Backing up VMware data

Use a backup job to back up VMware resources such as virtual machines (VMs), datastores, folders, vApps, and datacenters with snapshots.

To define a VMware backup job, complete the following steps:

1. In the navigation panel, click Manage Protection > Virtualized Systems > VMware.
2. Select resources to back up.
   Use the search function to search for available resources and toggle the displayed resources by using the View filter. Available options are VMs and Templates, VMs, Datastore, Tags and Categories, and Hosts and Clusters. Tags are applied in vSphere, and allow a user to assign metadata to VMs.
3. Click Select SLA Policy to add one or more SLA policies that meet your backup criteria to the job definition.
4. To create the job definition by using default options, click Save.

   The job will run as defined by the SLA policies that you selected. To run the job immediately, click Jobs and Operations > Schedule. Select the job and click Actions > Start.

   Tip: When the job for the selected SLA policy runs, all resources that are associated with that SLA policy are included in the backup operation. To back up only selected resources, you can run an on-demand job. An on-demand job runs the backup operation immediately.

   • To run an on-demand backup job for a single resource, select the resource and click Run. If the resource is not associated with an SLA policy, the Run button is not available.
   • To run an on-demand backup job for one or more resources, click Create job, select Ad hoc backup, and follow the instructions in Running an ad hoc backup job.

   When the job definition is saved, available virtual machine disks (VMDKs) in a VM are discovered and are shown when VMs and Templates is selected in the View filter. By default, these VMDKs are assigned to the same SLA policy as the VM. If you want a more granular backup operation, you can exclude individual VMDKs from the SLA policy. For instructions, see Excluding VMDKs from the SLA policy for a job.

5. To edit options before you create the job definition, click Select Options.
   Tips for configuring options:

   Review the following tips to help you configure options for the backup job:

   • To set the options for child resources to the same values as the parent, click Set all options to inherit.
   • If multiple resources were selected for the backup job, the options are indeterminate. If you change the value for an option, that value is used for all selected resources after you click Save.
   • Options that are shown in yellow indicate that the option value has changed from the previously saved value.
   • To close the Options pane without saving changes, click Select Options.
   In the Backup Options section, set the following job definition options:

   Skip Read-only datastores

   Skip datastores that are mounted as read-only.

   Skip temporary datastores mounted for Instant Access

   Exclude temporary Instant Access datastores from the backup job definition.

   VADP Proxy

   Select a VADP proxy to balance the load.

   Priority

   Set the backup priority of the selected resource. Resources with a higher priority setting are backed up first in the job. Click the resource that you want to prioritize in the VMware Backup section, and then set the backup priority in the Priority field. Set 1 for the highest priority resource or 10 for the lowest. If a priority value is not set, a priority of 5 is set by default.

   In the Snapshot Options section, set the following job definition options:

   Make VM snapshot application/file system consistent

   Enable this option to turn on application or file system consistency for the VM snapshot. All VSS-compliant applications such as Microsoft Active Directory, Microsoft Exchange, Microsoft SharePoint, Microsoft SQL, and the system state are quiesced. VMDKs and VMs can be instantly mounted to restore data that is related to quiesced applications.

   VM Snapshot retry attempts

   Set the number of times that IBM Spectrum Protect Plus attempts to capture an application or file-consistent snapshot of a VM before the job is canceled. If the Fall back to unquiesced snapshot if quiesced snapshot fails option is enabled, an unquiesced snapshot will be taken after the retry attempts.

   Fall back to unquiesced snapshot if quiesced snapshot fails

   Enable to fall back to a non-application or non-file-system consistent snapshot if the application consistent snapshot fails. Selecting this option ensures that an unquiesced snapshot is taken if environmental issues prohibit the capture of an application or file-system consistent snapshot.

   In the Agent Options section, set the following job definition options:

   Truncate SQL logs

   To truncate application logs for SQL Server databases that are on the VM during the backup job, enable the Truncate SQL logs option.

   Restriction: It is possible that the same databases that are on a VM might be backed up as part of a VM backup job and a SQL Server backup job. Do not select this option if you want to back up the database transaction logs during the SQL Server backup operation. The log truncation deletes all inactive logs from the log file. The deleted log sequence causes discontinuity in the log backup.

   For more information about backing up SQL Server database logs, see Log backups.

   The credentials must be established for the associated VM by using the Guest OS user name and Guest OS Password option within the backup job definition. When the VM is attached to a domain, the user identity follows the default domain\name format. If the user is a local administrator, the format local_administrator is used.

   The user identity must have local administrator privileges. On the SQL Server server, the system login credential must have the following permissions:

   • SQL Server sysadmin permissions must be enabled.
   • The Log on as a service right must be set. For more information about this right, see Add the Log on as a service Right to an Account.

   IBM Spectrum Protect Plus generates log files for the log truncation function and copies them to the following location on the IBM Spectrum Protect appliance:

   /data/log/guestdeployer/latest_date/latest_entry/vm_name

   where latest_date is the date that the backup job and log truncation occurred, latest_entry is the universally unique identifier (UUID) for the job, and vm_name is the host name or IP address of the VM where the log truncation occurred.

   Restriction: File indexing and file restore are not supported from restore points that were copied to cloud resources or repository servers.

   Catalog file metadata

   Turn on file indexing for the associated snapshot. When file indexing is completed, individual files can be restored by using the File Restore pane in IBM Spectrum Protect Plus. Credentials must be established for the associated VM by using an SSH key, or the Guest OS Username and Guest OS Password options within the backup job definition. Ensure that the VM can be accessed from the IBM Spectrum Protect Plus appliance either by using DNS or a host name.

