2014/03/18

Get even more control over your Veeam schedules

Veeam has a pretty extensive scheduler for jobs. However sometimes customers really want strange schedules to run their backups. I always try to change the mindset. Sometimes they want to have alternating backups just because they don't know the backup copy job exists in v7. In this case, it's like your Santa bringing them a new Christmas present when you explain them that they can actually copy their backups really easily from repository to repository.

However sometimes they have exotic questions. For example we want to run an active full every 2 weeks. Not every week or every month, no every 2 weeks. So what can you do in this case? Well use the Windows task scheduler and some easy Powershell script that executes your logic.

If you want to use Veeam Powershells snapin, make sure you explicitly install it. It is provided as part of the Veeam Backup & Replication installer, but is not selected by default. To validate, just check if you can find the Powershell option in your main menu.


If you don't have it installed, you can fire up the main installer or just locate the corresponding MSI on the iso ":\Backup\BPS_x64.msi"



The most  simple script can be found here:
simplestartjob.ps1

Change the name of the job in the script to match your job you want to start. Then go to the windows task scheduler and make a new task:


Then create a new task. Personally I like to add my Veeam task in a custom folder so that they are all grouped together.


On the general page enable
  • "Run whether user is logged on or not"
  • "Run with highest privileges" : If you want to know why you need to enable this, find more info at the end of the blog article. If you don't care, go ahead and continue

On the action tab, add a new action


Fill the correct setting
  • Program : powershell
  • Arguments : "e:\scripts\simplestartjob.ps1"
 Use the quotes to be safe (for examples if you have spaces in your path


The result should be something like this:


Now create a trigger


You can schedule it daily, weekly or monthly



Finally click ok and enter the credentials.


When the script runs it should start your job



Also I created some scripts in the past for customers:
  • Activefull.ps1 : Active full which should be run on special time. With the windows task scheduler you can say for example first and third week of the month. Alternatively you can do the alternation in the script itself
    • alternate weeks: if( ([int]$(get-date -uformat "%V"))%2 -eq 1) { do_something }
    • alternate days: if( ([int]$(get-date -uformat "%j"))%2 -eq 1) { do_something }
  • Startjob.ps1 : Launcher script. Instead of making a different script for each job, you can reuse the script and give the job name via a parameter
    • Please not that the argument should be something like (single quotes around names). Correct quotes are important "c:\path\to\script\startjob.ps1 'my job name'"
  • Stoptapejob  : Stop tape job after a certain time. Customer has a single drive and tape job "hang" if there is no drive in the slots and he was canceling them manually every day.

Why I need to run with highest privileges
Actually if you just open a powershell prompt in non-admin mode and admin mode you will see why


When you run in non-admin mode you will get a SQL error. Actually it is not really about admin mode but more about the fact that the current user doesn't have access to the database. It is actually the same requirement, when you want to give users fine grained access to the GUI. So first of all make sure you setup the correct permissions in B&R itself (Main menu>Users and roles)



Next to that, users also need permissions to the database that is behind B&R

If you give the user db_owner on the Veeam db, it should work as well





2014/03/17

Test driving the new Veeam Explorer for Active Directory

If you are a Veeam fan, you certainly need to read the word of Gostev. Basically you enroll  on the forum and every week you will get a mail from the forum containing the word of Gostev. He is the product manager for Backup & Replication and if you want to be the first one to know all about the new stuff in IT (not only Veeam), you'll see that this weekly mail avoids you reading 25 blog articles a day (quote I borrowed from one of my colleagues ;)).

This week wasn't any different. Veeam launched the public beta for the Veeam Explorer for Active Directory. So what is the big difference between the AD AIR wizard and this one? Well you don't need to power on a virtual lab to extract a single user. Instead, Veeam will read the ntds.dit (ad database file) directly via a file level recovery. This reduces recovery time drastically. The coolest part? It's a public beta, so everybody can test it!

So how do you get started? Well you will need a Veeam Backup & Replication server v7 installed. Then you can download the beta via the forums:
http://forums.veeam.com/veeam-backup-replication-f2/veeam-explorer-for-active-directory-t21038.html

Basically, you will get a zip file and in it is an MSI installer you can just next-next-install.


After that you should find the VEAD in your start menu


Now how do you get started? Well like with all explorer beta versions (exchange, sharepoint), you will need to start a file level recovery and point to the database. So lets start with the easy part, the file level recovery. Go to the main menu and choose restore.


Then choose to do a windows guest file level recovery


Find your active directory server


And start the guest files recovery wizard


Remember when you click finish, the recovery wizard will start but not any files will be actively recovered to your original machine.


Now you should see the file browser. But actually Veeam mounts the file level recovery under:
C:\VeeamFLR\\Volume

In my case the c: drive is
C:\VeeamFLR\ad02\Volume1

Keep the FLR wizard open during the whole process, otherwise Veeam will dismount the disk.

Now start the VEAD and click add database


Now you should point to the the ntds.dit file


I first tried to do a search through "C:\VeeamFLR\ad02\Volume1". This gave me 2 results:


But when I tried to mount the one in system32 I got the following error:


Luckily somebody already posted the solution on the forum. To find the correct path, go to your production server and look into:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

However since my ad02 server is a core server, I created this small script you can invoke remotely to find the path
$server = "ad02"
Invoke-Command -computer $server { Get-ItemProperty -path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\" }
This should show you the correct path under "DSA Database file"



So this says the file should be under C:\Windows\NTDS\ntds.dit. If we match this to the file level recovery path, we will get something like this:
C:\VeeamFLR\ad02\Volume1\Windows\NTDS\ntds.dit

Now again try to add the database file and point to the correct file:


After loading the db, the VEAD should show you your AD structure:


So lets try to restore a user. First of all you can easily see your attributes by right clicking the user:


Opening the attributes, I was wondering where they hid the recovery for individual attributes. Well it is actually part of the user recovery wizard. So lets follow the restore wizard:


First define the  AD to restore to and the credentials to use


Then specify where to restore the user


In the next step you can decide what to restore


This is the "twist" about the wizard, you can actually recover the user with the password. So if by accident you deleted a user during the night, you can recover him and next day, the end user won't even notice that he was deleted.


 Do you want to enable the account? :)


Final step is to click the restore button.

What is also cool is that not only can you restore an individual user, but also a whole OU if required:


Another great thing about it, is that it should be exchange aware. So if you restore a user, it should connect it to the correct mailbox as well.

So have fun playing with the beta! And remember kids, it's a beta, don't test it in production :)