Backing up Hyper-V data

Use a backup job to back up Hyper-V data with snapshots.

Before you begin

Review the following procedures and considerations before you define a backup job:
  • Register the providers that you want to back up. For more information see Adding a Hyper-V server
  • Configure SLA policies. For instructions, see Create backup policies.
  • Hyper-V Backup and Restore jobs require the installation of the latest Hyper-V integration services.

    For Microsoft Windows environments, see Supported Windows guest operating systems for Hyper-V on Windows Server.

    For Linux environments, see Supported Linux and FreeBSD virtual machines for Hyper-V on Windows.

  • IBM Spectrum Protect Plus uses Resilient Change Tracking (RCT) for tracking the changed blocks of Hyper-V virtual machine disks. For more information, see Resilient Change Tracking.
  • All Hyper-V servers, including cluster nodes, must have the Microsoft iSCSI initiator Service running in their Services list. Set the service to Automatic so that it is available when the machine boots.
  • Before an IBM Spectrum Protect Plus user can implement backup and restore operations, roles and resource groups must be assigned to the user. Grant users access to resources and backup and restore operations through the Accounts pane. For more information, see Managing user access.
  • If a virtual machine (VM) is associated with multiple SLA Policies, ensure that the policies are not scheduled to run concurrently. Either schedule the SLA Policies to run with a significant amount of time between them, or combine them into a single SLA policy.
  • If the IP address of the IBM Spectrum Protect Plus appliance is changed after an initial Hyper-V base backup is created, the target IQN of the Hyper-V resource may be left in a bad state. To correct this issue, from the Microsoft iSCSI Initiator tool, click the Discovery tab. Select the old IP address, then click Remove. Click the Target tab and disconnect the reconnecting session.
  • If a VM is protected by an SLA policy, the backups of the VM will be retained based on the retention parameters of the SLA policy, even if the VM is removed.

About this task

Restriction: File cataloging, backup, point-in-time restores, and other operations that invoke the Windows agent will fail if a non-default local administrator is entered as the Guest OS Username when defining a backup job. A non-default local administrator is any user that has been created in the guest OS and has been granted the administrator role.

This occurs if the registry key LocalAccountTokenFilterPolicy in [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] is set to 0 or not set. If the parameter is set to 0 or not set, a local non-default administrator cannot interact with WinRM, which is the protocol IBM Spectrum Protect Plus uses to install the Windows agent for file cataloging, send commands to this agent, and get results from it.

Set the LocalAccountTokenFilterPolicy registry key to 1 on the Windows guest that is being backed up with Catalog File Metadata enabled. If the key does not exist, navigate to [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] and add a DWord Registry key named LocalAccountTokenFilterPolicy with a value of 1.

Procedure

To define a Hyper-V backup job, complete the following steps:

  1. In the navigation panel, click Manage Protection > Virtualized Systems > Hyper-V.
  2. Select resources to back up.
    Use the search function to search for available resources and toggle the displayed resources through the View filter. Available options are VMs and Datastore.
  3. Click Select SLA Policy to add one or more SLA policies that meet your backup criteria to the job definition.
  4. To create the job definition by using default options, click Save.
    The job runs as defined by the SLA policies that you selected. To run the job manually, click Jobs and Operations > Schedule. Select the job and click Actions > Start.
    Tip: When the job for the selected SLA policy runs, all resources that are associated with that SLA policy are included in the backup operation. To back up only selected resources, you can run an on-demand job. An on-demand job runs the backup operation immediately.
    • To run an on-demand backup job for a single resource, select the resource and click Run. If the resource is not associated with an SLA policy, the Run button is not available.
    • To run an on-demand backup job for one or more resources, click Create job, select Ad hoc backup, and follow the instructions in Running an ad hoc backup job.
  5. To edit options before you start the job, click the edit icon in the table Select Options.
    Tips for configuring options:
    Review the following tips to help you configure options for the backup job:
    • To set the options for child resources to the same values as the parent, click Set all options to inherit.
    • If multiple resources were selected for the backup job, the options are indeterminate. If you change the value for an option, that value is used for all selected resources after you click Save.
    • Options that are shown in yellow indicate that the option value has changed from the previously saved value.
    • To close the Options pane without saving changes, click Select Options.
    In the Backup Options section, set the following job definition options:
    Skip Read-only datastores

    Enable to skip datastores mounted as read-only.

