1- Connect Veeam Backup for Microsoft Office 365 console, select the Organizations view. On the Home tab, click Backup on the ribbon.
2- Backup Office 365 Email, Specify job name and description page, enter a name for your backup job, and then click Next.
3- Veeam new backup job wizard, select objects to back up window, select Back up entire organization if you have enough users license for the entire organization if not, you need to select Back up the following objects. You can add by users, groups, sites, and organizations. Click the Add button.
4- I am going to add a user for backup and then click add.
5- After adding a user for backup click the next button.
6- Select objects to exclude page, we can add by users, groups, sites & Organization. Click next after you add them.
7- New Veeam Backup job wizard, specify backup proxy and repository window, select backup proxy and Azure Blob backup repository and then click next.
8- Select scheduling options page, enter your schedule information, and then click Create.
9- Select the new created office 365 email backup job and then click Start.
10- Now you can see the office 365 email job in progress.
Add Office 365 Organization using modern authentication, after successfully configuring modern authentication now I am going to add organizations with veeam backup for office 365.
How to add to the Veeam Backup for Microsoft Office 365 scope, an Office 365 organization using modern authentication
Now I am ready to add our tenant to Veeam backup for Microsoft Office 365.
1- Open Veeam Backup for Office 365 console, select organization and then Add Org.
2- Select the Organizations deployment type, select the services you want to protect and then click next.
3- Select region of your tenant and which authentication you need to use. Of course we are going for the modern authentication now (allow for using legacy authentication protocols) and then click next.
4- Exchange Online Credentials setup we need to provide all our collected information. Meaning the application ID, the application secret, our username, the app password and then click next.
5- Click the close button after verifying connection and organization parameters. The tenant will be added to your Veeam console successfully.
6- Now you can see an Organization successfully added.
The release of version 4 of Veeam Backup for Office 365, now we are able to use the so-called modern authentication. This means using service accounts enabled for MFA (multi-factor authentication).
We need an Azure Active Directory custom application and a service account that has MFA (Multi-Facture Authentication) enabled. The custom application (App application) registered in Azure Active Directory will allow Veeam Backup for Office 365 to access the Microsoft Graph API. With this access, we can pick up the data from the “Microsoft Office 365 organization tenant”.
In this strategy, the service account will be used to connect to the EWS and PowerShell services.
Preparation
In instance, we want to use modern authentication with Veeam Backup for Office 365.
The below steps should be done for using the modern authentication.
Register a custom application in Azure Active Directory Collect your Application ID and Secret Create a new client secret Create a new service account in Azure Active Directory Enable Multi-Factor Authentication (MFA) on this service account Assign roles to the service account Grant a service account required roles and permissions Get App password for an MFA-enabled service account Add tenant to Veeam with the service account
Register a custom application in Azure Active Directory
1- Open your Azure Active Directory admin center under the Manage tab and then select App registration.
2- Click on + new registration Under App registrations tab.
3- Enter new custom application a name; select the supported account type and then click on the register button.
4- After creating a new custom application, we need to provide it with some permission. For that go to your newly created app application and then select the + API Permissions button.
5- Now we need to add Microsoft Graph permissions to our custom app application. In the request API permissions wizard and then select Microsoft Graph.
6- Select Application permissions.
7- Expand Director Option and select Directory.Read.All. Expand Group option and select Group.Read.All from the list of available permissions, and then click Add permissions 1- Directory.Read.All 2- Group.Read.All These two permissions are needed to access the organization tenant.
8- This type of permission requires administrator consent. To grant administrator consent, click on Grant admin consent for (tenant name).
9- Click Yes to confirm granting permissions
10- Successfully granted admin consent for the request permission, Click + Add a permission button.
11- Scroll down and then select SharePoint.
12- Select Application permission and expand sites, select Sites.FullControll.all and then click on add permission.
13- Click on Grant admin consent for (tenant name)
14- Click Yes to confirm granting permissions
15- Successfully configured permissions click on + Add a Permission button.
16- Scroll down and then select exchange options
17- Choose Application permissions.
18- Click on Grant admin consent for (tenant name)
19- Click Yes to confirm granting permissions
20- We have successfully registered a custom application in your Azure Active Directory and you have successfully set the required permissions.
How to get your Application secret
Create a new client secret
1- To create a new client secret for our newly created custom application. Under Manage select Certificates & secrets and then click on + New client secret button under client secrets.
2- Add a New client secret wizard, specify a description, an expiration date, and then click Add button.
We have successfully created your application secret. The secret can be reviewed in the main settings area of your custom application under the Certificates & secrets options.
Collect Application Secret
3- To collect application secrets, go to the Certificates & secrets settings within your custom application and copy and then save it in note pad the value of it.
Collect Application ID
4- The first thing you need to collect the application ID. If you go back to the main site of the app registrations, copy application (client) ID and then save it in a note pad.
