File indexing and restore requirements

Configuration

Table 1. Coverage matrix for supported operating systems on Windows x64

IBM Spectrum Protect Plus	Windows Server 2008 R2* Standard and Datacenter editions	Windows Server 2012 R2 and Windows Server 2012R2 core* Standard and Datacenter editions	Windows Server 2016 and Windows Server 2016 core* Standard and Datacenter editions	Windows Server 2019 and Windows Server 2019 core* Standard and Datacenter editions
V10.1.0				--
V10.1.1				--
V10.1.2				--
V10.1.3				(Windows Server 2019 core only)
V10.1.4
V10.1.5
V10.1.6
V10.1.7
* The base release and later maintenance levels are supported. Windows Server core refers to Windows Server with the Server Core option

Restrictions

• When files are indexed in a Windows environment, the following directories on the resource are skipped:
  • \Program Files
  • \Program Files (x86)
  • \Windows
  • \winnt

  Files within these directories are not added to the IBM Spectrum Protect Plus inventory and are not available for file recovery.

• Encrypted Windows file systems are not supported for file cataloging or file restore.
• When restoring files in a ReFS environment, restore jobs from newer versions of Windows Server to earlier versions are not supported. For example, you cannot restore a file from Windows Server 2016 to Windows Server 2012.

Disk space

• The C:\ drive must have sufficient temporary space to save the file indexing results.
• When file systems are indexed, temporary metadata files are generated under the \temp directory and are deleted when the indexing is complete. The amount of free space required for the metadata depends on the total number of files in the system. Ensure that approximately 350 MB of free space is available per 1 million files.

Software

• File indexing and file restore operations for a Windows VM require that the Windows PowerShell binary path is set in the %PATH% environment variable.
• Ensure that the 64-bit Microsoft Visual C++ 2008 SP1 Redistributable Package is installed on the VM guest machine, before you start restore operation from a backup image.
• Install a supported version of a Windows 64-bit operating system in your environment. Ensure that the most recent patches and updates are installed.

Connectivity

Ensure that your system environment meets the following connectivity requirements:

• The hostname of the IBM Spectrum Protect Plus server should be resolvable from the Windows VM.
• The Internet Protocol (IP) address of the VM that is selected for indexing must be visible to the vSphere client or Hyper-V Manager.
• The Windows VM that is selected for indexing must support outgoing connections to port 22, which uses the Secure Shell (SSH) protocol, on the IBM Spectrum Protect Plus server.
• The network adapter that is used for the connection must be configured as a client for Microsoft Networks.
• The Microsoft® Windows Remote Management (WinRM) service must be running.
• Firewalls must be configured to enable IBM Spectrum Protect Plus to connect to the server by using WinRM.
• The IP address of the machine that you register must be reachable from the IBM Spectrum Protect Plus server and from the vSnap server. A Windows guest machine must have a WinRM service that is listening on port 5985.
• All servers, proxies, applications, and hypervisors that are added to the IBM Spectrum Protect Plus environment must be registered by using a Domain Name System (DNS) name or Internet Protocol (IP) address.
• If DNS names are used, they must be resolvable over the network by the IBM Spectrum Protect Plus server and from the vSnap server. All IBM Spectrum Protect Plus components must also be resolvable by their DNS names.
• If DNS is not available, you must add the server to the /etc/hosts file on the IBM Spectrum Protect Plus server by using the command line.

Authentication and privilege requirements

The credentials that are specified for a VM must include a user with the following privileges:

• The system login credentials must have the permissions of the local administrator.

• The user identity must have the "Log on as a service" right, which is assigned through the Administrative Tools control panel on the local server (Local Security Policy > Local policies > User Rights Assignment > Log on as a service).

  For more information about the "Log on as a service" right, see Add the Log on as a service Right to an Account.

• The default security policy uses the Windows Challenge/Response (NTLM) protocol, and the user identity follows the default domain\Name format if the Hyper-V VM is attached to a domain. The format local administrator is used if the user is a local administrator. Credentials must be established for the associated VM by using the Guest OS user name and Guest OS password option within the associated backup job definition.
• File cataloging, backup, point-in-time restores, and other operations that start the Windows agent fail if a nondefault local administrator ID is entered as the Guest OS username when you define a backup job. A nondefault local administrator is any user ID that is created in the guest operating system and is granted the administrator role.

  This failure occurs if the registry key LocalAccountTokenFilterPolicy in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System is set to 0 or not set. If the parameter is set to 0 or not set, a local nondefault administrator cannot interact with WinRM, which is the protocol that IBM Spectrum Protect Plus uses to install the Windows agent for file cataloging, send commands to this agent, and get results from it.

  Set the LocalAccountTokenFilterPolicy registry key to 1 on the Windows guest that is being backed up with catalog file metadata enabled. If the key does not exist, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and add a DWord Registry key named LocalAccountTokenFilterPolicy with a value of 1.