    Skip temporary datastores mounted for Instant Access

    Enable to exclude temporary Instant Access datastores from the backup job definition.

    Priority

    Set the backup priority of the selected resource. Resources with a higher priority setting are backed up first in the job. Click the resource that you want to prioritize in the Hyper-V Backup section, and then set the backup priority in the Priority field. Set 1 for the highest priority resource or 10 for the lowest. If a priority value is not set, a priority of 5 is set by default.

    In the Snapshot Options section, set the following job definition options:
    Make VM snapshot application/file system consistent

    Enable this option to turn on application or filesystem consistency for the VM snapshot.

    VM Snapshot retry attempts

    Set the number of times IBM Spectrum Protect Plus should attempt to snapshot a VM before canceling the job.

    In the Agent Options section, set the following job definition options:
    Truncate SQL logs

    To truncate application logs for SQL during the Backup job, enable the Truncate SQL logs option.

    Restriction: It is possible that the same databases that are on a VM might be backed up as part of a VM backup job and a SQL Server backup job. Do not select this option if you want to back up the database transaction logs during the SQL Server backup operation. The log truncation deletes all inactive logs from the log file. The deleted log sequence causes discontinuity in the log backup.

    For more information about backing up SQL Server database logs, see Log backups.

    The credentials must be established for the associated VM through the Guest OS Username and Guest OS Password option within the backup job definition. The user identity follows the default domain\name format if the VM is attached to a domain. The format local_administrator is used if the user is a local administrator.

    The user identity must have local administrator privileges. Additionally, on the SQL server, the system login credential must have SQL sysadmin permissions enabled, as well as the Log on as a service right. For more information about this right, see Add the Log on as a service Right to an Account.

    IBM Spectrum Protect Plus generates logs pertaining to the log truncation function and copies them to the following location on the IBM Spectrum Protect Plus appliance: 
    /data/log/guestdeployer/latest_date/latest_entry/vm_name

    Where latest_date is the date that the backup job and log truncation occurred, latest_entry is the universally unique identifier (UUID) for the job, and vm_name is the hostname or IP address of the VM where the log truncation occurred.

    Restriction: File indexing and file restore are not supported from restore points that were copied to an IBM Spectrum Protect server.
    Catalog file metadata

    To turn on file indexing for the associated snapshot, enable the Catalog file metadata option. After file indexing is complete, individual files can be restored by using the File Restore pane in IBM Spectrum Protect Plus. Note that credentials must be established for the associated VM by using an SSH key, or a Guest OS Username and Guest OS Password option in the backup job definition. Ensure that the VM can be accessed from the IBM Spectrum Protect Plus appliance either by using DNS or hostname. Note that SSH keys are not a valid authorization mechanism for Windows platforms.

    Run as system user

    Run the file indexing as the system user. This allows the file indexing to be run at the highest privilege level on the client virtual machine. Catalog file metadata must be enabled to use this option.

    Exclude Files

    Enter directories to skip when file indexing is performed. Files within these directories are not added to the IBM Spectrum Protect Plus catalog and are not available for file recovery. Directories can be excluded through an exact match or with wildcard asterisks specified before the pattern (*test) or after the pattern (test*). Multiple asterisk wildcards are also supported in a single pattern. Patterns support standard alphanumeric characters as well as the following special characters: - _ and *. Separate multiple filters with a semicolon. Catalog file metadata must be enabled to use this option.

    Get SSL certificate thumbprint or Get SSH key
    Note: This setting will only be visible for Windows-based hosts if you set the global preference Windows Clients Port (WinRM) used for application and file indexing to 5986. For more information about global preferences, see Configuring global preferences.

    Verify the identity of the VM being backed up. Catalog file metadata must be enabled to use this option.

    For Windows-based virtual machines:

    Obtain the certificate thumbprint and verify that the certificate thumbprint matches the thumbprint of the certificate on the host. Click Get SSL certificate thumbprint.