How to create a new service account in Azure Active Directory
1- Now we need to create the service user, which will connect from Veeam Backup for Office 365 to your tenant. In the Office 365 admin center, click on + new user to create a user without a product license.
2- The user which we are going to create will be our service user for MFA (Multi-Factor Authentication). Type a name, initial password and then click on create
How to configure an MFA-enabled service account
After successfully created a service user, now we can proceed with activating MFA for it. Go back to the all users overview within your azure active directory admin center.
3- Select your newly created service user. Select … On the top right of the ribbon, and then select Multi-Factor Authentication.
4- Select your service user on the left side and then click enable (MFA) on the right side under quick steps.
5- Click on enable multi-factor auth button.
6- The account is successfully enabled for MFA. Click close.
7- Now you can review your user which is now enabled for MFA.
Assign roles to the service account
The user needs the correct permissions and roles to backup Exchange Online and SharePoint Online. We have the choice to do this via the Exchange Admin Center.
For Exchange Online (Global Administrator or Exchange Administrator) role. Additionally, you need the ApplicationImpersonation role.
For SharePoint Online (Global Administrator or SharePoint Administrator) role.
I have this as testing purposes and for this blog post. I would not recommend assigning the Global Administrator in a production environment. Either uses the Exchange Administrator and the SharePoint Administrator role.
1- Select user account (veeam_vbo).
2- Click on Assigned roles under manage and then click on + Add assignments.
3- Select the role in the Directory role wizard on the left hand side and then click add.
4- Successfully assigned the roles.
SharePoint Admin Center
1- Login with SharePoint Admin Center, select access control, and then Apps that don’t use modern authentication.
2- Verify allow access is selected.
How to grant a service account required roles and permissions
1- Add ApplicationImpersonation role via the Exchange Admin Center. Select the permission tab on the left-hand side. Under admin, roles click the + button to add a new role.
2- Type a role group name and description. Select the Write Scope to default and then click the + button.
3- Under Roles to add the ApplicationImpersonation, Mail Recipient, Mail Search, View only configuration, View only recipient role from the list, and then click ok.
5- Add a member, it means our service account for this new role group. For that click on the + button under Members.
6- Select your newly created service user, click on add button and then click OK.
7- Click on save button.
8- The user has been granted the ApplicationImpersonation role.
To get an app password for an MFA-enabled service account
1- The last thing we need to do before adding our tenant to Veeam Backup for Microsoft Office 365 is to collect your app password. Login with new user account & go through the additional security verification methods for this new account.
2- Now we need to select if we would like to receive text messages or if Microsoft calls you within the configuration of the phone verification. I am going to select an Authentication phone option (country code phone number) and select send me a code by text message and then click Next.
3- Type the verification code and then click on verify button.
4- This app password is wanted within the Tenant configuration in Veeam Backup for Office 365. Copy it in notepad or save it for our later use. Click on the done button.
5- After login to user office 365 account, click on my account icon and then click my account
6- You will be redirected to https://portal.office.com/account. Under my account select the Security & Privacy tab to create and manage your passwords. Click on create and manage passwords.
7- Additional security verification (app passwords) click on create button.
8- Enter a name and then click next.
9- Copy your password and save it in notepad and then click close.
10- You will need to sign in with this user if you have an existing service account. In the right-hand upper corner, select the settings and then your app settings (Office 365).
I have created a new user, so I don’t want to do that here.
System Center Virtual Machine, in the article I will guide you on how to install Microsoft’s System Center Virtual Machine Manager 2019 (SCVMM). If you run Microsoft’s Hyper-V as your virtualization platform then you probably want a way to manage your Hyper-V hosts as well as the virtual machines that reside on this.
4- Virtual Machine Libraries Configuration click here
Install System Center Virtual Machine Manager
I am using a trial version of SCVMM which we can download if from the Microsoft Website
1- Browse the windows explorer to install SCVMM. Double click on SCVMM_2019.exe to start the installation.
2- The SCVMM install welcome screen, click next.
3- Accept the SCVMM license agreement and then click on next.
4- The SCVMM installer needs to extract the downloaded files. Please select a destination folder location and make sure you have enough free disks space (approximately 28GB) then click on next.
5- Confirm the settings and folder where you want to extract then click on Extract.
6- The installation files start extracting. This will take a few minutes to complete the extraction process.
7- Now the extraction of SCVMM is complete. Click on finish button.
Open your Hyper-V manager console and connect to your SCVMM host. Now we need to build a new VM for the System Center Virtual Machine Manager server.
8- Right click on host then click new and then Virtual Machine.
9- New Virtual Machine Wizard, click the next button to proceed.
10- Type your VM name (SCVMM) and select where to store the VM files. Click Next.
11- Choose Generation 1 and then click next.
12- The minimum memory recommended 4GB so as this is just a test lab, click on next.
13- Select a virtual switch you want to deploy this VM to then click next.
