Free ebook supplement: Microsoft System Center DPM VMware Private Cloud Protection

Microsoft System Center Data Protection Manager has a new feature that provides protection for Virtual Machines running on the VMware platform. Learn about this feature in the following supplemental chapter for the free ebook Microsoft System Center Data Protection for the Hybrid Cloud.

Download the ebook here.

Chapter 6

VMware Private Cloud Protection

This chapter explains how Microsoft System Center Data Protection Manager (DPM) provides protection for Virtual Machines (VMs) running on the VMware platform. Most of the workflows are identical to how other data sources work within DPM, but there are some differences primarily afforded by richer capabilities provided in the VMware platform. This chapter will focus more on the differences and behaviors that are unique to VMware VMs and assume reader is familiar with general data protection workflows.

VMware VM Protection

DPM uses native vStorage APIs for Data Protection (VADP) provided by VMware and specifically designed to take host-level VM backups. In VMware backup terminology, this is referred to as agentless backup since the backup operations run from the VMware host server without the need for any agents deployed either on the host or in the VM.

DPM can back up VMs that are deployed on standalone ESXi hosts or in a Highly Available (HA) ESXi host cluster in a vCenter environment. DPM leverages vCenter integration to discover virtual machines in a VMware environment.

After the VMware VMs are discovered and added to the protection group, all the backup workflows are identical to other data sources. This provides a seamless experience in the DPM context for protecting VMware virtual machines.

Differences between Hyper-V and VMware VM backup

VMware as a hypervisor platform differs from Hyper-V, which impacts some of the VM protection workflows. The following list highlights these differences:

  • Agentless:  This is a key difference between the Hyper-V and VMware stack where no agents need to be deployed on the ESXi server to back up the VMs running on the host. With Hyper-V, the DPM server pushes agents on every Hyper-V host before it can discover and protect the VMs running on that host. With VMware, DPM integrates directly with VADP APIs provided by the VMware hypervisor to perform the backups, thereby obviating the need for installing any agents.
  • vCenter level discovery:  With Hyper-V VM protection, VMs must be selected from each Hyper-V host or a Hyper-V cluster. With VMware, however, all the VMs in the vCenter environment are discoverable, which makes VM protection simple since there is no need to browse through each host to discover and protect the VMs.
  • Folder-level discovery:  During the discovery step within the DPM protection workflow, either the entire folder or some of the VMs can be selected for protection. Additionally, if the entire folder is selected for protection, any new VMs that are added to the folder are automatically protected by DPM. This feature is available only with VMware VM backup; Hyper-V does not provide folder-level abstraction.

Configuring DPM Server

DPM server can be deployed on a physical machine or on a virtual machine. No additional steps are required during DPM installation to enable VMware VM backups. Furthermore, if DPM is deployed on Hyper-V 2012 R2, it can leverage Windows deduplication to optimize backup storage.

See also: For more information on de-duplicating DPM storage, see https://technet.microsoft.com/en-us/library/dn891438.aspx.

Since the DPM server can discover and protect VMs via vCenter or ESXi server, rest of the chapter refers to vCenter or ESXi host as VMware server. The DPM server needs to be configured to have appropriate credentials to execute the backup operations on the VMware server and a secure communication channel to communicate with the VMware server. Once these steps are performed, VMware servers need to be added to the DPM server to back the virtual machines running on them. The following sections describe this configuration process.

VMware Credentials

The remote authentication with the VMware servers, which is required during all the backup and recovery operations, is done using credentials that are created and stored securely on the DPM server. Every credential added to the DPM server needs to have a minimum set of privileges to perform the backup and restore operations as shown in Table 6-1.

