In this guide series, the focus is to create a trial account that will be used in combination with Veeam Backup and Replication to store long term backup. In this case how to sigh up a Wasabi S3 free account for a trial. Later on also the ability to explain content directly from the cloud for granular restores. Wasabi S3 offers enterprise cloud blob storage at a reasonable price. They offer an interesting option for that entire customer who wants to benefit from cloud resources and in particular for object or blob storage. Wasabi offered for a fraction of the price when compared to other solutions in the market.
How to Create Wasabi S3 Account
To create a trial account is a straight forward process and requires no credit card. The trial gives access for 30 days for a maximum of 1 TB. 1- Browse the Wasabi website for sign up and then click Try or BUY Now.
2- Click Create Account
3- Enter details and then click start your free trial
4- You will receive an email from Wasabi for confirmation. Type your email address, password and then click signup
Create Account Wasabi S3 Bucket
5- Once the Wasabi account is created the next step is to create a bucket. Click create bucket
6- Enter a name for the bucket and the region and then click next
7- Click next.
8- Review the settings and then click create bucket
9- Select your bucket
10- Here you can create folder
11- Select settings
12- In the bucket settings we can edit settings for example enable Logging and Versioning or you can enable while creating the bucket.
13- The last step is to create the Access Key. Select create new access key
The status and creation of the keys can be controlled by the wasabi S3 console. The wizard will create an Access & Secret Key. This information is to provide when configuring client apps to access the pertinent bucket. In addition, it’s necessary to also provide the correct name of the region where the bucket is located. 14- Click create
15- Here you can get your access key and secret key
In this blog, I am going to restore files and folders from the tape backup. Please follow the below steps to restore files form tape.
1- Open the Veeam Backup & Replication console, select Home tab, and click on the Restore tab and select Tape
2- Select Restore files.
3- Restore from tape wizard, Objects to Restore option and then click Add.
4- Expand the server, browse to the file or folder or volume you need to restore. Select them and then click ok
5- Select Backup Set button
6- If you need to restore files from other restore points, so select them and click ok By default, Veeam Backup & Replication will restore the latest version of files and folders are available on the tape.
7- If you want to remove a file or folder from the list, select it and then click Remove. Click next
8- Restore from tape destination option, select an original location if you want to restore files and folder to its original server. This server option. If you want to restore files to another server. You can restore files to the Veeam backup server shared folder or to any other machine the one is added to Veeam Backup & Replication. Now select the browse button and select the folder where you need to restore files
9- Select the overwrite the existing files option and then click next
10- Review the restore from tape settings and then click Finish.
11- Files form tape successfully restored
12- Now you can see the files in restoration folder
In this blog, I will explain how to restore Virtual Machine in Veeam Backup & Replication.
1- Open Veeam Backup and Replication Console, click on Inventory options and click on VMware vSphere you can see the following virtual machine.
2- Here you need to select the vCenter server, after that select the virtual machine which you want to restore and click on restore option and then restore entire VM
3- Full Virtual Machine Restore wizard will open, so just select the Virtual Machine and click on next.
4- Here you can select restore location you can select any one option in these two so I am restoring the Virtual Machine to different locations so just select the location and click on the Next button.
5- Here it’s showing the Virtual Machine and original location here so we need to change the host location so just select the Host button and select the different Host where you need to restore the virtual machine.
6- Here you can select the available host where you need to restore and click on the OK button.
7- After selecting host so just click on next button.
8- Here you can select resources like Datastore or you can leave it default and click on the next button.
9- Now select the Database button if you want to change the datastore.
10- Select a Datastore and then click OK.
11- Select disk type
12- Select disk type and then click OK.
13- Now you can see the virtual machine hard disk and datastore size so verify the details and click on the Next button.
14- Select the name button.
15- Type a virtual machine name and click OK.
16- Click next.
17- Virtual Machine Network and click on next button.
18- Click next
19- Now you can type the reason why you are restoring the Virtual Machine and click on the Next button.
20- Choose the Power on target VM after the restoring option and then click on the Finish button.
21- Virtual Machine successfully restored so just click on close button.
22- Virtual Machine successfully restored
Related: How to use Extract Utility in Veeam Backup & Replication
Extract Utility Veeam Backup & Replication with an extract utility that can be used to restore virtual machines from Veeam backup files. The Veeam extract utility does not need any communication with Veeam. You can use it as an independent tool on Linux & Microsoft Windows virtual machines.
