Veeam Best Practices
My last post in 2019 was about Veeam Backup for Office 365 - I think it's only fair to continue the story. 🙂
If you haven't noticed this short post by Niels Engelen, you may be unaware that good people at Veeam put together a Best Practice Guide for Veeam Backup for Office 365!
Great thing about this guide is that it's really a "live document", which covers design, configuration and operations for VBO and it will be updated regularly, so make sure to bookmark it and check it from time to time!
Also, there is a Best Practice Guide for Veeam Backup & Replication, which should be bookmarked and checked regularly as well, in case you forgot about it! 🙂
Cheers!
Backing up Office 365 to S3 storage (Exoscale SOS) with Veeam
Are you backing up your Office 365? And... why not? 🙂
I'm not going into the lengthy and exhausting discussion of why you should take care of your data, even if it's stored in something unbreakable like "the cloud", at least not in this post. I would like to focus on one of the features of the new Veeam Backup for Office 365 v4, which was released just the other day. This feature is "object storage support", as you may have guessed it already from the title of this fine post!
So, this means that you can take Amazon S3, Microsoft Azure Blob Storage or even IBM Cloud Object Storage and use it for your Veeam Backup for Office 365. And even better - you can use any S3-compatible storage to do the same! How cool is that?!
To test this, I decided to use the Exoscale SOS (also S3-compatible) storage for backups of my personal Office 365 via Veeam Backup for Office 365.
I've created a small environment to support this test (and later production, if it works as it should) and basically done the following:
- created a standard Windows Server 2019 VM on top of Microsoft Azure, to hold my Veeam Backup for Office 365 installation
(good people at Microsoft provided me Azure credits, so... why not?!) - downloaded Veeam Backup for Office 365
(good people at Veeam provided me NFR license for it, so I've used it instead of Community Edition) - created an Exoscale SOS bucket for my backups
(good people at Exoscale/A1TAG/A1.digital/A1HR provided me credits, so... why not?!) - installed Veeam Backup for Office 365
(it's a "Next-Next-Finish" type of installation, hard to get it wrong) - configured Veeam Backup for Office 365 (not so hard, if you know what you are doing and you've read the official docs)
- added a new Object Storage Repository
- added a new Backup Repository which offloads the backup data to the previously created Object Storage Repository
- configured a custom AAD app (with the right permissions)
- added a new Office 365 organization with AAD app and Global Admin account credentials (docs)
- created a backup job for this Office 365 organization
- started backing it all up
Now, a few tips on the "configuration part":
- Microsoft Azure:
- no real prerequisites and tips here - simple Windows VM, on which I'm installing the downloaded software (there is a list of system requirements if want to make sure it's all "by the book")
- Exoscale:
- creating the Exoscale SOS bucket is relatively easy, once you have your account (you can request a trial here) - you choose the bucket name and zone in which data will be stored and... voilĂ :
-
- if you need to make adjustments to the ACL of the bucket, you can (quick ACL with private setting is just fine for this one):
-
- to access your bucket from Veeam, you'll need your API keys, which you can find in the Account - Profile - API keys section:
-
- one other thing you'll need from this section is the Storage API Endpoint, which depends on the zone you've created your bucket in (mine was created inside AT-VIE-1 zone, so my endpoint is https://sos-at-vie-1.exo.io):
- Office 365:
- note: I'm using the Modern authentication option because of MFA on my tenant and... it's the right way to do it!
- for this, I created a custom application in Azure Active Directory (AAD) (under App registrations - New registration) (take a note of the Application (client) ID, as you will need it when configuring Veeam):
-
- I've added a secret (which you should also take a note of, because you'll need it later) to this app:
-
- then, I've added the minimal required API permissions to this app (as per the official docs) - but note that the official docs have an error (at this time), which I reported to Veeam - you'll need the SharePoint Online API access permissions even if you don't use the certificate based authentication(!) - so, the permissions which work for me are:
-
- UPDATE: Got back the word from Veeam development - additional SharePoint permissions may not be necessary after all, maybe I needed to wait a bit longer... will retry next time without those permissions. 🙂
- after that, I've enabled the "legacy authentication protocols", which is still a requirement (you can do it in Office 365 admin center - SharePoint admin center - Access Control - Apps that don't use modern authentication - Allow access or via PowerShell command "Set-SPOTenant -LegacyAuthProtocolsEnabled $True"):
-
- lastly, I've created an app password for my (global admin) account (which will also be required for Veeam configuration):
- Veeam Backup for Office 365:
- add a new Object Storage Repository:
-
- add a new Backup Repository (connected to the created Object Storage Repository; this local repository will only store metadata - backup data will be offloaded to the object storage and can be encrypted, if needed):
-
- add a new Office 365 organization:
-
- create a backup job:
-
- start backing up your Office 365 data:
Any questions/difficulties with your setup?
Leave them in the comments section, I'll be happy to help (if I can).
Cheers!
The backup destination is not writable…
So… you decided to finally configure backup for your servers, and just when you’ve chosen the “backup solution”, troubles start. 
What do we need for doing Windows Server backups?