14- This is one of the most important parts of the System Center Virtual Machine install process, make sure to change the virtual hard disk to Use an existing virtual hard disk and browse to the extracted location of the SCVMM download. Select SCVMM_2019 VM and then click next.
15- Review the Summary of System Center virtual machine and then click on Finish.
Configure System Center Virtual Machine Manager
16- Hyper-V manager console and browse through your virtual machines the one we newly deployed System center virtual machine. Right-click on SCVMM and then click connect.
17- Virtual Machine window opens click the start button.
18- System center virtual machine starting Services.
19- Now we have run through the Windows 2019 server installation. Select your country/region and then click next.
20- Click Accept.
21- Type a local administrator password and then click the finish button.
22- Windows 2019 server successfully installed, log in to the server with the local administrator credentials.
Now we need to join the System center virtual machine to a domain. Click Here
In the next article, we need to start the installation of the SQL Database. On the desktop of Server 2019 VM, we can see Microsoft has placed two icons for me to use to start the SCVMM installation.
Install Windows Assessment and Deployment KIT. In this article I will cover the steps to install the latest version of Windows ADK for SCVMM (System Center Virtual Machine Manager). Windows ADK is an external dependency when you install SCVMM. There are 2 ways to install the Windows ADK. Via GUI and via command line. We have to download ADK – Windows PE and install them one by one. We install Windows ADK first and then add Windows PE to our ADK installation.
Select the Install Windows Assessment and Deployment Kit and then click next.
3- If you want to send or not to send anonymous usage data to Microsoft, then click next.
4- Windows assessment and deployment Click accept the license terms.
5- To install Windows ADK for SCVMM, Select the features you want to install and then click on Install.
6- Windows assessment and deployment kit installing features.
7- The Windows ADK installation is complete. Click the close button.
Install Windows PE Add-on for Windows ADK
8- In the above steps, we installed Windows ADK. Now we will install the Windows PE add-on for Windows ADK. Download adkwinpesetup.exe and then double click on it to run.
9- Select Install ADK Windows Preinstallation environment add-ons and then click next.
10- To accept license terms, click the Accept button.
11- Now you can see there is only a feature that is included which is the Windows Preinstallation Environment (Windows PE).
In this article, I am going to explore how to Add MX Record in DNS Manager Server. MX themselves stands for Mail Exchange and is a necessity when configuring the email server
1- Expand Forward Lookup Zones right-click on your external domain (xpertstec.com) and then select New Mail Exchange (MX).
2- So, click browse.
3- Select your DNS server > Forward lookup zones > your external domain (xpertstec.com) > select mail and click ok.
Alias CNAME Record, In this post, I can use this method to add an Alias canonical name (CNAME) reserve record for your Web server to a zone in Domain Name Server on your domain controller.
Add Alias CNAME Record
1- Expand Forward Lookup Zones and right-click on your external domain (xpertstec.com) and then select New Alias (CNAME).
2- within the Name, field Aname (autodiscover) for your certificate and then click on browse.
3- Select your DNS server > Forward lookup zones > your external domain (xpertstec.com) > so select mail and click ok.
A forward lookup zone is a critical component of DNS (Domain Name System) that helps to match domain names with the appropriate IP addresses. When you type a domain name into your web browser, DNS is responsible for finding the correct IP address so that you can load the website.
Without DNS, you would have to remember the IP address of every website you wanted to visit, which would be nearly impossible.
Forward lookup zones use a series of DNS records to store information about a domain and its associated IP address. The most common DNS record is the A record, which maps a domain name to an IP address.
There are also CNAME records, which can be used to redirect one domain to another, and MX records, which route email messages to the correct server. Creating and maintaining a lookup zone is critical for any administrator.
In this article, I’m going to discuss How to Create a Forward look-up zone is a Domain Name System zone in which hostname to IP address and IP address to hostname relations is saved.
1- On your active directory DNS server, open DNS Manager Right click on forward lookup zone and select New Zone.
2- Click Next.
3- Default settings click next.
4- Default settings so click next.
5- In the Forward Lookup Zone Name field enter your external domain name (my external domain is xpertstec.com).
6- We will manually create all the records in this zone so select do not allow dynamic updates click next.
1- Expand Forward Lookup Zones and select your external domain (xpertstec.com) On the right side imply place right-click and then select New Mail Exchange (MX).
2- So, click browse.
3- Select your DNS server > Forward lookup zones > your external domain (xpertstec.com) > select mail and then click ok.
Add Host A Record in DNS Manager Microsoft Windows Server 2012
Host A Record DNS Manager
Open DNS Manager in windows server 2012
1- Expand Forward Lookup Zones and select your external domain (xpertstec.com) On the right side imply place right-click and then select New Host (A or AAAA).
2- In the Name, field type the first name on your certificate. within the IP address field type the interior IP of your Exchange server. for instance, it is 10.0.0.24 Click Add Host
3- The host record created successfully and then click ok.