Extract Utility Veeam Backup
Veeam extract utility can be use in two interfaces (Graphic user interface (GUI) and command line) I am using an extract utility Graphic user interface (GUI) interface The Veeam extract utility is located in the installation folder of Veeam, by default C:\Program Files\Veeam\Backup and Replication\Backup The folder includes three files for the extract utility: Veeam.Backup.Extractor.exe working in GUI (can be use on Microsoft Windows machines only) extract.exe: Veeam utility working in the command prompt interface, a version for Microsoft Windows extract: Veeam utility working in the command prompt interface, a version for Linux
Extract Utility GUI
Restore VM data using Veeam extract utility GUI Run the Veeam.Backup.Extractor.exe setup file extract utility file from the installation folder of Veeam Backup & Replication. Veeam Backup Extraction Utility wizard next to Backup file option and then click on the browse button
Specify a Veeam backup .vbk path. If the backup file is encrypted, the utility will require you to provide a credential to unlock the backup file.
Under the Target folder field, specify a path to the destination folder where you want to restore virtual machine data.
From the Virtual Machines list, select a virtual machine whose data you need to restore.
Click on Extract button, Machine data will be restored to the specified folder.
The Veeam extract utility can be start on Microsoft Windows machines only. If you plan to start the Veeam extract utility on that machine where Veeam backup not installed. You need to copy the Veeam.Backup.Extractor.exe and extract.exe file from the Veeam installation folder and store these 2 files to the same folder on the destination machine. Restoring files please wait
In this article, I will create a file to tape the job using the Veeam new file to Tape Job wizard.
1- Select the Home tab, right-click the Jobs tab, and select Tape Job and then Select Files to Tape.
2- New file to tape job wizard, under the Name field, type a name for the file to tape job. Under the Description option, type a description of the file to tape the job and then click next.
3- File to tape, (Files and Folders) step of the wizard, click the Add button.
4- Select file or folder windows pop up, From the Server drop-down list; select a Windows Server the one you want to backup files or folders. Select files & folders that you need to backup and then click on ok.
5- If you want to back up files and folders from a Windows server or Linux server, first make sure you have added as a managed server to the Veeam backup infrastructure. If you want to back up files and folders from an SMB server or NFS share, and then make sure you have added as a file share to the inventory. Now in the Files and Folders windows, you use the Up and Down buttons on your right side menu to move sources up or down.
6- Select Include masks & Exclude masks fields to filter the file & folder contents and then click ok
7- Select Next.
Media pool for full backup
8- New file to tape job wizard, Full Backup options. Select a media pool that you want to use for full backups. If you need to create a new media pool click here. Backup schedule option select the Run the full backup automatically checkbox to specify the full backup schedule and click next
9- Incremental Backup option, Select a media pool that will use for incremental backups. Backup schedule, select the Run incremental backup automatically checkbox and specify the schedule for the incremental backup.
10- Select Microsoft volume shadow copy (VSS) to enable backup of files with the help of Microsoft shadow volume copies. Select Eject media upon job completion option if you want tape automatically eject from the drive. Select Advanced
11- At the advanced settings. Then select the Notifications tab, Configure e-mail notification and then click ok
12- Select the Run the job when I click Finish option if you need to start file to tape job right and then click the Finish button.
13- Now files and folder job has been created and running
Archive Veeam Backup to AWS S3, The Veeam Backup & Replication solution offers backup, restore, and replication functionality for physical servers, virtual machines, and workstations as well as cloud-based workloads.
A native S3 interface for Veeam Backup & Replication is part of the Veeam Availability. It will allow us to push backups to an S3 compatible service to maximize backup capacity.
The following below steps will represent the functionality of Veeam Backup and Restore which acts as an intermediate agent to manage primary data storage and secondary & archival storage:
2- Backup Infrastructure tab, click on Backup Repositories, and then click Add Repository.
3- Select the Object storage as repository type.
4- Choose Amazon S3 as object storage type.
5- Type repository name, Description and then click next.
6- Select Add
7- To access Amazon S3 bucket type credentials and then click OK.
8- Select Data center region and then click Next.
9- Select the Datacenter region to use and the Bucket. Click the Browse button to specify the correct folder to use to store the backups.
10- Click New Folder and specify the folder name. Click OK.