Nothing too fancy – we can use the built-in Windows Server Backup (feature that needs to be installed through Server Manager, PowerShell, …) combined with some location (network share, disk, volume) with enough free space. (yes, we can also use some other backup software, but this is not the topic here)
Let’s say that we have installed Windows Server Backup feature and chosen a network share for our backup location. The one other thing we need on this share are the right permissions for our service account (an account under which the backups will be done – for example, BackupAccount).
So, we go to this share (\\BackupLocation\MyBackups\) and check if our service account has the required permissions:
Everything looks fine (our service account has permissions, folder is shared and accessible from the source server – yes, Windows Firewall is also configured properly ).
We go back to our source server where we configure our backup schedule as a Full Computer backup, once a day, to the backup location previously mentioned, using the service account previously specified for this backup job. Everything goes fine.
Then, just for fun, we try to run our backup schedule (just to see if everything works as it should). We click on the Backup Once option (with Using the previously scheduled… option), and just at the end of this wizard, we receive the following error, saying that our backup destination is not writable (yes, it’s the good old Windows Server 2008 R2, but it really doesn’t matter… the same happens on newer/older versions as well ):
What happened???
We’ve checked (and double-checked) everything – our share, permissions, Windows Firewall, and “who knows what”, and this wizard still says we cannot write to the backup destination! This must be an issue with the free, out-of-the-box backup solution.
Not really.
The issue here is that I’m running the Windows Server Backup console as “myself” (i.e. my user, for example, SERVER\tomica) and I don’t really have the required permissions on the backup share (I’m not a member of the local Administrators group on the backup destination and, as you may remember, only our BackupAccount has the required permissions set).
So, is this an issue?
No, not really because our scheduled backup will complete successfully (it will be running under the user account with correct permissions on a backup share).
And, if we really want to make this first backup right now, we can run it from the Task Scheduler console (by checking the “Allow task to be run on demand” checkbox first, for the backup task).
Hope this helps someone with similar problems (it’s kind of a dumb “issue”, but…).
Cheers!
Altaro Hyper-V Backup v5 just released
New version of my favorite Hyper-V backup tool just got officially released! 
Altaro released the long-awaited next version of their Hyper-V backup software, Altaro Hyper-V Backup v5 – it features a completely new look, centralized configuration and management of multiple hosts with greater flexibility and improved performance. Do I have to mention that it has a free version as well?
FREE version offers free backup of two virtual machines... forever! (there is also a 30-day trial available for more than two virtual machines)
I like it because it’s simple and not too expensive (in more than one aspect), fast, does the job, and does it pretty good! I’ve also installed the new version on one of my hosts, and it looks just great (can’t wait to run the first backup and restore of my virtual machines)!
 
You can find more info and official announcement here.
Download is available here.
Cheers!
UPDATE: Please, don't remove your own host from the console (until the next week's release goes public) - in the current public release (5.0.75.0), you won't be able to add it back!
Workaround:
1. stop all Altaro services
2. go to %ProgramData%\Altaro
3. rename the AltaroBackupProfile folder to AltaroBackupProfile.old
4. start all Altaro services
Microsoft Azure Backup (WinDays14)
Not so long ago (just before the WinDays14 conference in Croatia), I’ve written an article about Windows Azure Backup (now called Microsoft Azure Backup because of a renaming scheme that followed little after the article was sent to be published). This article was written for the special, conference edition of Mreža magazine.
Unfortunately (for some), this article is in Croatian.
You can find and read the article using the specialized Windows 8/8.1 app called Bug & Mreža (or direct link) – app created for reading the digital editions of two of our largest IT magazines, Bug and Mreža).
With weekend just around the corner, maybe now is the right time to try Microsoft Azure and, more specifically, the Microsoft Azure Backup feature? 
Have a great weekend!
UPDATE (June 14th, 2014): This article was re-published in MreĹľa magazine, "regular" (not WinDays) edition, July 2014. Makes me proud. Again.
Handy Backup
Kolega Ilija me upozorio na backup utility iz naslova – koliko sam shvatio iz njegovog posta, mislim da se radi o utilityu koji vrijedi isprobati. Iskreno, još ga nisam stigao probati, ali upravo krećem...
Uz informacije o samom programu, Ilija dijeli i 3 Pro licence pa navalite dok još ima… 🙂
Archives
- January 2020
- November 2019
- August 2019
- July 2019
- March 2019
- December 2018
- November 2018
- September 2018
- August 2018
- July 2018
- June 2018
- May 2018
- April 2018
- September 2017
- July 2017
- May 2017
- April 2017
- March 2017
- February 2017
- December 2016
- November 2016
- October 2016
- September 2016
- January 2016
- December 2015
- September 2015
- June 2015
- April 2015
- February 2015
- January 2015
- December 2014
- November 2014
- October 2014
- September 2014
- August 2014
- July 2014
- June 2014
- May 2014
- March 2014
- February 2014
- December 2013
- July 2013
- June 2013
- May 2013
- November 2012
- October 2012
- June 2012
- April 2012
- November 2011
- October 2011
- May 2011
- March 2011
- February 2011
- January 2011
- November 2010
- October 2010
- August 2010
- July 2010
- June 2010
- May 2010
- April 2010
- March 2010
- February 2010
- January 2010
- December 2009
- November 2009
- October 2009
- September 2009
- August 2009
- May 2009
- April 2009
- March 2009
- December 2007
- November 2007
- October 2007
- September 2007