   Restriction: SSH Keys are not a valid authorization mechanism for Windows platforms.

   Run as system user

   Run the file indexing as the system user. This allows the file indexing to be run at the highest privilege level on the client virtual machine. Catalog file metadata must be enabled to use this option.

   Exclude Files

   Enter directories to skip during file indexing. Files within these directories are not added to the IBM Spectrum Protect Plus catalog and are not available for file recovery. Directories can be excluded through an exact match or with wildcard asterisks specified before the pattern (*test) or after the pattern (test*). Multiple asterisk wildcards are also supported in a single pattern. Patterns support standard alphanumeric characters as well as the following special characters: - _ and *. Separate multiple filters with a semicolon. Catalog file metadata must be enabled to use this option.

   Get SSL certificate thumbprint or Get SSH key

   Note: This setting will only be visible for Windows-based hosts if you set the global preference Windows Clients Port (WinRM) used for application and file indexing to 5986. For more information about global preferences, see Configuring global preferences.

   Verify the identity of the VM being backed up. Catalog file metadata must be enabled to use this option.

   For Windows-based virtual machines:

   Obtain the certificate thumbprint and verify that the certificate thumbprint matches the thumbprint of the certificate on the host. Click Get SSL certificate thumbprint.

   Get SSL certificate thumbprint

   Get the SSL certificate thumbprint for the Windows-based host. You must complete this step when registering servers for the first time or if the certificate on the server changes.

   The HTTPS listener must be enabled on the host. You must create a self-signed certificate and then enable the HTTPS listener if it is not already enabled. For more information, see How to configure WinRm for HTTPS.

   When upgrading to IBM Spectrum Protect Plus 10.1.9, systems that are already registered in the previous version are set to trust on first use (TOFU) and the certificate thumbprint will automatically be added to the registration information in the catalog.

   SSL certificate thumbprint

   The SSL certificate thumbprint is displayed here. Confirm that the certificate thumbprint matches the thumbprint of the certificate on the host that you are adding.

   For Linux-based virtual machines:

   Obtain the server key and verify that the key type and key fingerprint match the host. Click Get server key.

   Get server key

   The SSH server key for the Linux-based host. You must complete this step when adding servers for the first time or if the key on the server changes.

   When upgrading to IBM Spectrum Protect Plus 10.1.9, systems that are already registered in the previous version are set to trust on first use (TOFU) and the SSH key fingerprint will automatically be added to the registration information in the catalog.

   Key type

   The type of key for the Linux-based host is displayed. The following key types are supported:

   • RSA with a minimum key size of 2048 bits
   • ECDSA
   • DSA

   Key fingerprint

   The MD5 hash of the SSH key fingerprint is displayed. Confirm that they key fingerprint matches the key fingerprint of the host that you are adding.

   Use existing user

   Select a previously entered user name and password for the provider.

   Guest OS Username/Password

   For some tasks (such as cataloging file metadata, file restore, and IP reconfiguration), credentials must be established for the associated VM. Enter the user name and password, and ensure that the VM can be accessed from the IBM Spectrum Protect Plus appliance either by using DNS or a host name.

6. To troubleshoot a connection to a hypervisor VM, use the Test function.
   The Test function verifies the hypervisor tool settings and tests DNS settings between the IBM Spectrum Protect Plus appliance and the VM. Select a single VM, and then click Select Options. You must select Catalog file metadata. Select Use existing user to select a previously entered username and password for the resource. Alternately, enter a username in the Guest OS Username and password in the Guest OS Password fields if you have not previously entered the username and password for the resource. Click Test. For more information, see Testing the connection to a vCenter Server virtual machine.
7. Click Save.
8. To configure additional options, click the Policy Options clipboard icon that is associated with the job in the SLA Policy Status section. Set the following additional policy options:

   Pre-scripts and Post-scripts

   Run a pre-script or a post-script. Pre-scripts and post-scripts are scripts that can be run before or after a job runs. Windows-based machines support Batch and PowerShell scripts while Linux®-based machines support shell scripts.

   In the Pre-script or Post-script section, select an uploaded script and a script server where the script will run. Scripts and script servers are configured by using the System Configuration > Script page.

   To continue running the job if the script associated with the job fails, select Continue job/task on script error.

   When this option is enabled, if a pre-script or post-script completes processing with a non-zero return code, the backup or restore operation is attempted and the pre-script task status is reported as COMPLETED. If a post-script completes with a non-zero return code, the post-script task status is reported as COMPLETED.

   When this option is disabled, the backup or restore is not attempted, and the pre-script or post-script task status is reported as FAILED.

   Run inventory before backup

   Run an inventory job and capture the latest data of the selected resources before starting the backup job.

   Exclude Resources

   Exclude specific resources from the backup job by using single or multiple exclusion patterns. Resources can be excluded by using an exact match or with wildcard asterisks specified before the pattern (*test) or after the pattern (test*).

   Multiple asterisk wildcards are also supported in a single pattern. Patterns support standard alphanumeric characters as well as the following special characters: - _ and *.

   Separate multiple filters with a semicolon.

   Exclude Resources by Tag

   Exclude specific resources based on associated VM tags from the backup job. Resources can be excluded through an exact match or with wildcard asterisks specified before the pattern (*test) or after the pattern (test*). Multiple asterisk wildcards are also supported in a single pattern. Patterns support standard alphanumeric characters as well as the following special characters: - _ and *. Multiple filters may be separated with a semicolon.

   Force Full Backup of Resources

   Force base backup operations for specific VMs or databases in the backup job definition. Separate multiple resources with a semicolon.

9. To save any additional options that you configured, click Save.