11- You can enable the Limit object storage consumption option to keep storage costs under control. Choose Make recent backups immutable for days to use native object storage capabilities and specify the retention in days. Click Next.
12- Click Finish to save the configuration.
13- The new S3 Repository has been created successfully.
3- Configure a Scale-Out repository
Veeam Scale-out Backup Repository is a key technology for many/various additional competencies for managing backup data.
1- From the Backup Infrastructure tab, click on the Scale-out Repositories and then click Add Scale-out Repository to create a new one.
2- Enter a Name, a Description and then click next.
3- Click the Add button to specify the Performance Tier Extent.
“Configuring a Local Backup Repository” I have already configured a local backup repository name (Backup Repository Cloud).
4- Select the Repository to use then and then click OK.
5- After selecting the Performance Tier click next.
6- Choose Data locality option as Placement Policy then click next.
7- Enable the Extend Scale-out repository capacity with object storage option and select the S3 Repository previously created. This default value is set as 30 days. Click Apply.
8- Click Finish to create the Scale-out Repository.
9- Scale-out Repository created.
4- Create a Backup Job Veeam
Now we need to create a new Backup Job to take advantage of the Immutability feature.
1- Select Home, select backup job and then virtual machine.
2- Enter job name and click next.
3- Click add
4- Select virtual machine and then click OK.
5- Select from the Backup repository drop-down menu the just we have created Scale-out Repository and then click next.
6- Guest processing click next.
7- Backup schedule click next.
8- Summary click finish
9- Right click the created Backup Job and then select Start to start the backup immediately.
During the first execution, an Active Full Backup is being performed. If you are willing to test the archival process to the protected bucket, after the initial Full Backup you should perform some additional (incremental) backups. At least 3 additional Incremental Backups and one another Active Full Backup.
2 Full active backup and 3 Incremental backup
5- Move backups to the Cloud Tier Immutability
To move backups immediately to the selected Object Storage (Amazon S3).
1- Select the Backup Infrastructure option and expand the Scale-out Repositories. Select the Repository previously configured and then select Edit the Scale-out Repository.
2- Select Capacity Ties, set the Move backup files older than the field to 0, and then click Finish to save the configuration.
3- Hold CTRL & right-click on the Scale-out Backup Repository and then select Run tiering job now.
4- The offload process is started and backups are moved to the S3 Object Storage. I am going to stop this process because I have free trial AWS with one GB storage capacity. Just testing in my lab.
5- The backup will be also found in the AWS S3 bucket.
Adding an organization fails within the 401: Unauthorized and Connect to PowerShell Access Denied errors in Office 365 tenants with enabled Security Defaults
Require MFA (Multi-Factor Authentication) for all users, including administrators & Azure management. Require Azure MFA (Multi-Factor Authentication) registration Block legacy authentication
Conditional Access: Require MFA for all users Create a Conditional Access policy
The below steps will help you to create a Conditional Access policy to require All users to perform multi-factor authentication.
Adding an organization fails 401:
1- Signin Microsoft Azure as a security administrator, global administrator, or Conditional Access administrator. Select the Azure Active Directory
2- Select Security under manage tab.
3- Under protect tab select Conditional Access.
4- Click on + New policy.
5- Type your policy a name. We recommend that institutional create a meaningful standard for the names of their policies. Select Users and groups Under Assignments
6- Select Include tab, and then select All users.
7- Select Exclude tab and then select Users and groups.
8- Select your organization’s emergency access or break-glass accounts and then choose the select button.
9- Select Cloud apps or actions, select Include and select All cloud apps.
10- Select the Exclude tab, select excluded cloud apps, choose any applications that do not require multi-factor authentication, and click on the create button.
11- Choose the Conditions tab, select Client apps (Preview), and then select Configure to Yes. Under Select the client apps this policy will apply to leave all defaults selected and then select Done.
12- Under Access controls option select Grant, choose Grant access, select Require multi-factor authentication checkbox and select Select.
13- Confirm your settings and choose Enable policy to On. Select Save to create to enable your policy.
1- Connect Veeam Backup for Microsoft Office 365 console, select the Organizations view. On the Home tab, click Backup on the ribbon.
2- Backup Office 365 Email, Specify job name and description page, enter a name for your backup job, and then click Next.
3- Veeam new backup job wizard, select objects to back up window, select Back up entire organization if you have enough users license for the entire organization if not, you need to select Back up the following objects. You can add by users, groups, sites, and organizations. Click the Add button.