Group Policy Object requirements

You can specify the Group Policy Object (GPO) setting by navigating to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Network security: Restrict NTLM: Incoming NTLM traffic.

Alternatively, click Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Network security: Restrict NTLM: Outgoing NTLM traffic

Specify the Group Policy Object (GPO) setting by navigating to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network security: Restrict NTLM: Incoming NTLM traffic and Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers.

For the NTLM traffic, specify one of the following options:

• Allow all
• Allow all accounts

Restrictions

• A file system that was created on a newer kernel version might not be mountable on a system with a previous kernel version. In this case, restoring files from the newer to the previous system is not supported.
• When files are indexed in a Linux environment, the following directories on the resource are skipped:
  • /tmp
  • /usr/bin
  • /Drivers
  • /bin
  • /sbin
• Files in virtual file systems like /proc, /sys, and /dev are also skipped. Files within these directories are not added to the IBM Spectrum Protect Plus inventory and are not available for file recovery.

Disk space

• The system disk must have sufficient temporary space to save the file indexing results.
• When file systems are indexed, temporary metadata files are generated under the /tmp directory and are then deleted when the indexing is complete. The amount of free space required for the metadata depends on the total number of files in the system. Ensure that approximately 350 MB of free space is available per 1 million files.

Software

• The bash and sudo packages must be installed. sudo must be at version 1.7.6p2 or later. Run sudo -V to check the version.
  Tip: The required bash and sudo packages are included in the supported Linux 86_64 operating systems installation packages.
• Ensure that the supported version of Linux x86_64 is installed. Ensure that the most recent patches and updates are installed.
• The International Components for Unicode (libicu) RPM-package must be installed for the corresponding version of your operating system.
• In a Linux environment, depending on your version or distribution, ensure that the Linux utility package util-linux-ng or util-linux package is current.
• RHEL and CentOS 6 users: To ensure that the util-linux-ng or util-linux package is current, run the following command:

  yum update package_name

  where package_name is the name of the Linux utility package.
• If data resides on Logical Volume Manager (LVM) volumes, ensure that the LVM version is 2.0.2.118 or later.

  Run the lvm version command to check the version and run the yum update lvm2 command to update the package if necessary.

• If data resides on LVM volumes, the lvm2-lvmetad service must be disabled, as it can interfere with the ability of IBM Spectrum Protect Plus to mount and resignature volume group snapshots and clones. To disable the service, complete the following steps:
  1. Run the following commands:

     systemctl stop lvm2-lvmetad  
     systemctl disable lvm2-lvmetad

  2. Edit the /etc/lvm/lvm.conf file and specify the following setting:

     use_lvmetad = 0

     For more information, see The Metadata Daemon (lvmetad).
• If data resides on XFS file systems and the version of the xfsprogs package is between 3.2.0 and 4.1.9, the file restore operation can fail due to a known issue in the xfsprogs package that causes corruption of a clone or snapshot file system when its Universally Unique Identifier (UUID) is modified. To resolve this issue, update the xfsprogs package to version 4.2.0 or later. For more information, see Debian Bug report logs.

Connectivity

Ensure that your system environment meets the following connectivity requirements:

• The secure file transfer protocol (SFTP) subsystem for SSH is enabled.
• The SSH service is running on port 22 on the proxy host server.
• Firewalls are configured to allow IBM Spectrum Protect Plus to connect to the proxy host server by using SSH.
• IBM Spectrum Protect Plus uses the Network File System (NFS) to mount storage volumes for backup and restore operations. Ensure that the native Linux NFS client is installed on the proxy host server.
• All servers, proxies, applications, and hypervisors that are added to the IBM Spectrum Protect Plus environment can be registered by using a Domain Name System (DNS) name or Internet Protocol (IP) address.
• If DNS names are used, they must be resolvable over the network by the IBM Spectrum Protect Plus server and from the vSnap server. All IBM Spectrum Protect Plus components must also be resolvable by their DNS names.
• If DNS is not available, you must add the server to the /etc/hosts file on the IBM Spectrum Protect Plus server by using the command line.

Authentication and privileges

The recommended approach is to create a dedicated IBM Spectrum Protect Plus agent user with the privileges that are shown in the sample configuration:

• Create the user by using the command:

  useradd -m sppagent

  where sppagent specifies the IBM Spectrum Protect Plus agent user.
• Set a password by using the command:

  passwd sppagent_password

  where sppagent_password specifies the agent password.
• To enable superuser privileges for the agent user, set the !requiretty setting. At the end of the /etc/sudoers configuration file, add the following lines:

  Defaults: sppagent !requiretty
  sppagent ALL=(root) NOPASSWD:ALL

  If your sudoers file is configured to import configurations from another directory, for example /etc/sudoers.d, you can add the lines in the appropriate file in that directory.