Resource.ColdMigrate',
    'Sessions.ValidateSession',
    'StorageProfile.View',
    'VApp.ApplicationConfig', 'VApp.Export', 'VApp.Import',
    'VirtualMachine.Config.Rename', 'VirtualMachine.Config.Annotation',
    'VirtualMachine.Config.AddExistingDisk', 'VirtualMachine.Config.AddNewDisk',
    'VirtualMachine.Config.RemoveDisk', 'VirtualMachine.Config.RawDevice',
    'VirtualMachine.Config.HostUSBDevice', 'VirtualMachine.Config.CPUCount',
    'VirtualMachine.Config.Memory', 'VirtualMachine.Config.AddRemoveDevice',
    'VirtualMachine.Config.EditDevice', 'VirtualMachine.Config.Settings',
    'VirtualMachine.Config.Resource', 'VirtualMachine.Config.UpgradeVirtualHardware',
    'VirtualMachine.Config.ResetGuestInfo', 'VirtualMachine.Config.AdvancedConfig',
    'VirtualMachine.Config.DiskLease', 'VirtualMachine.Config.SwapPlacement',
    'VirtualMachine.Config.DiskExtend', 'VirtualMachine.Config.ChangeTracking',
    'VirtualMachine.Config.ReloadFromPath', 'VirtualMachine.Config.ManagedBy',
    'VirtualMachine.GuestOperations.Query', 'VirtualMachine.GuestOperations.Modify',
    'VirtualMachine.GuestOperations.Execute',
    'VirtualMachine.Interact.PowerOn', 'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.Reset', 'VirtualMachine.Interact.ConsoleInteract',
    'VirtualMachine.Interact.DeviceConnection', 'VirtualMachine.Interact.SetCDMedia',
    'VirtualMachine.Interact.ToolsInstall', 'VirtualMachine.Interact.GuestControl',
    'VirtualMachine.Inventory.Create', 'VirtualMachine.Inventory.Register',
    'VirtualMachine.Inventory.Delete', 'VirtualMachine.Inventory.Unregister',
    'VirtualMachine.Provisioning.DiskRandomAccess', 'VirtualMachine.Provisioning.DiskRandomRead',
    'VirtualMachine.Provisioning.GetVmFiles', 'VirtualMachine.Provisioning.MarkAsTemplate',
    'VirtualMachine.State.CreateSnapshot', 'VirtualMachine.State.RevertToSnapshot',
    'VirtualMachine.State.RemoveSnapshot'
)
New-VIRole -Name 'PowerProtect' -Privilege (Get-VIPrivilege -Id $privileges)
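Once the role exists, it is worth auditing it against Table 16 and confirming that the dedicated account holds it at the vCenter level rather than on a lower-level container. The following is an added example, not Dell's code: the function names, the account name svc-ppdm and the sample data are constructed, and the commented live calls assume a connected PowerCLI session with $privileges defined as in the table.

```powershell
# Added example, not part of the Dell guide. Function names are hypothetical.

function Compare-RolePrivilege {
    param(
        [Parameter(Mandatory)][string[]]$Required,
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$Actual
    )
    # -notin compares strings case-insensitively, which suits privilege IDs.
    [pscustomobject]@{
        # Missing privileges break backup and restore operations.
        Missing = @($Required | Where-Object { $_ -notin $Actual }   | Sort-Object -Unique)
        # Excess privileges are drift away from the documented minimum.
        Excess  = @($Actual   | Where-Object { $_ -notin $Required } | Sort-Object -Unique)
    }
}

function Test-RootPermission {
    param(
        # Objects shaped like Get-VIPermission output: Principal, Role, EntityId, Propagate.
        [Parameter(Mandatory)][object[]]$Permission,
        [Parameter(Mandatory)][string]$Principal,
        [Parameter(Mandatory)][string]$RoleName,
        [Parameter(Mandatory)][string]$RootEntityId
    )
    $forUser = @($Permission | Where-Object { $_.Principal -eq $Principal })
    $mine    = @($forUser | Where-Object { $_.Role -eq $RoleName })
    $atRoot  = @($mine | Where-Object { $_.EntityId -eq $RootEntityId -and $_.Propagate })
    [pscustomobject]@{
        Principal      = $Principal
        GrantedAtRoot  = ($atRoot.Count -gt 0)
        LowerLevelOnly = ($mine.Count -gt 0 -and $atRoot.Count -eq 0)
        # Any other role on the same account widens what the backup identity can do.
        OtherRoles     = @($forUser | Where-Object { $_.Role -ne $RoleName } |
                            ForEach-Object { $_.Role } | Sort-Object -Unique)
    }
}

# --- Constructed sample data (a short subset of the table), for an offline run ---
$requiredSample = 'Datastore.Browse',
                  'VirtualMachine.State.CreateSnapshot',
                  'VirtualMachine.State.RemoveSnapshot'
$actualSample   = 'Datastore.Browse',
                  'VirtualMachine.State.CreateSnapshot',
                  'Host.Config.Maintenance'            # not in the documented list

Compare-RolePrivilege -Required $requiredSample -Actual $actualSample | Format-List

$permSample = @(
    [pscustomobject]@{ Principal = 'VSPHERE.LOCAL\svc-ppdm'; Role = 'PowerProtect'
                       EntityId = 'Datacenter-datacenter-2'; Propagate = $true }
    [pscustomobject]@{ Principal = 'VSPHERE.LOCAL\svc-ppdm'; Role = 'Admin'
                       EntityId = 'Folder-group-d1';         Propagate = $true }
)

Test-RootPermission -Permission $permSample -Principal 'VSPHERE.LOCAL\svc-ppdm' `
    -RoleName 'PowerProtect' -RootEntityId 'Folder-group-d1' | Format-List

# Live use in a connected PowerCLI session:
# $role = Get-VIRole -Name 'PowerProtect'
# Compare-RolePrivilege -Required $privileges -Actual $role.PrivilegeList
# Test-RootPermission -Permission (Get-VIPermission) -Principal 'VSPHERE.LOCAL\svc-ppdm' `
#     -RoleName 'PowerProtect' -RootEntityId (Get-Folder -NoRecursion).Id
```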
Add a VM Direct Engine
Perform the following steps in the Protection Engines window of the PowerProtect Data Manager UI to deploy an external VM Direct Engine, also referred to as a VM proxy. The VM Direct Engine facilitates data movement for virtual machine protection policies.
Prerequisites
Review the sections Requirements for an external VM Direct Engine, Transport mode considerations, and Protection engine limitations.
If applicable, complete all of the virtual network configuration tasks before you assign any virtual networks. The PowerProtect Data Manager Administration and User Guide provides more information.
About this task
The PowerProtect Data Manager software comes bundled with an embedded VM Direct engine, which is automatically used as a fallback proxy for performing backups and restores when the added external proxies fail or are disabled. It is recommended that you deploy external proxies by adding a VM Direct Engine for the following reasons:
An external VM Direct Engine for VM proxy backup and recovery can provide improved performance and reduce network bandwidth utilization by using source-side deduplication.
The embedded VM Direct engine has limited capacity for backup streams.
The embedded VM Direct engine is not supported for VMC-on-AWS, AVS-on-Azure, or GCVE-on-GCP operations.
NOTE: Cloud-based deployments of PowerProtect Data Manager do not support the configuration of data-traffic routing or VLANs. Skip the Networks Configuration page.
Steps
1. From the left navigation pane, select Infrastructure > Protection Engines.
The Protection Engines window appears.
2. In the VM Direct Engines pane of the Protection Engines window, click Add. The Add Protection Engine wizard displays.
3. On the Protection Engine Configuration page, complete the required fields, which are marked with an asterisk.
Hostname, Gateway, IP Address, Netmask, and Primary DNS: Note that either only IPv4 addresses or only IPv6 addresses are supported.
vCenter to Deploy: If you have added multiple vCenter server instances, select the vCenter server on which to deploy the protection engine.
NOTE: Ensure that you do not select the internal vCenter server.
ESX Host/Cluster: Select on which cluster or ESXi host you want to deploy the protection engine.
Network: Displays all the networks that are available under the selected ESXi Host/Cluster. For virtual networks (VLANs), this network carries Management traffic.
Data Store: Displays all datastores that are accessible to the selected ESXi Host/Cluster based on ranking (whether the datastores are shared or local), and available capacity (the datastore with the most capacity appearing at the top of the list).
You can choose the specific datastore on which the protection engine resides, or leave the default selection of to allow PowerProtect Data Manager to determine the best location to host the protection engine.
Transport Mode: Select Hot Add.
Supported Protection Type: Select whether this protection engine is intended for Virtual Machine, Kubernetes Tanzu guest cluster, or NAS asset protection.
4. Click Next.
5. Click Next to skip the Networks Configuration page.
6. On the Summary page, review the information and then click Finish.
The protection engine is added to the VM Direct Engines pane. An additional column indicates the engine purpose. Note that it can take several minutes to register the new protection engine in PowerProtect Data Manager. The protection engine also appears in the vSphere Client.
Results
When an external VM Direct Engine is deployed and registered, PowerProtect Data Manager uses this engine instead of the embedded VM Direct engine for any data protection operations that involve virtual machine protection policies. If every external VM Direct Engine is unavailable, PowerProtect Data Manager uses the embedded VM Direct engine as a fallback to perform limited scale backups and restores. If you do not want to use the external VM Direct Engine, you can disable this engine. Additional VM Direct actions provides more information.
NOTE: The external VM Direct Engine is always required for VMC-on-AWS, AVS-on-Azure, and GCVE-on-GCP operations. If no external VM Direct Engine is available for these solutions, data protection operations fail.
Next steps
If the protection engine deployment fails, review the network configuration of PowerProtect Data Manager in the System Settings window to correct any inconsistencies in network properties. After successfully completing the network reconfiguration, delete the failed protection engine and then add the protection engine in the Protection Engines window.
When configuring the VM Direct Engine in a VMC-on-AWS, AVS-on-Azure, or GCVE-on-GCP environment, if you deploy the VM Direct Engine to the root of the cluster instead of inside the Compute-ResourcePool, you must move the VM Direct Engine inside the Compute-ResourcePool.
Unsupported operations
PowerProtect Data Manager image backup and restore in VMC on AWS does not currently support the following operations:
PowerProtect Search functionality
The vSphere Storage Policy Based Management (SPBM) integration with PowerProtect Data Manager
A VM Direct appliance that is configured with dual-stack or IPv6
Application-consistent data protection for Microsoft SQL with the VM Direct appliance
VM Backup and Recovery HTML5 plug-in functionality for vSphere
Image-based backups and restores that use NBD or the NBDSSL transport mode
Image-based backups and restores when a datacenter is placed inside a folder in the SDDC
File-level recoveries of an image-based backup
Instant-access restores of an image-based backup
Emergency restores of an image-based restore directly to an ESXi host, bypassing the vCenter server
Backup and restore operations with anything other than the CloudAdmin role or a customized role that has all of the privileges listed in Specify the required privileges for a dedicated cloud-based vCenter user account
Backup and restore operations for virtual machine protection policies that use the Transparent Snapshot Data Mover (TSDM) protection mechanism.
NOTE: If protecting virtual machine assets with a PowerProtect Data Manager machine image deployed to AWS, Cloud Disaster Recovery (Cloud DR) and Search Clusters are also unsupported.
Azure VMware Solution (AVS) on Microsoft Azure
Topics:
PowerProtect Data Manager image backup and recovery
Supported PowerProtect Data Manager and DDVE deployment configurations
Deployment and configuration best practices and requirements
Configuring the AVS-on-Azure portal
vCenter server inventory requirements
Creating a dedicated cloud-based vCenter user account
Add a VM Direct Engine
Unsupported operations

PowerProtect Data Manager image backup and recovery
PowerProtect Data Manager provides image backup and restore support for Azure VMware Solution (AVS) on Microsoft Azure.
Using PowerProtect Data Manager to protect virtual machine assets in AVS on Azure is similar to how you protect virtual machine assets in an on-premises data center. This section provides information on network configuration requirements, PowerProtect Data Manager best practices, and unsupported PowerProtect Data Manager operations.

Supported PowerProtect Data Manager and DDVE deployment configurations
In order to protect virtual machine assets in AVS on Azure, PowerProtect Data Manager and DDVE can be deployed in a couple of ways.
When deploying PowerProtect Data Manager and DDVE, two possible deployment environments are Azure VMware Solution (AVS on Azure) and the Azure Marketplace (Azure). The following table describes the supported deployment configurations of the two products:
Table 17. Supported deployment configurations
PowerProtect Data Manager | DDVE
Azure VMware Solution | Azure Marketplace
Azure Marketplace | Azure Marketplace
When deploying PowerProtect Data Manager to AVS on Azure, an Open Virtualization Appliance (OVA) is used. This puts PowerProtect Data Manager into the AVS-on-Azure environment in order to protect the VMware assets. When deploying PowerProtect Data Manager to Azure, a machine image is used. This puts PowerProtect Data Manager into a cloud-marketplace environment, but still allows the VMware assets in the AVS-on-Azure environment to be protected.
For more information about the different deployment types, see the PowerProtect Data Manager Deployment Guide and the PowerProtect Data Manager Azure Deployment Guide.
Deployment and configuration best practices and requirements
Deploying and configuring PowerProtect Data Manager, DDVE, and other components in a certain way provides an efficient protection of virtual machine assets.
To perform data protection and disaster recovery tasks in AVS on Azure, consider the following recommendations and requirements for the backup infrastructure:
Deploy PowerProtect Data Manager either to AVS on Azure or to Azure.
Deploy DDVE to Azure.
Deploy the VM Direct appliance to AVS on Azure.
Deploy at least one VM Direct appliance for each software-defined data center (SDDC) cluster in the AVS-on-Azure environment.
When deploying or configuring PowerProtect Data Manager or the VM Direct appliance, ensure that the DNS server IP points to the internal DNS server that is running in vCenter inventory.
Ensure that the internal DNS server has both forward and reverse lookup entries for all of the required components, such as the PowerProtect Data Manager server, the VM Direct appliance, and DDVE.
If using NSX-T, add the vCenter server to PowerProtect Data Manager by using the FQDN.
If using NSX-V, add the vCenter server to PowerProtect Data Manager by using the public FQDN of the vCenter server.
When adding the vCenter server to PowerProtect Data Manager, perform one of the following actions:
    Specify the login credentials for the cloudadmin@vsphere.local user.
    Refer to Creating a dedicated cloud-based vCenter user account to create a dedicated cloud-based vCenter user account, and then specify the login credentials for that user.
You can clone backups to another instance of DDVE running in Azure. This type of deployment enables backup copies to be stored for longer retention, leveraging the Azure network for transferring data at lower latency and cost when compared to the public Internet.
Configuring the AVS-on-Azure portal
Domain Name System (DNS) resolution is critical for deployment and configuration of PowerProtect Data Manager, the PowerProtect Data Manager external proxy, and the DDVE appliance. All infrastructure components should be resolvable through a fully qualified domain name (FQDN). Resolvable means that components are accessible through both forward (A) and reverse (PTR) lookups.
Ensure that the AVS-on-Azure portal meets the following requirements:
- If you have deployed a PowerProtect Data Manager OVA to AVS on Azure or a PowerProtect Data Manager machine image to Azure, it is configured to use a custom DNS server.
  NOTE: If you have already deployed PowerProtect Data Manager without a custom DNS server, you will have to redeploy it. For more information, see the PowerProtect Data Manager Deployment Guide or the PowerProtect Data Manager Azure Deployment Guide.
- Forward and reverse DNS lookups exist for PowerProtect Data Manager, vCenter, DDVE, ESXi, and each VM Direct Engine.
- DNS is configured to allow machines in the SDDC to resolve FQDNs to their IP addresses.
- DDVE is running in Azure. If you have more than one DDVE instance running in Azure to perform replication, the DDVE instances have the ability to ping each other using their FQDNs.
  NOTE: DDVE running in AVS-on-Azure is not supported.
- DDVE has DNS entries for PowerProtect Data Manager and each VM Direct Engine.
- SDDC is connected to an Azure account, and an Azure cloud and subnet within that account is selected.
- Any DDVE instance on Azure is connected to the SDDC through a Vnet. This action allows the SDDC, the services in the Azure cloud, and subnets in the Azure account to communicate without having to route traffic through the Internet gateway.
- For an AVS-on-Azure environment, open the ESXi server inbound firewall rule with ports 902 and 443 for the PowerProtect-VM proxy solution.
The same Vnets are recommended for access to DDVE instances. For more information about configuring Vnets, see About Virtual Network.
vCenter server inventory requirements
In the vCenter server inventory of the SDDC, ensure that the following requirements are met:
- An internal DNS name server must be running inside vCenter inventory. This will be referenced by all the workloads running in the SDDC.
- The internal DNS server must have Forwarders enabled to access the internet. This action is required to resolve the vCenter server's public FQDN. Forwarders are DNS servers that the server can use to resolve DNS queries for records that the server itself cannot resolve.
Creating a dedicated cloud-based vCenter user account
It is recommended that you set up a separate vCenter user account at the root level of the vCenter hierarchy. This account is strictly dedicated for use with PowerProtect Data Manager and the VM Direct protection engine in cloud-based environments.
Use of a generic user account such as Administrator could make future troubleshooting efforts difficult as it might not be clear which Administrator actions are actually interfacing or communicating with PowerProtect Data Manager. Using a separate vCenter user account ensures maximum clarity if it becomes necessary to examine vCenter logs.
You can specify the credentials for a vCenter user account when you add the vCenter server as an asset source in the user interface. When you add the vCenter server, ensure that you specify a user whose cloud-based role is defined at the vCenter level and not restricted to a lower-level container object in the vSphere object hierarchy.
Specify the required privileges for a dedicated cloud-based vCenter user account
You can use the vSphere Client to specify the required privileges for the dedicated cloud-based vCenter user account, or you can use the PowerCLI, which is an interface for managing vSphere.
The following table includes the privileges required for this user.
NOTE: For the privileges required when administering on-premises PowerProtect Data Manager, see Specify the required privileges for a dedicated vCenter user account.
Table 18. Minimum required cloud-based vCenter user account privileges
Setting | vCenter 6.0 and later required privileges
Alarms | Create alarm; Modify alarm
Cryptographic operations | Direct Access (NOTE: This only applies to AVS and GCVE.)
Datastore | Allocate space; Browse datastore; Configure datastore; Low level file operations; Remove file
Folder | Create folder
Global | Cancel task; Log event; Manage custom attributes; Set custom attribute
vSphere Tagging | Assign or Unassign vSphere Tag; Assign or Unassign vSphere Tag on Object (NOTE: This only applies to vCenter 7.0 and later.); Create vSphere Tag; Create vSphere Tag Category
Network | Assign network
Resource | Assign virtual machine to resource pool; Migrate powered off virtual machine; Migrate powered on virtual machine
Sessions | Validate session
SPBM policy restore | Profile-driven storage
vApp | Export; Import; vApp application configuration
Virtual Machine, Change Configuration | Acquire disk lease; Add existing disk; Add new disk; Add or remove device; Advanced configuration; Change CPU count; Change Memory; Change Settings; Change Swapfile placement; Change resource; Configure Host USB device; Configure Raw device; Configure managedby; Extend virtual disk; Modify device settings; Reload from path; Remove disk; Rename; Reset guest information; Set annotation; Toggle disk change tracking; Upgrade virtual machine compatibility
Virtual Machine, Edit Inventory | Create new; Register; Remove; Unregister
Virtual Machine, Guest operations | Guest operation modifications; Guest operation program execution; Guest operation queries
Virtual Machine, Interaction | Configure CD media; Connect devices; Console interaction; Guest operating system management by VIX API; Install VMware Tools; Power off; Power on; Reset
Virtual Machine, Provisioning | Allow disk access; Allow read-only disk access; Allow virtual machine download; Mark as template
Virtual Machine, Snapshot Management | Create snapshot; Remove snapshot; Revert to snapshot
PowerCLI equivalent required privileges:
    # Privilege IDs for the dedicated role; run in a PowerCLI session that is connected to the vCenter server.
    $privileges = @(
        'System.Anonymous', 'System.View', 'System.Read',
        'Alarm.Create', 'Alarm.Edit',
        'Cryptographer.Access',
        'Datastore.Browse', 'Datastore.DeleteFile', 'Datastore.FileManagement', 'Datastore.AllocateSpace', 'Datastore.Config',
        'Folder.Create',
        'Global.ManageCustomFields', 'Global.SetCustomField', 'Global.LogEvent', 'Global.CancelTask',
        'InventoryService.Tagging.AttachTag', 'InventoryService.Tagging.ObjectAttachable',
        'InventoryService.Tagging.CreateTag', 'InventoryService.Tagging.CreateCategory',
        'Network.Assign',
        'Resource.AssignVMToPool', 'Resource.HotMigrate', 'Resource.ColdMigrate',
        'Sessions.ValidateSession',
        'StorageProfile.View',
        'VApp.ApplicationConfig', 'VApp.Export', 'VApp.Import',
        'VirtualMachine.Config.Rename', 'VirtualMachine.Config.Annotation', 'VirtualMachine.Config.AddExistingDisk',
        'VirtualMachine.Config.AddNewDisk', 'VirtualMachine.Config.RemoveDisk', 'VirtualMachine.Config.RawDevice',
        'VirtualMachine.Config.HostUSBDevice', 'VirtualMachine.Config.CPUCount', 'VirtualMachine.Config.Memory',
        'VirtualMachine.Config.AddRemoveDevice', 'VirtualMachine.Config.EditDevice', 'VirtualMachine.Config.Settings',
        'VirtualMachine.Config.Resource', 'VirtualMachine.Config.UpgradeVirtualHardware', 'VirtualMachine.Config.ResetGuestInfo',
        'VirtualMachine.Config.AdvancedConfig', 'VirtualMachine.Config.DiskLease', 'VirtualMachine.Config.SwapPlacement',
        'VirtualMachine.Config.DiskExtend', 'VirtualMachine.Config.ChangeTracking', 'VirtualMachine.Config.ReloadFromPath',
        'VirtualMachine.Config.ManagedBy',
        'VirtualMachine.GuestOperations.Query', 'VirtualMachine.GuestOperations.Modify', 'VirtualMachine.GuestOperations.Execute',
        'VirtualMachine.Interact.PowerOn', 'VirtualMachine.Interact.PowerOff', 'VirtualMachine.Interact.Reset',
        'VirtualMachine.Interact.ConsoleInteract', 'VirtualMachine.Interact.DeviceConnection', 'VirtualMachine.Interact.SetCDMedia',
        'VirtualMachine.Interact.ToolsInstall', 'VirtualMachine.Interact.GuestControl',
        'VirtualMachine.Inventory.Create', 'VirtualMachine.Inventory.Register', 'VirtualMachine.Inventory.Delete',
        'VirtualMachine.Inventory.Unregister',
        'VirtualMachine.Provisioning.DiskRandomAccess', 'VirtualMachine.Provisioning.DiskRandomRead',
        'VirtualMachine.Provisioning.GetVmFiles', 'VirtualMachine.Provisioning.MarkAsTemplate',
        'VirtualMachine.State.CreateSnapshot', 'VirtualMachine.State.RevertToSnapshot', 'VirtualMachine.State.RemoveSnapshot'
    )
    New-VIRole -Name 'PowerProtect' -Privilege (Get-VIPrivilege -Id $privileges)
Add a VM Direct Engine
Perform the following steps in the Protection Engines window of the PowerProtect Data Manager UI to deploy an external VM Direct Engine, also referred to as a VM proxy. The VM Direct Engine facilitates data movement for virtual machine protection policies.
Prerequisites
Review the sections Requirements for an external VM Direct Engine, Transport mode considerations, and Protection engine limitations.
If applicable, complete all of the virtual network configuration tasks before you assign any virtual networks. The PowerProtect Data Manager Administration and User Guide provides more information.
About this task
The PowerProtect Data Manager software comes bundled with an embedded VM Direct engine, which is automatically used as a fallback proxy for performing backups and restores when the added external proxies fail or are disabled. It is recommended that you deploy external proxies by adding a VM Direct Engine for the following reasons:
- An external VM Direct Engine for VM proxy backup and recovery can provide improved performance and reduce network bandwidth utilization by using source-side deduplication.
- The embedded VM Direct engine has limited capacity for backup streams.
- The embedded VM Direct engine is not supported for VMC-on-AWS, AVS-on-Azure, or GCVE-on-GCP operations.
NOTE: Cloud-based deployments of PowerProtect Data Manager do not support the configuration of data-traffic routing or VLANs. Skip the Networks Configuration page.
Steps
1. From the left navigation pane, select Infrastructure > Protection Engines.
The Protection Engines window appears.
2. In the VM Direct Engines pane of the Protection Engines window, click Add. The Add Protection Engine wizard displays.
3. On the Protection Engine Configuration page, complete the required fields, which are marked with an asterisk.
   - Hostname, Gateway, IP Address, Netmask, and Primary DNS: Note that either only IPv4 addresses or only IPv6 addresses are supported.
   - vCenter to Deploy: If you have added multiple vCenter server instances, select the vCenter server on which to deploy the protection engine.
     NOTE: Ensure that you do not select the internal vCenter server.
   - ESX Host/Cluster: Select on which cluster or ESXi host you want to deploy the protection engine.
   - Network: Displays all the networks that are available under the selected ESXi Host/Cluster. For virtual networks (VLANs), this network carries Management traffic.
   - Data Store: Displays all datastores that are accessible to the selected ESXi Host/Cluster based on ranking (whether the datastores are shared or local), and available capacity (the datastore with the most capacity appearing at the top of the list).
     You can choose the specific datastore on which the protection engine resides, or leave the default selection of to allow PowerProtect Data Manager to determine the best location to host the protection engine.
   - Transport Mode: Select Hot Add.
   - Supported Protection Type: Select whether this protection engine is intended for Virtual Machine, Kubernetes Tanzu guest cluster, or NAS asset protection.
4. Click Next.
5. Click Next to skip the Networks Configuration page.
6. On the Summary page, review the information and then click Finish.
The protection engine is added to the VM Direct Engines pane. An additional column indicates the engine purpose. Note that it can take several minutes to register the new protection engine in PowerProtect Data Manager. The protection engine also appears in the vSphere Client.
Results
When an external VM Direct Engine is deployed and registered, PowerProtect Data Manager uses this engine instead of the embedded VM Direct engine for any data protection operations that involve virtual machine protection policies. If every external VM Direct Engine is unavailable, PowerProtect Data Manager uses the embedded VM Direct engine as a fallback to perform limited scale backups and restores. If you do not want to use the external VM Direct Engine, you can disable this engine. Additional VM Direct actions provides more information.
NOTE: The external VM Direct Engine is always required for VMC-on-AWS, AVS-on-Azure, and GCVE-on-GCP operations. If no external VM Direct Engine is available for these solutions, data protection operations fail.
Next steps
If the protection engine deployment fails, review the network configuration of PowerProtect Data Manager in the System Settings window to correct any inconsistencies in network properties. After successfully completing the network reconfiguration, delete the failed protection engine and then add the protection engine in the Protection Engines window.
When configuring the VM Direct Engine in a VMC-on-AWS, AVS-on-Azure, or GCVE-on-GCP environment, if you deploy the VM Direct Engine to the root of the cluster instead of inside the Compute-ResourcePool, you must move the VM Direct Engine inside the Compute-ResourcePool.
Unsupported operations
PowerProtect Data Manager image backup and restore in AVS on Azure does not currently support the following operations:
- PowerProtect Search functionality
- The vSphere Storage Policy Based Management (SPBM) integration with PowerProtect Data Manager
- A VM Direct appliance that is configured with dual-stack or IPv6
- Application-consistent data protection for Microsoft SQL with the VM Direct appliance
- VM Backup and Recovery HTML5 plug-in functionality for vSphere
- Image-based backups and restores that use NBD or the NBDSSL transport mode
- Image-based backups and restores when a datacenter is placed inside a folder in the SDDC
- File-level recoveries of an image-based backup
- Instant-access restores of an image-based backup
- Emergency restores of an image-based restore directly to an ESXi host, bypassing the vCenter server
- Backup and restore operations with anything other than the CloudAdmin role or a customized role that has all of the privileges listed in Specify the required privileges for a dedicated cloud-based vCenter user account
- Backup and restore operations for virtual machine protection policies that use the Transparent Snapshot Data Mover (TSDM) protection mechanism.
NOTE: If protecting virtual machine assets with a PowerProtect Data Manager machine image deployed to Azure, Cloud Disaster Recovery (Cloud DR), Search Clusters, and Microsoft Exchange Server are also unsupported.
Google Cloud VMware Engine (GCVE) on Google Cloud Platform (GCP)
Topics:
- PowerProtect Data Manager image backup and recovery
- Supported PowerProtect Data Manager and DDVE deployment configurations
- Deployment and configuration best practices and requirements
- Configuring the GCVE-on-GCP portal
- vCenter server inventory requirements
- Creating a dedicated cloud-based vCenter user account
- Add a VM Direct Engine
- Unsupported operations
PowerProtect Data Manager image backup and recovery
PowerProtect Data Manager provides image backup and restore support for Google Cloud VMware Engine (GCVE) on Google Cloud Platform (GCP).
Using PowerProtect Data Manager to protect virtual machine assets in GCVE on GCP is similar to how you protect virtual machines assets in an on-premises data center. The following sections provide information on network configuration requirements, PowerProtect Data Manager best practices, and unsupported PowerProtect Data Manager operations.
Supported PowerProtect Data Manager and DDVE deployment configurations
In order to protect virtual machine assets in GCVE on GCP, PowerProtect Data Manager and DDVE can be deployed in a couple of ways.
When deploying PowerProtect Data Manager and DDVE, two possible deployment environments are Google Cloud VMware Engine (GCVE on GCP) and the Google Cloud Marketplace (GCP). The following table describes the supported deployment configurations of the two products:
Table 19. Supported deployment configurations
PowerProtect Data Manager | DDVE
Google Cloud VMware Engine | Google Cloud Marketplace
Google Cloud Marketplace | Google Cloud Marketplace
When deploying PowerProtect Data Manager to GCVE on GCP, an Open Virtualization Appliance (OVA) is used. This puts PowerProtect Data Manager into the GCVE-on-GCP environment in order to protect the VMware assets. When deploying PowerProtect Data Manager to GCP, a machine image is used. This puts PowerProtect Data Manager into a cloud-marketplace environment, but still allows the VMware assets in the GCVE-on-GCP environment to be protected.
For more information about the different deployment types, see the PowerProtect Data Manager Deployment Guide and the PowerProtect Data Manager Google Cloud Platform Deployment Guide.
Deployment and configuration best practices and requirements
For GCVE-on-GCP support, ensure that the following requirements are met:
To perform data protection and disaster recovery tasks in GCVE on GCP, consider the following recommendations and requirements for the backup infrastructure deployment:
- Deploy PowerProtect Data Manager either to GCVE on GCP or to GCP.
- Deploy DDVE to GCP.
- Deploy the VM Direct appliance in a GCVE-on-GCP environment. Deploy at least one VM Direct appliance for each software-defined data center (SDDC) cluster in GCVE on GCP.
- When deploying or configuring PowerProtect Data Manager or the VM Direct appliance, ensure that the DNS server IP points to the internal DNS server that is running in vCenter inventory.
- Ensure that the internal DNS server has both forward and reverse lookup entries for all of the required components, such as the PowerProtect Data Manager server, the VM Direct appliance, and DDVE.
- If using NSX-T, add the vCenter server to PowerProtect Data Manager by using the FQDN.
- If using NSX-V, add the vCenter server to PowerProtect Data Manager by using the public FQDN of the vCenter server.
- When adding the vCenter server to PowerProtect Data Manager, perform one of the following actions:
  - Specify the login credentials for the CloudOwner@gve.local user.
  - Refer to the following section to create a dedicated cloud-based vCenter user account, and then specify the login credentials for that user.
- You can clone backups to another DDVE instance running in GCP. This type of deployment enables backup copies to be stored for longer retention, leveraging the GCP network for transferring data at lower latency and cost when compared to the public Internet.
Configuring the GCVE-on-GCP portal
Domain Name System (DNS) resolution is critical for deployment and configuration of PowerProtect Data Manager, the PowerProtect Data Manager external proxy, and DDVE. All infrastructure components should be resolvable through a fully qualified domain name (FQDN). Resolvable means that components are accessible through both forward (A) and reverse (PTR) lookups.
Ensure that the GCVE-on-GCP portal meets the following requirements:
- If you have deployed a PowerProtect Data Manager OVA to GCVE on GCP or a PowerProtect Data Manager machine image to GCP, it is configured to use a custom DNS server.
  NOTE: If you have already deployed PowerProtect Data Manager without a custom DNS server, you will have to redeploy it. For more information, see the PowerProtect Data Manager Deployment Guide or the PowerProtect Data Manager Google Cloud Platform Deployment Guide.
- Forward and reverse DNS lookups exist for PowerProtect Data Manager, vCenter, DDVE, ESXi, and each VM Direct Engine.
- DNS is configured to allow machines in the SDDC to resolve FQDNs to their IP addresses.
- DDVE is running in GCP. If you have more than one DDVE instance running in GCP to perform replication, both DDVE instances have the ability to ping each other using their FQDNs.
  NOTE: DDVE running in GCVE on GCP is not supported.
- DDVE has DNS entries for PowerProtect Data Manager and each VM Direct Engine.
- SDDC is connected to a Google account, and a Google cloud and subnet within that account is selected.
- Any DDVE instance running in GCP is connected to the SDDC through a Vnet. This action allows the SDDC, the services in GCP, and subnets in GCP to communicate without having to route traffic through the Internet gateway.
- For a GCVE-on-GCP environment, open the ESXi server inbound firewall rule with ports 902 and 443 for the PowerProtect-VM proxy solution.
The same Vnet is recommended for access to DDVE instances. For more information about configuring Vnets, see About Virtual Network.
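The forward (A) and reverse (PTR) requirement in the AVS-on-Azure and GCVE-on-GCP portal sections can be checked before deployment with a script like the following. This is an added example, not Dell code; the function name, host names, and addresses are constructed, and the resolver hooks exist only so the sample runs without a DNS server.

```powershell
# Added example: verify that each component resolves forward (A/AAAA) and that the
# PTR record for every returned address points back to the same FQDN.

function Test-ForwardReverseDns {
    param(
        [Parameter(Mandatory)] [string[]] $Fqdn,
        # Resolver hooks default to the system resolver; override them to test offline.
        [scriptblock] $Forward = {
            param($n) [System.Net.Dns]::GetHostAddresses($n) | ForEach-Object { $_.IPAddressToString }
        },
        [scriptblock] $Reverse = { param($ip) [System.Net.Dns]::GetHostEntry($ip).HostName }
    )
    foreach ($name in $Fqdn) {
        $addresses = @()
        try { $addresses = @(& $Forward $name | Where-Object { $_ }) } catch { }
        if ($addresses.Count -eq 0) {
            [pscustomobject]@{ Fqdn = $name; Address = $null; Ptr = $null; Status = 'NoForwardRecord' }
            continue
        }
        foreach ($ip in $addresses) {
            $ptr = $null
            try { $ptr = & $Reverse $ip } catch { }
            # Some resolvers echo the address back when no PTR record exists.
            if ($ptr -eq $ip) { $ptr = $null }
            $status = 'PtrMismatch'
            if (-not $ptr) { $status = 'NoReverseRecord' }
            elseif ($ptr.TrimEnd('.') -ieq $name.TrimEnd('.')) { $status = 'OK' }
            [pscustomobject]@{ Fqdn = $name; Address = $ip; Ptr = $ptr; Status = $status }
        }
    }
}

# Constructed sample zone data (not from the guide): one healthy host, one stale PTR,
# one host without a PTR, and one host without an A record.
$sampleA = @{
    'ppdm.lab.example'     = '10.0.10.5'
    'ddve.lab.example'     = '10.0.20.7'
    'vmdirect.lab.example' = '10.0.10.9'
}
$samplePtr = @{
    '10.0.10.5' = 'ppdm.lab.example'
    '10.0.20.7' = 'ddve-old.lab.example'
}
$components = 'ppdm.lab.example', 'ddve.lab.example', 'vmdirect.lab.example', 'esxi01.lab.example'

$results = Test-ForwardReverseDns -Fqdn $components `
    -Forward { param($n) $sampleA[$n] } `
    -Reverse { param($ip) $samplePtr[$ip] }

$results | Format-Table -AutoSize
# Anything listed here must be fixed in the internal DNS server before deployment.
$results | Where-Object { $_.Status -ne 'OK' }
```

Omit the `-Forward` and `-Reverse` arguments to query the DNS server that the machine is configured to use; run it from a host inside the SDDC so that the internal DNS server answers.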
vCenter server inventory requirements
In the vCenter server inventory of the SDDC, ensure that the following requirements are met:
- An internal DNS name server must be running inside vCenter inventory. This will be referenced by all the workloads running in the SDDC.
- The internal DNS server must have Forwarders enabled to access the internet. This action is required to resolve the vCenter server's public FQDN. Forwarders are DNS servers that the server can use to resolve DNS queries for records that the server itself cannot resolve.
Discovering asset sources in a GCVE environment
There are special discovery considerations in a GCVE environment. Discovery fails unless GCVE-located vCenter servers have additional permissions.
Ensure that any GCVE-located vCenter server has the following permissions:
- The GVE.LOCAL\CloudOwner user is mapped to the Cloud-Owner-Role role at the vCenter level.
- The GVE.LOCAL\CloudOwner to Cloud-Owner-Role mapping is not restricted to a lower-level container object in the vSphere object hierarchy.
Creating a dedicated cloud-based vCenter user account
It is recommended that you set up a separate vCenter user account at the root level of the vCenter hierarchy. This account is strictly dedicated for use with PowerProtect Data Manager and the VM Direct protection engine in cloud-based environments.
Use of a generic user account such as Administrator could make future troubleshooting efforts difficult as it might not be clear which Administrator actions are actually interfacing or communicating with PowerProtect Data Manager. Using a separate vCenter user account ensures maximum clarity if it becomes necessary to examine vCenter logs.
You can specify the credentials for a vCenter user account when you add the vCenter server as an asset source in the user interface. When you add the vCenter server, ensure that you specify a user whose cloud-based role is defined at the vCenter level and not restricted to a lower-level container object in the vSphere object hierarchy.
Specify the required privileges for a dedicated cloud-based vCenter user account
You can use the vSphere Client to specify the required privileges for the dedicated cloud-based vCenter user account, or you can use the PowerCLI, which is an interface for managing vSphere.
The following table includes the privileges required for this user.
NOTE: For the privileges required when administering on-premises PowerProtect Data Manager, see Specify the required privileges for a dedicated vCenter user account.
Table 20. Minimum required cloud-based vCenter user account privileges
Setting | vCenter 6.0 and later required privileges
Alarms | Create alarm; Modify alarm
Cryptographic operations | Direct Access (NOTE: This only applies to AVS and GCVE.)
Datastore | Allocate space; Browse datastore; Configure datastore; Low level file operations; Remove file
Folder | Create folder
Global | Cancel task; Log event; Manage custom attributes; Set custom attribute
vSphere Tagging | Assign or Unassign vSphere Tag; Assign or Unassign vSphere Tag on Object (NOTE: This only applies to vCenter 7.0 and later.); Create vSphere Tag; Create vSphere Tag Category
Network | Assign network
Resource | Assign virtual machine to resource pool; Migrate powered off virtual machine; Migrate powered on virtual machine
Sessions | Validate session
SPBM policy restore | Profile-driven storage
vApp | Export; Import; vApp application configuration
Virtual Machine, Change Configuration | Acquire disk lease; Add existing disk; Add new disk; Add or remove device; Advanced configuration; Change CPU count; Change Memory; Change Settings; Change Swapfile placement; Change resource; Configure Host USB device; Configure Raw device; Configure managedby; Extend virtual disk; Modify device settings; Reload from path; Remove disk; Rename; Reset guest information; Set annotation; Toggle disk change tracking; Upgrade virtual machine compatibility
Virtual Machine, Edit Inventory | Create new; Register; Remove; Unregister
Virtual Machine, Guest operations | Guest operation modifications; Guest operation program execution; Guest operation queries
Virtual Machine, Interaction | Configure CD media; Connect devices; Console interaction; Guest operating system management by VIX API; Install VMware Tools; Power off; Power on; Reset
Virtual Machine, Provisioning | Allow disk access; Allow read-only disk access; Allow virtual machine download; Mark as template
Virtual Machine, Snapshot Management | Create snapshot; Remove snapshot; Revert to snapshot
PowerCLI equivalent required privileges:
    # Privilege IDs for the dedicated role; run in a PowerCLI session that is connected to the vCenter server.
    $privileges = @(
        'System.Anonymous', 'System.View', 'System.Read',
        'Alarm.Create', 'Alarm.Edit',
        'Cryptographer.Access',
        'Datastore.Browse', 'Datastore.DeleteFile', 'Datastore.FileManagement', 'Datastore.AllocateSpace', 'Datastore.Config',
        'Folder.Create',
        'Global.ManageCustomFields', 'Global.SetCustomField', 'Global.LogEvent', 'Global.CancelTask',
        'InventoryService.Tagging.AttachTag', 'InventoryService.Tagging.ObjectAttachable',
        'InventoryService.Tagging.CreateTag', 'InventoryService.Tagging.CreateCategory',
        'Network.Assign',
        'Resource.AssignVMToPool', 'Resource.HotMigrate', 'Resource.ColdMigrate',
        'Sessions.ValidateSession',
        'StorageProfile.View',
        'VApp.ApplicationConfig', 'VApp.Export', 'VApp.Import',
        'VirtualMachine.Config.Rename', 'VirtualMachine.Config.Annotation', 'VirtualMachine.Config.AddExistingDisk',
        'VirtualMachine.Config.AddNewDisk', 'VirtualMachine.Config.RemoveDisk', 'VirtualMachine.Config.RawDevice',
        'VirtualMachine.Config.HostUSBDevice', 'VirtualMachine.Config.CPUCount', 'VirtualMachine.Config.Memory',
        'VirtualMachine.Config.AddRemoveDevice', 'VirtualMachine.Config.EditDevice', 'VirtualMachine.Config.Settings',
        'VirtualMachine.Config.Resource', 'VirtualMachine.Config.UpgradeVirtualHardware', 'VirtualMachine.Config.ResetGuestInfo',
        'VirtualMachine.Config.AdvancedConfig', 'VirtualMachine.Config.DiskLease', 'VirtualMachine.Config.SwapPlacement',
        'VirtualMachine.Config.DiskExtend', 'VirtualMachine.Config.ChangeTracking', 'VirtualMachine.Config.ReloadFromPath',
        'VirtualMachine.Config.ManagedBy',
        'VirtualMachine.GuestOperations.Query', 'VirtualMachine.GuestOperations.Modify', 'VirtualMachine.GuestOperations.Execute',
        'VirtualMachine.Interact.PowerOn', 'VirtualMachine.Interact.PowerOff', 'VirtualMachine.Interact.Reset',
        'VirtualMachine.Interact.ConsoleInteract', 'VirtualMachine.Interact.DeviceConnection', 'VirtualMachine.Interact.SetCDMedia',
        'VirtualMachine.Interact.ToolsInstall', 'VirtualMachine.Interact.GuestControl',
        'VirtualMachine.Inventory.Create', 'VirtualMachine.Inventory.Register', 'VirtualMachine.Inventory.Delete',
        'VirtualMachine.Inventory.Unregister',
        'VirtualMachine.Provisioning.DiskRandomAccess', 'VirtualMachine.Provisioning.DiskRandomRead',
        'VirtualMachine.Provisioning.GetVmFiles', 'VirtualMachine.Provisioning.MarkAsTemplate',
        'VirtualMachine.State.CreateSnapshot', 'VirtualMachine.State.RevertToSnapshot', 'VirtualMachine.State.RemoveSnapshot'
    )
    New-VIRole -Name 'PowerProtect' -Privilege (Get-VIPrivilege -Id $privileges)
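Once the role from Table 18 or Table 20 exists, it can be audited for drift: privileges that are missing break backups, and privileges beyond the minimum set widen what the dedicated account can do. The following is an added example, not Dell code; the function names, the `svc-ppdm` account, the entity IDs, and the sample privilege lists are constructed, and the permission objects only mirror the `Principal`, `Role`, `EntityId`, and `Propagate` properties that `Get-VIPermission` returns.

```powershell
# Added example: audit a dedicated backup role against the documented minimum
# privileges, and confirm that the role is granted at the vCenter root with propagation.

function Compare-RolePrivilege {
    # Reports required privileges the role lacks and privileges it holds beyond the required set.
    param(
        [Parameter(Mandatory)] [string[]] $Required,
        [Parameter(Mandatory)] [string[]] $Actual
    )
    [pscustomobject]@{
        Missing = @($Required | Where-Object { $Actual -notcontains $_ } | Sort-Object -Unique)
        Excess  = @($Actual | Where-Object { $Required -notcontains $_ } | Sort-Object -Unique)
    }
}

function Test-RootLevelPermission {
    # True only when the principal holds the role on the root entity with propagation enabled,
    # that is, the role is not restricted to a lower-level container object.
    param(
        [Parameter(Mandatory)] [object[]] $Permission,
        [Parameter(Mandatory)] [string] $Principal,
        [Parameter(Mandatory)] [string] $Role,
        [Parameter(Mandatory)] [string] $RootEntityId
    )
    $match = @($Permission | Where-Object {
        $_.Principal -eq $Principal -and $_.Role -eq $Role -and
        $_.EntityId -eq $RootEntityId -and $_.Propagate
    })
    $match.Count -gt 0
}

# Constructed sample: a short subset of the table's privilege IDs stands in for $privileges.
$requiredSample = 'System.Anonymous', 'System.View', 'System.Read', 'Datastore.Browse',
                  'VirtualMachine.State.CreateSnapshot', 'VirtualMachine.State.RemoveSnapshot'
# Constructed role content: one required privilege was dropped and one unrelated privilege added.
$roleSample     = 'System.Anonymous', 'System.View', 'System.Read', 'Datastore.Browse',
                  'VirtualMachine.State.CreateSnapshot', 'Host.Config.Maintenance'

$diff = Compare-RolePrivilege -Required $requiredSample -Actual $roleSample
'Missing: ' + ($diff.Missing -join ', ')
'Excess:  ' + ($diff.Excess -join ', ')

# Constructed permission records: the role is granted only on a VM folder, not on the root.
$permSample = @(
    [pscustomobject]@{ Principal = 'VSPHERE.LOCAL\svc-ppdm'; Role = 'PowerProtect'
                       EntityId = 'Folder-group-v3'; Propagate = $true }
)
$atRoot = Test-RootLevelPermission -Permission $permSample -Principal 'VSPHERE.LOCAL\svc-ppdm' `
    -Role 'PowerProtect' -RootEntityId 'Folder-group-d1'
"Granted at vCenter root with propagation: $atRoot"

# Against a live vCenter (requires VMware PowerCLI and an active Connect-VIServer session),
# feed the functions real data instead of the samples, for example:
#   Compare-RolePrivilege -Required $privileges -Actual (Get-VIRole -Name 'PowerProtect').PrivilegeList
#   Test-RootLevelPermission -Permission (Get-VIPermission) -Principal '<account>' `
#       -Role 'PowerProtect' -RootEntityId (Get-Folder -NoRecursion).Id
```

The use of `Get-Folder -NoRecursion` to obtain the root folder is an assumption about the target inventory; confirm that it returns a single root folder before relying on the result.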
Add a VM Direct Engine
Perform the following steps in the Protection Engines window of the PowerProtect Data Manager UI to deploy an external VM Direct Engine, also referred to as a VM proxy. The VM Direct Engine facilitates data movement for virtual machine protection policies.
Prerequisites
Review the sections Requirements for an external VM Direct Engine, Transport mode considerations, and Protection engine limitations.
If applicable, complete all of the virtual network configuration tasks before you assign any virtual networks. The PowerProtect Data Manager Administration and User Guide provides more information.
About this task
The PowerProtect Data Manager software comes bundled with an embedded VM Direct engine, which is automatically used as a fallback proxy for performing backups and restores when the added external proxies fail or are disabled. It is recommended that you deploy external proxies by adding a VM Direct Engine for the following reasons:
- An external VM Direct Engine for VM proxy backup and recovery can provide improved performance and reduce network bandwidth utilization by using source-side deduplication.
- The embedded VM Direct engine has limited capacity for backup streams.
- The embedded VM Direct engine is not supported for VMC-on-AWS, AVS-on-Azure, or GCVE-on-GCP operations.
NOTE: Cloud-based deployments of PowerProtect Data Manager do not support the configuration of data-traffic routing or VLANs. Skip the Networks Configuration page.
Steps
1. From the left navigation pane, select Infrastructure > Protection Engines.
The Protection Engines window appears.
2. In the VM Direct Engines pane of the Protection Engines window, click Add. The Add Protection Engine wizard displays.
Google Cloud VMware Engine (GCVE) on Google Cloud Platform (GCP) 117
3. On the Protection Engine Configuration page, complete the required fields, which are marked with an asterisk.
Hostname, Gateway, IP Address, Netmask, and Primary DNSNote that either only IPv4 addresses or only IPv6 addresses are supported.
vCenter to DeployIf you have added multiple vCenter server instances, select the vCenter server on which to deploy the protection engine.
NOTE: Ensure that you do not select the internal vCenter server.
ESX Host/ClusterSelect on which cluster or ESXi host you want to deploy the protection engine. NetworkDisplays all the networks that are available under the selected ESXi Host/Cluster. For virtual networks
(VLANs), this network carries Management traffic. Data StoreDisplays all datastores that are accessible to the selected ESXi Host/Cluster based on ranking (whether
the datastores are shared or local), and available capacity (the datastore with the most capacity appearing at the top of the list).
You can choose the specific datastore on which the protection engine resides, or leave the default selection of to allow PowerProtect Data Manager to determine the best location to host the protection engine.
- Transport Mode: Select Hot Add.
- Supported Protection Type: Select whether this protection engine is intended for Virtual Machine, Kubernetes Tanzu guest cluster, or NAS asset protection.
4. Click Next.
5. Click Next to skip the Networks Configuration page.
6. On the Summary page, review the information and then click Finish.
The protection engine is added to the VM Direct Engines pane. An additional column indicates the engine purpose. Note that it can take several minutes to register the new protection engine in PowerProtect Data Manager. The protection engine also appears in the vSphere Client.
Results
When an external VM Direct Engine is deployed and registered, PowerProtect Data Manager uses this engine instead of the embedded VM Direct engine for any data protection operations that involve virtual machine protection policies. If every external VM Direct Engine is unavailable, PowerProtect Data Manager uses the embedded VM Direct engine as a fallback to perform limited scale backups and restores. If you do not want to use the external VM Direct Engine, you can disable this engine. Additional VM Direct actions provides more information.
NOTE: The external VM Direct Engine is always required for VMC-on-AWS, AVS-on-Azure, and GCVE-on-GCP operations.
If no external VM Direct Engine is available for these solutions, data protection operations fail.
Next steps
If the protection engine deployment fails, review the network configuration of PowerProtect Data Manager in the System Settings window to correct any inconsistencies in network properties. After successfully completing the network reconfiguration, delete the failed protection engine and then add the protection engine in the Protection Engines window.
When configuring the VM Direct Engine in a VMC-on-AWS, AVS-on-Azure, or GCVE-on-GCP environment, if you deploy the VM Direct Engine to the root of the cluster instead of inside the Compute-ResourcePool, you must move the VM Direct Engine inside the Compute-ResourcePool.
Unsupported operations
PowerProtect Data Manager image backup and restore in GCVE on GCP does not currently support the following operations:
- PowerProtect Search functionality
- The vSphere Storage Policy Based Management (SPBM) integration with PowerProtect Data Manager
- A VM Direct appliance that is configured with dual-stack or IPv6
- Application-consistent data protection for Microsoft SQL with the VM Direct appliance
- VM Backup and Recovery HTML5 plug-in functionality for vSphere
- Image-based backups and restores that use NBD or the NBDSSL transport mode
- Image-based backups and restores when a datacenter is placed inside a folder in the SDDC
- File-level recoveries of an image-based backup
- Instant-access restores of an image-based backup
- Emergency restores of an image-based restore directly to an ESXi host, bypassing the vCenter server
- Backup and restore operations with anything other than the CloudOwner role or a customized role that has all of the privileges listed in Specify the required privileges for a dedicated cloud-based vCenter user account
- Backup and restore operations for virtual machine protection policies that use the Transparent Snapshot Data Mover (TSDM) protection mechanism.
NOTE: If protecting virtual machine assets with a PowerProtect Data Manager machine image deployed to GCP, Cloud
Disaster Recovery (Cloud DR), Search Clusters, Microsoft Exchange Server, and block-based backups (BBB) with the File
System agent (FSA) are also unsupported.
Backing Up and Recovering a vCenter Server
Topics:
- Backing up and recovering a vCenter server
- vCenter deployments overview
- Protecting an embedded PSC
- Protecting external deployment models
- vCenter server restore workflow
- Platform Services Controller restore workflow
- Additional considerations
- Command reference
Backing up and recovering a vCenter server
The following sections describe how to protect the vCenter Server Appliance (VCSA) and the Platform Services Controllers (PSC). It is intended for virtual administrators who utilize the distributed model of the vCenter server and require protection of the complete vCenter server infrastructure.
vCenter deployments overview
You can protect vCenter 6.5 and later deployments with PowerProtect Data Manager by using the VM Direct Engine appliance. The vCenter server and Platform Services Controller (PSC) must be deployed as virtual machines.
For the restores to complete successfully:
- Ensure that these virtual machines use a fully qualified domain name (FQDN) with correct DNS resolution.
- Ensure that the host name of the machine is configured as an IP address. Note that if the host name is configured as an IP address, the IP address cannot be changed.
There are mainly two types of vCenter deployments:
- vCenter server appliances and Windows virtual machines with an embedded PSC.
- vCenter server appliances and Windows virtual machines with an external PSC. This type has two subcategories:
  - vCenter server environments with a single external PSC.
  - vCenter server environments with multiple PSC instances. This environment contains multiple vCenter server instances registered with different external PSC instances that replicate their data.
Protecting an embedded PSC
The following section describes backup and recovery options for protecting an embedded PSC.
Backup
You can perform a backup of an embedded PSC by using the following guidelines.
1. Create a protection policy, and then add the vCenter virtual machine to the protection policy.
2. Select the full virtual machine and not individual disks.
3. Run the scheduled or on-demand (ad-hoc) protection policy.
Recovery
Depending on the type of failure, you can perform the virtual machine recovery by using one of the following methods.
- Restore to original: This method is valid only when the vCenter Server Appliance (VCSA) is intact and running, but corrupted.
- Recover as a new virtual machine to a managed ESXi server (Virtual Machine Recovery): Use this method if you have completely lost your VCSA. Note that this vCenter server must be registered with PowerProtect Data Manager.
- Direct restore to ESXi server: Direct restore to ESXi will be the main use case.
Direct restore to ESXi
If the virtual machine you protected with PowerProtect Data Manager was a vCenter virtual machine, but the virtual machine and vCenter server are now lost or no longer available, direct restore to ESXi enables you to recover the virtual machine directly to an ESXi host without a vCenter server.
Prerequisites
Direct restore to ESXi requires either the embedded VM Direct Engine with PowerProtect Data Manager, or an external VM Direct appliance that is added and registered to PowerProtect Data Manager.
Additionally, ensure that you disconnect the ESXi host from the vCenter server.
Steps
1. From the PowerProtect Data Manager UI, select Restore > Assets, and then select the Virtual Machine tab.
The Restore window displays all of the virtual machines available for restore.
2. Select the check box next to the desired virtual machine and click View Copies.
NOTE: If you cannot locate the virtual machine, you can also use the filter in the Name column to search for the name
of the specific virtual machine or click the File Search button to search on specific criteria.
The Restore > Assets window provides a map view in the left pane and copy details in the right pane.
When a virtual machine is selected in the map view, the virtual machine name displays in the right pane with the copy locations underneath. When you select a specific location in the left pane to view the copies, for example, on a DD system, the copies on that system display in the right pane.
3. If the backup is on a DD system, click DD, and then select from one of the available copies that display in the table.
4. In the right pane, select the check box next to the virtual machine backup you want to restore, and then click Direct Restore to ESXi. The Direct Restore to ESXi wizard appears.
5. On the Options page:
a. (Optional) Select Reconnect the virtual machine's NIC when the restore completes, if desired. This option is selected by default.
b. For low-bandwidth environments, select Enable DDBoost Compression.
This option reduces network usage by compressing data on the protection storage system before transfer to the VM Direct Engine, which decompresses the data. Compression reduces restore times but increases CPU usage on both systems.
c. Click Next.
6. On the ESX Host Credentials page:
a. In the ESX Host field, type the IP of the ESXi server where you want to restore the virtual machine backup.
b. Specify the root Username and Password for the ESXi Server.
c. Click Next.
7. On the Datastore page, select the datastore where you want to restore the virtual machine disks, and then click Next.
- To restore all of the disks to the same location, keep the Configure per disk slider to the left, and then select the datastore from the Storage list.
- To restore disks to different locations, move the Configure per disk slider to the right, and then:
a. For each available disk that you want to recover, select a datastore from the Storage list.
b. Select the type of provisioning you want to apply to the disk from the Disk Format list.
8. On the Summary page:
a. Review the information to ensure that the details are correct.
b. Click Restore.
9. Go to the Jobs window to monitor the restore. A restore job appears with a progress bar and start time.
Protecting external deployment models
Review the backup and recovery options for protecting external deployments.
Backup
You can perform a backup by using the following guidelines:
1. Create a protection policy and add the vCenter virtual machine and PSC virtual machine to the policy. This will ensure that snapshots are taken at the same time.
2. Ensure that you select the full virtual machine and not individual disks.
3. Run the scheduled or on-demand (ad-hoc) protection policy.
NOTE: Ensure that you back up all vCenter server and PSC instances at the same time.
Recovery
Depending on the failure, you can perform virtual machine recovery by using one of the following methods:
- Restore to original: This method is valid only when the VCSA is intact and running, but corrupted.
- Recover as a new virtual machine to a managed ESXi server: Use this method if you have completely lost your VCSA. Note that the vCenter server where the VCSA resides must be registered with PowerProtect Data Manager.
- Emergency recovery to an ESXi server: For Emergency recovery, perform the steps specified in the section Direct restore to ESXi.
NOTE: In the event of a complete environment failure, PSC should be restored first, followed by the vCenter server
restore.
The following scenarios provide specific instructions based on the number of vCenter server appliances and external PSCs in the environment and the extent of the failure.
vCenter server appliance with one external PSC where PSC fails
Steps
1. Perform an image-level recovery of the PSC by using one of the methods indicated above, and then power ON the virtual machine.
2. Verify that all PSC services are running.
- For a PSC deployed as an appliance, run the service-control --status --all command in the appliance shell.
- For a PSC installed on Windows, from the Windows Start menu, select Control Panel > Administrative Tools > Services.
3. Log into the vCenter server appliance shell as root.
4. Verify that no vCenter services are running, or stop any vCenter services that are running by typing service-control --stop.
5. Run the vc-restore script to restore the vCenter virtual machines.
- For a vCenter server appliance, type vcenter-restore -u psc_administrator_username -p psc_administrator_password
- For a vCenter server installed on Windows, go to C:\Program Files\VMware\vCenter Server\, and then run vcenter-restore -u psc_administrator_username -p psc_administrator_password
where psc_administrator_username is the vCenter Single Sign-On administrator user name, which must be in UPN format.
6. Verify that all vCenter services are running and the vCenter Server is started, as specified in step two.
7. Perform a login test to the vCenter server. If the restore was successful, the login completes successfully.
vCenter server appliance is lost but the PSC remains
Steps
1. Perform an image-level recovery of the lost vCenter server by using one of the following methods, and then power ON.
- Restore to original: This method is valid only when the VCSA is intact and running, but corrupted.
- Recover as a new virtual machine to a managed ESXi server: Use this method if you have completely lost your VCSA. Note that this vCenter server must be registered with PowerProtect Data Manager.
- Emergency recovery to an ESXi server.
2. After a successful boot, verify that all services are started.
3. Perform a login test.
vCenter server appliance with multiple PSCs where one PSC is lost but one remains
Steps
1. Repoint the vCenter instance to one of the functional PSCs in the same SSO domain.
NOTE: Log in to all vCenter servers one by one to determine which vCenter login fails. This will be the vCenter server
that requires the repoint steps.
2. Run the following command on the vCenter server appliance:
cmsso-util repoint --repoint-psc psc_fqdn_or_static_ip [--dc-port port_number]
NOTE: The square brackets enclose the command options.
3. Perform a login test on the vCenter server.
4. Deploy the new PSC and join it to an active node in the same SSO domain and site, replacing lost ones.
5. Repoint the vCenter server to the new PSC.
vCenter server appliance remains but all PSCs fail
About this task
NOTE: In this scenario, none of the vCenter logins (SSO user) have been successful.
Steps
1. Restore the most recent PSC backup and wait for the vCenter services to start.
2. Log in to the vCenter server appliance's shell as root.
3. Verify that no vCenter services are running, or stop vCenter services.
4. Run the vc-restore script to restore the VCSA (refer above for detailed steps).
NOTE: If the login test to any vCenter server appliance fails, then the restored PSC is not the PSC that the vCenter
server appliance is pointing to, in which case you may be required to perform a repoint, as described above.
5. Deploy the new PSC and join to an active node in the same SSO domain and site.
6. Repoint vCenter connections as required.
vCenter server appliance remains but multiple PSCs fail
Steps
1. Restore one PSC.
2. Test the vCenter server appliance login. If the login fails, repoint the vCenter server appliance to an active PSC.
3. Deploy the new PSC and join to an active node in the same SSO domain and site.
vCenter server appliance fails
About this task
NOTE: If all PSCs and vCenter server appliances have failed, restore one PSC first before restoring the vCenter server
appliance.
Steps
1. Perform an image-level restore of the lost vCenter server by using one of the following methods, and then power ON the vCenter.
- Restore to original: This method is valid only when the vCenter server appliance is intact and running, but corrupted.
- Recover as a new virtual machine to a managed ESXi server: Use this method if you have completely lost your vCenter server appliance. Note that this vCenter server must be registered with PowerProtect Data Manager.
- Emergency recovery to an ESXi server.
2. After a successful boot, verify that all vCenter services have started.
3. Perform a login test.
4. If the login test fails, then this vCenter server appliance is pointing to an inactive PSC. Repoint to an active node.
vCenter server restore workflow
The following diagram shows the restore workflow for a vCenter server.
Figure 7. vCenter server restore workflow
Platform Services Controller restore workflow
The following diagram shows the restore workflow for a Platform Services Controller (PSC).
Figure 8. PSC restore workflow
Additional considerations
Review the following additional considerations when backing up and restoring the vCenter server and PSC.
Backing up the vCenter server will not save the Distributed switch (vDS) configuration as it is stored on the hosts. As a best practice, back up the vDS configuration by using a script that can be used after restoring the virtual center.
After restoring the PSC, verify that replication has been performed as designed by using the following commands to display the current replication status of a PSC and any of the replication partners of the PSC:
- For VCSA, go to /usr/lib/vmware-vmdir/bin and type ./vdcrepadmin -f showpartnerstatus -h localhost -u administrator -w Administrator_Password
- For Windows, open a command prompt and type cd "%VMWARE_CIS_HOME%"\vmdird\
For the vCenter server or PSC, do not select advanced quiesce-based backup options. Selecting these options will result in application quiescing on virtual machines, which impacts the overall environment due to stunning.
The VMware vCenter server documentation, available at https://docs.vmware.com/en/VMware-vSphere/index.html, provides more information about the vCenter server and PSC.
Command reference
Use the following command to start or stop services in the vCenter server and PSC, or obtain the status:
service-control --status/start/stop --all
You can use other Replication topology commands, as in the following example.
Replication topology command
/usr/lib/vmware-vmdir/bin/vdcrepadmin -f showpartners -h localhost -u PSC_Administrator -w password
NOTE: You can replace localhost with another PSC FQDN to obtain all of the partnerships in the current vSphere
domain.
Backing Up VMware Cloud Foundation (VCF) on VxRail
Topics:
- Backing up VCF on VxRail
- VCF and VxRail overview
- VCF components and backup methods
- Check VMware certification
- Backup prerequisites
- The backup script
- Quick protection
- Selective protection: SDDC and NSX-T Managers
- Selective protection: vCenter servers
- Selective protection: vRSLCM, VxRail Manager, Workspace ONE Access, and vRealize Suite virtual machines
- SFTP password change: SDDC and NSX-T Managers
- SFTP password change: vCenter servers
- Backup-script troubleshooting
Backing up VCF on VxRail
The following sections describe how to protect VMware Cloud Foundation (VCF) on VxRail by using a PowerProtect Data Manager command-line backup script.
NOTE: VxRail is the preferred Dell Technologies platform for VCF. However, environments that use other VMware-supported vSAN Ready Nodes are also supported by Dell Technologies. The following sections also apply to those environments.
VCF and VxRail overview
VCF integrates a VMware cloud infrastructure with cloud management services by using the vRealize software suite to run enterprise applications. The VCF infrastructure is managed by the SDDC Manager, and it includes vSphere compute, vSAN storage, NSX networking, and a range of security implementations.
Dell Technologies VxRail is an all-in-one solution that uses Dell Technologies PowerEdge servers and its own VxRail hyperconverged infrastructure (HCI) software to provide a fully functional VCF environment to enterprise customers.
For more information about VCF and VxRail, see the following resources:
- The VMware Cloud Foundation documentation
- The VxRail Administration Guide at Customer Support
- About VMware Cloud Foundation on Dell VxRail
VCF components and backup methods
Understanding the backup method used by a VCF component aids in understanding how the VCF component is protected by the backup script. The following tables show the VCF components of the different backup methods.
Table 21. VCF components of file-based backups
| Backup Method | Component |
| --- | --- |
| File based | NSX-T Data Center |
| File based | SDDC manager |
| File based | vCenter server |
Assets of these components are first copied to an external server that uses Secure File Transfer Protocol (SFTP) or another supported protocol. After that, the external server is backed up by PowerProtect Data Manager.
If using quick protection, these components are automatically protected.
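Table 22. VCF components of image-based backups
| Backup Method | Component | Automatically discovered |
| --- | --- | --- |
| Image based | vRealize Suite Lifecycle Manager (vRSLCM) | VCF 4.0 |
| Image based | vRealize Automation | VCF 4.1 |
| Image based | vRealize Business | No |
| Image based | vRealize Log Insight | VCF 4.1 |
| Image based | vRealize Network Insight | No |
| Image based | vRealize Operations Manager | VCF 4.1 |
| Image based | VxRail Manager | No |
| Image based | Workspace ONE Access | VCF 4.1 |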
- Assets of these components are backed up directly by PowerProtect Data Manager.
- The Automatically discovered column displays the minimum required version of VCF for a component to be automatically discovered, as well as those components that are not automatically discovered by any version of VCF.
- If using quick protection, the automatically discovered components are automatically protected.
All image-based backups follow the VMware quiescing recommendations for VCF virtual machines that are part of VMware Validated Design (VVD):
Table 23. VCF components and quiescing
| Component | Quiescing |
| --- | --- |
| vRealize Suite Lifecycle Manager | Enabled |
| Workspace ONE Access | Enabled |
| vRealize Log Insight | Disabled |
| vRealize Operations Manager | Disabled |
| vRealize Automation | Enabled |
Check VMware certification
Use this method to check the versions of PowerProtect Data Manager that VMware has certified to work with their products.
About this task
VMware certification allows customers to receive support from VMware for any VMware-specific features related to PowerProtect Data Manager.
NOTE: VMware will only certify a version of PowerProtect Data Manager after it has been released and tested. If you are
waiting for the current version of PowerProtect Data Manager to be certified, you can continue to check its status.
Steps
1. In a browser, navigate to the VMware Compatibility Guide.
2. Select All > Dell EMC > All.
3. Click Update and View Results.
4. In the Solution Name column, look for EMC PowerProtect Data Manager entries.
5. Review the information in the corresponding Solution Version and Supported Releases columns.
Backup prerequisites
Ensure the following prerequisites are met before backing up VCF on VxRail:
- VCF is at a supported version. For more information, see the PowerProtect Data Manager compatibility matrix provided by the E-Lab Navigator.
- Any external server (using SFTP or another supported protocol) used in a file-based backup has been discovered as a File System asset in PowerProtect Data Manager.
- Any vCenter server being protected has been added as an asset source in PowerProtect Data Manager.
- PowerProtect Data Manager, the vCenter server, and the SDDC and NSX-T managers are all set to the same time zone and have their clocks synchronized.
- PowerProtect Data Manager and VCF do not have backup schedules that would back up the same assets at the same time.
- A VM Direct Engine exists.
- Any backup directory path specified by an external server in a file-based backup exists.
- All credentials provided during the execution of the backup script resolve to accounts with the required permissions to access the related resources. This includes but is not limited to the following:
  - The vCenter username being used belongs to the vCenter Administrators group.
  - The SDDC manager username being used has the SDDC manager Admin role.
The backup script
You use a PowerProtect Data Manager script to protect VCF components.
The script is accessible from the PowerProtect Data Manager command line. It provides a series of guided procedures that automate multiple backup operations into a single process. The script can also be used to change external SFTP passwords.
NOTE: This script only backs up the data of protected VCF components. It cannot be used to restore any of the data
that is backed up. To restore the data, use the PowerProtect Data Manager and VMware user-interface tools. Ensure that
you restore VCF-management data to components in a manner supported by VMware. For more information, go to the
VMware Validated Design Documentation website and review the backup and restore procedures of the documentation
that corresponds to your version of VCF. If disaster recovery must be performed, see VMware Cloud Foundation Disaster
Recovery With PowerProtect Data Manager at Customer Support.
Quick protection
This procedure uses default backup settings and values to protect all VCF components at once. Every vCenter server and any automatically discovered VCF component will be protected. Quick protection requires the least amount of input, but also provides the least amount of choice. For information about the default settings and values used, review the selective-protection procedures that follow.
Steps
1. From a PowerProtect Data Manager command line, type the following two commands:
cd /usr/local/brs/lib/sysmgr/bin
./ppdm-vcf-component-protection.sh
2. Provide PowerProtect Data Manager credentials for a user with the Administrator role.
3. Enter the IP address or fully qualified domain name (FQDN) of the SDDC Manager server, and then provide SDDC Manager credentials for a user with the Administrator role.
4. From the backup-script main menu, enter 1.
NOTE: Quick protection uses the same external SFTP server and backup schedule for both the SDDC Manager
and vCenter servers. It also overrides the existing backup configurations of the SDDC and vCenter servers without
prompting.
5. Enter the FQDN or IP address of an external SFTP server, including the backup directory path, followed by credentials to access the server.
The external SFTP server is also used for vCenter server configuration. The external SFTP server and backup directory path uses the format sftp://server_address:port_number/folder/subfolder.
Examples:
sftp://172.17.62.201:22/upload/backup
sftp://a053.ppdm.vmware.com:22/upload/backup
6. Enter the encryption passphrase for SDDC Manager backups.
The encryption passphrase must be between 12 and 20 characters in length and contain at least two lowercase letters, two uppercase letters, two numerals, and a special character.
NOTE: The encryption passphrase is also used for vCenter server backups, and is required when restoring data. Store
the passphrase in a secure location that is separate from the backup files and VCF environment you are protecting.
7. Confirm if common credentials should be used. Enter y to provide common credentials for all vCenter servers.
Enter n to be prompted for the credentials for each individual server.
Provide vCenter credentials for a user with the Administrator role.
8. Select the days of the week a backup takes place, and then enter the time of day.
Type a number that represents a day of the week, where 1 represents Sunday. If selecting multiple days of the week, separate the numbers with a space. For example, to select Sunday and Monday:
1 2
The time of day uses the format HH:MM in 24-hour notation. For example, to enter 1:25 p.m.:
13:25
9. Select both a File System and Virtual Machine protection policy to use.
If a default protection policy of either type does not exist, it will be automatically created with a frequency of DAILY, a time of 8:00 PM to 6:00 AM, and a retention of 7 days.
- A protection policy with the name VCF-Image-Based-Protection is used as the default image-based protection policy.
- A protection policy with the name VCF-File-Based-(SFTP)-Protection is used as the default file-based protection policy.
- If a default protection policy has just been automatically created and it is the only protection policy of that type, it will be automatically used.
- If a default protection policy already exists, confirm if it should be used or if the protection policy to use should be selected from a list.
10. Enter the IP address or FQDN of any image-based VCF component that is not automatically discovered and that you want to protect. For a list of components that are not automatically discovered, see VCF components and backup methods.
Results
You can monitor the progress of the backup script as it protects the VCF components.
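The values that quick protection prompts for can be checked before the script is started. The following is an added example, not part of the Dell script: it validates an SFTP target, an encryption passphrase, and a schedule against the rules stated in this guide, with the limits of the selective-protection procedures included as alternative policies. The sample passphrases are constructed, and treating "special character" as ASCII punctuation, requiring a port, and accepting days up to 7 are assumptions.

```python
import re
import string
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class PassphrasePolicy:
    min_len: int
    max_len: int
    lowercase: int
    uppercase: int
    numerals: int
    special: int


# Limits as this guide states them for each procedure.
QUICK_PROTECTION = PassphrasePolicy(12, 20, 2, 2, 2, 1)
SDDC_SELECTIVE = PassphrasePolicy(12, 32, 2, 2, 2, 1)
VCENTER_SELECTIVE = PassphrasePolicy(8, 20, 1, 1, 1, 1)

# Assumption: "special character" means ASCII punctuation; the guide lists no set.
CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "numerals": string.digits,
    "special": string.punctuation,
}
DAY_NAMES = ["Sunday", "Monday", "Tuesday", "Wednesday",
             "Thursday", "Friday", "Saturday"]


def passphrase_problems(secret, policy):
    """Return the violated rules; an empty list means the passphrase complies."""
    problems = []
    if not policy.min_len <= len(secret) <= policy.max_len:
        problems.append(
            f"length {len(secret)} is outside {policy.min_len}-{policy.max_len}")
    for name, alphabet in CLASSES.items():
        found = sum(ch in alphabet for ch in secret)
        required = getattr(policy, name)
        if found < required:
            problems.append(f"{name}: found {found}, need {required}")
    return problems


def parse_sftp_target(url):
    """Split sftp://server_address:port_number/folder/subfolder into its parts."""
    parts = urlsplit(url.strip())
    if parts.scheme != "sftp":
        raise ValueError("scheme must be sftp")
    if parts.username is not None or parts.password is not None:
        # The script prompts for credentials separately; keeping them out of
        # the URL keeps them out of shell history and logs.
        raise ValueError("do not embed credentials in the URL")
    if not parts.hostname:
        raise ValueError("server address is missing")
    port = parts.port  # raises ValueError for a non-numeric or out-of-range port
    if not port:
        # Assumption: the port is mandatory, as in the documented format.
        raise ValueError("port number is missing")
    segments = [s for s in parts.path.split("/") if s]
    if not segments or ".." in segments:
        raise ValueError("backup directory path is missing or contains '..'")
    return parts.hostname, port, "/" + "/".join(segments)


def parse_days(text):
    """Map the script's day numbers (1 = Sunday) to names, dropping repeats."""
    days = []
    for token in text.split():
        # Assumption: 7 = Saturday; the guide only states that 1 = Sunday.
        if not re.fullmatch(r"[1-7]", token):
            raise ValueError(f"invalid day number: {token!r}")
        name = DAY_NAMES[int(token) - 1]
        if name not in days:
            days.append(name)
    if not days:
        raise ValueError("select at least one day")
    return days


def parse_time(text):
    """Return (hour, minute) for an HH:MM value in 24-hour notation."""
    match = re.fullmatch(r"([01]\d|2[0-3]):([0-5]\d)", text.strip())
    if not match:
        raise ValueError("time must be HH:MM in 24-hour notation")
    return int(match.group(1)), int(match.group(2))


if __name__ == "__main__":
    print(parse_sftp_target("sftp://172.17.62.201:22/upload/backup"))
    print(parse_days("1 2"), parse_time("13:25"))
    # Constructed sample passphrase: only one numeral, so quick protection rejects it.
    print(passphrase_problems("SecureBackup#1a", QUICK_PROTECTION))
```

A passphrase that satisfies the 12 to 32 character limit of the SDDC Manager procedure can still be rejected by quick protection, which caps the length at 20.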
Selective protection: SDDC and NSX-T Managers
This procedure protects just the SDDC and NSX-T manager file-based VCF components, while providing more control over the backup settings used for them than quick protection. To protect other VCF components, refer to the other selective-protection procedures.
Steps
1. From a PowerProtect Data Manager command line, type the following two commands:
cd /usr/local/brs/lib/sysmgr/bin
./ppdm-vcf-component-protection.sh
2. Provide PowerProtect Data Manager credentials for a user with the Administrator role.
3. Enter the IP address or fully qualified domain name (FQDN) of the SDDC Manager server, and then provide SDDC Manager credentials for a user with the Administrator role.
4. From the backup-script main menu, enter 2, and then 1.
5. To override an existing SDDC Manager backup configuration, enter y.
6. To add or modify SDDC Manager backup configuration information, enter the FQDN or IP address of an external SFTP server, including the backup directory path, followed by credentials to access the server.
The external SFTP server is also used for vCenter server configuration. The external SFTP server and backup directory path uses the format sftp://server_address:port_number/folder/subfolder.
Examples:
sftp://172.17.62.201:22/upload/backup
sftp://a053.ppdm.vmware.com:22/upload/backup
7. Enter the encryption passphrase for SDDC Manager backups.
The encryption passphrase must be between 12 and 32 characters in length and contain at least two lowercase letters, two uppercase letters, two numbers, and a special character.
NOTE: The encryption passphrase is required when restoring data. Store this passphrase in a secure location that is
separate from the backup files and VCF environment you are protecting.
8. The default SSH fingerprint of the external SFTP server is displayed. Confirm that it should be used, or enter a new one.
NOTE: With quick protection, the default SSH fingerprint of the external SFTP server is always used.
9. Select the backup frequency. If you select HOURLY, enter the minute of each hour a backup takes place. If you select WEEKLY, select the days of the week a backup takes place, and then enter the time of day.
For a weekly backup frequency, type a number that represents a day of the week, where 1 represents Sunday. If selecting multiple days of the week, separate the numbers with a space. For example, to select Sunday and Monday:
1 2
The time of day uses the format HH:MM in 24-hour notation. For example, to enter 1:25 p.m.:
13:25
10. Enter the backup-retention values described in the following table. The values automatically used by quick protection are also listed.
Table 24. Backup-retention values
| Parameter | Value range | Quick-protection default value |
| --- | --- | --- |
| Days of daily backups to retain | 0-30 | 7 |
| Days of hourly backups to retain | 0-14 | 7 |
| Backup files to retain | 1-600 | 15 |
| Take backups on state change | Yes or no | Yes |
11. Confirm if a new File System protection policy should be created in order to protect the external SFTP server. Enter y to provide details of the new protection policy.
Enter n to either select from a list of existing protection policies or skip protection of the external SFTP server.
Results
You can monitor the progress of the backup script as it protects the selected VCF components.
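Step 8 asks you to confirm the SSH fingerprint of the external SFTP server, and that confirmation is only meaningful if the displayed value is compared with the server's host key obtained through a trusted channel, such as the server console. The following is an added example, not part of the Dell script: it derives the fingerprint from a public host key line and compares it with the displayed value. The guide does not state which fingerprint format the script shows, so both the SHA256 and the legacy MD5 forms used by OpenSSH are handled; the sample key and host name are constructed.

```python
import base64
import hashlib
import hmac
import re
import struct

_MD5_RE = re.compile(r"(?:MD5:)?((?:[0-9a-fA-F]{2}:){15}[0-9a-fA-F]{2})")


def _wire(data):
    """Encode bytes as an SSH length-prefixed string (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def _read_string(blob, offset=0):
    """Decode one length-prefixed string and reject truncated input."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end]


def decode_public_key(line):
    """Return (key_type, blob) from a .pub line or a known_hosts entry."""
    fields = line.split()
    for key_type, encoded in zip(fields, fields[1:]):
        try:
            blob = base64.b64decode(encoded, validate=True)
            embedded = _read_string(blob)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        # The blob repeats its own key type; a mismatch means a mangled line.
        if embedded == key_type.encode():
            return key_type, blob
    raise ValueError("no SSH public key found in line")


def sha256_fingerprint(blob):
    """OpenSSH form: 'SHA256:' plus unpadded base64 of the SHA-256 digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def md5_fingerprint(blob):
    """Legacy form: 'MD5:' plus colon-separated hex of the MD5 digest."""
    hexed = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexed[i:i + 2] for i in range(0, 32, 2))


def fingerprint_matches(displayed, trusted_key_line):
    """True only if the displayed fingerprint belongs to the trusted host key."""
    _, blob = decode_public_key(trusted_key_line)
    shown = displayed.strip()
    if shown.startswith("SHA256:"):
        expected, shown = sha256_fingerprint(blob), shown.rstrip("=")
    else:
        match = _MD5_RE.fullmatch(shown)
        if not match:
            raise ValueError("unrecognised fingerprint format")
        expected, shown = md5_fingerprint(blob)[4:], match.group(1).lower()
    return hmac.compare_digest(expected.encode(), shown.encode())


# Constructed sample: an ssh-ed25519 blob with placeholder key bytes and a
# placeholder host name, laid out like a known_hosts entry.
SAMPLE_BLOB = _wire(b"ssh-ed25519") + _wire(bytes(range(32)))
SAMPLE_KEY_LINE = ("sftp.example.internal ssh-ed25519 "
                   + base64.b64encode(SAMPLE_BLOB).decode())

if __name__ == "__main__":
    key_type, blob = decode_public_key(SAMPLE_KEY_LINE)
    shown_by_script = sha256_fingerprint(blob)  # stands in for the displayed value
    print(key_type, shown_by_script)
    print("match:", fingerprint_matches(shown_by_script, SAMPLE_KEY_LINE))
```

If the comparison fails, do not accept the default fingerprint; resolve the discrepancy with the administrator of the SFTP server first.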
Selective protection: vCenter servers
This procedure protects just the vCenter server file-based VCF components, while providing more control over the backup settings used for them than quick protection. To protect other VCF components, refer to the other selective-protection procedures.
Steps
1. From a PowerProtect Data Manager command line, type the following two commands:
cd /usr/local/brs/lib/sysmgr/bin
./ppdm-vcf-component-protection.sh
2. Provide PowerProtect Data Manager credentials for a user with the Administrator role.
3. Enter the IP address or fully qualified domain name (FQDN) of the SDDC Manager server, and then provide SDDC Manager credentials for a user with the Administrator role.
4. From the backup-script main menu, enter 2 twice.
5. Select the automatically discovered vCenter servers to protect.
Enter a to protect all the servers. Otherwise, enter the numbers that correspond to the individual servers to protect, separating each number with a space.
6. Enter the FQDN or IP address of an external SFTP server, including the backup directory path, followed by credentials to access the server.
Supported protocols for the external server are FTP, SFTP, FTPS, HTTP, HTTPS, NFS, and SMB. The external SFTP server is also used for vCenter server configuration. The external SFTP server and backup directory path use the format sftp://server_address:port_number/folder/subfolder.
Examples:
sftp://172.17.62.201:22/upload/backup
sftp://a053.ppdm.vmware.com:22/upload/backup
7. Select the days of the week a backup takes place, and then enter the time of day.
Type a number that represents a day of the week, where 1 represents Sunday. If selecting multiple days of the week, separate the numbers with a space. For example, to select Sunday and Monday:
1 2
The time of day uses the format HH:MM in 24-hour notation. For example, to enter 1:25 p.m.:
13:25
8. Confirm if the backups should be encrypted. If they should be encrypted, enter an encryption password.
If you enter an encryption password, it must be between 8 and 20 characters in length and contain at least one lowercase letter, one uppercase letter, one number, and one special character.
9. Confirm if historical data should be backed up and the number of backups to retain.
NOTE: In quick protection, the default is to back up historical data and retain all backups.
10. Confirm if common credentials should be used. Enter y to provide common credentials for all vCenter servers.
Enter n to be prompted for the credentials for each individual server.
Provide vCenter credentials for a user with the Administrator role.
11. If there is an existing vCenter server backup configuration, confirm if it should be overridden.
NOTE: Should the existing backup configuration fail to be overridden, the vCenter server will be left without a backup configuration.
12. Confirm if a new File System protection policy should be created in order to protect the external server. Enter y to provide details of the new protection policy.
Enter n to either select from a list of existing protection policies or skip protection of the external server.
Results
You can monitor the progress of the backup script as it protects the selected VCF components.
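The values typed at steps 6 through 8 can be checked before the script is started, which avoids a rejected entry part-way through the prompts. The following is an added example, not part of ppdm-vcf-component-protection.sh; the function names are illustrative, only the sftp:// location format is checked, and it assumes that "special character" means any character that is not a letter or a digit.

```shell
#!/bin/sh
# Added example (not Dell code): pre-flight checks for the values entered
# at steps 6-8 of the vCenter selective-protection procedure.
LC_ALL=C; export LC_ALL   # byte-wise ranges, so [a-z] never matches uppercase

# Step 6: sftp://server_address:port_number/folder/subfolder
valid_sftp_location() {
    case $1 in *' '*) return 1 ;; esac            # no embedded spaces
    case $1 in sftp://*) ;; *) return 1 ;; esac
    rest=${1#sftp://}
    hostport=${rest%%/*}                           # text before the first "/"
    path=${rest#"$hostport"}                       # "/folder/subfolder" or empty
    case $hostport in ?*:?*) ;; *) return 1 ;; esac  # host and port both present
    port=${hostport##*:}
    case $port in *[!0-9]*) return 1 ;; esac
    [ "${#port}" -le 5 ] || return 1
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    case $path in /?*) return 0 ;; *) return 1 ;; esac
}

# Step 7: day numbers 1-7 separated by spaces, where 1 represents Sunday.
valid_day_list() {
    case $1 in ''|*[!1-7\ ]*) return 1 ;; esac
    n=0
    for d in $1; do
        [ "${#d}" -eq 1 ] || return 1              # rejects run-together input such as "12"
        n=$((n + 1))
    done
    [ "$n" -ge 1 ]
}

# Step 7: time of day as HH:MM in 24-hour notation.
valid_time() {
    case $1 in
        [01][0-9]:[0-5][0-9] | 2[0-3]:[0-5][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 8: 8-20 characters with at least one lowercase letter, one uppercase
# letter, one number and one special character.
# Assumption: "special" = any character that is not a letter or a digit.
valid_backup_password() {
    pw=$1
    [ "${#pw}" -ge 8 ] && [ "${#pw}" -le 20 ] || return 1
    case $pw in *[a-z]*) ;; *) return 1 ;; esac
    case $pw in *[A-Z]*) ;; *) return 1 ;; esac
    case $pw in *[0-9]*) ;; *) return 1 ;; esac
    case $pw in *[!a-zA-Z0-9]*) ;; *) return 1 ;; esac
    return 0
}

# Runs every check, prints one line per rejected value (never the value
# itself) and returns the number of rejected values.
# usage: preflight LOCATION "DAYS" TIME PASSWORD
preflight() {
    bad=0
    valid_sftp_location "$1" || { echo "location: expected sftp://server_address:port_number/folder"; bad=$((bad + 1)); }
    valid_day_list "$2" || { echo "days: expected numbers 1-7 separated by spaces"; bad=$((bad + 1)); }
    valid_time "$3" || { echo "time: expected HH:MM in 24-hour notation"; bad=$((bad + 1)); }
    valid_backup_password "$4" || { echo "password: does not meet the stated requirements"; bad=$((bad + 1)); }
    return "$bad"
}
```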
Selective protection: vRSLCM, VxRail Manager, Workspace ONE Access, and vRealize Suite virtual machines
This procedure protects all of the image-based VCF components, while providing more control over the backup settings used for them than quick protection. The components protected include vRSLCM, VxRail Manager, Workspace ONE Access, and vRealize Suite virtual machines. To protect file-based VCF components, refer to the other selective-protection procedures.
Steps
1. From a PowerProtect Data Manager command line, type the following two commands:
cd /usr/local/brs/lib/sysmgr/bin
./ppdm-vcf-component-protection.sh
2. Provide PowerProtect Data Manager credentials for a user with the Administrator role.
3. Enter the IP address or fully qualified domain name (FQDN) of the SDDC Manager server, and then provide SDDC Manager credentials for a user with the Administrator role.
4. From the backup-script main menu, enter 2, and then 3.
5. Select an image-based VCF component type to protect.
NOTE: You can only select a single component type. To protect more than one component, follow the selective protection steps for each component.
If you select vRSLCM, select a discovered vRSLCM server to protect.
If you select any other component type, enter the IP address or fully qualified domain name (FQDN) of the server to protect.
6. Confirm if a new Virtual Machine protection policy should be created in order to protect the component. Enter y to provide details of the new protection policy.
Enter n to select from a list of existing protection policies.
Results
You can monitor the progress of the backup script as it protects the selected VCF component.
SFTP password change: SDDC and NSX-T Managers
While using the backup script to protect VCF components, you might want to change the password of the external SFTP server account associated with the SDDC and NSX-T Managers.
Steps
1. From a PowerProtect Data Manager command line, type the following two commands:
cd /usr/local/brs/lib/sysmgr/bin
./ppdm-vcf-component-protection.sh
2. Provide PowerProtect Data Manager credentials for a user with the Administrator role.
3. Enter the IP address or fully qualified domain name (FQDN) of the SDDC Manager server, and then provide SDDC Manager credentials for a user with the Administrator role.
4. From the backup-script main menu, enter 3, and then 1.
5. Confirm if you want to change the password of the external SFTP server account.
Enter y to change the password, and then perform the following actions:
a. Enter the new password.
b. Enter y to confirm if the automatically generated SSH fingerprint should be used. Otherwise, enter n to provide your own SSH fingerprint.
Enter n to skip the password change.
Results
You can monitor the progress of the backup script as it changes the password of the external SFTP server account associated with the SDDC and NSX-T managers.
SFTP password change: vCenter servers
While using the backup script to protect VCF components, you might want to change the password of an external SFTP server associated with an automatically discovered vCenter server.
Steps
1. From a PowerProtect Data Manager command line, type the following two commands:
cd /usr/local/brs/lib/sysmgr/bin
./ppdm-vcf-component-protection.sh
2. Provide PowerProtect Data Manager credentials for a user with the Administrator role.
3. Enter the IP address or fully qualified domain name (FQDN) of the SDDC Manager server, and then provide SDDC Manager credentials for a user with the Administrator role.
4. From the backup-script main menu, enter 3, and then 2.
5. Confirm if common credentials should be used. Enter y to provide common credentials for all vCenter servers.
Enter n to be prompted for the credentials for each individual server.
Provide vCenter credentials for a user with the Administrator role.
6. Confirm if you want to provide a backup encryption password. This password will be used when backing up the VCF components of all vCenter servers.
7. For each automatically discovered vCenter server, confirm if you want to change the password of the external SFTP server account associated with it.
Results
You can monitor the progress of the backup script as it changes the passwords of all external SFTP server accounts associated with the selected vCenter servers.
Backup-script troubleshooting
The following table provides common error codes and messages, along with explanations or recommended areas of investigation to resolve the problem.
Table 25. Error codes and explanations
Error code or message | Explanation or area of investigation
INVALID_ENCRYPTION_PASSPHRASE / Provided encryption passphrase | The encryption passphrase specified for external SFTP server is invalid.
Validate Backup Location Details FAILED | The backup location specified for the external SFTP server in the SDDC Manager backup configuration does not exist.
INPUT_PARAM_ERROR / Failed to establish SFTP connection to | The credentials specified for the external SFTP server in the SDDC Manager backup configuration are incorrect.
INVALID_ARGUMENT / The entered backup password does not adhere to the password requirements. | The encryption passphrase specified in the vCenter server backup configuration is invalid.
INVALID_ARGUMENT / Plugin error occurred. Access to the backup server is denied. Check your credentials. | The password specified for the external server in the vCenter server backup configuration is incorrect.
UNAUTHENTICATED / Authentication required. / com.vmware.vapi.endpoint.method.authentication.required | The credentials specified for the vCenter server are incorrect.
Perform validations for backup server fingerprint FAILED | The SSH fingerprint specified for the external SFTP server in the SDDC Manager backup configuration is invalid.
SCHEDULING_SDDC_MANAGER_BACKUPS_FAILED_REASON_UNKNOWN / Unexpected error occurred. Provided backup schedule not applied. | Check for errors on the SDDC Manager.
LOCK_NOT_AVAILABLE / Lock is not available - SDDC Manager DEPLOYMENT lock to perform Backup & Restore operation. | There are too many pending SDDC Manager jobs. Try running the backup script at another time.
503 / The data store service is not available. Try again later. / remediation timestamp | PowerProtect Data Manager assets cannot currently be queried. Try running the backup script at another time.
503 / The service is not available. Try again later. / remediation timestamp | Protection policies cannot currently be queried. Try running the backup script at another time.
Virtual Machine Best Practices and Troubleshooting
Topics:
- Software and hardware requirements
- Scalability limits for vCenter server, VM Direct Engine, and DD systems
- PowerProtect Data Manager resource requirements in a VMware environment
- Best practices and additional considerations for the VM Direct Engine
- Best practices for vCenter server backup and restore
- Changing the vCenter server FQDN
- Replacing security certificates
- Support for backup and restore of encrypted virtual machines
- Troubleshooting network setup issues
- Troubleshooting virtual machine backup issues
- Troubleshooting virtual machine restore issues
- Troubleshoot virtual machine SQL application consistent policy issues
- Troubleshooting vSphere Plugin deployments
- VMware knowledge base articles and product documentation
Software and hardware requirements
The following table lists the required components for PowerProtect Data Manager and the VM Direct protection engine.
Table 26. PowerProtect Data Manager and VM Direct engine requirements
Component Requirements Notes
PowerProtect Data Manager with the VM Direct Engine
Version 19.12 or later.
vCenter server vSphere and ESXi versions 6.5, 6.7, 7.0, 7.0 U1 or later. Refer to the VMware documentation ESXi 6.5 and later minimum requirements for physical host requirements for the ESXi hosts.
VMware has announced the end of general support for vSphere version 6.0. The Knowledge Base article at https://kb.vmware.com/s/article/66977 provides more information.
Version 6.5 and later is required to perform Microsoft SQL Server application-aware protection. Also, file-level restore in the vSphere Client requires a minimum vCenter version 6.7 U1.
Any new virtual machine protection policies use Transparent Snapshot Data Mover (TSDM) as the default protection mechanism instead of VADP, provided that the vCenter/ESXi Server that hosts the virtual machines is a minimum version of 7.0 U3c and the policy options selected for the virtual machine crash-consistent protection policy are supported by TSDM.
VMware Tools Version 10 or later. Install VMware Tools on each virtual machine by using the vSphere Client. VMware Tools adds additional backup and recovery capabilities that quiesce certain processes on the guest operating system before backup.
Version 10.1 and later is required to perform Microsoft SQL Server application-aware protection.
PowerProtect DD System models and software
All models of PowerProtect DD System in production are supported.
DD Operating System (DDOS) version 6.2 or later and the PowerProtect DD Management Center (DDMC).
Make note of the hosts writing backups to your DD systems.
Web browser Google Chrome. The latest version of the Google Chrome browser is recommended to access the PowerProtect Data Manager user interface.
Scalability limits for vCenter server, VM Direct Engine, and DD systems
The following limits have been tested successfully with PowerProtect Data Manager for vCenter server, VM Direct Engine, and DD systems.
NOTE: These numbers are not maximum or hard limits, but should be considered when scaling your environment.
Table 27. Scalability limits
Component | Tested limits
Number of vCenter servers supported with a single PowerProtect Data Manager server | 12. NOTE: The vCenter server limit is subject to the VM Direct Engine overall limit of 40 and the per vCenter server limit of 25. For example, using the maximum tested number of vCenter servers of 12, you could add an average of 3 VM Direct Engines per vCenter server.
Number of external VM Direct Engines supported with a single PowerProtect Data Manager server | 40. NOTE: This number was tested across 10 vCenter servers. For example, 4 VM Direct Engines per vCenter server.
Number of DD systems supported per PowerProtect Data Manager server | 10
Network latency between the PowerProtect Data Manager server and VM Direct Engines | 200 ms
Network latency between the PowerProtect Data Manager server and the DD systems | 200 ms
Number of virtual machines per PowerProtect Data Manager server | 10,000
PowerProtect Data Manager resource requirements in a VMware environment
Review the following minimum system requirements for PowerProtect Data Manager in a VMware environment (ESXi server).
- CPU: 10 CPU cores
- Memory: 24 GB RAM for PowerProtect Data Manager
- Seven disks with the following capacities:
  - Disk 1: 100 GB
  - Disk 2: 500 GB
  - Disks 3 and 4: 10 GB each
  - Disks 5 through 7: 5 GB each
- 1 GB network interface card (NIC)
NOTE: If you plan to use Cloud DR, your system must also meet the following requirements:
- CPU: 14 CPU cores
- Memory: 28 GB
Best practices and additional considerations for the VM Direct Engine
Review the following information for recommendations and best practices when adding a VM Direct protection engine in PowerProtect Data Manager.
VM Direct Engine performance and scalability
The performance and scalability of the VM Direct Engine depends on several factors, including the number of vCenter servers and proxies and the number of concurrent virtual machine backups. The following table provides information on these scalability factors and maximum recommendations, in addition to concurrency recommendations for sessions created from backups using the VM Direct Engine.
The count of sessions is driven by the number of proxies and backups running through this server.
Table 28. Performance and scalability factors
Component Maximum limit
Recommended count Notes
Number of concurrent NBD and Preferred Hot Add backups per ESXi host
48 Ensure that your network has a bandwidth of 10 Gbps or higher. VMware uses Network File Copy (NFC) protocol to read VMDK using NBD transport mode. You need one VMware NFC connection for each VMDK file being backed up. The VMware Documentation provides more information on vCenter NFC session connection limits.
Concurrent VMDK backups per vCenter server
180 Can be achieved with a combination of the number of proxies multiplied by the number of configured Hot Add sessions per VM Direct Engine.
Number of proxies per vCenter server
25 7 A limit of 25 concurrent backup and recovery sessions.
Number of files and directories per file-level restore
200,000 File-level restores are recommended for quickly restoring a small set of files. Image-level or VMDK-level restores are optimized and recommended for restoring a large set of files and folders.
When you reach the limit for concurrent backup sessions, a warning message displays. The remaining sessions will be queued. You can adjust the session limits by modifying the MAX_VC_BACKUP_SESSIONS and MAX_NBD_BACKUP_SESSIONS variables in the environment file, according to the recommendations. The Knowledge Base article 000020476 provides more information.
Table 29. Proxy session limits by proxy type
Component | Total number of sessions (backup and recovery) maximum | Notes
Added (External) VM Direct Engine | 25 |
Embedded VM Direct engine (NOTE: The embedded VM Direct engine is pre-bundled with the PowerProtect Data Manager software.) | 4 | The embedded VM Direct engine is only used as a fallback when all other proxies are disabled or in Failed state.
Transport mode considerations
Review the following information for recommendations and best practices when selecting a transport mode to use for virtual machine data protection operations and Tanzu Kubernetes guest cluster protection in PowerProtect Data Manager.
Hot Add transport mode recommended for large workloads
For workloads where full backups of large virtual machines or backups of virtual machines with a high data change rate are being performed, Hot Add transport mode provides improved performance over other modes. With Hot Add transport mode, a VM Direct Engine must be deployed on the same ESXi host or cluster that hosts the production virtual machines. During data protection operations, a VM Direct Engine capable of performing Hot Add backups is recommended. The following selection criteria are used during data protection operations:
If a VM Direct Engine is configured in Hot Add only mode, then this engine is used to perform Hot Add virtual machine backups. If one or more virtual machines are busy, then the backup is queued until the virtual machine is available.
If a virtual machine is in a cluster where the VM Direct Engine is not configured in Hot Add mode, or the VM Direct Engine with Hot Add mode configured is disabled or in a failed state, then PowerProtect Data Manager selects a VM Direct Engine within the cluster that can perform data protection operations in NBD mode. Any VM Direct Engine with Hot Add mode configured that is not in the cluster is not used.
Any VM Direct Engine that is configured in NBD only mode, or in Hot Add mode with failback to NBD, is used to perform NBD virtual machine backups. If every VM Direct Engine that is configured in NBD mode is busy, then the backup is queued until one of these engines is available.
If there is no VM Direct Engine that is configured in NBD mode, or the VM Direct Engine with NBD mode configured is disabled or in a failed state, then the PowerProtect Data Manager embedded VM Direct engine is used to perform the NBD backup.
Other transport mode recommendations
Review the following additional transport mode recommendations:
Use Hot Add mode for faster backups and restores and less exposure to network routing, firewall, and SSL certificate issues. To support Hot Add mode, deploy the VM Direct Engine on an ESXi host that has a path to the storage that holds the target virtual disks for backup.
NOTE: Hot Add mode requires VMware hardware version 7 or later. Ensure all virtual machines that you want to back up are using Virtual Machine hardware version 7 or later.
In order for backup and recovery operations to use Hot Add mode on a VMware Virtual Volume (vVol) datastore, the VM Direct Engine should reside on the same vVol as the virtual machine.
If you have vFlash-enabled disks and are using Hot Add transport mode, ensure that you configure the vFlash resource for the VM Direct host with sufficient resources (greater than or equal to the virtual machine resources), or migrate the VM Direct Engine to a host with vFlash already configured. Otherwise, backup of any vFlash-enabled disks fails with the error "VDDK Error: 13: You do not have access rights to this file" and the error on the vCenter server "The available virtual flash resource '0' MB ('0' bytes) is not sufficient for the requested operation."
For sites that contain many virtual machines that do not support Hot Add requirements, Network Block Device (NBD) transport mode is used. This mode can cause congestion on the ESXi host management network. Plan your backup network carefully for large scale NBD installs. For example, consider configuring one of the following options:
- Setting up management-network redundancy.
- Setting up backup network to ESXi for NBD.
- Setting up storage heartbeats.
See https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/techpaper/vmw-vsphere-high-availability-whitepaper.pdf for more information.
If performing NBD backups, ensure that your network has a bandwidth of 10 Gbps or higher.
Change the limit of instant access sessions
For DDOS versions 6.2 and higher, PowerProtect Data Manager uses the limit that the DD storage appliance reports, and manages concurrent instant access sessions based on the reported limit.
You can change the limit by modifying a configuration file to override the default value. Note that sessions that exceed the maximum concurrent sessions that are supported are canceled and retried. To change the number of concurrent sessions manually to match the capability of the underlying storage appliance, perform the following steps.
1. Log in to the PowerProtect Data Manager UI as a user with the Administrator role.
2. If not already created, create an application.yml file in the /usr/local/brs/lib/vmdm/config/ directory.
NOTE: The structure of this file requires that you separate fields into individual categories and sub categories, as shown in the following step.
3. In the application.yml file, change the instant access session parameter value to override the default value. For example:
recovery:
  queue:
    ia_session_allowance: 32
4. Run vmdm stop and then vmdm start to restart the vmdm service.
NOTE: Ensure that no other virtual machine operations are running, such as protection and recovery.
Configuring a backup to support vSAN datastores
Backup and recovery functionality is supported for vSAN virtual machines.
When performing backups or restores of virtual machines residing on vSAN datastores, it is highly recommended to deploy the VM Direct appliance on a vSAN datastore. A VM Direct appliance deployed on any one vSAN datastore can be used for backing up virtual machines from other vSAN or non-vSAN datastores by using Hot Add or nbdssl transport modes, as applicable.
Configuration checklist for common issues
The following configuration checklist provides best practices and troubleshooting tips that might help resolve some common issues.
Basic configuration
Review the following basic configuration requirements:
- Synchronize system time between all vCenter and ESXi servers.
- Assign IPs carefully; do not reuse any IP addresses.
- Use Fully Qualified Domain Names (FQDNs) where possible.
- For any network related issue, confirm that forward and reverse DNS lookups work for each host in the datazone.
Virtual machine configuration
Review the following virtual machine configuration requirements:
- Ensure that the virtual machine has access to and name resolution for the protection storage.
- Ensure that the virtual machine firewall has port rules for the protection storage.
- For application-aware backups, ensure that Microsoft SQL Server instances are enabled for data protection using a SYSTEM account, as described in the section "Microsoft application agent for SQL Server application-aware protection" of the PowerProtect Data Manager Microsoft SQL Server User Guide.
Disable vCenter SSL certificate validation
If the vCenter server's SSL certificate cannot be trusted automatically, a dialog box appears when adding the vCenter server as an asset source in the PowerProtect Data Manager user interface, requesting certificate approval. It is highly recommended that you do not disable certificate enforcement.
If disabling of the SSL certificate is required, you can perform the following procedure.
CAUTION: These steps should only be performed if you are very familiar with certificate handling and the issues that can arise from disabling a certificate.
1. Create a file named cbs_vmware_connection.properties in the /home/admin directory on the PowerProtect Data Manager appliance, with the following contents:
cbs.vmware_connection.ignore_vcenter_certificate=true
2. If not already created, create an application.yml file in the /usr/local/brs/lib/vmdm/config/ directory.
NOTE: The structure of this file requires that you separate fields into individual categories and sub categories, as shown in the following step.
3. In the application.yml file, add the following contents:
vmware_connection:
  ignore_vcenter_cert: true

discovery:
  ignore_vcenter_cert: true
4. Run cbs stop to stop the cbs service, and then cbs start to restart the service.
5. Run vmdm stop to stop the vmdm service, and then vmdm start to restart the service.
6. If the SSL certificate uses an FQDN, perform a test to determine if SSL certificate disabling was successful by adding a vCenter server using the vCenter server's IP address, and then verify that the asset source was added and virtual machine discovery was successful.
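To confirm later whether this override is still in place on an appliance, the two files from the procedure can be inspected directly. The following is an added example, not Dell code; it assumes the file paths and keys shown in the steps above, and the function and variable names are illustrative.

```shell
#!/bin/sh
# Added example (not Dell code): report whether vCenter certificate
# validation has been disabled through the files named in the procedure.

# Paths as given in the procedure; overridable so that the check can be run
# against copies of the files.
CBS_PROPS="${CBS_PROPS:-/home/admin/cbs_vmware_connection.properties}"
VMDM_YML="${VMDM_YML:-/usr/local/brs/lib/vmdm/config/application.yml}"

# Succeeds if the cbs properties file sets the ignore flag to true.
cbs_ignores_cert() {
    [ -f "$1" ] || return 1
    grep -Eq '^[[:space:]]*cbs\.vmware_connection\.ignore_vcenter_certificate[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$1"
}

# Prints the name of each top-level application.yml category
# (vmware_connection, discovery) that contains "ignore_vcenter_cert: true".
# Only the literal value "true" shown in the procedure is matched.
vmdm_sections_ignoring_cert() {
    [ -f "$1" ] || return 0
    awk '
        /^[ \t]*#/ { next }
        /^[^ \t#][^:]*:/ { section = $0; sub(/:.*/, "", section); next }
        /^[ \t]+ignore_vcenter_cert:[ \t]*true[ \t]*$/ {
            if (section == "vmware_connection" || section == "discovery")
                print section
        }
    ' "$1"
}

# Prints one FINDING line per override and returns the number of overrides
# found (0 means certificate validation has not been disabled by these files).
audit_vcenter_cert_validation() {
    findings=0
    if cbs_ignores_cert "$CBS_PROPS"; then
        echo "FINDING: $CBS_PROPS sets ignore_vcenter_certificate=true (cbs)"
        findings=$((findings + 1))
    fi
    for s in $(vmdm_sections_ignoring_cert "$VMDM_YML"); do
        echo "FINDING: $VMDM_YML category '$s' sets ignore_vcenter_cert: true (vmdm)"
        findings=$((findings + 1))
    done
    if [ "$findings" -eq 0 ]; then
        echo "OK: no certificate-validation override found"
    fi
    return "$findings"
}

# Run the audit only when asked, so the file can also be sourced.
if [ "${1:-}" = "--audit" ]; then
    audit_vcenter_cert_validation
fi
```

A setting left in the files takes effect only after the cbs and vmdm services are restarted, so a finding here should be compared against when those services were last restarted.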
Uninstalling the VM Direct agent
If you no longer require the VM Direct agent on the target virtual machine, the agent must be properly uninstalled. If you manually delete VM Direct agent files instead of uninstalling the agent and at some point reinstall the agent, subsequent mount attempts to perform restores fail.
To uninstall the VM Direct agent on Linux:
1. Execute the following command: /opt/emc/vproxyra/bin/preremove.sh.
2. Uninstall the VM Direct agent package by running rpm -e emc-vProxy-FLRAgent.
3. If the uninstall fails due to a broken installation or other issue, you can force removal of the package by running rpm -e --force emc-vProxy-FLRAgent.
To uninstall the VM Direct agent on Windows:
1. Select Control Panel > Programs > Programs and Features.
2. Locate Dell vProxy Agent.
3. Right-click the program and select Uninstall.
Updating the Microsoft Application Agent and VM Direct agent software
The Microsoft Application Agent and VM Direct agent software required to perform SQL application-aware data protection and file-level restore operations will be automatically updated on the target virtual machine by the VM Direct appliance during the file-level restore operation. The VM Direct appliance detects the available software on the client and updates the agent software with the new version of software from its repository. If the update does not occur automatically, contact Customer Support for a procedure to update the VM Direct software repository with the latest version of the agent software packages.
Supported file-level restore platforms and OS versions
File-level restore is supported for the following platforms and operating system versions only.
Platforms/operating systems are qualified for file-level restore support using the default file system for these platforms:
NOTE: The most up-to-date software compatibility information for PowerProtect Data Manager is provided by the E-Lab Navigator.
- CentOS 7.x
- Debian 9.x, 10.x, and 11.x
- RedHat Enterprise Linux versions 7.x, 8.x, and 9.x
- SuSE Linux Enterprise Server versions 11.x and 12.x
- Ubuntu version 17.10
- Oracle Enterprise Linux version 7.2 and later
- Windows 7, 8, 10, Server 2008, 2012, 2016 (all 64-bit platforms and R2, where applicable), 2019 for FAT, and NTFS.
Ensure that the latest supported version of VMware Tools or open-vm-tools is installed on the guest operating system.
Support for Debian or Ubuntu operating system
VM Direct file-level restore is supported on the Debian and Ubuntu operating systems. To configure the Debian or Ubuntu guest operating system for file-level restore, perform the following steps.
Steps
1. Log in to the system console as a non-root user.
2. Run the sudo passwd root command.
Enter the new password twice to set a password for the root account.
3. Run the sudo passwd -u root command to unlock the root account.
4. Specify the root user credentials in the PowerProtect Data Manager file-level restore user interface, and complete the file-level restore operation at least once.
While performing the file-level restore operation for the first time, remember to select Keep FLR agent.
5. After performing the above steps at least once, you can revert the root account to the locked state and use a non-root account for future file-level restore requests. A non-root user can lock the root account with the sudo passwd -l root command.
Operating system utilities required for file-level restore
On Linux and Windows, the installed operating system must include several standard utilities in order to use file-level restore. Depending on the target operating system for restore and the types of disks or file systems in use, some of these standard utilities, however, may not be included.
The following utilities and programs may be required for performing file-level restore.
On Windows:
- msiexec.exe
- diskpart.exe
- cmd.exe
On Linux:
- blkid
- udevadm
- readlink
- rpm
- bash
NOTE: On Linux LVM, LVM2 rpm version 2.02.117 or later is required. To support the new features of LVM2.0, LVM2 version 2.03.15 is required. Additional binaries that are also required on Linux LVM include dmsetup, lvm, vgimportclone, lvmconfig and lvmdevices.
File-level restore and SQL restore requirements and limitations
This section provides a list of requirements and limitations that apply to virtual machine file-level restores and individual SQL database and instance restores.
All platforms
Review the following best practices and limitations that apply to all platforms:
You must install VMware Tools version 10 or later. For best results, ensure that all virtual machines run the latest available version of VMware Tools. Older versions are known to cause failures when you perform browse actions during file-level restore or SQL restore operations.
Before mounting file systems for virtual machine file level restores, ensure that the target virtual machine for the restore supports the file system type, version, and options used in the source backup. For example, the xfsprogs version of the target virtual machine must be compatible with the xfsprogs version of the source virtual machine.
File-level restore is supported only for non-system files or folders (for example, user-created files/folders). When restoring operating system files or folders, or system files or folders such as C:\Windows or C:\Program Files, perform an image-level restore.
You can only restore files and/or folders from a Windows backup to a Windows machine, or from a Linux backup to a Linux machine.
You can perform file-level restores across vCenter servers as long as the vCenters are configured in PowerProtect Data Manager, and the source and target virtual machine have the same guest operating system. For example, Linux to Linux, or Windows to Windows.
When a file-level restore or SQL-restore operation is in progress on a virtual machine, no other backup or recovery operation can be performed on this virtual machine. Wait until the file-level restore session completes before starting any other operation on the virtual machine.
Ensure that the virtual machine has enough free slots to accommodate the disks that will be mounted as part of the restore. The total number of supported disks is 60 (4 SCSI controllers with 15 disks each).
File-level restores do not support the following virtual disk configurations: LVM thin provisioning FAT16 file systems FAT32 file systems on LInux Extended partitions (Types: 05h, 0Fh, 85h, C5h, D5h) Two or more virtual disks mapped to single partition Encrypted partitions Compressed partitions
If the VM Direct agent service is not running on the target virtual machine, VMDKs fail to mount with the error "Cannot connect to vProxy Agent: Unable to connect to '[::1]:
Clean up from a suspended or cancelled mount operation requires a restart of the virtual machine before you can initiate a new mount for the file-level restore.
File-level restores do not restore or browse symbolic links.
Windows platforms
Review the following best practices and limitations that apply to Windows platforms:
To browse all of the disk drives of a backup copy, the copy should be from a virtual machine that has the following Windows permission settings in the Advanced Security Settings for the Local Disk at each disk drive level for both the SYSTEM and
Ensure that the target virtual machine's SCSI Controller 0 is not empty by attaching the slot to a virtual disk. Otherwise, the file-level restore is unable to mount the disks from the backup copy.
Windows 2012 R2 and earlier versions do not support paths longer than 255 characters. To reduce the number of characters in the restore path, you might be required to remove the Windows drive letter, the colon, the slash, and the trailing null character. Since the Windows VM Direct agent mount point already uses around 90 characters, you might need to select a folder at a higher directory level for the restore.
For Windows 2016 and later, an option to enable support for longer file paths is available. See the following article.
File-level restores of Windows 8, Windows Server 2012 and Windows Server 2016 virtual machines are not supported on the following file systems:
  Deduplicated NTFS
  Resilient File System (ReFS)
  EFI bootloader
File-level restores of virtual machines with Windows dynamic disks are supported with the following limitations:
  The restore can only be performed when recovering to a virtual machine different from the original. Also, this virtual machine cannot be a clone of the original.
  The restore can only be performed by virtual machine administrator users.
  If Windows virtual machines were created by cloning or deploying the same template, then all of these Windows virtual machines may end up using the same GUID on their dynamic volumes.
When you perform file-level restore on Windows 2012 R2 virtual machines, the volumes listed under the virtual machine display as "unknown." File-restore operations are not impacted by this issue.
When you enable Admin Approval Mode (AAM) on the operating system for a virtual machine (for example, by setting Registry/FilterAdministratorToken to 1), the administrator user cannot perform a file-level restore to the end user's profile, and an error displays indicating "Unable to browse destination." For any user account control (UAC) interactions, the administrator must wait for the mount operation to complete, and then access the backup folders located at C:\Program Files (x86)\EMC\vProxy FLR Agent\flr\mountpoints by logging into the guest virtual machine using Windows Explorer or a command prompt.
Linux platforms
Review the following best practices and limitations that apply to Linux platforms:
On Linux virtual machines, Logical Volume (LV) names longer than 100 characters are not supported.
When you perform file-level restore on Ubuntu/Debian platforms, you must enable the root account in the operating system. By default, the root account will be in locked state.
Virtual disk types supported
When planning your protection policies, ensure that PowerProtect Data Manager supports the disk types that you use in the environment.
PowerProtect Data Manager does not support the following disk types:
First Class Disks
Independent (persistent and nonpersistent)
RDM Independent - Virtual Compatibility Mode
RDM Physical Compatibility Mode
Additionally, it is recommended to avoid deploying VMs with IDE virtual disks, which degrades backup performance. Use SCSI virtual disks instead whenever possible. Note that you cannot use Hot Add mode with IDE Virtual disks. Backup of IDE Virtual disks is performed using NBD mode.
Virtual machine data change rate
The data change rate is the percentage of a virtual machine's data that changes between backups.
Data change rates directly impact the number of VM Direct Engines required to successfully complete the backup of all required virtual machines within the backup window. A daily data change rate of 3-4% is typical in a vSphere environment. Higher data change rates will require either a longer window to complete the backup, additional VM Direct Engines, or both.
VM Direct Engine data ingestion rate
The VM Direct Engine data ingestion rate is another parameter that directly impacts the number of VM Direct Engines required to successfully complete the backup of all required virtual machines within the backup window.
By default, each VM Direct Engine processes approximately 500 GB to 1 TB of data per hour, subject to the deduplication and read throughput on the primary stack. A number of additional factors, however, can impact the actual data ingestion rate, including the following:
The protection storage system being used for data protection operations.
The type of storage media used for VM Direct Engine storage.
Your network and/or SAN infrastructure and connectivity speed.
If data ingestion rates at your site are typically lower or higher than 500 GB per hour, you can add or delete VM Direct Engines as needed. You can also shorten or lengthen the backup window. By default, each VM Direct Engine is configured to handle the optimal number of concurrent VMDK backup jobs. Configuring each VM Direct Engine to allow fewer concurrent backup jobs would typically require deploying additional VM Direct Engines, but can result in more evenly distributed backup jobs among each VM Direct Engine.
Full (Level-0) backups typically take longer and consume more VM Direct Engine resources. Therefore, large new virtual machine deployments can impact the ability to complete all required backups within the time specified for the backup window. In order to allow the system to perform these full backups without interruption, where possible ensure that you implement a phased approach for large new virtual machine deployments. If a phased deployment is not possible, and the full backups do not complete before timeout of the backup window, you can also enable automatic retry of failed backups. For instructions, see the PowerProtect Data Manager Administration and User Guide. It is recommended that an administrator user monitor such workloads to ensure that the system can handle these workloads when the demand on resources begins to decrease, and that the virtual machine backups then complete successfully.
VM Direct Engine limitations and unsupported features
Review the following limitations and unsupported features related to the VM Direct Engine.
Backup of individual folders within a virtual machine is not supported
PowerProtect Data Manager only supports image-level backup and disk-level backup. You cannot perform backups of individual folders within the virtual machine.
Backups fail for resource pools recreated with the same name as deleted pool
When you delete a resource pool from a vCenter server and then create a resource pool with the same name, backups fail. Reconfigure the protection group with the newly created resource pool.
Datastore names cannot contain special characters
Using special characters in datastore names can cause problems with the VM Direct Engine, such as failed backups and restores. Special characters include the following: % & * $ # @ ! \ / : * ? " < > | ;, and so on.
DD Boost over fibre channel not supported
PowerProtect Data Manager does not support DD Boost over fibre channel (DFC).
Error when changing configuration of many virtual machines at the same time
When configuring or unconfiguring many virtual machines (300 or more) in a protection policy, an error message might display indicating that the request is too large. You can click OK and proceed, but system performance will be impacted due to the size of the request. As a best practice, it is recommended to use protection rules to automatically determine which assets are assigned to protection policies when the assets are discovered.
Hot Add backups fail when datacenter names contain special characters
Virtual machine backups fail when the datacenter name contains special characters and the transport mode specified for VM Direct backups is Hot Add only. Avoid using special characters in the datacenter name, for example, "Datacenter_#2@3", or specify Hotadd with fallback to Network Block Device for the transport mode.
Hot Add backups fail when virtual machine protection policy configured with Virtual Flash Read Cache value
When using Hot Add transport mode for a virtual machine protection policy, the backup fails with the following error if configured with the Virtual Flash Read Cache (vFRC) value:
"Backup has FAILED. Failed to backup virtual disk \"Hard disk
I/O contention when all Virtual Machines on a single data store
I/O contention may occur during snapshot creation and backup read operations when all Virtual Machines reside on a single datastore.
Limitations to SQL Server application consistent data protection
Review the SQL Server application-consistent protection support limitations in the section "Microsoft application agent for SQL Server application-aware protection" of the PowerProtect Data Manager Microsoft SQL Server User Guide.
Network configuration settings are not restored with virtual machine after recovery of a vApp backup
Network configuration settings are not backed up with the virtual machine as part of a vApp backup. As a result, when you restore a vApp backup, you must manually reconfigure the network settings.
NFC log level settings
To assist with I/O performance analysis, set the NFC log level in the VM Direct Engine configuration file to its highest value, for example, vixDiskLib.nfc.LogLevel=4. Setting the log level in the server for NFC asynchronous I/O is not required. You can then run the VDDK sample code and evaluate I/O performance by examining the vddk.log and the vpxa log file.
NOTE: Virtual Machines with very high I/O might stall during consolidation due to the ESXi forced operation called synchronous consolidate. Plan your backups of such Virtual Machines according to the amount of workload on the Virtual Machine.
Protection fails for virtual machine name containing { or }
A PowerProtect Data Manager virtual machine protection policy fails to back up virtual machines that contain the special characters { or } in the name. This limitation exists with vSphere versions previous to 6.7. If you do not have vSphere 6.7 or later deployed, avoid using these two characters in virtual machine names.
SAN transport mode not supported
PowerProtect Data Manager supports only the Hot Add and NBD transport modes. The Hot Add mode is the default transport mode. For a protection policy, you can specify to use only Hot Add mode, only NBD mode, or Hot Add mode with fallback to NBD if Hot Add is not available.
Specify NBD for datastores if VM Direct should use NBD mode only
For a VM Direct Engine that only uses NBD transport mode, specify datastores that only perform NBD backups.
Thin provisioning not preserved during NFS datastore recovery
When backing up thin-provisioned virtual machines or disks for virtual machines on NFS datastores, an NFS datastore recovery does not preserve thin provisioning. VMware knowledge base article 2137818 at https://kb.vmware.com/kb/2137818 provides more information.
Virtual machine alert "VM MAC conflict" might appear after successful recovery of virtual machine
After performing a successful recovery of a virtual machine through vCenter version 6, an alert might appear indicating a "VM MAC conflict" for the recovered virtual machine, even though the new virtual machine will have a different and unique MAC address. You must manually acknowledge the alert or clear the alert after resolving the MAC address conflict. Note that this alert can be triggered even when the MAC address conflict is resolved.
The VMware release notes at https://docs.vmware.com/en/VMware-vSphere/6.0/rn/vsphere-vcenter-server-60u2-release-notes.html provide more information.
VM Direct Engine configuration settings cannot be modified after adding the VM Direct Engine
After adding a VM Direct Engine, the only field you can modify is the Transport Mode. Any other configuration changes require you to delete and then re-add the VM Direct Engine. Additional VM Direct actions provides more information.
VM Direct Engine configured with both IPv4 and IPv6 is not supported
The VM Direct Engine does not support both IPv4 and IPv6 at the same time. If you want to run backups and restores using the VM Direct Engine, use either only IPv4 or only IPv6.
VMware Distributed Resource Scheduler cluster support limitations
The PowerProtect Data Manager server is supported in a VMware Distributed Resource Scheduler (DRS) cluster, with the following considerations:
During backup of a virtual machine, host-vmotion or storage-vmotion is not permitted on the virtual machine. The option to migrate will be disabled in the vSphere Client UI.
A storage-vmotion operation cannot be performed on a VM Direct Engine that is currently in use for a backup or restore with Hot Add disks attached.
VMware limitations by vSphere version
VMware limitations for vSphere 6.0 and later versions are available at https://configmax.vmware.com/home. For vSphere 5.5, go to https://www.vmware.com/pdf/vsphere5/r55/vsphere-55-configuration-maximums.pdf.
VMware snapshot for backup is not supported for independent disks
When using independent disks you cannot perform VMware snapshot for backup.
VM Direct Engine selection with virtual networks (VLANs)
PowerProtect Data Manager typically selects a VM Direct Engine by accounting for availability, transport mode settings, and engine load. This selection optimizes data throughput.
When you configure virtual networks for PowerProtect Data Manager and VM Direct Engine to isolate backup traffic, you can define routes to the protection storage system interface for each virtual network. The routes that you configure can influence VM Direct Engine selection. PowerProtect Data Manager ensures that the selected engine has a network interface that can send traffic for a specific virtual network to the protection storage system.
The PowerProtect Data Manager Administration and User Guide provides more information about virtual networks, including prerequisites and supported topologies and traffic types that can influence selection.
Deploying VM Direct appliance to datastore cluster unsupported
VM Direct appliance deployment to a datastore cluster is not supported. The deployment fails with a ServerFaultCode error.
Best practices for vCenter server backup and restore
Review the following recommendations and best practices when planning a vCenter server backup and restore.
NOTE: Backups will not save distributed switch configurations.
It is recommended to schedule the backup of the vCenter server when the load on the vCenter server is low, such as during off-hours, to minimize the impact of vCenter virtual machine snapshot creation and snapshot commit processing overhead.
Ensure that there are no underlying storage problems that might result in long stun times.
Keep the vCenter virtual machine and all of its component virtual machines in one single isolated protection policy. The protection policy should not be shared with any other virtual machines. This is to ensure that the backup times of all vCenter server component virtual machines are as close to each other as possible.
Ensure that the backup start time of the vCenter server does not overlap with any operations for other protected virtual machines being managed by this vCenter server so that there is no impact on other protected virtual machines during snapshot creation and snapshot commit of the vCenter virtual machine.
If the vCenter server and Platform Services Controller instances fail at the same time, you must first restore the Platform Services Controller and then the vCenter server instances.
Changing the vCenter server FQDN
If you change the fully qualified domain name (FQDN) of the vCenter server, PowerProtect Data Manager must be reconfigured to accommodate this change without any issues.
When the FQDN of the vCenter server changes, so does its SSL certificate. In order to continue to administer the vCenter server and maintain uninterrupted protection of its assets, the new certificate must be imported into the PowerProtect Data Manager trust store.
Change the vCenter server FQDN
When the FQDN of the vCenter server changes, its new SSL certificate must be imported into the PowerProtect Data Manager trust store.
About this task
This procedure uses REST API commands that are run on the PowerProtect Data Manager server.
NOTE: In the following steps, replace 192.168.1.204 with the IP address of the PowerProtect Data Manager server and a022-renamed-ppdm.vmware.com with the new FQDN of the vCenter server.
Steps
1. Get the current information from the vCenter server, and make a note of the value of id, which corresponds to the new FQDN certificate:
GET https://192.168.1.204:8443/api/v2/certificates?host=a022-renamed.ppdm.vmware.com&port=443&type=Host
For example, the output might look like this:
fingerprint: "43FF8FBA82D1DD68E630AE9DB8BA7DF21549CE39"
host: " a022-renamed-ppdm.vmware.com"
id: "dmNlbnRlci12bWRtLTA0LmFzbC5sYWIuZW1jLmNvbTo0NDM6aG9zdA=="
issuerName: "OU=VMware Engineering, O= a022-renamed-ppdm.vmware.com, ST=California, C=US, DC=local, DC=vsphere, CN=CA"
notValidAfter: "Mon Mar 11 17:39:09 PDT 2030"
notValidBefore: "Mon Mar 16 17:39:09 PDT 2020"
port: "443"
state: "UNKNOWN"
subjectName: "C=US, CN=vcenter-vmdm-04.asl.lab.emc.com"
type: "HOST"
2. Import the new certificate into the PowerProtect Data Manager trust store:
PUT https://192.168.1.204:8443/api/v2/certificates/{newCertID}
Replace {newCertID} with the value of id displayed in step 1. Only use the text that was displayed between the quotation marks.
3. Get the ID of the vCenter server:
GET https://192.168.1.204:8443/api/v2/inventory-sources/
All vCenter servers that are configured in PowerProtect Data Manager are displayed.
For example, the output might look like this:
"id": "6ffdb6e9-b864-56f4-8ec8-fe1c214c6fef",
"name": "VC",
"version": "7.0.2",
"type": "VCENTER",
"lastDiscovered": "2021-08-10T07:03:41.624Z",
"lastDiscoveryResult": {
"status": "OK",
4. Record the new FQDN of the vCenter server in PowerProtect Data Manager:
PUT https://192.168.1.204:8443/api/v2/inventory-sources/{vCenter-id}
Replace {vCenter-id} with the value of id displayed for the vCenter server in step 3. Only use the text that was displayed between the quotation marks.
5. Get the current list of certificates:
GET https://192.168.1.204:8443/api/v2/certificates
Both the old and new FQDN certificates are displayed. There might also be additional certificates displayed.
6. Search the certificate entries displayed in step 5, and locate the entry where the value of host matches the old FQDN of the vCenter server. Make a note of the corresponding id value.
7. Delete the old certificate from the PowerProtect Data Manager:
DELETE https://192.168.1.204:8443/api/v2/certificates/{oldCertID}
Replace {oldCertID} with the value of id noted in step 6. Only use the text that was displayed between the quotation marks.
Next steps
If the SPBM storage provider configured on the vCenter server is displayed as offline after following these steps, remove the storage provider and add it back.
Replacing security certificates
You can replace the default self-signed security certificates for the PowerProtect Data Manager user interface, or replace changed or expired security certificates on an external server.
The PowerProtect Data Manager Security Configuration Guide provides more information.
Replacing the self-signed security certificates
If you want to use certificates for the PowerProtect Data Manager user interface that are signed by a certificate authority (CA) of your choice, you can replace them.
The PowerProtect Data Manager Security Configuration Guide provides more information.
Replace expired or changed certificates on an external server
Use this procedure to replace expired or changed certificates on an external server. Only the Administrator role can replace certificates.
About this task
If a certificate on an external server has expired or been changed, connection to the server fails with the following error:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX
Perform the following steps using cURL or any REST API client, such as Postman.
Steps
1. Log in to the external server as an administrator:
POST https://server hostname:REST port number/api/v2/login
Provide the following request payload in JSON format:
{ "username": "username", "password": "password" }
where username is a user with the Administrator role and password is the password for this user.
NOTE: Add the following header key with your REST call request:
'Content-type: application/json'
The response returns the following information:
{
"access_token":
"token_type":
"expires_in":
"jti":
"scope":
"refresh_token":
}
Copy the access_token value from the response above. This value will be required in the header key Authorization for all the REST calls in subsequent steps.
2. On the REST API client, run the following to obtain the old or expired external server certificate:
GET https://server hostname:REST port number/api/v2/certificates
NOTE: Add the following header key with your REST call request:
'Authorization: access_token_value'
The response returns a list of certificate entries, each containing the following information:
[{
"id":
"host":
"port":
"notValidBefore":
"notValidAfter":
"fingerprint":
"subjectName":
"issuerName":
"state":
"type":
}]
NOTE: Make note of the host, port and type of each certificate, as this information will be required in Step 4. If you supply incorrect information in Step 4, requests that use these external hosts might fail.
3. On the REST API client, delete the old or expired external server certificate from the PowerProtect Data Manager datastore, using the ID obtained from the response in step 2:
DELETE https://server hostname:REST port number/api/v2/certificates/id
NOTE: Add the following header key with your REST call request:
'Authorization: access_token_value'
Ensure that you delete only the external server certificate that you want to remove.
4. On the REST API client, obtain the new certificate from the external server, using the host, port, and type obtained from the response in step 2:
GET https://server hostname:REST port number/api/v2/certificates?host=host&port=port&type=type
NOTE: Add the following header key with your REST call request:
'Authorization: access_token_value'
The response returns the following information:
[{
"id":
"host":
"port":
"notValidBefore":
"notValidAfter":
"fingerprint":
"subjectName":
"issuerName":
"state": "UNKNOWN",
"type":
}]
5. On the REST API client, accept the new certificate, using the ID obtained in the response from step 4:
PUT https://server hostname:REST port number/api/v2/certificates/id
NOTE: Add the following header key with your REST call request:
'Authorization: access_token_value'
Also, copy the response payload from step 4 in JSON format and change the state from "UNKNOWN" to "ACCEPTED".
6. On the REST API client, verify that the new certificate has been accepted, using the ID obtained in the response from step 4:
GET https://server hostname:REST port number/api/v2/certificates/id
NOTE: Add the following header key with your REST call request:
'Authorization: access_token_value'
If the certificate was accepted, the response returns the following information:
[{
"id":
"host":
"port":
"notValidBefore":
"notValidAfter":
"fingerprint":
"subjectName":
"issuerName":
"state": "ACCEPTED",
"type":
}]
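Both certificate procedures above (the vCenter FQDN change and the external server replacement) end by storing whatever certificate the host currently presents. The following Python code is an added example, not Dell code: it runs steps 2 to 6 of the external server procedure through an injected send function and refuses the PUT unless the returned fingerprint matches one obtained out of band. The ConstructedServer stand-in, sample entries, host names and token are constructed for the demonstration, and the access token is sent as the bare Authorization value, as the steps show it.

```python
import json
import urllib.request
from urllib.parse import urlencode, urlsplit


class FingerprintMismatch(Exception):
    """The certificate offered for acceptance is not the expected one."""


def normalize_fp(value):
    """Upper-case hex without separators, so both notations compare equal."""
    return value.replace(":", "").replace(" ", "").upper()


def find_entry(entries, host, port, cert_type):
    """Pick the single stored entry for host/port/type; refuse to guess."""
    hits = [e for e in entries
            if e["host"].strip().lower() == host.lower()
            and str(e["port"]) == str(port)
            and e["type"].upper() == cert_type.upper()]
    if len(hits) != 1:
        raise LookupError(f"expected one entry for {host}:{port}, found {len(hits)}")
    return hits[0]


def http_send(method, url, headers, body):
    """Transport for a live server; urlopen leaves TLS verification enabled."""
    data = body.encode() if body else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def replace_certificate(send, base, token, host, port, cert_type, trusted_fp):
    """Steps 2-6 of the procedure, with a fingerprint check before step 5."""
    hdr = {"Authorization": token, "Content-type": "application/json"}
    certs = f"{base}/api/v2/certificates"
    old = find_entry(send("GET", certs, hdr, None), host, port, cert_type)  # step 2
    send("DELETE", f"{certs}/{old['id']}", hdr, None)  # step 3
    query = urlencode({"host": old["host"].strip(), "port": old["port"], "type": old["type"]})
    new = send("GET", f"{certs}?{query}", hdr, None)[0]  # step 4
    # Added check (assumption: trusted_fp was read on the external server itself).
    offered, wanted = normalize_fp(new["fingerprint"]), normalize_fp(trusted_fp)
    if offered != wanted:
        raise FingerprintMismatch(f"{host}: offered {offered}, expected {wanted}")
    accepted = dict(new, state="ACCEPTED")
    send("PUT", f"{certs}/{new['id']}", hdr, json.dumps(accepted))  # step 5
    check = send("GET", f"{certs}/{new['id']}", hdr, None)  # step 6
    check = check[0] if isinstance(check, list) else check
    if check["state"] != "ACCEPTED" or normalize_fp(check["fingerprint"]) != wanted:
        raise RuntimeError(f"{host}: certificate not stored as ACCEPTED")
    return check


class ConstructedServer:
    """In-memory stand-in for the endpoints (constructed for this example)."""

    def __init__(self, stored, presented):
        self.stored = {e["id"]: dict(e) for e in stored}  # trust store contents
        self.presented = dict(presented)  # certificate the host serves now
        self.calls = []

    def __call__(self, method, url, headers, body):
        self.calls.append(method)
        parts = urlsplit(url)
        cert_id = parts.path.rsplit("/certificates", 1)[1].lstrip("/")
        if method == "GET" and parts.query:
            return [dict(self.presented)]
        if method == "GET":
            return [self.stored[cert_id]] if cert_id else list(self.stored.values())
        if method == "DELETE":
            del self.stored[cert_id]
            return None
        if method == "PUT":
            self.stored[cert_id] = json.loads(body)
            return self.stored[cert_id]
        raise ValueError(method)


# Constructed entries; field names follow the responses shown in the steps.
OLD = {"id": "old-id-constructed", "host": "ext.example.test", "port": "443",
       "fingerprint": "AA" * 20, "state": "ACCEPTED", "type": "HOST"}
NEW = dict(OLD, id="new-id-constructed", fingerprint="BB" * 20, state="UNKNOWN")


def demo(trusted_fp=":".join(["bb"] * 20)):
    """Run the procedure against the stand-in; returns (entry, server)."""
    server = ConstructedServer([OLD], NEW)
    entry = replace_certificate(server, "https://ppdm.example.test:8443",
                                "token-constructed", "ext.example.test", 443,
                                "HOST", trusted_fp)
    return entry, server


if __name__ == "__main__":
    final, srv = demo()
    print(final["state"], srv.calls)
```

Against a live server, pass http_send as the first argument. Because the page's order deletes the old entry before the new one is fetched, a mismatch leaves the host with no stored certificate until the discrepancy is resolved.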
Restart the virtual machine protection services
As part of PowerProtect Data Manager maintenance, perform the following steps when directed.
Prerequisites
Verify that there are no active backup and restore operations. The PowerProtect Data Manager Administration and User Guide provides instructions for canceling jobs and disabling protection policies.
Steps
1. Connect to the PowerProtect Data Manager console and change to the root user.
2. Restart the virtual machine data mover service:
/usr/local/brs/lib/vmdm/bin/vmdm restart
3. Restart the protection engine service:
systemctl restart vproxyd
4. If required, re-enable protection policies. The PowerProtect Data Manager Administration and User Guide provides instructions.
Support for backup and restore of encrypted virtual machines
Backup and restore of encrypted virtual machines is supported in PowerProtect Data Manager, with the following limitations:
Restoring encrypted virtual machines to a different vCenter server where encryption is not configured is not supported. You must perform the restore to a new virtual machine on the same vCenter server, or to a different vCenter server where encryption is configured using the same or a different KMS server as the source vCenter.
Restoring an encrypted virtual machine backup to a new virtual machine on the original vCenter server will restore the virtual machine disks (VMDKs) in unencrypted format. For more information about manually changing the virtual machine policy to enable encryption of VMDKs, see the article Virtual Machine Encryption.
VMware recommends powering off the virtual machine before encryption is applied. When restoring an encrypted virtual machine as a new virtual machine or by using an Instant Access restore, disable the Power on the virtual machine when the restore completes option to ensure that the virtual machine can be encrypted by the vCenter server after the restore completes. For more information, see the article Encrypt an Existing Virtual Machine or Virtual Disk.
In order to use Hot Add transport mode, all VM proxies with access to the encrypted virtual machines datastore must be encrypted as well. For example, if encrypted virtual machines reside in an ESXi cluster, all VM proxies deployed on the cluster must also be encrypted.
In order to back up and restore encrypted virtualization-based security (VBS) and virtual Trusted Platform Module 2.0 (vTPM) virtual machines, vCenter 7.0 U1 or later is required.
For Restore to Original VM recovery operations, ensure that production VMs have the same encryption status as their backup copies. If a production VM has a different encryption status than its backup copy, Restore to Original VM recovery attempts fail with the message Encryption status of production VM and backup copy is different. To resolve this issue, change the encryption status of the production VM to match its backup copy, or perform a Create and Restore to New VM recovery instead.
If a virtual machine is encrypted and vCenter 7.0 or later is used, an Instant Access virtual machine restore job can fail to automatically migrate the virtual machine from the DD NFS datastore to local storage. When this occurs, the restore job has a Completed with Exceptions status. To resolve the issue, perform the following steps from the vCenter user interface:
  1. Manually migrate the virtual machine from the DD NFS datastore to local storage.
  2. Unmount the DD NFS datastore from the ESXi host.
Troubleshooting network setup issues
vCenter registration and VM Direct Engine deployment fail if the PowerProtect Data Manager server is deployed in the same private network as the internal Docker network.
PowerProtect Data Manager uses an internal private Docker network. If the PowerProtect Data Manager server is deployed in the same private network as the internal Docker network, or if some data sources have already been deployed within the private network, PowerProtect Data Manager fails to protect the data sources.
To resolve this issue, deploy the PowerProtect Data Manager server and other data sources in a different network. If you cannot modify the deployed network, run a script tool within PowerProtect Data Manager to switch the private Docker network to a different network.
To switch the private Docker network to a different network:
1. Connect to the PowerProtect Data Manager console and change to the root user.
2. Modify the Docker network by running the following command:
/usr/local/brs/puppet/scripts/docker_network_switch.sh subnet gateway
Where:
subnet describes the new network in the format 172.25.0.0/24
gateway is the gateway for the private network. For example: 172.25.0.1
Ensure that you specify a subnet and gateway that is not in use.
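One way to check a candidate subnet and gateway before running the script, as an added example that is not part of the product: the function rejects a subnet written with host bits set, a gateway outside the subnet, and any overlap with networks already in use. The IN_USE inventory and its addresses are constructed; replace them with the networks of your own deployment.

```python
import ipaddress


def check_docker_network(subnet, gateway, in_use):
    """Return the problems with a proposed subnet/gateway pair ([] means usable).

    in_use maps a label to a network or interface address in CIDR form.
    """
    try:
        net = ipaddress.ip_network(subnet, strict=True)  # rejects 172.25.0.1/24
        gw = ipaddress.ip_address(gateway)
    except ValueError as exc:
        return [f"invalid argument: {exc}"]

    problems = []
    if gw.version != net.version or gw not in net:
        problems.append(f"gateway {gw} is outside {net}")
    elif gw in (net.network_address, net.broadcast_address):
        problems.append(f"gateway {gw} is the network or broadcast address of {net}")

    for label, cidr in in_use.items():
        other = ipaddress.ip_network(cidr, strict=False)  # accept host/prefix form
        if other.version == net.version and net.overlaps(other):
            problems.append(f"{net} overlaps {label} ({other})")
    return problems


# Constructed inventory: where the server and its data sources are deployed.
IN_USE = {
    "PowerProtect Data Manager server": "172.25.0.40/24",
    "vCenter and ESXi management": "10.20.0.0/16",
    "protection storage": "10.30.8.0/22",
}

if __name__ == "__main__":
    for subnet, gateway in [("172.25.0.0/24", "172.25.0.1"),
                            ("192.168.77.0/24", "192.168.77.1")]:
        print(subnet, gateway, check_docker_network(subnet, gateway, IN_USE) or "ok")
```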
Troubleshooting virtual machine backup issues
This section provides information about issues related to virtual machine backup operations with the VM Direct protection engine.
Backup completes with a non-quiesced snapshot warning
A virtual machine backup completes, but with a warning that a non-quiesced snapshot was used. Although most data will be protected, using a non-quiesced snapshot can result in some data being out of date or missing altogether.
The following warning is seen after a backup completes:
Warnings occurred during snapshot creation. Non-quiesced snapshot was used, quiesced snapshot was unsuccessful. Unable to create quiesced snapshot: An error occurred while quiescing the virtual machine. See the virtual machine's event log for details.
This can happen with backups of both Windows and Linux virtual machines. Refer to the following procedures for common methods of resolving the issue.
Troubleshooting non-quiesced Windows snapshots
There is a common method of resolving this issue on Windows.
Steps
1. Confirm that the virtual machine has VMware Tools 10.1.0 or higher installed. If the virtual machine does not have VMware Tools 10.1.0 or higher installed, then install it.
2. Confirm that the VMware Snapshot Provider service is installed on the virtual machine. If the VMware Snapshot Provider service is not installed, then install it by reinstalling VMware Tools.
NOTE: Antivirus software might interfere with the installation of this service. If it is still not installed after reinstalling VMware Tools, then temporarily disable any antivirus software and reinstall VMware Tools again.
Troubleshooting non-quiesced Linux snapshots
There is a common method of resolving this issue on Linux.
Steps
1. At a shell prompt of the virtual machine, run the command cat /etc/vmware-tools/tools.conf, and look for the value of enableSyncDriver:
[root]# cat /etc/vmware-tools/tools.conf
[vmbackup]
enableSyncDriver = false
2. If the value of enableSyncDriver is false, perform the following steps:
a. Edit /etc/vmware-tools/tools.conf, and change enableSyncDriver = false to enableSyncDriver = true.
b. At the shell prompt, run the command systemctl restart vmtoolsd.service.
Troubleshooting non-quiesced FreeBSD snapshots
There is a common method of resolving this issue on FreeBSD with Open VM Tools.
To resolve the issue, run the following command at a shell prompt of the virtual machine:
vmware-toolbox-cmd config set vmbackup forceQuiesce false
Backup fails when names include special characters
When spaces or special characters are included in the virtual machine name, datastore, folder, or datacenter names, the .vmx file is not included in the backup.
The VM Direct appliance does not back up objects that include the following special characters (format: character/escape sequence):
& %26
+ %2B
/ %2F
= %3D
? %3F
% %25
\ %5C
~ %7E
] %5D
Deleting vCenter asset sources or moving ESXi to another vCenter server
When you delete a vCenter asset source from PowerProtect Data Manager without removing any VM Direct or Search nodes the vCenter servers are hosting, the nodes become non-operational and move into a Failed status after the next health check. As a result, PowerProtect Data Manager updates will fail. This issue also occurs when you move the ESXi server hosting the VM Direct and Search nodes between vCenter servers.
To correct this issue, you can perform one of the following actions:
Manually delete the VM Direct and Search nodes. The section Delete VM Direct or Search nodes when a vCenter server asset source is no longer required provides the required steps.
Return the VM Direct and Search nodes to an Operational or Ready state using the vproxymgmt and infranodemgmt tools. Choose this action if you want to add the vCenter server again, or you want to add the vCenter server that the ESXi has been moved to. The section Return VM Direct or Search nodes to an operational state when re-adding a vCenter server provides the required steps.
Delete VM Direct or Search nodes when a vCenter server asset source is no longer required
Perform the following procedure when you delete a vCenter server as an asset source in PowerProtect Data Manager and you will not be re-adding the vCenter server:
About this task
NOTE: Manual cleanup of the virtual machine for the VM Direct or Search node has to be performed from the vCenter server.
Steps
1. Run the following command to source the environment file.
source /opt/emc/vmdirect/unit/vmdirect.env
2. For VM Direct removal:
a. Obtain the list of VM Direct Engines that require removal by running /opt/emc/vmdirect/bin/vproxymgmt get
b. Make note of the ID of any VM Direct Engine that needs to be deleted.
c. Use the vproxymgmt tool to delete VM Direct Engines by running /opt/emc/vmdirect/bin/vproxymgmt delete -vproxy_id ProxyID
3. For Search Node removal:
a. Obtain the list of Search nodes that require removal by running /opt/emc/vmdirect/bin/infranodemgmt get
b. Make note of the ID of any Search node that needs to be deleted.
c. Use the infranodemgmt tool to delete Search nodes by running /opt/emc/vmdirect/bin/infranodemgmt delete -node_id NodeID
4. In the PowerProtect Data Manager user interface, ensure that any sessions have been removed for both the VM Direct or Search nodes.
Return VM Direct or Search nodes to an operational state when re-adding a vCenter server
When you want to re-add a vCenter server that you deleted from PowerProtect Data Manager, or you want to add a vCenter server that an ESXi server has been moved to, perform the following procedure in order to return the VM Direct or Search nodes to an Operational or Ready state.
Steps
1. Re-add the deleted vCenter server as an asset source in the PowerProtect Data Manager user interface, or note the name of the new vCenter server to where the ESXi server has been moved.
2. Run the following command to source the environment file.
source /opt/emc/vmdirect/unit/vmdirect.env
3. For VM Direct updates:
a. Obtain the list of VM Direct Engines that require updating by running /opt/emc/vmdirect/bin/vproxymgmt get
b. Make note of the ID of any VM Direct Engine that needs to be updated.
c. Use the vproxymgmt tool to update the vCenter name by running /opt/emc/vmdirect/bin/vproxymgmt modify -vcenter_hostname vCenter-FQDN -vproxy_id ProxyID
4. For Search node updates:
a. Obtain the list of Search nodes that require updating by running /opt/emc/vmdirect/bin/infranodemgmt get
b. Make note of the ID of any Search node that needs to be updated.
c. Use the infranodemgmt tool to update the vCenter name by running /opt/emc/vmdirect/bin/infranodemgmt modify -vcenter_hostname vCenter-FQDN -node_id NodeID
5. In the PowerProtect Data Manager user interface, ensure that any sessions for the VM Direct or Search node and cluster have changed to an Operational or Ready state.
Failed to lock virtual machine for backup: Another vProxy operation 'Backup' is active on VM
This error message appears when a backup fails for a virtual machine or when a previous backup of the virtual machine was abruptly ended and the VM annotation string was not cleared.
To resolve this issue, clear the annotation string value for the virtual machine.
1. Connect to the vCenter server, and then select Home > Inventory > Hosts and Clusters.
2. Select the virtual machine, and then select the Summary tab.
3. Clear the value that appears in the Dell VM Direct Engine Session field.
Lock placed on virtual machine during backup and recovery operations continues for 24 hours if VM Direct appliance fails
During VM Direct backup and recovery operations, a lock is placed on the virtual machine. If a VM Direct appliance failure occurs during one of these sessions, the lock is extended to a period of 24 hours, during which full backups and transaction log backups will fail with the following error until the lock is manually released:
Cannot lock VM 'W2K8R2-SQL-2014' (vm-522): Another vProxy operation 'Backup' is active on VM vm-522.
Workaround
To manually release the lock on the virtual machine:
1. Open the vSphere Web Client.
2. Select the virtual machine and select Summary.
3. Select Custom attribute and click Edit.
4. Remove the attribute Dell VM Direct Engine Session.
Managing command execution for VM Direct agent operations on Linux
The VM Direct agent automatically creates a PAM service file named vproxyra in the /etc/pam.d system directory, if the file does not already exist.
This file, which enables you to manage command execution through the VM Direct agent, is modeled on the corresponding vmtoolsd file. The settings in this file permit command execution by any user who is able to perform VM Direct operations on the guest virtual machine. A system administrator can further modify this file to specify which users can perform VM Direct operations, for example, file-level restore and SQL application-aware protection. For more information on the configuration of PAM service files, see the system documentation for your specific guest virtual machine operating system.
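One way to audit whether a PAM service file such as /etc/pam.d/vproxyra limits which accounts can use it, shown next to a permissive and a group-restricted variant. This is an added example, not from the Dell guide: the sample file contents, the function names and the group name vmdirect-ops are constructed assumptions, and the file the agent generates on a given guest may differ.

```shell
#!/bin/sh
# Added example, not from the Dell guide. The sample file contents and the
# group name "vmdirect-ops" are constructed; inspect the real
# /etc/pam.d/vproxyra on the guest before changing it.

# List active auth/account rules that call a module commonly used to limit
# which accounts may use a PAM service. Prints "unrestricted" when there is
# none. Rules pulled in through include/substack lines are not followed.
pam_user_restrictions() (
    found=0
    while read -r ptype rest || [ -n "$ptype" ]; do
        ptype=${ptype#-}             # "-account" is the same rule type
        case "$ptype" in
            auth|account) ;;
            *) continue ;;           # comments, blank lines, other types
        esac
        case "$rest" in
            *pam_succeed_if.so*|*pam_listfile.so*|*pam_access.so*)
                printf '%s %s\n' "$ptype" "$rest"
                found=1 ;;
        esac
    done < "$1"
    [ "$found" -eq 1 ] || echo "unrestricted"
)

# Run the audit over two constructed service files.
demo_pam_audit() (
    dir=$(mktemp -d)
    # Permissive: any account that authenticates is accepted.
    cat > "$dir/open" <<'EOF'
#%PAM-1.0
auth required pam_shells.so
auth include password-auth
account required pam_nologin.so
account include password-auth
EOF
    # Restricted: the account stack also requires membership of vmdirect-ops.
    cat > "$dir/limited" <<'EOF'
#%PAM-1.0
auth required pam_shells.so
auth include password-auth
account required pam_nologin.so
account required pam_succeed_if.so user ingroup vmdirect-ops
account include password-auth
EOF
    pam_user_restrictions "$dir/open"
    pam_user_restrictions "$dir/limited"
    rm -rf "$dir"
)
demo_pam_audit
```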
PowerProtect plug-in and portlet for vSphere display errors after replacing security certificates
After you replace the default self-signed security certificates, you may see errors in the vSphere client PowerProtect portlet when you select virtual machines:
Service Unavailable: Please contact your administrator.
No healthy upstream.
Reinstall the PowerProtect plug-in to apply the new certificates. The PowerProtect Data Manager Security Configuration Guide provides more information.
SQL Server application-consistent backups fail with error "Unable to find VSS metadata files in directory"
SQL Server application-consistent virtual machine backups might fail with the following error when the disk.EnableUUID variable for the virtual machine is set to False.
Unable to find VSS metadata files in directory C:\Program Files\DPSAPPS\MSVMAPPAGENT\tmp\VSSMetadata.xxxx.
To resolve this issue, ensure that the disk.EnableUUID variable for the virtual machines included in a SQL Server application-consistent backup is set to True.
Troubleshooting virtual machine restore issues
The following topics provide information on troubleshooting virtual machine restore failures and virtual machine restore limitations.
Removal of pre-existing snapshots required before running virtual machine restore
A virtual machine restore cannot be completed when a pre-existing VMware snapshot is present on the virtual machine. An error similar to the following appears:
Session 'session ID' is unsuccessful: There are 1 pre-existing snapshot present on this VM. Recover is not possible. Remove snapshot(s) and try again.
Verify that no pre-existing snapshots exist on the virtual machine, and then retry the restore operation from the System Jobs window of the PowerProtect Data Manager UI.
Some operations fail for vTPM virtual machine in a DRS-enabled cluster with dedicated vCenter user account
The following operations fail for virtual machines with a Virtual Trusted Platform Module (vTPM) when the virtual machines are in a DRS-enabled cluster and using a dedicated vCenter user account:
The vTPM virtual machines cannot be powered on after a restore to the original virtual machine or restore to a new virtual machine, with the error Permission to perform this operation was denied displaying.
For an instant access restore, migration is unsuccessful, with the error Unable to complete vMotion task Task:task-3785. Permission to perform this operation was denied displaying.
To avoid these issues, ensure that the privilege Cryptographic operations > Migrate is included as part of the dedicated vCenter user role. Specify the required privileges for a dedicated vCenter user account provides more information.
Virtual machine restores fail when vProxyd or vrecoverd disruption occurs
A virtual machine restore hangs and VPOD will not be able to reconnect to the restore session when the following scenarios occur:
A disruption to the vrecoverd process on any external VM Direct Engine.
A disruption to the vProxyd process during a Restore to Original Folder and Overwrite Original Files or Create and Restore to New VM operation that uses Transparent Snapshot Data Mover (TSDM) as the protection mechanism.
After several retry attempts, VPOD marks the restore session as "Failed" and releases the VM Direct Engine associated with the restore.
If this failure occurs during a Create and Restore to New VM, you can delete the new virtual machine and restart the restore operation.
If this failure occurs during a Restore to Original Folder and Overwrite Original Files, you must remove the VM Direct Engine lock on the virtual machine from the vCenter server, and then retry the restore operation. In the vSphere Client, the VM Direct Engine lock appears as a custom attribute with the name Dell VM Direct Engine Session.
NOTE: If this attribute contains any value after a vProxyd process failure, backup and restore operations on this virtual machine cannot be performed. Clean up of this attribute and then running a successful restore operation is a requirement in order to avoid any potential data loss or corruption of the virtual machine, otherwise subsequent backups might also contain corrupted data.
DD NFS share not removed after instant access restore
The NFS share might not be removed after a successful virtual machine instant access restore. When this occurs, the restore hangs and the following NFS clients appear enabled in the DD system.
Figure 9. DD NFS clients still enabled after restore
If you encounter this issue, you can wait 24 hours for PowerProtect Data Manager to clean up the DD NFS shares, or you can stop the restore and clean up the DD NFS clients manually by performing the following steps:
1. Restart the VMDM service by typing /usr/local/brs/lib/vmdm/bin/vmdm restart.
2. Clean up DD NFS clients by typing nfs del
3. In the vSphere Client's Configuration tab, manually unmount the EMC-vProxy-vm-qa-xxxxx DDNFS datastore that is mounted on the ESXi host.
IP address change required after successful image-level restore to a new virtual machine
After performing a successful image-level restore to a new virtual machine, ensure that you change the IP address immediately in order to avoid IP conflicts with the original virtual machine. If you do not change the IP to a unique value, subsequent data protection operations might fail on the restored virtual machine, even if that virtual machine's network interfaces are disconnected.
Virtual machine protection copy does not display under available copies
If a virtual machine protection copy does not display under the available copies in PowerProtect Data Manager, verify the following:
Ensure that protection of the virtual machine completed successfully.
Check that the desired copy has not expired according to the PowerProtect Data Manager protection policy.
Virtual machine restore fails with name resolution error
A virtual machine restore might fail with the following error due to network issues between protection storage and either PowerProtect Data Manager or the vCenter or ESXi server:
com.emc.brs.vmdm.http.HttpsConnector - null: Temporary failure in name resolution
java.net.UnknownHostException : null: Temporary failure in name resolution
Ensure that you have proper name resolution between protection storage and either PowerProtect Data Manager or the vCenter or ESXi server.
Virtual machine restore fails when the previous restore of this virtual machine is in progress or did not complete
A virtual machine restore fails with the following error if the previous restore operation for the same virtual machine is still in progress or did not complete successfully:
Error : There is another running restore operation that conflicts with this request.
If the previous restore operation for this virtual machine is still in progress, monitor the progress in PowerProtect Data Manager until the restore completes. If the virtual machine restore is complete but the task stops responding, then you must manually cancel the restore in PowerProtect Data Manager by restarting the VMDM service. You can restart the VMDM service by typing /usr/local/brs/lib/vmdm/bin/vmdm restart.
Virtual machine restore fails with error due to VM Direct corruption
A virtual machine restore might fail with the following error due to corruption of the VM Direct Engine that is running in PowerProtect Data Manager:
com.emc.dpsg.vproxy.client.VProxyManager - Error(createSession): javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection
Ensure that the vproxyd service is running in PowerProtect Data Manager by typing the following command.
ps xa | grep vproxy
Ensure that the vproxy rpm is installed as expected in PowerProtect Data Manager by typing the following command.
rpm -qa | grep vProxy
When logged in as the root user, restart the vproxyd service on PowerProtect Data Manager by typing the following command.
systemctl restart vproxyd
Virtual machine restore fails with error "User UserEARA does not have proper privileges"
A virtual machine restore fails with the error "User UserEARA does not have proper privileges" when the user does not have adequate privileges to perform the restore operation.
Ensure that the PowerProtect Data Manager user performing the restore belongs to System Tenant and has the Administrator or Restore Administrator role.
Filtering virtual machine copies by File Indexing column is not available
When you select a virtual machine for restore in the PowerProtect Data Manager UI and then click View Copies to select from one of the available copies, using the filter in the File Indexing column does not return any results. Use the filters from other columns to locate the virtual machine asset copies that you want to restore.
Network connection issues with cloud-based deployments after restore of virtual machine with NSX-T VDS port groups
A network connection cannot be established with VMC, AVS, GCVE, or VMware Cloud on Dell deployments after performing a restore of virtual machines with NSX-T VDS port groups. This issue occurs even when the Connect at Power On option is selected in the Networks page of the PowerProtect Data Manager UI Restore wizard.
This issue is only applicable when the source virtual machine is already running in the VMC vCenter. VMware is investigating the issue, and a fix might be provided in the future. Until a fix is made available, perform the following as a workaround to reconnect the restored virtual machines to the NSX-T VDS port group:
1. In the vSphere Client, right-click the restored virtual machine and select Edit Settings.
2. Change the network of the vNIC to a different NSX-T VDS port group, and then click OK to save the changes to exit the window.
3. Right-click the restored virtual machine and select Edit Settings again.
4. Change the network of the vNIC back to the original NSX-T VDS port group.
5. Select Connected and Connect at power on, and then click OK.
Troubleshooting instant access restore failures
An instant access restore consists of two stages. First, a virtual machine is made available in the UI as an instant access virtual machine without moving the virtual machine to permanent storage. Second, storage vMotion is initiated to migrate the virtual machine to permanent storage.
If at any point during the migration a restore failure occurs, the instant access session is not automatically removed until after the expiration period for an instant access virtual machine restore, which is 7 days by default. This behavior is intentional for the following reasons:
To avoid data loss, since changes might have been made to the virtual machine during that time
To provide you with the opportunity to fix the issue (for example, to free up space on the restore destination or choose a different datastore) and then take the appropriate action
When the cause of the failure is determined and/or fixed, you can use the Instant Access Sessions window of the UI to retry the migration, or save the data and delete the instant access virtual machine, as required. The section Manage and monitor Instant Access Sessions provides detailed information about these actions.
Troubleshoot virtual machine SQL application consistent policy issues
Review the following topics related to troubleshooting virtual machine SQL application-consistent protection policies.
Troubleshooting Microsoft SQL Server databases skipped during virtual machine transaction log backup
If a transaction log backup is not appropriate for a database, the database is automatically skipped. Databases are skipped for the reasons outlined in the following table.
Table 30. Microsoft SQL Server skipped database cases and descriptions
Case | Description
Database has been restored | When a database has been restored, this database is skipped during a transaction log backup because there is no backup promotion.
System database | System databases are automatically skipped during a transaction log backup.
Database state | The database is not in a state that allows a backup. For example, the database is in the NORECOVERY state.
Recovery model | The database is in the SIMPLE recovery model, which does not support a transaction log backup.
Other backup product | The most recent backup for the database was performed by a different backup product.
New database | The database was created after the most recent full backup.
Backup failure | The database was in a state that allows a backup, and a backup was tried, but the backup failed.
All skipped databases are backed up as part of the next full backup. Also, a skipped database does not result in a failure.
The only instance in which a transaction log backup job would potentially fail is if all Microsoft SQL Server instance databases failed to be backed up or were skipped.
Troubleshooting Microsoft SQL Server application-aware backup error about disk.EnableUUID variable
A Microsoft SQL Server application-aware virtual machine backup succeeds but displays the following error when the disk.EnableUUID variable for the virtual machine is set to TRUE:
VM '
Troubleshooting an issue with trailing spaces in Microsoft SQL Server database names
Due to a VSS limitation, you cannot use trailing spaces within the names of Microsoft SQL Server databases protected by an application-consistent data protection policy.
Troubleshooting vSphere Plugin deployments
When investigating issues with the vSphere Plugin deployments, you might need to troubleshoot its deployment.
Troubleshoot vSphere Plugin deployments
In some circumstances, issues can occur during the deployment of the PowerProtect Data Manager vSphere Plugin.
About this task
If deployment of the vSphere Plugin fails, the plugin displays SSL errors or other errors such as 503 Service Not Available or No Healthy Upstream, or you need to force the removal and re-installation of the plugin, perform the following steps:
Steps
1. In the PowerProtect Data Manager UI, go to Infrastructure > Asset Sources.
2. Select the vCenter asset source, and then click Edit.
3. Unselect vSphere Plugin, and then click Save.
4. Log in to the vCenter MOB, for example, http://vcenter.example.com/mob.
5. Navigate to a new window to unregister the extension, for example, http://vcenter.example.com/mob/?moid=ExtensionManager&method=unregisterExtension
6. On this window, type 'com.emc.dpsg.ppdm.plugin', and then click Invoke Method.
7. In the PowerProtect Data Manager UI, go to Infrastructure > Asset Sources, select the vCenter server, and then click Edit.
8. Select vSphere Plugin, and then click Save.
9. Log out of the vCenter server, and then log back in again.
NOTE: If Refresh is displayed, click it.
Next steps
If the PowerProtect Data Manager vSphere Plugin is not deployed in vCenter after performing these steps, you might be required to restart the vSphere Web Client service.
To restart the vSphere Web Client service on a vCenter Server Appliance (VCSA), perform the following steps:
1. Run the following commands:
service-control --stop vsphere-ui
service-control --start vsphere-ui
2. Log out of the vSphere Client, and then log back in to force deployment of the vSphere Plugin.
VMware knowledge base articles and product documentation
Additional VMware troubleshooting information is available at the VMware Knowledge Base and VMware Documentation websites.
Glossary
This glossary provides definitions of acronyms used in the PowerProtect Data Manager documentation.
A
AAG: Always On availability group
ACL: access control list
AD: Active Directory
AKS: Azure Kubernetes Service
API: application programming interface
ARM: Azure Resource Manager
AVS: Azure VMware Solution
AWS: Amazon Web Services
AZ: availability zone
B
BBB: block-based backup
C
CA: certificate authority
CBT: Changed Block Tracking
CDC: change data capture
CIFS: Common Internet File System
CLI: command-line interface
CLR: Common Language Runtime
CN: common name
CPU: central processing unit
CR: custom resource
CRD: custom resource definition
CSI: container storage interface
CSV: Cluster Shared Volume
D
DA: database administrator
DAG: database availability group
DBID: database identifier
DDMC: DD Management Center
DDOS: DD Operating System
DDVE: DD Virtual Edition
DFC: DD Boost over Fibre Channel
DNS: Domain Name System
DPC: Data Protection Central
DR: disaster recovery
DRS: Distributed Resource Scheduler
DSA: Dell security advisory
E
EBS: Elastic Block Store
EC2: Elastic Compute Cloud
eCDM: Enterprise Copy Data Management
ECS: Elastic Cloud Storage
EFI: Extensible Firmware Interface
EKS: Elastic Kubernetes Service
ENI: Elastic Network Interface
EULA: end-user license agreement
F
FC: Fibre Channel
FCD: first class disk
FCI: failover cluster instance
FETB: front-end protected capacity by terabyte
FLR: file-level restore
FQDN: fully qualified domain name
FTP: File Transfer Protocol
G
GB: gigabyte. At Dell, this is 2^30 bytes.
Gb/s: gigabits per second. At Dell, this is 2^30 bits per second.
GCP: Google Cloud Platform
GCVE: Google Cloud Virtual Edition
GID: group identifier
GLR: granular-level restore
GUI: graphical user interface
GUID: globally unique identifier
H
HA: High Availability
HANA: high-performance analytic appliance
HTML: Hypertext Markup Language
HTTP: Hypertext Transfer Protocol
HTTPS: Hypertext Transfer Protocol Secure
I
IAM: identity and access management
IDE: Integrated Device Electronics
IP: Internet Protocol
IPv4: Internet Protocol version 4
IPv6: Internet Protocol version 6
K
KB: kilobyte. At Dell, this is 2^10 bytes.
L
LAC: License Authorization Code
LAN: local area network
M
MB: megabyte. At Dell, this is 2^20 bytes.
ms: millisecond
MTU: maximum transmission unit
N
NAS: network-attached storage
NBD: network block device
NBDSSL: network block device over SSL
NDMP: Network Data Management Protocol
NFC: Network File Copy
NFS: Network File System
NIC: network interface card
NTFS: New Technology File System
NTP: Network Time Protocol
O
OS: operating system
OSS: open-source software
OVA: Open Virtualization Appliance
P
PCS: Protection Copy Set
PDF: Portable Document Format
PEM: Privacy-enhanced Electronic Mail
PIN: personal identification number
PIT: point in time
PKCS: Public Key Cryptography Standards
PSC: Platform Service Controller
PVC (cloud computing): private virtual cloud
PVC (Kubernetes): Persistent Volume Claim
R
RAC: Real Application Clusters
RAM: random-access memory
RBAC: role-based access control
ReFS: Resilient File System
REST API: representational-state transfer API
RHEL: RedHat Enterprise Linux
RMAN: Recovery Manager
RPO: recovery-point objective
RSA: Rivest-Shamir-Adleman
S
S3: Simple Storage Services
SaaS: software as a service
SAP: System Analysis Program Development. From the SAP website (2022), "the name is an initialism of the company's original German name: Systemanalyse Programmentwicklung, which translates to System Analysis Program Development. Today the company's legal corporate name is SAP SE - SE stands for societas Europaea, a public company registered in accordance with the European Union corporate law."
SCSI: Small Computer System Interface
SDDC: software-defined data center
SELinux: Security-Enhanced Linux
SFTP: Secure File Transfer Protocol
SLA: service-level agreement
SLES: SuSE Linux Enterprise Server
SLO: service-level objective
SPBM: Storage Policy Based Management
SQL: Structured Query Language
SRS: Secure Remote Services
SSD: solid-state drive
SSH: Secure Shell
SSL: Secure Sockets Layer
SSMS: SQL Server Management Studio
SSVs: System Stable Values
T
TB: terabyte. At Dell, this is 2^40 bytes.
TCP: Transmission Control Protocol
TDE: Transparent Data Encryption
TLS: Transport Layer Security
TPM: Trusted Platform Module
TSDM: Transparent Snapshot Data Mover
T-SQL: Transact-SQL
U
UAC: user account control
UDP: User Datagram Protocol
UI: user interface
UID: user identifier
UTC: Coordinated Universal Time. From Wikipedia (2022), "this abbreviation comes as a result of the International Telecommunication Union and the International Astronomical Union wanting to use the same abbreviation in all languages. English speakers originally proposed CUT (for 'coordinated universal time'), while French speakers proposed TUC (for 'temps universel coordonné')."
V
VADP: VMware vStorage APIs for Storage Awareness
VBS: virtualization-based security
VCF: VMware Cloud Foundation
vCLS: vSphere Cluster Service
vCSA: vCenter Server Appliance
VCSA: vCenter Server Appliance
VDI: Virtual Device Interface
vDisk: virtual disk
vDS: virtual distributed switch
vFRC: Virtual Flash Read Cache
VGT: Virtual Guest Tagging
VIB: vSphere Installation Bundle
VLAN: virtual LAN
VM: virtual machine
VMC: VMware Cloud
VMDK: virtual machine disk
VNet: virtual network
VPC: virtual private cloud
vRSLCM: vRealize Suite Lifecycle Manager
VST: Virtual Switch Tagging
vTPM: Virtual Trusted Platform Module
VVD: VMware Validated Design
vVol: virtual volume
W
WAN: wide area network