4- I am going to add a user for backup and then click add.
5- After adding a user for backup click the next button.
6- Select objects to exclude page, we can add by users, groups, sites & Organization. Click next after you add them.
7- New Veeam Backup job wizard, specify backup proxy and repository window, select backup proxy and Azure Blob backup repository and then click next.
8- Select scheduling options page, enter your schedule information, and then click Create.
9- Select the new created office 365 email backup job and then click Start.
10- Now you can see the office 365 email job in progress.
Add Office 365 Organization using modern authentication, after successfully configuring modern authentication now I am going to add organizations with veeam backup for office 365.
How to add to the Veeam Backup for Microsoft Office 365 scope, an Office 365 organization using modern authentication
Now I am ready to add our tenant to Veeam backup for Microsoft Office 365.
1- Open Veeam Backup for Office 365 console, select organization and then Add Org.
2- Select the Organizations deployment type, select the services you want to protect and then click next.
3- Select region of your tenant and which authentication you need to use. Of course we are going for the modern authentication now (allow for using legacy authentication protocols) and then click next.
4- Exchange Online Credentials setup we need to provide all our collected information. Meaning the application ID, the application secret, our username, the app password and then click next.
5- Click the close button after verifying connection and organization parameters. The tenant will be added to your Veeam console successfully.
6- Now you can see an Organization successfully added.
The release of version 4 of Veeam Backup for Office 365, now we are able to use the so-called modern authentication. This means using service accounts enabled for MFA (multi-factor authentication).
We need an Azure Active Directory custom application and a service account that has MFA (Multi-Facture Authentication) enabled. The custom application (App application) registered in Azure Active Directory will allow Veeam Backup for Office 365 to access the Microsoft Graph API. With this access, we can pick up the data from the “Microsoft Office 365 organization tenant”.
In this strategy, the service account will be used to connect to the EWS and PowerShell services.
Preparation
In instance, we want to use modern authentication with Veeam Backup for Office 365.
The below steps should be done for using the modern authentication.
Register a custom application in Azure Active Directory Collect your Application ID and Secret Create a new client secret Create a new service account in Azure Active Directory Enable Multi-Factor Authentication (MFA) on this service account Assign roles to the service account Grant a service account required roles and permissions Get App password for an MFA-enabled service account Add tenant to Veeam with the service account
Register a custom application in Azure Active Directory
1- Open your Azure Active Directory admin center under the Manage tab and then select App registration.
2- Click on + new registration Under App registrations tab.
3- Enter new custom application a name; select the supported account type and then click on the register button.
4- After creating a new custom application, we need to provide it with some permission. For that go to your newly created app application and then select the + API Permissions button.
5- Now we need to add Microsoft Graph permissions to our custom app application. In the request API permissions wizard and then select Microsoft Graph.
6- Select Application permissions.
7- Expand Director Option and select Directory.Read.All. Expand Group option and select Group.Read.All from the list of available permissions, and then click Add permissions 1- Directory.Read.All 2- Group.Read.All These two permissions are needed to access the organization tenant.
8- This type of permission requires administrator consent. To grant administrator consent, click on Grant admin consent for (tenant name).
9- Click Yes to confirm granting permissions
10- Successfully granted admin consent for the request permission, Click + Add a permission button.
11- Scroll down and then select SharePoint.
12- Select Application permission and expand sites, select Sites.FullControll.all and then click on add permission.
13- Click on Grant admin consent for (tenant name)
14- Click Yes to confirm granting permissions
15- Successfully configured permissions click on + Add a Permission button.
16- Scroll down and then select exchange options
17- Choose Application permissions.
18- Click on Grant admin consent for (tenant name)
19- Click Yes to confirm granting permissions
20- We have successfully registered a custom application in your Azure Active Directory and you have successfully set the required permissions.
How to get your Application secret
Create a new client secret
1- To create a new client secret for our newly created custom application. Under Manage select Certificates & secrets and then click on + New client secret button under client secrets.
2- Add a New client secret wizard, specify a description, an expiration date, and then click Add button.
We have successfully created your application secret. The secret can be reviewed in the main settings area of your custom application under the Certificates & secrets options.
Collect Application Secret
3- To collect application secrets, go to the Certificates & secrets settings within your custom application and copy and then save it in note pad the value of it.
