In my previous article, I explained how to install and configure Azure Backup Server. This article explains how to configure Azure Backup Server to help protect VMware Server workloads. I am assuming that you already have Azure Backup Server installed. Azure Backup Server can back up, or help protect, VMware vCenter Server version 5.5 and later versions.
Step1: Create a secure connection to the vCenter Server
By default, Azure Backup Server communicates with each vCenter Server via an HTTPS channel. To turn on the secure communication, we recommend that you install the VMware Certificate Authority (CA) certificate on Azure Backup Server.
To create a secure connection, download the trusted root CA certificates.
- In the browser on Azure Backup Server, enter the URL to the vSphere Web Client. The vSphere Web Client login page appears. For example, https://vcenter.domain.com
At the bottom of the information for administrators and developers, locate the Download trusted root CA certificates link.
- Click Download trusted root CA certificates.
The vCenter Server downloads a file to your local computer. The file is named download. Depending on your browser, you receive a message that asks whether to open or save the file.
- Save the file to a location on Azure Backup Server. When you save the file, add the .zip file name extension. The file is a .zip file that contains the information about the certificates. With the .zip extension, you can use the extraction tools.
- Right-click the .zip file, and then select Extract All to extract the contents. The CRL file has an extension that begins with a sequence like .r0 or .r1. The CRL file is associated with a certificate.
- In the certs folder, right-click the root certificate file, and then click Rename. Change the root certificate’s extension to .crt. When you’re asked if you’re sure you want to change the extension, click Yes or OK. Right-click the root certificate and from the pop-up menu, select Install Certificate. The Certificate Import Wizard dialog box appears.
- In the Certificate Import Wizard dialog box, select Local Machine as the destination for the certificate, and then click Next to continue.
If you’re asked if you want to allow changes to the computer, click Yes or OK to allow the changes.
- On the Certificate Store page, select Place all certificates in the following store, and then click Browse to choose the certificate store.
The Select Certificate Store dialog box appears.
- Select Trusted Root Certification Authorities as the destination folder for the certificates, and then click OK. The Trusted Root Certification Authorities folder is confirmed as the certificate store. Click Next.
- On the Completing the Certificate Import Wizard page, verify that the certificate is in the desired folder, and then click Finish.
- Sign in to the vCenter Server to confirm that your connection is secure.
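The wizard steps above can also be scripted and checked. The following PowerShell is an added example, not part of the original article or of Azure Backup Server: it extracts the downloaded archive, asks before adding each self-signed root certificate to the Local Machine Trusted Root store, and then confirms that the vCenter HTTPS endpoint validates. The zip path, the temp folder name, and the treatment of .r0/.r1/.crl files as CRLs are assumptions.

```powershell
# Added example. Run in an elevated PowerShell 5.1+ session on Azure Backup Server.
param(
    [string]$ZipPath = 'C:\Temp\download.zip',   # assumed location of the saved file
    [string]$VCenter = 'vcenter.domain.com',     # example host name used in the article
    [int]$Port = 443
)
$ErrorActionPreference = 'Stop'

# 1. Extract the archive downloaded from the vSphere Web Client page.
$dir = Join-Path $env:TEMP 'vcenter-ca'          # assumed working folder
Expand-Archive -Path $ZipPath -DestinationPath $dir -Force

# 2. Load every non-CRL file and keep only self-signed (root) certificates.
$roots = Get-ChildItem -Path $dir -File -Recurse |
    Where-Object { $_.Extension -notmatch '^\.(r\d+|crl)$' } |
    ForEach-Object {
        try { [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($_.FullName) }
        catch { Write-Warning "Skipping $($_.Name): not a certificate" }
    } |
    Where-Object { $_.Subject -eq $_.Issuer } |
    Sort-Object Thumbprint -Unique

# 3. Show each certificate and ask before trusting it, then add it to
#    LocalMachine\Root (the store selected in the Certificate Import Wizard).
$store = [System.Security.Cryptography.X509Certificates.X509Store]::new('Root', 'LocalMachine')
$store.Open('ReadWrite')
try {
    foreach ($c in $roots) {
        '{0}  {1}  expires {2:yyyy-MM-dd}' -f $c.Thumbprint, $c.Subject, $c.NotAfter
        if ((Read-Host 'Trust this root certificate? (y/n)') -ne 'y') { continue }
        $store.Add($c)
    }
} finally { $store.Close() }

# 4. Connect with default validation: the chain and the host name must both verify.
$tcp = [System.Net.Sockets.TcpClient]::new($VCenter, $Port)
try {
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($VCenter)   # throws AuthenticationException when untrusted
    $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    "Trusted TLS connection to ${VCenter}:$Port, server certificate $($leaf.Thumbprint)"
} finally { $tcp.Close() }
```

If step 4 throws, the root certificate was not imported into the machine store or the name used to reach vCenter does not match its certificate.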
If you have secure boundaries within your organization, and don’t want to turn on the HTTPS protocol, use the following procedure to disable the secure communications.
Step2: Disable secure communication protocol
If your organization doesn’t require the HTTPS protocol, use the following steps to disable HTTPS. To override the default behavior, create a registry key as follows.
- Copy and paste the following text into a .txt file.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\VMWare]
- Save the file to your Azure Backup Server computer. For the file name, use DisableSecureAuthentication.reg.
- Double-click the file to activate the registry entry.
Step3: Create a role and user account on the vCenter Server
To establish the necessary user credentials to back up the vCenter Server workloads, create a role with specific privileges, and then associate the user account with the role.
Azure Backup Server uses a username and password to authenticate with the vCenter Server. Azure Backup Server uses these credentials as authentication for all backup operations.
To add a vCenter Server role and its privileges for a backup administrator:
- Sign in to the vCenter Server, and then in the vCenter Server Navigator panel, click Administration.
- In Administration select Roles, and then in the Roles panel click the add role icon (the + symbol). The Create Role dialog box appears.
- In the Create Role dialog box, in the Role name box, enter BackupAdminRole. The role name can be whatever you like, but it should be recognizable for the role’s purpose.
- Select the privileges for the appropriate version of vCenter, and then click OK. The following table identifies the required privileges for vCenter 6.0 and vCenter 5.5.
When you select the privileges, click the icon next to the parent label to expand the parent and view the child privileges. To select the VirtualMachine privileges, you need to go several levels into the parent-child hierarchy. You don’t need to select all child privileges within a parent privilege. After you click OK, the new role appears in the list on the Roles panel.
|Privileges for vCenter 6.0|Privileges for vCenter 5.5|
Step4: Create a vCenter Server user account and permissions
After the role with privileges is set up, create a user account. The user account has a name and password, which provide the credentials that are used for authentication.
- To create a user account, in the vCenter Server Navigator panel, click Users and Groups. The vCenter Users and Groups panel appears.
- In the vCenter Users and Groups panel, select the Users tab, and then click the add users icon (the + symbol). The New User dialog box appears.
- In the New User dialog box, add the user’s information and then click OK. In this procedure, the username is BackupAdmin. The new user account appears in the list.
- To associate the user account with the role, in the Navigator panel, click Global Permissions. In the Global Permissions panel, select the Manage tab, and then click the add icon (the + symbol). The Global Permissions Root – Add Permission dialog box appears.
- In the Global Permission Root – Add Permission dialog box, click Add to choose the user or group. The Select Users/Groups dialog box appears.
- In the Select Users/Groups dialog box, choose BackupAdmin and then click Add. In Users, the domain\username format is used for the user account. If you want to use a different domain, choose it from Domain. Click OK to add the selected users to the Add Permission dialog box.
- Now that you’ve identified the user, assign the user to the role. In Assigned Role, from the drop-down list, select BackupAdminRole, and then click OK. On the Manage tab in the Global Permissions panel, the new user account and the associated role appear in the list.
Step6: Establish vCenter Server credentials on Azure Backup Server
- To open Azure Backup Server, double-click the icon on the Azure Backup Server desktop.
- In the Azure Backup Server console, click Management, click Production Servers, and then on the tool ribbon, click Manage VMware. The Manage Credentials dialog box appears.
- In the Manage Credentials dialog box, click Add to open the Add Credential dialog box.
- In the Add Credential dialog box, enter a name and a description for the new credential. Then specify the username and password. The name, Contoso Vcenter credential, is used to identify the credential in the next procedure. Use the same username and password that are used for the vCenter Server. If the vCenter Server and Azure Backup Server are not in the same domain, in User name, specify the domain.
Click Add to add the new credential to Azure Backup Server. The new credential appears in the list in the Manage Credentials dialog box.
- To close the Manage Credentials dialog box, click the X in the upper-right corner.
Step7: Add the vCenter Server to Azure Backup Server
Production Server Addition Wizard is used to add the vCenter Server to Azure Backup Server. To open Production Server Addition Wizard, complete the following procedure:
- In the Azure Backup Server console, click Management, click Production Servers, and then click Add. The Production Server Addition Wizard dialog box appears.
- On the Select Production Server type page, select VMware Servers, and then click Next.
- In Server Name/IP Address, specify the fully qualified domain name (FQDN) or IP address of the VMware server. If all the ESXi servers are managed by the same vCenter, you can use the vCenter name.
- In SSL Port, enter the port that is used to communicate with the VMware server. Use port 443, which is the default port, unless you know that a different port is required.
- In Specify Credential, select the credential that you created earlier.
- Click Add to add the VMware server to the list of Added VMware Servers, and then click Next to move to the next page in the wizard.
- In the Summary page, click Add to add the specified VMware server to Azure Backup Server. The VMware server backup is an agentless backup, and the new server is added immediately. The Finish page shows you the results.
After you add the vCenter Server to Azure Backup Server, the next step is to create a protection group. The protection group specifies the various details for short or long-term retention, and it is where you define and apply the backup policy. The backup policy is the schedule for when backups occur, and what is backed up.
Step8: Configure a protection group
After you check that you have proper storage, use the Create New Protection Group wizard to add VMware virtual machines.
- In the Azure Backup Server console, click Protection, and in the tool ribbon, click New to open the Create New Protection Group wizard.
The Create New Protection Group wizard dialog box appears. Click Next to advance to the Select protection group type page.
- On the Select Protection group type page, select Servers and then click Next. The Select group members page appears.
- On the Select group members page, the available members and the selected members appear. Select the members that you want to protect, and then click Next.
When you select a member, if you select a folder that contains other folders or VMs, those folders and VMs are also selected. The inclusion of the folders and VMs in the parent folder is called folder-level protection. To remove a folder or VM, clear the check box.
- On the Select Data Protection Method page, enter a name for the protection group. Short-term protection (to disk) and online protection are selected. If you want to use online protection (to Azure), you must use short-term protection to disk. Click Next to proceed to the short-term protection range.
- On the Specify Short-Term Goals page, for Retention Range, specify the number of days that you want to retain recovery points that are stored to disk. If you want to change the time and days when recovery points are taken, click Modify. The short-term recovery points are full backups. They are not incremental backups. When you are satisfied with the short-term goals, click Next.
- On the Review Disk Allocation page, review and if necessary, modify the disk space for the VMs. The recommended disk allocations are based on the retention range that is specified in the Specify Short-Term Goals page, the type of workload, and the size of the protected data (identified in step 3).
- Data size: Size of the data in the protection group.
- Disk space: The recommended amount of disk space for the protection group. If you want to modify this setting, you should allocate total space that is slightly larger than the amount that you estimate each data source grows.
- Colocate data: If you turn on colocation, multiple data sources in the protection group can map to a single replica and recovery point volume. Colocation isn’t supported for all workloads.
- Automatically grow: If you turn on this setting and data in the protected group outgrows the initial allocation, System Center Data Protection Manager tries to increase the disk size by 25 percent.
- Storage pool details: Shows the status of the storage pool, including total and remaining disk size.
When you are satisfied with the space allocation, click Next.
- On the Choose Replica Creation Method page, specify how you want to generate the initial copy, or replica, of the protected data on Azure Backup Server.
The default is Automatically over the network and Now. If you use the default, we recommend that you specify an off-peak time. Choose Later and specify a day and time. For large amounts of data or less-than-optimal network conditions, consider replicating the data offline by using removable media. After you have made your choices, click Next.
- On the Consistency Check Options page, select how and when to automate the consistency checks. You can run consistency checks when replica data becomes inconsistent, or on a set schedule. If you don’t want to configure automatic consistency checks, you can run a manual check. In the protection area of the Azure Backup Server console, right-click the protection group and then select Perform Consistency Check. Click Next to move to the next page.
- On the Specify Online Protection Data page, select one or more data sources that you want to protect. You can select the members individually, or click Select All to choose all members. After you choose the members, click Next.
- On the Specify Online Backup Schedule page, specify the schedule to generate recovery points from the disk backup. After the recovery point is generated, it is transferred to the Recovery Services vault in Azure. When you are satisfied with the online backup schedule, click Next.
- On the Specify Online Retention Policy page, indicate how long you want to retain the backup data in Azure. After the policy is defined, click Next.
- On the Summary page, review the details for your protection group members and settings, and then click Create Group.
Now you are ready to back up VMware VMs using Backup Server v2.