List of privileges needed for Backup user credential
privilege.Global.ManageCustomFields.label
privilege.VirtualMachine.Config.ChangeTracking.label
privilege.Network.Assign.label
privilege.Datastore.AllocateSpace.label
privilege.VirtualMachine.State.RemoveSnapshot.label
privilege.VirtualMachine.State.CreateSnapshot.label
privilege.VirtualMachine.Provisioning.DiskRandomRead.label
privilege.VirtualMachine.Interact.PowerOff.label
privilege.VirtualMachine.Inventory.Create.label
privilege.VirtualMachine.Config.AddNewDisk.label
privilege.VirtualMachine.Config.HostUSBDevice.label
privilege.VirtualMachine.Config.AdvancedConfig.label
privilege.VirtualMachine.Config.SwapPlacement.label

Table 6-1   Minimum privileges needed for the Backup User credential

Here are the steps to create a new user (for e.g. BackupAdmin) with the above privileges in the VMware Administrator console:

1. Create a new role called BackupAdminRole

  • Login into VMware server
  • Click on Administration and select Roles and click Add to create a new role called BackupAdminRole with the above specified privileges

2. Create new user called BackupAdmin

  • Click on Administration and select Users and Groups then click Add
  • Enter login name called BackupAdmin and password

3. Assign BackupAdminRole role to BackupAdmin

  • Click on Administration and select Global Permissions then click Add
  • Then click Add and select BackupAdmin user on the left pane
  • Then select BackupAdminRole and click OK

Once the user with the right privileges has been created, it can be added to the DPM server through Manage VMware credentials workflow as shown in Figure 6-1.

1. Go to the Management tab in the left hand pane

2. Click the Production Servers option on the left hand pane

3. Go to Manage VMware Credentials button on the top ribbon

4. Click on Add to add the credential to the DPM server

Figure 6-1 Adding a new Credential to DPM server

Figure 6-1 Adding a new Credential to DPM server

The Add Credential screen will then be displayed to enter a friendly name for the credential, a description, the user ID and password, as shown in Figure 6-2.

Figure 6-2 Adding a new Credential to DPM server

Figure 6-2 Adding a new Credential to DPM server

Credentials can also be added through the Production Server Addition Wizard as shown in Figure 6-3.

Figure 6-3 Alternate way of adding a Credential to DPM server

Figure 6-3 Alternate way of adding a Credential to DPM server

Most organizations need to update credentials on a regular basis for security reasons and/or personnel changes. As these changes are made on the VMware servers’ credentials, corresponding credentials that are used by DPM server also need to be updated. Figure 6-4 shows the steps required to update a previously created credential.

1. Go to the Management tab on the left hand pane

2. Click on Production Servers option

3. Click on Manage VMware Credentials option in the top ribbon to open the Manage Credentials screen

4. Click on the credential and click Update to modify the desired credential

Figure 6-4 Modifying a Credential stored on the DPM server

Figure 6-4 Modifying a Credential stored on the DPM server

Few additional aspects that need to be noted about the credential management process as it relates to VMware VM protection:

  • A single credential can be used for authenticating multiple VMware servers.
  • A credential cannot be deleted if it is currently being used by any VMware server’s authentication setting for backup. Before attempting to delete a credential, all VMware servers using that credential need to be updated to use a different credential.
  • Credentials are stored in a secure manner on the DPM server. The username, password and the credential name is encrypted and stored using the Windows Credential Manager.
  • If any operation between the DPM server and VMware servers requires transmitting the stored credential, it is done securely using the HTTPS protocol.

Secure communication between DPM and VMware servers

VCenter provides a process for secure communication between backup servers and VMware servers to perform backup operations of the virtual machines. This is very useful in a managed service provider environment for providing BaaS (Backup-as-a Service) for tenant’s virtual machines that are generally across trust boundaries. This is accomplished by installing a trusted SSL certificate on the DPM server and VMware server which enables a secure HTTPS communication channel between them.

See also: https://kb.vmware.com/kb/2111219 for details on how to configure this.

Add a VMware server to DPM server

A VMware server can be added to the DPM server by selecting Production Server tab and then selecting Add as shown in Figure 6-5.