Collect Application ID
4- The first thing you need to collect the application ID. If you go back to the main site of the app registrations, copy application (client) ID and then save it in a note pad.
How to create a new service account in Azure Active Directory
1- Now we need to create the service user, which will connect from Veeam Backup for Office 365 to your tenant. In the Office 365 admin center, click on + new user to create a user without a product license.
2- The user which we are going to create will be our service user for MFA (Multi-Factor Authentication). Type a name, initial password and then click on create
How to configure an MFA-enabled service account
After successfully created a service user, now we can proceed with activating MFA for it. Go back to the all users overview within your azure active directory admin center.
3- Select your newly created service user. Select … On the top right of the ribbon, and then select Multi-Factor Authentication.
4- Select your service user on the left side and then click enable (MFA) on the right side under quick steps.
5- Click on enable multi-factor auth button.
6- The account is successfully enabled for MFA. Click close.
7- Now you can review your user which is now enabled for MFA.
Assign roles to the service account
The user needs the correct permissions and roles to backup Exchange Online and SharePoint Online. We have the choice to do this via the Exchange Admin Center.
For Exchange Online (Global Administrator or Exchange Administrator) role. Additionally, you need the ApplicationImpersonation role.
For SharePoint Online (Global Administrator or SharePoint Administrator) role.
I have this as testing purposes and for this blog post. I would not recommend assigning the Global Administrator in a production environment. Either uses the Exchange Administrator and the SharePoint Administrator role.
1- Select user account (veeam_vbo).
2- Click on Assigned roles under manage and then click on + Add assignments.
3- Select the role in the Directory role wizard on the left hand side and then click add.
4- Successfully assigned the roles.
SharePoint Admin Center
1- Login with SharePoint Admin Center, select access control, and then Apps that don’t use modern authentication.
2- Verify allow access is selected.
How to grant a service account required roles and permissions
1- Add ApplicationImpersonation role via the Exchange Admin Center. Select the permission tab on the left-hand side. Under admin, roles click the + button to add a new role.
2- Type a role group name and description. Select the Write Scope to default and then click the + button.
3- Under Roles to add the ApplicationImpersonation, Mail Recipient, Mail Search, View only configuration, View only recipient role from the list, and then click ok.
5- Add a member, it means our service account for this new role group. For that click on the + button under Members.
6- Select your newly created service user, click on add button and then click OK.
7- Click on save button.
8- The user has been granted the ApplicationImpersonation role.
To get an app password for an MFA-enabled service account
1- The last thing we need to do before adding our tenant to Veeam Backup for Microsoft Office 365 is to collect your app password. Login with new user account & go through the additional security verification methods for this new account.
2- Now we need to select if we would like to receive text messages or if Microsoft calls you within the configuration of the phone verification. I am going to select an Authentication phone option (country code phone number) and select send me a code by text message and then click Next.
3- Type the verification code and then click on verify button.
4- This app password is wanted within the Tenant configuration in Veeam Backup for Office 365. Copy it in notepad or save it for our later use. Click on the done button.
5- After login to user office 365 account, click on my account icon and then click my account
6- You will be redirected to https://portal.office.com/account. Under my account select the Security & Privacy tab to create and manage your passwords. Click on create and manage passwords.
7- Additional security verification (app passwords) click on create button.
8- Enter a name and then click next.
9- Copy your password and save it in notepad and then click close.
10- You will need to sign in with this user if you have an existing service account. In the right-hand upper corner, select the settings and then your app settings (Office 365).
I have created a new user, so I don’t want to do that here.
Add Azure Blob Storage, In this guide, I will add a new Microsoft Azure blob storage repository to the Veeam Backup for Microsoft Office 365 backup infrastructure.
1- Open Veeam Backup for Microsoft Office 365, select the Backup Infrastructure tab and then select Backup Repositories.
6- Specify location for backup repository click next.
7- Specify if you want to extend your backup repository to object storage option, choose to offload backup data to object storage, and select Azure Blob (you just created it).
8- Choose Encrypt data uploaded to object storage, click Add for Password.
9- Enter a Password and then click OK.
10- Click the next button.
11- Specify retention policy settings, I am going to keep the default settings, click Advanced.
12- Advanced Settings wizard, you can change the retention policy schedule as you want and click ok.
13- Click Finish.
14- Now you can see storage repository successfully added.