    Get SSL certificate thumbprint
    Get the SSL certificate thumbprint for the Windows-based host. You must complete this step when registering servers for the first time or if the certificate on the server changes.
    The HTTPS listener must be enabled on the host. You must create a self-signed certificate and then enable the HTTPS listener if it is not already enabled. For more information, see How to configure WinRm for HTTPS.
    When upgrading to IBM Spectrum Protect Plus 10.1.9, systems that are already registered in the previous version are set to trust on first use (TOFU) and the certificate thumbprint will automatically be added to the registration information in the catalog.
    SSL certificate thumbprint
    The SSL certificate thumbprint is displayed here. Confirm that the certificate thumbprint matches the thumbprint of the certificate on the host that you are adding.

    For Linux-based virtual machines:

    Obtain the server key and verify that the key type and key fingerprint match the host. Click Get server key.

    Get server key
    The SSH server key for the Linux-based host. You must complete this step when adding servers for the first time or if the key on the server changes.
    When upgrading to IBM Spectrum Protect Plus 10.1.9, systems that are already registered in the previous version are set to trust on first use (TOFU) and the SSH key fingerprint will automatically be added to the registration information in the catalog.
    Key type
    The type of key for the Linux-based host is displayed. The following key types are supported:
    • RSA with a minimum key size of 2048 bits
    • ECDSA
    • DSA
    Key fingerprint
    The MD5 hash of the SSH key fingerprint is displayed. Confirm that they key fingerprint matches the key fingerprint of the host that you are adding.
    Use existing user

    Enable to select a previously entered username and password for the provider.

    Guest OS Username/Password

    For some tasks (such as cataloging file metadata, file restore, and IP reconfiguration), credentials must be established for the associated VM. Enter the username and password, and ensure that the VM can be accessed from the IBM Spectrum Protect Plus appliance either through DNS or hostname.

    The default security policy uses the Windows NTLM protocol, and the user identity follows the default domain\name format if the Hyper-V virtual machine is attached to a domain. The format local_administrator is used if the user is a local administrator.

  6. To troubleshoot a connection to a hypervisor VM, use the Test function.
    The Test function verifies the hypervisor tool settings and tests DNS settings between the IBM Spectrum Protect Plus appliance and the VM. Select a single VM, and then click Select Options. You must select Catalog file metadata. Select Use existing user to select a previously entered username and password for the resource. Alternately, enter a username in the Guest OS Username and password in the Guest OS Password fields if you have not previously entered the username and password for the resource. Click Test. For more information, see Testing the connection to a Hyper-V Server virtual machine.
  7. Click Save.
  8. To configure additional options, click the Policy Options field that is associated with the job in the SLA Policy Status section. Set the additional policy options:

    Pre-scripts and Post-scripts

    Run a pre-script or a post-script. Pre-scripts and post-scripts are scripts that can be run before or after a job runs at the job level. Windows-based machines support Batch and PowerShell scripts while Linux-based machines support shell scripts.

    In the Pre-script or Post-script section, select an uploaded script and a script server where the script will run. Scripts and script servers are configured on the System Configuration > Script page.

    To continue running the job if the script associated with the job fails, select Continue job/task on script error.

    When this option is enabled, if a pre-script or post-script completes processing with a non-zero return code, the backup or restore operation is attempted and the pre-script task status is reported as COMPLETED. If a post-script completes with a non-zero return code, the post-script task status is reported as COMPLETED.

    When this option is disabled, the backup or restore is not attempted, and the pre-script or post-script task status is reported as FAILED.

    Run inventory before backup

    Run an inventory job and capture the latest data of the selected resources before starting the backup job.

    Exclude Resources

    Exclude specific resources from the backup job through single or multiple exclusion patterns. Resources can be excluded through an exact match or with wildcard asterisks specified before the pattern (*test) or after the pattern (test*).

    Multiple asterisk wildcards are also supported in a single pattern. Patterns support standard alphanumeric characters as well as the following special characters: - _ and *.

    Separate multiple filters with a semicolon.

    Force Full Backup of Resources

    Force base backup operations for specific VMs or databases in the backup job definition. Separate multiple resources with a semicolon.

  9. To save any additional options that you configured, click Save.

What to do next

After you define a backup job, complete the following action:
Action How to
Create a Hyper-V restore job definition. See Restoring Hyper-V data.