Sign In
English
Deutsch
Français
Русский
Italiano
Español
Nederlands
中文
日本
Český
Polski
Türkçe
Since the recent release of ESX 3.5 Update 2 and Veeam Backup 2.0, both featuring Microsoft Volume Shadow Copy Service (VSS) support, we've been getting many questions from our customers asking why this feature is needed.
It’s true that the whole VSS support issue around VMware disaster recovery solutions created a lot of confusion due to each vendor having different opinions about the usefulness of this feature, as well as different implementation approaches, with some of them being quite questionable. So I decided to perform some testing on real applications to investigate whether VSS support is really required for a disaster recovery solution, and what VSS support implementation approaches are the most correct at this moment.
For my testing, I used one of the most common mission-critical applications, an Active Directory domain controller. To make a long story short, here's the summary table for my testing results:
For the testing, I used my test lab containing a few clean domain controllers. I've chosen one domain controller (DC1) to perform all the testing on, and performed its backup of a live domain controller with the different VMware disaster recovery solutions listed in the table above. For all the solutions supporting VSS integration, I performed the backup with that option enabled.
As soon as I finished creating the backups, I switched to my test DC, created a few test users there to simulate post-backup activity, verified that the test users were replicated over to the other DC successfully, and crashed my test DC. Here's a short video for this step.
At this point, I shut down the remaining domain controller, and created a copy of the whole lab so that I could test recovery for all solutions in similar conditions. After testing recovery with each solution, I rolled the whole lab backup to this state.
Recovery testing showed that in the case of Veeam Backup 2.0, and the latest VMware Consolidated Backup, the recovered DC was fully functional.
One thing I noted, however, is that with VCB, the domain controller did not start up in the recovery mode during the first boot, as it did with Veeam Backup 2.0. According to however, when performing a VSS-integrated domain controller restore, the system must be rebooted in Directory Services Restore mode when Active Directory is running on the server (which is exactly our case). To my understanding, booting in this mode is required so that the NTDS.DIT file is not locked with Active Directory services, antivirus or other applications when the shadow copy restore is performed. So I don't know whether or not this domain controller restore approach is supported by Microsoft.
This video demonstrates the DC recovery process using the most correct VSS-integrated recovery implementation, as provided by Veeam Backup 2.0.
With all the other solutions I have tested (including vRanger Pro, which was originally the first to claim having VSS support), the recovered DC was not functional and was put into the condition known as an update sequence number rollback, or . The only way to recover a DC from rollback is to forcibly demote the domain controller, and reinstall it. Luckily, I had my lab fully preserved, so instead I could simply rollback the entire Active Directory.
This video demonstrates the DC recovery using a solution not featuring correctly implemented VSS support.
As you can see, some applications cannot be restored correctly by simply starting up the VM image, even when VSS is leveraged to perform the backup. Some applications, especially those featuring replication, require a certain sequence of actions to be restored from a backup made by leveraging VSS. Similar to the domain controller that I used to perform my testing, Microsoft Exchange Server is another example of a mission-critical application that must be restored using an application-specific restore technique (refer to for more information about VSS-integrated backup and restore of Microsoft Exchange server).
If you ask me why I am the first one to bring this issue up - I don't know. Could it be simply because no one ever tried to actually restore VMs to the production environment from their backups? I can understand how this type of issue could be overlooked in a small test lab setting, where typically only one DC is installed. But before you put your VMware backup solution into production – give some serious thought to the recoverability of the backups it produces.
For more detailed information on correctly using VSS in VMware environments, please read the "VMware and VSS: Application Backup and Recovery" white paper available at Veeam Backup product page.
about 3 years ago
hi
thats an excellent article and the reason why you dont see any body else talking about they are not many who wrote about it. You have started that and people would follow.
i am putting your link on my blog too.
bhanu
about 3 years ago
veeam needs VCB infrastructure in order to perform snapshot based VMDK backups. by using the VCB version 1.5 and VSS enabler that comes with the latest VMTools, VSS aware applications inside VMs can be backed up in a consistent manner.
q1: i wonder if veeam supports sending backups to a tape device?
q2: for file based restores from VMDKs, how/where do you keep related catalog info?
about 3 years ago
Gahadir,
Veeam does not Require VCB, you can also do a service console based backup of standard ESX servers. Veeam has it’s own implementation of VSS or you can opt to us the VSS enabler that comes with the latest VMTools through VCB.
a1) Veeam does not support sending data directly to a tape device unless that device presents itself as a drive or network share that the Windows server can connect to. Veeam does have a post job script ability to kickoff a tape backup once the job completes
a2) File level recovery is done directly from the backup file (image). At this time the individual files are not cataloged (since they’re not individually backed up) but Veeam provides an easy to use explorer like interface to browse for the files.
about 2 years ago
I would be very happy if you would update your test (or add it as second one) in which you take a detailed look to the new version 4 with support of vStorage API under an environment with ESX / vSphere 4 Enterprise against your competitors.
We must find the a solution for our planned new environment with 3 or 4 ESX Enterprise Servers while next month – at january 2010 the new servers should be ready to run and we must find and buy the best solution for it before!
In our actual (very old) environment with physical servers we use Symantec BackupExec v12. They offer also an addon to backup ESX-Servers / VMs. But is it a good idea or was another solution a better choice? We try in moment the new solution from Acronis, “Backup & Recovery” v10, a week ago we have seen a presentation about the bundle of a quantum DXi (with dedup) and esXpress which works as virtual appliances and it looks / sounds very smart. Some weeks ago we tested your product in version 3.5.
A big point for us is the support for MS SQL 2005 / 2008 and Exchange 2007. You make a test with a Domain-Controller for your article above and show / write that it works. Can Veeam Backup v4 also create (and restore!) consistent backups of SQL- and EXC-Servers? What is with their logfiles? While a “normal” backup with integrated mechanism of the SQL-Server I can cut them after writing the .bak-files. Is this also possible when I use Veeam Backup with VSS? And what’s the right way for Exchange? It was good if you can create a perfect backup with Veeam Backup but I can’t restore the full server normally – that’s the way for a real big desaster. In all other cases I’ll surely need only one mailbox or one mail in one mailbox…
about 2 years ago
Veeam v4 VSS integration module supports Exchange 2007 and SQL 2008 hot backups fine. We’ve been running v4 for over a month now, and we are performing backup testing weekly (restoring backups to test environment), it’s been flawless for us.
about 2 years ago
Dear Paul,
have you ever tried to restore all dcs in a domain at the same time ?
I tried to create a test environment by restoring the veeam-backups of all our 3 production dcs to vmware workstation (using the vm-copy backup method in veeam-backup).
Everything seemed to work according your restore video.
My problem was that on all the restored dcs the sysvol and netlogon shares were missing.
I think the problem is that after the restore all dcs are in a non-authoritative state.
I found the following kb-articel
which deals with this problem.
I followed the kb-article but was not able to get the netlogon-share up.
The sysvol-share appeared, but when I tried to start the netlogo-service I got an error message that the folder
C:\windows\sysvol\sysvol\lra-deg.local\scripts
does not exist.
Greetings Martin
about 2 months ago
thats really an excellent article.I am very happy and excited to read this blog this really very nice and informative.hope so see more helpful post in future.I appreciate your knowledge.thanks for that.