MySQL Backup and Veeam Backup & Replication – Part 1

This article will show you how to implement a data protection strategy in MySQL environments.

Let’s start with a consideration.

To create application-consistent backups, the application must write all the data held in memory to disk (flush) before the copy process starts.

For example, Microsoft® applications use a technology called Shadow Copy which, through the coordination of VSS drivers, achieves application consistency.

A similar technology is not available on Linux and, in addition, MySQL does not support it in the Microsoft® environment.

How can this be remedied?

By creating scripts that enforce application consistency before the snapshot is created.

Having understood this aspect, let’s return to the scope of the article and introduce the options available for MySQL.

Note 1: Application consistency is achieved before snapshot creation.

1. Logical Backup: The script creates a file with the .sql extension which, in case of a restore, allows the database and its data to be re-created.

The .sql file is created through the native MySQL command “mysqldump”.

The advantages of logical backup can be summarized as follows:

  • There are no dependencies on third-party software.
  • Backups can be restored to other servers.

2. Physical / Cold Backup: Cold copies of the DB files are created (for example: ibdata, .ibd, .frm, ib_logfile, my.cnf).

To be sure that the backups are application-consistent, it is essential to stop the MySQL services before taking the snapshot.

It is a backup strategy typically implemented in environments that do not require 24×7 operations.

Note 2: The service is stopped only for the time necessary to create the snapshot and not for the entire duration of the backup.

3. Physical / Hot Backup: If the InnoDB engine is running, the script allows the creation of consistent copies without stopping the services (using, for example, the mysqlbackup command, a component of the MySQL Enterprise suite (MySQL Product)).
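The three options above combined into one pre-/post-snapshot hook, as an added example that is not part of the original article or of any Veeam script. The script name, the paths, the "mysql" service unit and credentials read from ~/.my.cnf are assumptions, and the hot mode uses FLUSH TABLES WITH READ LOCK rather than mysqlbackup; with DRY_RUN=1 (the default) it only prints the actions.

```shell
#!/bin/sh
# Added example: snapshot hooks for the logical, cold and hot options.
# Assumptions: credentials in ~/.my.cnf, systemd unit "mysql", paths below.
DRY_RUN="${DRY_RUN:-1}"                   # 1 = print actions, do not run them
DUMP_FILE="${DUMP_FILE:-/var/backups/mysql/all-databases.sql}"
STATE_DIR="${STATE_DIR:-/run/mysql-hook}"
FREEZE_TIMEOUT="${FREEZE_TIMEOUT:-300}"   # longest time the lock may be held

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

freeze() {
  if [ "$DRY_RUN" = 1 ]; then echo "mysql: FLUSH TABLES WITH READ LOCK"; return 0; fi
  mkdir -p "$STATE_DIR" && : > "$STATE_DIR/marker"
  # The global read lock lasts only as long as the session, so the client is
  # kept open on a pipe until thaw() kills it or the timeout expires.
  { echo "FLUSH TABLES WITH READ LOCK; SELECT 'locked';"; sleep "$FREEZE_TIMEOUT"; } |
    mysql --batch --unbuffered --skip-column-names > "$STATE_DIR/marker" &
  echo $! > "$STATE_DIR/pid"
  n=0   # return only once the lock is confirmed, so the snapshot cannot race it
  until grep -q locked "$STATE_DIR/marker"; do
    n=$((n + 1)); [ "$n" -le 30 ] || { thaw; return 1; }
    sleep 1
  done
}

thaw() {
  if [ "$DRY_RUN" = 1 ]; then echo "mysql: close locking session"; return 0; fi
  [ -f "$STATE_DIR/pid" ] && kill "$(cat "$STATE_DIR/pid")" 2>/dev/null
  rm -f "$STATE_DIR/pid" "$STATE_DIR/marker"
}

pre_snapshot() {
  case "$1" in
    # --single-transaction gives a consistent dump for InnoDB tables only
    logical) run mysqldump --all-databases --single-transaction --routines \
                 --events --result-file="$DUMP_FILE" ;;
    cold)    run systemctl stop mysql ;;
    hot)     freeze ;;
    *)       echo "unknown mode: $1" >&2; return 2 ;;
  esac
}

post_snapshot() {
  case "$1" in
    logical) : ;;                         # the dump is already on disk
    cold)    run systemctl start mysql ;;
    hot)     thaw ;;
    *)       echo "unknown mode: $1" >&2; return 2 ;;
  esac
}

# Usage: DRY_RUN=0 ./mysql-hook.sh pre|post logical|cold|hot
case "${1:-}" in
  pre)  pre_snapshot "${2:-}" ;;
  post) post_snapshot "${2:-}" ;;
esac
```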

Now that we know the scripting options available, let’s see how Veeam solutions can natively integrate with MySQL environments.

The first available option is the Veeam Agent for Linux (VAL), which automates the following four steps:

  1. Flush data from memory to disk (application consistency).
  2. Creation of the snapshot.
  3. Release of tables.
  4. Start the Backup process.

Note 3: As indicated in the first part of the article, if the DB is of the MyISAM type, it is possible to back up by locking all the tables.

The pre-requisites of the VAL are:

  • MySQL version is greater than or equal to 5.8.
  • The operating system is Linux.

Question: Is it possible to back up in Windows environments where the MySQL version is lower than version 5.8?

The answer is yes and the available scenarios are:

Logical Backup -> Hot-Backup Database Online Dump -> Mysqldump command.

Physical / Cold Backup -> Cold-Backup Database Shutdown -> Temporary stop of the Services.

Physical / Hot Backup -> Hot-Backup Database Freeze -> Native mysql commands.

Note 4: There is also the possibility of making Partial Backups. In this scenario, specific tables and databases are backed up. It is useful when different protection strategies have to be implemented on the same Server.

In the next article, we will find out how to create scripts and how to integrate them into Veeam Backup & Replication.

Veeam Disaster Recovery Orchestrator v.5: Components verification

This article explains how to configure the Veeam Disaster Recovery Orchestrator (VDrO) administration menu.

Before proceeding to the administration phase, it is essential to have already labeled the resources that will have to be part of the Disaster Recovery plans.

The classification was illustrated in the previous article, available by clicking on the following link: VDrO – VOne – Tagging.

Note 1: To access the administration menu, select the item called “Administration” (see image 1).

Picture 1

The configuration of the administration menu is divided into three main areas:

In the first, the following are set:

  • The name of the VDrO Server and the contact name (image 2)
  • Connections to Veeam Backup & Replication Servers (VBR) (image 3)
  • Connections to vCenters (image 4)
  • The optional connection to the storage (image 5) (refer to this article to find out the details)

Picture 2

Picture 3

Picture 4

Picture 5

The second area identifies the resources to be added to the DR plans through tagging:

  • The recovery location (image 6)
  • In the recovery location the datastores where the VM filesystems will reside (image 7)
  • Network mapping (image 8)
  • IP address remapping (image 9)

Note 2: The operations described above are possible if and only if all necessary resources have been tagged.

Note 3: Automatic remapping of IP addresses when starting a DR plan is only available for Windows VMs.

Picture 6

Picture 7

Image 8

Image 9

The third area identifies:

  • User profiling. In simple terms, the VDrO allows you to create users capable of administering only specific workloads which are called “scopes” (image 10).
  • The assignment of the DataLabs to the “scopes”. Remember that the DataLabs allow you to verify that the DR plan is usable (image 11).

Image 10

Image 11

The last configuration allows you to link the group of VMs replicated or saved via backup (called VM Groups) to the users’ scopes.

For example, image 12 shows that the VM Group “B&R Job – Replication VAO Win 10” is assigned (included) to both the Admin and Linux scopes.

Image 10

In the next and last article, we will find out how to create and verify a DR plan.

See you soon

VBR – Mac Backup

Veeam Backup & Replication (VBR) version 11 has a new feature, and Mac users will fall in love with it.

It is now possible to back up and restore your macOS files.

It supports the latest operating systems starting from High Sierra (Big Sur 11.X.X / Catalina 10.15.X / Mojave 10.14.X / High Sierra 10.13.6).

Note 1: The Veeam Agent for Mac (VAM) version 1 supports the M1 processor via Rosetta.

Note 2: The VAM supports consistent data backup with snapshots for the APFS file system.

In the other file systems, the backup is created via a snapshot-less approach.

Note 3: At the moment it’s possible to perform the backup of user data (with a custom scope too). The image of the entire machine and a Bare Metal Restore are not available yet.

The configuration steps are quite easy as shown in the official guide:

To recap, the procedure consists of:

  1. From the VBR console, create a resource group using a flexible scope
  2. Copy the files generated by VBR to the Mac to be protected
  3. Install the package on your machine and import the created configuration. (It allows the communication between VBR and the Mac)
  4. From the VBR console, create the backup policy and apply it

The following video shows how it works in a managed VBR architecture.

Take care and see you soon.

Ransomware defense part 2: Hardening

There are many documents on the internet that describe how to address this common request.

In this article, I’ll give you a path to move more easily around this topic, pointing out the most interesting articles.

Before starting, let me thank Edwin Weijdema, who created an exhaustive guide to answer the common question (please click here to get it).

Are you ready? Let’s start.

1- The first magic point for starting is Wikipedia where I got a good definition:

In computing, hardening is usually the process of securing a system by reducing its surface of vulnerability, which is larger when a system performs more functions; in principle, a single-function system is more secure than a multipurpose one. Reducing available ways of attack typically includes changing default passwords, the removal of unnecessary software, unnecessary usernames or logins, and the disabling or removal of unnecessary services.

2- The second point is to understand the concept of Perimeter security:

It consists of natural barriers or artificially built fortifications whose goal is to keep intruders out of the area. The strategies can be listed as:

  • Use rack-mount servers
  • Keep intruders from opening the case
  • Disable the drives
  • Lock up the server room
  • Set up surveillance

A complete article is available by clicking here

3- The third point is Network segmentation:

It is the division of an organization’s network into smaller and, consequently, more manageable groupings of interfaces called zones. These zones consist of IP ranges, subnets, or security groups designed typically to boost performance and security.

In the event of a cyberattack, effective network segmentation will confine the attack to a specific network zone and contain its impact by blocking lateral movement across the network via logical isolation through access controls.

Designating zones allows organizations to consistently track the location of sensitive data and assess the relevance of an access request based on the nature of that data. Designating where sensitive data reside permits network and security operations to assign resources for more aggressive patch management and proactive system hardening.

A complete article is available by clicking here

4- Hardening your Backup Repositories

The next good rules involve your backup architecture and, specifically, the Backup Repositories:

Windows:

a. Use the built-in local administrator account

b. Set permissions on the repository directory

c. Modify the Firewall

d. Disable remote RDP services

Linux:

e. Create a Dedicated Repository Account

f. Set Permissions on the Repository Directory

g. Configure the Linux Repository in Veeam

h. Modify the Firewall

i. Use Veeam Encryption
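The Linux items "Create a Dedicated Repository Account" and "Set Permissions on the Repository Directory" as a provisioning step plus an audit that can be re-run later; this is an added example, not taken from the article or from Veeam documentation. The account name veeamrepo, the directory /backups/veeam and the mode 700 target are assumptions, and the script relies on GNU stat and find.

```shell
#!/bin/sh
# Added example: provision and audit a Linux backup repository directory.
# Assumed names: account "veeamrepo", directory "/backups/veeam".
REPO_USER="${REPO_USER:-veeamrepo}"
REPO_DIR="${REPO_DIR:-/backups/veeam}"

provision_repo() {   # run once as root
  id "$REPO_USER" >/dev/null 2>&1 || useradd --create-home "$REPO_USER"
  mkdir -p "$REPO_DIR"
  chown "$REPO_USER:$REPO_USER" "$REPO_DIR"
  chmod 700 "$REPO_DIR"
}

# audit_repo DIR OWNER: prints findings, returns 1 if any check fails
audit_repo() {
  dir=$1 owner=$2 rc=0
  [ -d "$dir" ] || { echo "FAIL $dir: not a directory"; return 1; }
  [ -L "$dir" ] && { echo "FAIL $dir: is a symlink"; rc=1; }
  set -- $(stat -c '%U %a' "$dir")        # $1 = owner name, $2 = octal mode
  [ "$1" = "$owner" ] || { echo "FAIL $dir: owner is $1, expected $owner"; rc=1; }
  case "$2" in
    700) ;;
    *)   echo "FAIL $dir: mode is $2, expected 700"; rc=1 ;;
  esac
  # Nothing below the directory may carry group or other permission bits.
  loose=$(find "$dir" -mindepth 1 -perm /077 | head -n 5)
  [ -z "$loose" ] || { echo "FAIL group/other access on:"; echo "$loose"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK   $dir"
  return "$rc"
}
```

Call `provision_repo` once as root, then `audit_repo "$REPO_DIR" "$REPO_USER"` from a scheduled job to detect permission drift.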

Do you want to know more about security? If so the Veeam Best Practices are for sure the answer.

The next article will cover monitoring and automatic actions using Veeam-ONE.

5- Prevent injection of shady boot code

Code injection, also called Remote Code Execution (RCE), occurs when an attacker exploits an input validation flaw in software to introduce and execute malicious code.

To prevent the attack, apply the following rules:

a. Run with UEFI Native Mode
b. Use UEFI with Secure Boot Standard Mode
c. Combine Secure Boot with TPM
d. Equip critical servers with a TPM 2.0
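A way to verify rules a to d on a Linux server (for example a hardened repository), as an added example that is not part of the original article. It reads the kernel's sysfs view of the firmware; the function name boot_posture and its optional root-prefix argument are assumptions of this example, and the Secure Boot mode (standard versus custom) is not checked.

```shell
#!/bin/sh
# Added example: report UEFI / Secure Boot / TPM state from Linux sysfs.
# boot_posture [ROOT]: ROOT is a prefix for /sys (empty on a live host;
# a constructed directory tree can be passed for testing).
boot_posture() {
  root=${1:-}
  efi="$root/sys/firmware/efi"
  tpm="$root/sys/class/tpm/tpm0"
  rc=0

  # a. /sys/firmware/efi exists only when the kernel was booted through UEFI
  if [ -d "$efi" ]; then echo "OK   booted in UEFI native mode"
  else echo "FAIL legacy BIOS/CSM boot"; rc=1; fi

  # b. SecureBoot efivar: 4 attribute bytes followed by 1 data byte (1 = on)
  sb=$(ls "$efi"/efivars/SecureBoot-* 2>/dev/null | head -n 1)
  state=""
  [ -n "$sb" ] && state=$(od -An -tu1 -j4 -N1 "$sb" | tr -d ' ')
  if [ "$state" = 1 ]; then echo "OK   Secure Boot enabled"
  else echo "FAIL Secure Boot disabled or unavailable"; rc=1; fi

  # c/d. TPM presence and major version (tpm_version_major: kernel 5.6+)
  ver=""
  [ -r "$tpm/tpm_version_major" ] && ver=$(cat "$tpm/tpm_version_major")
  case "$ver" in
    2)  echo "OK   TPM 2.0 present" ;;
    "") echo "FAIL no TPM exposed by the kernel"; rc=1 ;;
    *)  echo "FAIL TPM version $ver, expected 2"; rc=1 ;;
  esac
  return "$rc"
}

# Run against the local host when called with the argument "check".
if [ "${1:-}" = check ]; then boot_posture; fi
```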

Stay tuned and see you soon

Veeam VBR DB Moving with SQL – Management Studio

In the last few days, I had enough time to analyze the performance of my personal lab.

For testing purposes, I launched the backup of the whole architecture at the same time; the VM that suffered the most was the backup server (VBR) and in particular the SQL Service.

This article will explain the steps I followed to move the VBR Database SQL Express from Backup & Replication to a SQL Server standard using SQL-Management Studio as a migration tool.

Before continuing to read the article, please look at the following Veeam KBs and contact Veeam Support.

To make the description easier I’ll use the following acronyms :

  1. VBR = Backup Server
  2. SQLServer = Target Server where SQL Standard is installed
  3. SQLExpress = Source DB
  4. DB = VeeamBackup
  5. DBFile = VeeamBackup.mdf & VeeamBackup.ldf

The main steps to reach the goal are:

  1. Stopping the Veeam service on the VBR server
  2. Detaching DB from SQLExpress
  3. Copying DBFile from VBR to SQLServer
  4. Attaching DB to SQL Server
  5. Using the Veeam Migration tool
  6. Changing the service account name on VBR Service (optional)
  7. Checking the registry key
  8. Launching Backup and Restore tests

Let’s go!

1. The first step is quite easy. Just connect to VBR, click on service and stop the SQL instance (Picture 1).

Picture 1

2. The second step is detaching the DB from SQL Express using SQL Management Studio (Picture 2).

Picture 2

If you need a good and short video guide to install SQL Management Studio please refer to the following link:

Another interesting video guide to understand how to enable the remote connection with SQL server is available here

Remember: to enable SQL Server to talk over the network (1433 is the default port), you also have to set up the firewall correctly.

3. Now it’s time to copy DBFiles from VBR to SQLServer.

Pay attention to the default path where the files have to be copied and pasted.

Generally, it is in C:\Program Files\Microsoft SQLServer\MSSQL.xx.INSTANCENAME\MSSQL\DATA (Picture 3).

Picture 3

4. The next step is attaching the DB to the new SQL server by following the easy SQL Management Studio menu (Picture 4).

Picture 4

5. Now, from the programs menu of the VBR server, select the Veeam entry and then “Configuration DataBase Connection Settings”.

Now choose which DBs you want to move to the new architecture. It can be Backup & Replication or the Enterprise Manager or both (Picture 5).

Picture 5

Now fill in the Database Name and Server/Instance and proceed with the final migration step (Picture 6).

Picture 6

If everything is correctly configured, you have finally migrated your DBs.

Troubleshooting:

TS-1

If you see that the process times out (600 seconds), it means that the VBR service account can’t access the database.

How to solve it?

Please contact your DB experts before doing any tasks!!!

6. The first thing is to create a user able to manage the SQL services.

The procedure is quite easy using a Domain Controller (Picture 7-9).

Picture 7

Picture 8

Picture 9

Now you have to add the new user to the Domain Users and Domain Admin groups (Picture 10-12).

Picture 10

Picture 11

Picture 12

From the Veeam Services window, select the Logon Service tab and set up the right user (do the same for all services that need it) (Picture 13 & 14).

Picture 13

Picture 14

Re-apply the procedure shown at point 5.

In my case, I’ve had another issue.

TS-2

The issue I unluckily ran into during my setup was the following:

When I tried to connect to the remote DB with the “Configuration DataBase Connection Settings” command, the following error appeared (Picture 15).

Picture 15

This issue happens when the SQL Server driver on a client computer that uses integrated security and the Windows security token can’t connect to the SQL Server.

If you want to have all details please refer to the following Microsoft article:

Cannot generate SSPI context

Please contact your DB experts before doing any tasks!!!

After some Google research and testing, I found a solution that addressed my issue, again working with the Domain Controller.

The AD console needs to be switched to advanced (Picture 16).

Picture 16

Now left-click on the SQL server and select “attribute editor”.

From this menu, you have to delete all the entries containing MSSQL.svc (Picture 17).

It also needs a server reboot.

Please contact your DB experts before doing any tasks!!!

Picture 17

For the last two points (7 and 8), check whether the procedure you followed has solved the request.

TS-3

If you are not able to discover the SQL server, please check on the target Server whether the SQL Server browser is up and running.

Picture 18

From the VBR Server, open the registry key (HKEY_LOCAL_MACHINE\Software\Veeam\Veeam Backup and Replication) and check that the items SqlDatabaseName, SQLinstanceName and SqlServerName are correctly filled in (Picture 19).

Do the same check for (HKEY_LOCAL_MACHINE\Software\Veeam\Veeam Backup Catalog) (Picture 20).

Picture 19

Picture 20

Now start backup Jobs and do some restore tasks to be sure that your Backup architecture is up and running.

In my case, the Backup Server can manage more tasks without any issue.

One more recommendation before ending the article:

Before doing any activities, please read the official documentation and ask Veeam support.

XFS – Performance

In the previous two articles, I explained how to configure and set up an XFS Repository with Veeam Backup & Replication v.10 (VBR).

In this new article, I’m going to cover why this is a very useful technology and should be adopted as soon as possible.

The main reason is:

“XFS linked-clone technology helps VBR to transform the backup chain” 

Let’s see what happens with Synthetic Full.

What is Synthetic full?

It’s a smart way to help VBR to create a Full Restore point downloading just an incremental backup from production.

The process is composed of two phases.

Firstly it creates a normal incremental backup.

Then it creates a full backup file stacking all previous backups (full and incremental).

This process normally needs a lot of work because VBR commands the repository to copy, paste and delete the data blocks.

The XFS integration allows the system to avoid moving any blocks. In fact, the filesystem is able to re-point its metadata, creating a Full Backup in one shot.

The result is super fast Full Backup creation.

Let’s see with an example:

A classic Full Backup lasted 7 mins (Picture 1).

Picture 1

An Incremental Backup lasted 2 mins and 30 sec (Picture 2).

Picture 2

What about a Synthetic Full?

Picture 3 shows that it needs less than 30 seconds (plus the time needed to download the incremental data).

So Amazing technology and Veeamzing integration!!!

Picture 3

That’s all, for now, guys, see you soon and take care.