Figure 6-5 Adding a VMware server to DPM server

Figure 6-5 Adding a VMware server to DPM server

A Fully Qualified Domain Name (FQDN) or IP address, SSL port for communication (by default this is configured as 443) and the credential for communicating with this DPM server needs to be specified as shown in Figure 6-6.

Figure 6-6 Specify VMware server configuration

Figure 6-6 Specify VMware server configuration

Configuring Virtual Machine protection

Virtual machines can be protected by selecting the protection tab and expanding the VMware server hierarchy as shown in Figure 6-7. The DPM server displays the VMware Server and discovers all the virtual machines that are available for backup. The protection group creation and all the protection workflow such as backup policy creation, configuring tape, disk and cloud targets are identical to how it works with Hyper-V virtual machines. Additionally, similar to Hyper-V virtual machines, the DPM server supports vMotion where it continues to protect VMs even if they migrate to other hosts within a data center without any needing any manual intervention.

Figure 6-7 Adding a VM for DPM protection

Figure 6-7 Adding a VM for DPM protection

Folder level Protection

VMware servers provide a folder level structure where individual virtual machines can be organized like files in a file folder. Customers use this feature to organize virtual machines based on applications they host or to group them by departments they belong to.

During the discovery step within the DPM protection workflow, either the entire folder or some of the virtual machines in the folder can be selected for protection. Additionally, if the entire folder is selected for protection, any new virtual machines that are added to the folder are automatically protected by DPM using the backup policy associated with that folder. Folder level protection can be configured as shown in the Figure 6-8. In this example, all VMs under the folder (and any subfolders) called vm will automatically be protected with the backup policy associated with the folder.

Figure 6-8 Folder level protection for VMware VMs

Figure 6-8 Folder level protection for VMware VMs

Protecting large VMware deployments

A single instance of VCenter can manage thousands of virtual machines across the data center. Since a single DPM server can protect up to 800 virtual machines, multiple DPM servers need to be configured to protect all the virtual machines in such deployments. In such a scaled out deployment, it is important to have a way to associate which virtual machine is protected by which DPM server. The DPM server that is protecting a given VM or folder can be discovered by hovering the mouse over the virtual machine or folder and the FQDN of the DPM server is displayed. In addition, DPM servers have built-in checks to avoid duplicate protection of a virtual machine or folder by multiple DPM servers.

Recovering VMware VMs

DPM server can recover a VM to its original location or an alternate location. In addition, for Windows VMs, DPM server can also restore individual files and folders (Item Level Recovery). Here are the steps involved to recover an entire virtual machine or an individual file:

1. Select the recovery point by selecting the date and time of available backup recovery points.

2. Select the Recover to original location option to perform an in place recovery. This is a destructive operation where a production virtual machine is replaced by the backed up virtual machine and therefore needs to be deployed with caution.

3 Select the Recovery to alternate location option to restore the virtual machine to an alternate VMware server whose IP address or FQDN needs to be provided as shown in Figure 6-9.

4. If the backed up VMware virtual machine is running a Windows guest operating system, user can select and explore each VMDK file and select required files or folders to be recovered as shown in Figure 6-10. In this case, DPM server will only restore the selected files or folders instead of recovering the entire virtual machine.

Figure 6-9 Original and alternate location recovery

Figure 6-9 Original and alternate location recovery Figure 6-10 Item Level Restore (ILR) for a Windows Virtual Machine

Figure 6-10 Item Level Restore (ILR) for a Windows Virtual Machine

Managing and Monitoring VMware VM protection

VMware backup operations are seamlessly incorporated in all the management views. Backup jobs can be monitored on the DPM server jobs view or in the case of multiple DPM servers by going to the DPM central console as shown in Figure 6-11. All VMware VM protection reports can be generated by leveraging DPM Central Reporting feature.

Figure 6-11 Monitoring VMware VM Protection

Figure 6-11 Monitoring VMware VM Protection