Veeam – Automatic backup tests with SureBackup

SureBackup

A few days ago one of my co-workers asked me if, and if yes, how I test the backups of my customers. I answered him that I don’t do that personally, but let them be tested automatically. He asked me how I do that, and so I showed him one of the coolest features in Veeam Backup & Replication. It’s called SureBackup, and it makes your life as a sysadmin a lot easier. Believe me.

SureBackup in Veeam Backup & Replication (available in Enterprise and Enterprise Plus versions) is a great feature to test your Veeam backups automatically. It lets you make sure that a VM actually works when you really need to restore a whole VM and not only single files or folders. But it’s not only about automatic backup tests. With Veeam SureBackup you can also easily create lab environments and leverage your backups for patch testing, development and other tasks. You don’t have to deploy new virtual servers for patch testing or because of a new software release. Test all of that in your SureBackup lab to see if everything works as it should. Today’s blog post is all about SureBackup. I’ll show you how to set it up and try to give you some hints about it.

The challenge

Your daily backups are running fine. You receive the success mails after backup and / or replication and you know it’s all good. But how can you be sure that a restore of a whole virtual machine will work if you really need it? Most companies test their backups once a month. It is like an insurance. It’s good to have one, but it’s better if you don’t need it. Your backup job checks the health of the backup file, and SureBackup checks whether your VMs really can boot and all the necessary services come online. Veeam SureBackup is like your insurance.

The solution

With just three simple steps you can be assured that your backups really work when time comes to restore a complete VM or business critical applications.


VMware – Configure vSphere Auto Deploy

Auto Deploy

The last few days and weeks I was preparing for my VCP6-DCV exam. Well, I’m still preparing for it, there is a helluva lot of stuff to learn and understand. One thing is vSphere Auto Deploy.

vSphere Auto Deploy is a cool feature for large infrastructures. Imagine, you just have to mount your ESXi hardware hosts in the racks, start them, and they are getting their software, setup and configuration via network. Without the need of any USB, CD or remote mounting of ISO files (like with HPE iLO or DELL iDRAC), and without any local storage if you boot your ESXi hosts from a shared datastore. Your host is online in just a few minutes and ready for use in your cluster, or whatever scenario you need it for.

Today I did some Auto Deploy stuff. And it is not as easy as I thought. You can’t do much via the vSphere Web Client (I’m absolutely the GUI type of sysadmin). You have to do some PowerCLI stuff, but not as much as I was afraid of. Let me show you how I did it. And please drop a comment if there is anything wrong, or if there is anything to improve. I’m pleased to update this post if necessary.

Stage 1 – Preparation for Auto Deploy

What do you need for using Auto Deploy? There is not much:

  • vCenter (on Windows Server or the Appliance)
  • PowerCLI
  • a TFTP server (I used Open TFTP Server, which worked very well)
  • ESXi Offline Bundle
  • Probably some hosts you want to set up with Auto Deploy

Let me give you some tips about the configuration for vCenter and the Open TFTP Server. With this piece of software I had to try and fail a few times until I got it up and running.

vCenter configuration – Enable Auto Deploy

  1. Login to your vCenter with the Web Client.
  2. Click on “Administration”.
  3. Click on “System Configuration” and then “Services” on the next page.
  4. Click on “Auto Deploy”.
  5. In the toolbar on top, click “Actions” and then “Start”.
  6. Under “Actions” and “Edit Startup Type” you can configure Auto Deploy for an automatic or manual start.

vCenter configuration – download TFTP boot zip file

  1. Login to your vCenter with the Web Client.
  2. Click “vCenter Inventory Lists” and then click “vCenter Servers”.
  3. In this overview click your vCenter Server.
  4. Click on “Manage” then “Settings” and then “Auto Deploy”.
  5. Click on the link “Download TFTP Boot Zip” to download the file. You’ll need it later for the TFTP server.

Open TFTP Server – setup and configuration

  1. Download and install the Open TFTP Server (I’ll use this software in my configuration).
  2. Use the standard settings for installation.
  3. Navigate to the setup folder (e.g. C:\OpenTFTPServer) and open the “OpenTFTPServerMT.ini” with a text editor.
  4. You’ll need to configure the [HOME] parameters. This is the folder where you have to save the TFTP Boot Zip from above.
  5. Locate the [HOME] parameter, ignore all the text there and add just “C:\TFTP-Root” (or any other folder you’d like) after the last line of text in this part of the INI file. Add the path to the folder without quotation marks.
  6. Restart the Open TFTP Server service.
  7. Copy your “TFTP Boot Zip” file from above to the folder you added in the INI file and unpack it directly there. You should now have about 11 files, including the zip file.
  8. Restart the Open TFTP Server service again.

Configure DHCP server with options

You need to configure your DHCP server with two options so that your ESXi hosts can boot via network / PXE, get an IP address and configuration file.

  • Add option 66, which is frequently called next-server. Add the IP address of your TFTP server as value.
  • Add option 67, which is frequently called boot-file. Add undionly.kpxe.vmw-hardwired as value.

Stage 2 – Create depot, profiles and rules, and deployment

  1. Download the ESXi Offline Bundle from VMware and save it in a folder on the machine where you’re doing this stuff.
  2. Open PowerCLI and connect to your vCenter (Connect-VIServer).
  3. Add-EsxSoftwareDepot c:\tmp\update-from-esxi6.0-6.0_update02.zip.zip
  4. Add-EsxSoftwareDepot http://<vcenter server>/vSphere-HA-depot
  5. Find out which profiles are in this offline bundle with: Get-EsxImageProfile | fl * | Out-File C:\tmp\profiles.txt
  6. New-EsxImageProfile -CloneProfile "ESXi-6.0.0-20160302001-standard" -Name "ESXiStatelessImage"
  7. Add-EsxSoftwarePackage -ImageProfile "ESXiStatelessImage" -SoftwarePackage vmware-fdm
  8. New-DeployRule -Name "FirstBoot" -Item "ESXiStatelessImage" -AllHosts
  9. Add-DeployRule -DeployRule "FirstBoot"
  10. Now boot one of your hosts. If everything is configured correctly up to this point you should see the ESXi image booting.
  11. Login to your vCenter with the Web Client. You should probably see the new auto-deployed host in your inventory. In my lab this was the case.
  12. Configure this host (like networking, storage etc.) through the Web Client.
  13. In the Web Client, create a new host profile based on this newly booted host named “ESXiAutoDeploy”.
  14. New-DeployRule -Name "ProductionBoot" -Item "ESXiStatelessImage", ESXiAutoDeploy, <target_cluster> -Pattern "vendor=<unique hw identifier>"
  15. Add-DeployRule -DeployRule "ProductionBoot"
  16. Remove-DeployRule -DeployRule FirstBoot -Delete
  17. Boot all of your auto deploy hosts.
  18. Assign the created host profile to these hosts.
  19. Reboot these hosts => aaaand you’re done.
  20. If you want to save the newly created image profile as a software depot, to make changes at a later time if needed, just do this:
    1. Export-EsxImageProfile -ImageProfile "ESXiStatelessImage" -ExportToBundle -FilePath c:\tmp\ESXiStatelessImage.zip
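
Changing the active rule set (steps 14 to 16) does not update hosts that were already provisioned under the old rule; they keep their previous image and host profile assignment until their compliance is tested and remediated. The following is an added example, not part of the original post, that reports such drift per host. It assumes an existing Connect-VIServer session with the Auto Deploy cmdlets loaded; the function name Test-AutoDeployDrift and its -Repair switch are hypothetical helpers, and the cluster name is the placeholder from step 14.

```powershell
# Added example (not from the original post). Test-AutoDeployDrift and -Repair are
# hypothetical names; the cluster name is a placeholder.
function Test-AutoDeployDrift {
    param(
        [Parameter(Mandatory = $true)][string]$ClusterName,
        [switch]$Repair
    )

    foreach ($esx in Get-Cluster -Name $ClusterName | Get-VMHost) {
        # Compare what the host currently uses with what the active rule set assigns to it
        $result = Test-DeployRuleSetCompliance $esx

        if (-not $result.ItemList) {
            [pscustomobject]@{ Host = $esx.Name; Compliant = $true; Current = $null; Expected = $null }
            continue
        }

        # One row per differing item (image profile, host profile or location)
        foreach ($diff in $result.ItemList) {
            [pscustomobject]@{
                Host      = $esx.Name
                Compliant = $false
                Current   = $diff.CurrentItem
                Expected  = $diff.ExpectedItem
            }
        }

        # Optional remediation: re-associate the host with the items the rule set expects
        if ($Repair) { Repair-DeployRuleSetCompliance $result | Out-Null }
    }
}

# Report only; add -Repair to remediate the hosts that differ
Test-AutoDeployDrift -ClusterName '<target_cluster>' | Format-Table -AutoSize
```

A repaired image profile assignment takes effect the next time the host boots through Auto Deploy.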

Conclusion

As I wrote above it is not that easy, but it was not as hard as I was afraid of. There are some things to consider, like ESXi configuration with correct networking, storage etc., so that you can later create a suitable host profile which fits all of your hosts. In this first try I didn’t create a big configuration, just some basic stuff to understand Auto Deploy and for the writing of this blog post.

I have to investigate the password policy, or better, how I can set a password policy, because my test ESXi host did not have a root password after assigning the host profile. I know I configured the password in step 12 above along with the rest of the configuration. But the password didn’t come with the host profile. But anyway, the configuration of Auto Deploy worked. Now I’ve got some more tasks, for example to find out about this password issue.

Special thanks to Duncan Epping for his cheat sheet (no, I did not read his article, just his cheat sheet, but yes, I saw the link to his article). So I had the commands needed and a thin red line for orientation.

Also thanks to Vladan Seget for his article about some new features in vSphere 6.5 including Auto Deploy (which now has a GUI! How cool is that?)

VMware – Read before upgrade to vSphere 6.5

VMware

Yesterday VMware announced the general availability of the brand new vSphere 6.5. They announced the new version at this year’s VMworld in Barcelona, and now you can download and install the bits. But there is a catch. Please make sure you read and understand all the important information before upgrading to vSphere 6.5 because there might be some limitations at the moment. Let me bring some light into the darkness.

Compatibility considerations

You should not upgrade to vSphere 6.5 if you are running one (or some / all) of these software components in your environment:

  • VMware NSX
  • VMware Integrated OpenStack
  • vCloud Director for Service Providers
  • vRealize Infrastructure Navigator
  • App Volumes
  • Horizon Air Hybrid-Mode
  • Integrated OpenStack
  • vCloud Networking and Security
  • vRealize Business for Cloud
  • vRealize Configuration Manager
  • vRealize Hyperic
  • vRealize Networking Insight

These components are not yet compatible with vSphere 6.5. But as we know VMware, they are already working on updates. Please check the VMware Product Interoperability Matrix for further information about updates to the products above.

  • If you have to revert a migration, please check VMware KB2146453 for reverting a vCenter Server to Appliance migration.
  • To roll back a vCenter Server Instance on Windows, please check the vSphere Upgrade Guide.

Upgrade Considerations

Before upgrading your environment, review these critical KB articles to make sure the upgrade will be successful.

vCenter Server

vCenter Server to vCenter Server Appliance

PSC High Availability

ESXi

NSX

vRealize Operations

vSphere Web Client

Known Issues

vCenter Server

vRealize Operations Manager

Security Considerations

TLS protocols

Encryption considerations

  • Running an encrypted KMS virtual machine can cause a loss of data in the event of a host failure.

More details in the VMware Knowledgebase (KB2147548):

https://kb.vmware.com/kb/2147548

*** Update ***

Backup Considerations

There is one thing I forgot to mention. If you are using Veeam Availability Suite v9.5 then you can’t do backups with vSphere 6.5 at the moment, because Veeam does not support this vSphere version yet. But the guys at Veeam are also working on an update, which will be (historically) released about two months after general availability of the new vSphere version.

So stay tuned!

Microsoft Active Directory – Desktop Shortcuts with Group Policy


A really cool feature in Microsoft Active Directory is Group Policy (or Group Policies in general). With Group Policies you can install (small) software packages, set the Internet Explorer start page, set wallpapers, execute scripts in user or computer security context and many more things. You can also deploy specific desktop icons for a user or a user group. This blog post shows you how to deploy simple desktop shortcuts to a user’s desktop.

The group policy

If you have some specific applications in your company (for example a simple timesheet application) which your users should use, then you can create a group policy or a group policy preference respectively to deploy this desktop shortcut.

  1. In Group Policy Management, create a new group policy object (GPO) in the “Group Policy Objects” folder.
  2. Right click this newly created GPO and select “Edit…”.
  3. Navigate to “User Configuration => Preferences => Windows Settings => Desktop”
  4. Right click the “Desktop” object and select “New => Shortcut”
    Group Policy - Shortcuts

  5. Now set all the configuration details of your application shortcut in the next dialog box.
    Group Policy - Shortcut Target Type

    Note: Please be aware of the “Target type” setting. If the shortcut has to be an application shortcut, you have to choose “File System Object”. By default it’s set to “URL” and thus creates only a shortcut for a website. If your user then opens this shortcut, Internet Explorer (or the default browser) opens with a “cannot display this website” message instead of the application.

  6. On the “Common” tab check if this group policy preference should run in logged-on user’s security context or not.
    Group Policy - Shortcuts Security Context

    Note: If you set the “Location” to “Desktop” then you should make sure that on the “Common” tab the check box “run in logged-on user’s security context” is set, because the shortcut will be published on the user’s own desktop. If you wish to deploy a shortcut to the “All Users” profile then you have to set the target to “All Users Desktop” and also uncheck the box to run this group policy preference in logged-on user’s security context. Usually a normal user doesn’t have access to the All Users profile, but the system account, which runs this group policy preference, has access to it.

  7. Now click Apply / OK and close this dialog box.

As the last step, back in GPO Management, link the created GPO with the Organizational Unit in which your users reside.

Now your users only have to restart the computer or log off and log on once. They will then receive the newly created desktop shortcut.

VMware vSphere – How to script vMotion for your VMs

vMotion Script

VMware vMotion is a pretty good feature regarding the availability and load balancing in your vSphere environment. Today I created a vMotion script to help me create a backup with a backup software.

As so many times, my blog posts are the result of a problem I had and for which I needed a solution. It shouldn’t be different today. I worked in my vSphere homelab. I created some virtual machines and installed my backup software of choice. My idea was to have a backup before doing any work with the VMs, just in case I screw it up. So I can easily go back to a known good state of the VM and try again. But this task wasn’t so easy.

As a vExpert, VMCE, MVP, Trainer or many other different tech people you can request an NFR license key for Veeam Availability Suite. So did I. The NFR key was delivered quickly to my mailbox, and was even faster installed in Veeam. But there was a catch. At least my NFR license is limited to two sockets, but with no limits for protected VMs, and it comes with a full 1-year retention period, instead of just 30 days as the regular trial.

So I had to deal with the fact that only one host (I’ve got three hosts in my lab with two sockets each) is protected by Veeam. This limitation woke the hunter in me because I had to find a solution. My goal was to back up all my VMs but with only two licensed sockets. The approach I chose was to set vSphere DRS to manual, then do a vMotion of all VMs to the host which holds the Veeam license, do a backup and set DRS back to fully automated after the backup. If you are working with resource pools you shouldn’t disable DRS, because that results in removing the resource pools. But there is a workaround for that too. Instead of creating a new problem I did it the easy way and just set DRS to manual.

How to get the vMotion script

If you’re familiar with GitHub you can download my script from there:

For everyone else, I’ll provide the script directly here:

# .SYNOPSIS
# This script will start a vMotion of all virtual machines on a specified datastore to a specified ESXi host.
# If you are working with a backup software which is licensed to a specific host,
# this will probably help you.
# Only recommended in smaller environments or if you have enough resources on this host.

# .DESCRIPTION
# The script loads a PSSnapin; it sets some PowerCLI options; it connects to your vCenter Server with the given credentials;
# it gets all your VMs in an array; it starts then a Host vMotion of all the VMs in the array to a specified ESXi host.

# .NOTES
#    File Name      : pre-backup.ps1
#    Version:       : 1.0
#    Author         : Karl Widmer ([email protected])
#    Prerequisite   : PowerShell V2 over Vista and upper / VMware PowerCLI 6
#    Tested on:     : Windows Server 2012 R2
#    with PowerCLI  : PowerCLI 6.3 Release 1 build 3737840
#    with PowerShell: 4.0
#    Copyright 2016 - Karl Widmer / driftar's Blog (www.driftar.ch)

# .LINK
# Script posted over: https://www.driftar.ch

# Load PowerCLI cmdlets  
Add-PSSnapin VMware.VimAutomation.Core -ErrorAction "SilentlyContinue" 

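# Set PowerCLI behaviour regarding invalid certificates and deprecation warnings.
# "Ignore" turns off validation of the vCenter certificate; fine in a lab, use a trusted certificate elsewhere.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -DisplayDeprecationWarnings:$false -Confirm:$false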

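# Define vCenter user, target datastore and cluster (placeholder values)
# The password is stored in clear text here, so restrict read access to this file.
$vcHost = 'vcenter.domain.com'
$vcUser = '[email protected]'
$vcPass = 'password'
$datastore = 'your_datastore'
$cluster = 'your_cluster'

# Connect to vCenter
Connect-VIServer $vcHost -User $vcUser -Password $vcPass

# Resolve the target host (this needs the vCenter connection established above)
$targetHost = Get-VMHost -Name yourhost.domain.com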
 
 
# Get VMs (pass array of VMs to $VMs, for example 'get-datastore test | get-vm')  
$VMs = Get-Datastore $datastore | get-vm
 
# Get Cluster information to set DRS to Manual for backup window
Set-Cluster $cluster -DrsAutomationLevel Manual -Confirm:$false

Foreach ($vm in $VMs) {
    Write-Host ("Start Host vMotion for VM '" + $vm.Name + "'")
    Write-Host ("Waiting...")

    # Move-VM runs synchronously, so "finished" is only printed once the vMotion has completed
    Move-VM -VM $vm -Destination $targetHost

    Write-Host ("Host vMotion for VM '" + $vm.Name + "' finished")
}

# This last script step should probably be executed in a post-backup script step.
# It sets the DRS automation level back to fully automated. Your VMs will then probably load-balance on your hosts.

# Set DRS on cluster back to FullyAutomated after backup window
Set-Cluster $cluster -DrsAutomationLevel FullyAutomated -Confirm:$false
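
A hardened variant of the pre-backup step, as an added example that is not the author's script: it reads the vCenter credential from a DPAPI-protected file instead of a clear-text password, refuses an untrusted vCenter certificate, and verifies that every VM really ended up on the licensed host before the backup starts. The credential file path and all host, cluster and datastore names are placeholders, and it assumes the vCenter certificate is trusted by the machine running the script.

```powershell
# Added example (not from the original post); all names and paths are placeholders.
$vcHost     = 'vcenter.domain.com'
$cluster    = 'your_cluster'
$datastore  = 'your_datastore'
$targetName = 'yourhost.domain.com'
$credFile   = 'C:\Scripts\vc-backup.cred.xml'   # hypothetical path

# One-time setup, run interactively as the account that runs the backup job:
#   Get-Credential | Export-Clixml -Path $credFile
# Export-Clixml protects the password with Windows DPAPI, so only that user
# on that machine can decrypt it.
$cred = Import-Clixml -Path $credFile

# Fail on an untrusted vCenter certificate instead of ignoring it
Set-PowerCLIConfiguration -InvalidCertificateAction Fail -Scope Session -Confirm:$false | Out-Null
Connect-VIServer -Server $vcHost -Credential $cred -ErrorAction Stop | Out-Null

try {
    $targetHost = Get-VMHost -Name $targetName -ErrorAction Stop
    Set-Cluster -Cluster $cluster -DrsAutomationLevel Manual -Confirm:$false | Out-Null

    # Only move VMs that are not already on the licensed host
    $vms = Get-Datastore -Name $datastore | Get-VM |
        Where-Object { $_.VMHost.Name -ne $targetName }
    foreach ($vm in $vms) {
        Write-Host ("Host vMotion for VM '" + $vm.Name + "'")
        Move-VM -VM $vm -Destination $targetHost -ErrorAction Stop | Out-Null
    }

    # Verify placement before the backup job is allowed to start
    $stray = Get-Datastore -Name $datastore | Get-VM |
        Where-Object { $_.VMHost.Name -ne $targetName }
    if ($stray) { throw "Not on ${targetName}: $($stray.Name -join ', ')" }
}
catch {
    # Do not leave the cluster in manual mode when the pre-backup step fails
    Set-Cluster -Cluster $cluster -DrsAutomationLevel FullyAutomated -Confirm:$false | Out-Null
    throw
}
finally {
    Disconnect-VIServer -Server $vcHost -Confirm:$false
}
```

On success DRS stays in manual mode, so the post-backup step above still has to set it back to FullyAutomated.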

Update 07.11.2016

After updating my ESXi hosts to 6.0.0 Build 4510822 my script stopped working. So I simplified the script and released version 2.0.