In celebration of Earth Day, we spoke to three Cisco experts about how our teams and individuals are driving Cisco’s leadership in sustainability.
Earth Day: What Makes Cisco a Sustainability Leader?
Today, we are going to discuss the Server Message Block (SMB) protocol, which is incorporated into all Windows versions, both client and server. It is enabled by default and used to share files and printers. There are rather few versions of this protocol, but it was SMB 2.0, released with Windows Vista in 2006, that considerably improved its performance. Today, the latest version is SMB 3.1.1, which was released with Windows 10 and Windows Server 2016.
The focus of this version was on security by adding support for more encryption algorithms, leaving the performance practically unchanged. And although we don’t get the new protocol version with Windows Server 2019, there is one novelty added to the SMB protocol that affects the client side.
With the release of Windows Server 2019 (also available in Windows 10 version 1809), SMB connections on the client side now can be used without the SMB cache. In certain scenarios, this will accelerate the transfer of files sent using this protocol.
Here’s how you find this new parameter:
- For the Command Prompt, it’s the WRITETHROUGH parameter for the command Net Use
- For PowerShell, it’s the UseWriteThrough parameter for New-SmbMapping cmdlet.
Let’s see how it works and when it’s a good idea to use it.
SMB operation without the WriteThrough/UseWriteThrough parameters
By default, when a Windows SMB client makes a connection to an SMB server, the client uses the SMB cache. Keep in mind that this SMB client can itself be a Windows Server.
An SMB client is a computer that makes the connection to a shared resource, and an SMB server is a computer that hosts that shared resource. The SMB cache is very useful in most cases. For example, imagine a user accessing their files on a file server. When they open a file for the first time, the SMB client downloads it completely but saves it in cache. When the user modifies the file and saves it, the file is not downloaded again; the load is faster since the file is in the cache. That is the default behaviour of the SMB cache for the SMB client and works in every Windows SMB version.
What is the WriteThrough parameter for?
This parameter lets you map a network unit with forced access (“direct write”), omitting all the operating system caches and forcing the read/write to disk.
Previously, “direct writing” was only possible in the shared resources of the cluster with the option marked “Continuous Availability.” In addition, version 3 of the SMB protocol and at least Windows Server 2012 were required. But with Windows Server 2019 and Windows 10 v.1809 you can now force the “direct write” from the client side.
Tip: To quickly check the version of your Windows Server (or Windows 10), run the winver command in either cmd or PowerShell.
When to use it?
This option can be used when we know for sure that the file that we’re going to write doesn’t exist at the destination yet and is of a considerable size. For example, it’ll be much faster for a backup software to write a backup file via SMB connection with “WriteThrough” parameter, avoiding the operating system’s cache.
How to enable the SMB WriteThrough connection
As previously noted, SMB connections are made from the SMB client, so to enable this, we would need to do the following.
WriteThrough with CMD
Execute the Net Use command to see the new WRITETHROUGH parameter:
Net Use \\Server\share /WriteThrough
If you want to assign a drive letter, execute:
Net Use (Drive letter): \\Server\share /WriteThrough
– Destination SMB Server: SYSADMIT-PC1
– Destination SMB Shared folder: SYSADMIT-Share
– Network unit: None
Example command would look like:
Net Use \\SYSADMIT-PC1\SYSADMIT-Share /WRITETHROUGH
WriteThrough with PowerShell
The equivalent to the Net Use command in PowerShell is the New-SmbMapping cmdlet. It also allows us to make SMB connections without caching using the UseWriteThrough parameter.
– Destination SMB Server: SYSADMIT-PC1
– Destination SMB Shared folder: SYSADMIT-Share
– Network unit: S:
Example command would look like:
New-SmbMapping -LocalPath 'S:' -RemotePath '\\SYSADMIT-PC1\SYSADMIT-Share' -UseWriteThrough $True
As you see, it’s pretty easy to utilize the WriteThrough ability with a few short commands. What’s important is to understand when it’s a good idea to use it, since in most cases using the cache is fine. But in certain scenarios, like creating new large files at the destination, we would benefit from going around the SMB cache.
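The backup scenario described above, as an added PowerShell example that is not part of the original post: it confirms the client actually has the UseWriteThrough parameter, refuses to overwrite an existing file, and compares hashes after the copy. The function name, file path and share names in the usage comment are placeholders.

```powershell
# Added example. Function name and usage values are hypothetical, not from the post.
function Copy-BackupWriteThrough {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SourceFile,  # local backup file to send
        [Parameter(Mandatory)] [string] $RemotePath   # UNC path of the destination share
    )

    # -UseWriteThrough exists only on Windows Server 2019 / Windows 10 1809 and later.
    # On older clients the parameter is missing and the mapping call would fail.
    $cmd = Get-Command -Name New-SmbMapping -ErrorAction Stop
    if (-not $cmd.Parameters.ContainsKey('UseWriteThrough')) {
        throw 'New-SmbMapping on this client has no -UseWriteThrough parameter.'
    }

    $target = Join-Path -Path $RemotePath -ChildPath (Split-Path -Path $SourceFile -Leaf)

    # Map the share without a drive letter, bypassing the SMB client cache.
    New-SmbMapping -RemotePath $RemotePath -UseWriteThrough $true -ErrorAction Stop | Out-Null
    try {
        # The post recommends write-through for files that do not exist at the destination yet.
        if (Test-Path -LiteralPath $target) {
            throw "Refusing to overwrite existing file: $target"
        }
        Copy-Item -LiteralPath $SourceFile -Destination $target -ErrorAction Stop

        # Read the copy back over the share and compare SHA-256 hashes.
        $sourceHash = (Get-FileHash -LiteralPath $SourceFile -Algorithm SHA256).Hash
        $targetHash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
        if ($sourceHash -ne $targetHash) {
            throw "Hash mismatch after copy to $target"
        }
        [pscustomobject]@{ Target = $target; SHA256 = $targetHash }
    }
    finally {
        # Drop the mapping so later connections use the default cached behaviour again.
        Remove-SmbMapping -RemotePath $RemotePath -Force -ErrorAction SilentlyContinue
    }
}

# Constructed usage (placeholder path and names):
# Copy-BackupWriteThrough -SourceFile 'D:\Backups\job1.vbk' -RemotePath '\\SYSADMIT-PC1\SYSADMIT-Share'
```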
The post When to use SMB WriteThrough in Windows Server 2019 appeared first on Veeam Software Official Blog.
Starting from the recently released version 3, Veeam Backup for Microsoft Office 365 allows for retrieving your cloud data in a more secure way by leveraging modern authentication. For backup and restores, you can now use service accounts enabled for multi-factor authentication (MFA). In this article, you will learn how it works and how to set up things quickly.
How does it work?
For modern authentication in Office 365, Veeam Backup for Microsoft Office 365 leverages two different accounts: an Azure Active Directory custom application and a service account enabled for MFA. An application, which you must register in your Azure Active Directory portal in advance, will allow Veeam Backup for Microsoft Office 365 to access Microsoft Graph API and retrieve your Microsoft Office 365 organizations’ data. A service account will be used to connect to EWS and PowerShell services.
Correspondingly, when adding an organization to the Veeam Backup for Microsoft Office 365 scope, you will need to provide two sets of credentials: your Azure Active Directory application ID with either an application secret or application certificate and your services account name with its app password:
Can I disable all basic authentication protocols in my Office 365 organization?
While Veeam Backup for Microsoft Office 365 v3 fully supports modern authentication, it has to fill in the existing gaps in Office 365 API support by utilizing a few basic authentication protocols.
First, for Exchange Online PowerShell, the AllowBasicAuthPowershell protocol must be enabled for your Veeam service account in order to get the correct information on licensed users, users’ mailboxes, and so on. Note that it can be applied on a per-user basis and you don’t need to enable it for your entire organization but for Veeam accounts only, thus minimizing the footprint for a possible security breach.
Another Exchange Online PowerShell authentication protocol you need to pay attention to is AllowBasicAuthWebServices. You can disable it within your Office 365 organization for all users — Veeam Backup for Microsoft Office 365 can make do without it. Note, though, that in this case you will need to use an application certificate instead of an application secret when adding your organization to Veeam Backup for Microsoft Office 365.
And last but not least, to be able to protect text, images, files, video, dynamic content and more added to your SharePoint Online modern site pages, Veeam Backup for Microsoft Office 365 requires LegacyAuthProtocolsEnabled to be set to $True. This basic authentication protocol takes effect for your entire SharePoint Online organization, but it is required to work with certain specific services, such as ASMX.
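The three settings above, applied with the narrowest scope the text allows, as an added PowerShell example (not Veeam's own script). It assumes an Exchange Online PowerShell session and a SharePoint Online Management Shell session are already open with admin rights; the account and policy names are placeholders.

```powershell
# Added example. Account and policy names are hypothetical placeholders.
$veeamAccount = 'veeam-svc@example.onmicrosoft.com'   # placeholder service account
$policyName   = 'Veeam Backup Service Account'        # hypothetical policy name

# A new authentication policy blocks Basic authentication for every protocol unless an
# Allow* switch is given. This one permits Exchange Online PowerShell only, so
# AllowBasicAuthWebServices stays disabled for the account.
if (-not (Get-AuthenticationPolicy | Where-Object Name -eq $policyName)) {
    New-AuthenticationPolicy -Name $policyName -AllowBasicAuthPowershell | Out-Null
}

# Per-user assignment: only the Veeam service account receives the exception.
Set-User -Identity $veeamAccount -AuthenticationPolicy $policyName

# SharePoint Online: this switch is tenant-wide, so change it only if it is not set yet.
if (-not (Get-SPOTenant).LegacyAuthProtocolsEnabled) {
    Set-SPOTenant -LegacyAuthProtocolsEnabled $true
}

# Verification: show what the policy allows ...
Get-AuthenticationPolicy -Identity $policyName |
    Format-List Name, AllowBasicAuth*

# ... and list every account that has an explicit authentication policy, to confirm
# the exception has not spread beyond the service account.
Get-User -ResultSize Unlimited |
    Where-Object { $_.AuthenticationPolicy } |
    Sort-Object AuthenticationPolicy |
    Format-Table UserPrincipalName, AuthenticationPolicy -AutoSize
```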
How can I get my application ID, application secret and application certificate?
Application credentials, such as an application ID, application secret and application certificate, become available on the Office 365 Azure Active Directory portal upon registering a new application in the Azure Active Directory.
To register a new application, sign into the Microsoft 365 Admin Center with your Global Administrator, Application Administrator or Cloud Application Administrator account and go to the Azure Active Directory admin center. Select New application registration under the App registrations section:
Add the app name, select Web app/API application type, add a sign-on URL (this can be any custom URL) and click Create:
Your application ID is now available in the app settings, but there are a few more steps to take to complete your app configuration. Next, you need to grant your new application the required permissions. Select Settings on the application’s main registration page, go to the Required permissions and click Add:
In the Select an API section, select Microsoft Graph:
Then click Select permissions and select Read all groups and Read directory data:
Note that if you want to use an application certificate instead of an application secret, you must additionally select the following APIs and corresponding permissions when registering a new application:
- Microsoft Exchange Online API access with the Use Exchange Web Services with full access to all mailboxes permission
- Microsoft SharePoint Online API access with the Have full control of all site collections permission
To complete granting permissions, you need to grant administrator consent. Select your new app from the list in the App registrations (Preview) section, go to API Permissions and click Grant admin consent for <tenant name>. Click Yes to confirm granting permissions:
Now your app is all set and you can generate an application secret and/or application certificate. Both are managed on the same page. Select your app from the list in the App registrations (Preview) section, click Certificates & secrets and select New client secret to create a new application secret or select Upload certificate to add a new application certificate:
For an application secret, you will need to add a description and an expiration period. Once it’s created, copy its value, for example, to Notepad, as it won’t be displayed again:
How can I get my app password?
If you already have a user account enabled for MFA for Office 365 and granted all the roles and permissions required by Veeam Backup for Microsoft Office 365, you can create a new app password the following way:
- Sign in to Office 365 with this account and pass additional security verification. Go to the user’s settings and click Your app settings:
- You will be redirected to https://portal.office.com/account, where you need to navigate to Security & privacy and select Create and manage app passwords:
- Create a new app password and copy it, for example, to Notepad. Note that the same app password can be used for multiple apps or a new unique app password can be created for each app.
Now you have all the credentials to start protecting your Office 365 data. When adding an Office 365 organization to the Veeam Backup for Microsoft Office 365 scope, make sure you select the correct deployment type (which is ‘Microsoft Office 365’) and the correct authentication method (which in our case is Modern authentication). Keep in mind that with v3, you can choose to use the same or different credentials for Exchange Online and SharePoint Online (together with OneDrive for Business). If you want to use separate custom applications for Exchange Online and SharePoint Online, don’t forget to register both in advance in a similar way as described in this article.
Today is Cloud Field Day 5, and Veeam will be presenting at 8.30am PST.
Cloud Field Day brings together innovative IT product vendors and independent thought leaders to share information and opinions in a presentation and discussion format. Independent bloggers, speakers, freelance writers, and podcasters have a public presence that has immense influence on the ways that products and companies are perceived by IT practitioners.
During this two-hour session, Anthony Spiteri, David Hill and Michael Cade will be discussing Veeam’s innovative integration with Public Cloud and Service Providers, and will be showcasing Veeam’s flagship features around Cloud Mobility, instant restore and other great features and capabilities.
Cloud Field Day has brought together a number of key delegates from the virtualization and cloud community. It is truly an interactive and informative session. For more information on the Cloud Field Day delegates click here.
To interact and chat with the presenters during the presentation, follow the links below for twitter information.
With Update 4’s exciting new cloud features, there are settings within AWS and Azure that you should familiarize yourself with to help negate some of the egress traffic costs, as well as help with security.
Right now, let’s talk about the scenarios where:
- You are backing up Azure/AWS instances, utilizing Veeam Backup & Replication with a Veeam Agent, while utilizing Capacity Tier all inside of AWS/Azure
- You have a SOBR instance in AWS/Azure and utilize Capacity Tier
- When N2WS backup and recovery/Veeam Availability for AWS performs a copy to Amazon S3
- If Veeam is deployed within AWS/Azure and you perform a DR2EC2 without a proxy or DR2MA
In AWS, by default, all traffic written into S3 from a resource within a VPC, such as an EC2 instance, faces egress costs in all of the scenarios listed above. The same applies when we archive data into S3 or do a disaster recovery to EC2, where Veeam uploads the virtual disk into S3 so that AWS can convert it to Elastic Block Store (EBS) volumes (AWS VMimport): by default, we face an egress charge per GB. There is the option to utilize a NAT gateway/instance, but again there is a price associated with that as well.
Thankfully, there is an option that you could enable, which is basically the “don’t charge me egress!” button. That feature is called VPC Endpoints for AWS and VNet Service Endpoints for Azure.
Limit AWS egress costs
“A VPC Endpoint enables you to privately connect your VPC to supported AWS services and VPC Endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network”.
You simply enable VPC Endpoints for your S3 service within that VPC and you will no longer face egress costs when an EC2 instance is sending data into S3. This is because the EC2 instance doesn’t need a public IP, internet gateway or NAT device to send data to S3.
Now that you have enabled the VPC Endpoint, I highly recommend that you create a bucket policy to specify which VPCs or external IP addresses can access the S3 bucket.
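One way to write the bucket policy recommended above, as an added PowerShell example (not from the original post). The bucket name, VPC ID and CIDR range are placeholders; the commented final line assumes the AWS Tools for PowerShell module is installed.

```powershell
# Added example. Function name and all sample values are placeholders.
function New-VpcRestrictedBucketPolicy {
    param(
        [Parameter(Mandatory)] [string]   $BucketName,
        [Parameter(Mandatory)] [string[]] $AllowedVpcId,  # VPCs that reach S3 via the endpoint
        [Parameter(Mandatory)] [string[]] $AllowedCidr    # external IP ranges, e.g. admin egress
    )

    $policy = [ordered]@{
        Version   = '2012-10-17'
        Statement = @(
            [ordered]@{
                Sid       = 'DenyUnlessFromAllowedVpcOrIp'
                Effect    = 'Deny'
                Principal = '*'
                Action    = 's3:*'
                Resource  = @("arn:aws:s3:::$BucketName", "arn:aws:s3:::$BucketName/*")
                # Condition operators in one statement are ANDed: the Deny fires only when
                # the request comes from neither an allowed VPC nor an allowed IP range.
                # aws:SourceVpc is set only for requests that arrive through the VPC
                # endpoint; aws:SourceIp is not available for those requests.
                Condition = [ordered]@{
                    StringNotEquals = @{ 'aws:SourceVpc' = $AllowedVpcId }
                    NotIpAddress    = @{ 'aws:SourceIp'  = $AllowedCidr }
                }
            }
        )
    }

    # -Depth is needed because the default depth would flatten the Condition block.
    $policy | ConvertTo-Json -Depth 10
}

# Constructed sample values. The explicit Deny applies to every principal, administrators
# included, so keep an IP range you control in AllowedCidr to avoid locking yourself out.
$json = New-VpcRestrictedBucketPolicy -BucketName 'example-backup-bucket' `
    -AllowedVpcId 'vpc-0123456789abcdef0' -AllowedCidr '203.0.113.0/24'
$json

# Apply with AWS Tools for PowerShell once the JSON has been reviewed:
# Write-S3BucketPolicy -BucketName 'example-backup-bucket' -Policy $json
```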
Limit Azure egress costs
Azure handles the egress costs from its instances into Blob in the same manner AWS does, but the nomenclature is different: Azure uses VNets instead of VPCs, and it too has a feature that can be enabled at the VNet level, VNet Service Endpoints.
“Virtual Network (VNet) service endpoints extend your virtual network private address space and the identity of your VNet to the Azure services, over a direct connection. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Traffic from your VNet to the Azure service always remains on the Microsoft Azure backbone network.”
With Azure, you can then set up a firewall within the storage account to limit internet access to that resource.
Again, this is for instances hosted within a VNet or VPC talking to their respective object storage within the same region, not on-premises to an S3/Azure storage account.
- Controlling Access to Services with VPC Endpoints
- Gateway VPC Endpoints
- How Do I Add an S3 Bucket Policy?
- Virtual Network Service Endpoints
- Configure Azure Storage firewalls and virtual networks
Today at Google Cloud NEXT, David Goeckeler unveiled the next phase of our journey with Google Cloud: the expansion of our multicloud and hybrid collaboration to include Google Cloud’s Anthos.
The Next Phase of Co-Innovation – Cisco and Google Cloud
Without a doubt, the automated reporting engine in Veeam Availability Orchestrator and the disaster recovery plan documentation it produces are among its most powerful capabilities. We’ve had a lot of overwhelmingly positive feedback on them from customers who benefit from them, and I feel that sharing some more insights into what these documents are capable of will help you understand how you can benefit from them, too.
Imagine coming in to work on a Monday morning to an email containing an attachment that tells you that your entire disaster recovery plan was tested over the weekend without you so much as lifting a finger. Not only does that attachment confirm that your disaster recovery plan has been tested, but it tells you what was tested, how it was tested, how long the test took, and what the outcome of the test was. If it was a success, great! You’re ready to take on disaster if it decides to strike today. If it failed, you’ll know what failed, why it failed, and where to start fixing things. The document that details this for you is what we call a “test execution report,” but that is just one of four fully-automated documentation types that Veeam Availability Orchestrator can put in your possession.
As soon as your first failover plan is created within Veeam Availability Orchestrator, you’ll be able to produce the plan definition report. This report provides an in-depth view into your entire disaster recovery plan’s configuration, as well as its components. This includes the groups of VMs included in that plan, the steps that will be taken to recover those VMs, and the applications they support in the event of a disaster, as well as any other necessary parameters. This information makes this report great for auditors and management, and can be used to obtain sign-off from application owners who need to verify the plan’s configuration.
Readiness check report
Veeam Availability Orchestrator contains many testing options, one of which we call a readiness check, a great sanity check that is so lightweight that it can be performed at any time. This test completes incredibly quickly and has zero impact on your environment’s performance, either in production or at the disaster recovery site. The resulting report documents the outcome of this test’s steps, including if the replica VMs are detected and prepared for failover, the desired RPO is currently met, the VMware vCenter server and Veeam Backup & Replication server are online and available, the required credentials are provided, and that the required failover plan steps and parameters have been configured.
Test execution report
Test execution reports are generated upon the completion of a test of the disaster recovery plan, powered by enhanced Veeam DataLabs that have been orchestrated and automated by Veeam Availability Orchestrator. This testing runs through every step identified in the plan as if it were a real-world scenario and documents in detail everything you could possibly want to know. This makes it ideal for evaluating the disaster recovery plan, proactively troubleshooting errors, and identifying areas that can be improved upon.
This report is exactly the same as the test execution report but is only produced after the execution of a real-world failover.
Now that we understand the different types of reports and documentation available in Veeam Availability Orchestrator, I wanted to highlight some of the key features for you that will make them such an invaluable tool for your disaster recovery strategy.
All four reports are automatically created, updated and published based on your preferences and needs. They can be scheduled to complete at any frequency you see fit – daily, weekly, monthly, etc., but are also available on-demand with a single-click. This means that if management or an auditor ever wants the latest, you can hand them real-time, up-to-date documentation without the laborious, time-consuming and error-prone edits. You can even automate this step if you like by subscribing specific stakeholders or mailboxes to the reports relevant to them.
All four reports available with Veeam Availability Orchestrator ship in a default template format. This template may be used as-is, however, it is recommended to clone it (as the default template is not editable) and customize to your organization’s specific needs. Customization is key, as no two organizations are alike, and neither are their disaster recovery plans. You can include anything you like in your documentation, from logos, application owners, disaster recovery stakeholders and their contact information. Even all the 24-hour food delivery services in the area for when things might go wrong, and the team needs to get through the night. You name it, you can customize and include it.
Built-in change tracking
One of the most difficult things to stay on top of with disaster recovery planning is how quickly and dramatically environments can change. In fact, uncaptured changes are one of the most common causes behind disaster recovery failure. Plan definition reports conveniently contain a section titled “plan change log” that details any edits to the plan’s configuration, whether by automation or manual changes. This affords you the ability to track things like who changed plan settings, when they were changed, and what was changed so that you can preemptively understand if a change was made correctly or in error, and account for it before a disaster happens.
Proactive error detection
The actionable information available in both readiness check and test execution reports enables you to eradicate risk to your disaster recovery plan’s viability and reliability. By knowing what will and what will not work ahead of time (e.g. a recovery that takes too long or a VM replica that has not been powered down post-test), you’re able to identify and proactively remediate any plan errors that occur before disaster. This in turn delivers confidence to you and your organization that you will be successful in a real-world event. Luckily in the screenshot below, everything succeeded in my test.
Understanding compliance requirements laid out by your organization or an external regulatory body is one thing. Assuring that those compliance requirements have been met today and in the past when undergoing a disaster recovery audit is another, and failure to do so can have costly repercussions. Veeam Availability Orchestrator’s reports enable you to prove that your plan can meet measures like maximum acceptable outage (MAO) or recovery point objectives (RPO), whether they’re defined by governing bodies like SOX, HIPAA, SEC, or an internal SLA regulation.
If you’d like to learn more about how Veeam Availability Orchestrator can help you meet your disaster recovery documentation needs and more, schedule a demo with your Veeam representative, or download the 30-day FREE trial today. It contains everything you need to get started, even if you’re not currently a Veeam Backup & Replication user.
The post Disaster recovery plan documentation with Veeam Availability Orchestrator appeared first on Veeam Software Official Blog.
Veeam is excited to be a Global Diamond Sponsor at all 39 AWS Summits around the world, participating jointly with N2WS, our top-rated AWS backup and DR solution. These events are a great opportunity for organizations not only to learn about the latest innovations in areas like cloud mobility, data retention, and disaster recovery, but also to engage with the AWS community and exchange the latest best practices around the cloud. Check here for the latest schedule of AWS Summits — they’re free events so there’s no excuse not to attend!
What you’ll see from Veeam and N2WS at AWS Summits
Veeam will showcase our latest cloud solutions at all AWS Summits through live demos, sponsored sessions, theater sessions, and meetings with our experts. This will include deep dives on:
- Veeam Availability Suite 9.5 Update 4: Introduced earlier this year, this product unveils several major cloud capabilities with one of the biggest additions being Veeam Cloud Tier. Cloud Tier provides unlimited capacity for long-term data retention by using native, cost-effective object storage integrations with Amazon S3 and other public clouds. Another great feature of Update 4 is Veeam Cloud Mobility, providing easy portability and recovery of any on-premises or cloud-based workloads to AWS and other public clouds.
- Veeam Availability for AWS: This new solution combines the market-leading N2WS cloud-native backup and recovery of AWS workloads with the ability to consolidate the backup data in a central Veeam repository. This enables customers to reliably move data to and holistically manage across multi-cloud environments. It also mitigates the risk of losing access to cloud applications and ensures protection of AWS data against accidental deletion, loss of AWS account access, data-level security threats and outages.
- N2WS Backup & Recovery: A cloud-native backup tool built specifically for AWS, this point solution gives customers the ability to automatically back up AWS data as often as needed and recover it far more quickly than with traditional on-premises backup solutions, simplifying workloads and saving time and resources.
While the cloud delivers significant business benefits, based on the AWS shared responsibility model, businesses must still take direct action to guard data and enable business continuity in the event of an outage or disaster. Veeam’s solutions and its expanding partnership with AWS enable businesses to achieve this goal and take ownership of their cloud data.
Are you attending an AWS Summit? Join us at the Veeam N2WS booth and let’s talk cloud data protection!
If you cannot make it to AWS Summits this year, check out our multi-cloud demos online.
It is no secret anymore, you need a backup for Microsoft Office 365! While Microsoft is responsible for the infrastructure and its availability, you are responsible for the data as it is your data. And to fully protect it, you need a backup. It is the individual company’s responsibility to be in control of their data and meet the needs of compliance and legal requirements. In addition to having an extra copy of your data in case of accidental deletion, here are five more reasons WHY you need a backup.
With that quick overview out of the way, let’s dive straight into the new features.
Increased backup speeds from minutes to seconds
With the release of Veeam Backup for Microsoft Office 365 v2, Veeam added support for protecting SharePoint and OneDrive for Business data. Now with v3, we are improving the backup speed of SharePoint Online and OneDrive for Business incremental backups by integrating with the native Change API for Microsoft Office 365. This speeds up backup times by up to 30 times, which is a huge game changer! The feedback we have seen so far is amazing and we are convinced you will see the difference as well.
Improved security with multi-factor authentication support
Multi-factor authentication is an extra layer of security with multiple verification methods for an Office 365 user account. As multi-factor authentication is the baseline security policy for Azure Active Directory and Office 365, Veeam Backup for Microsoft Office 365 v3 adds support for it.
This capability allows Veeam Backup for Microsoft Office 365 v3 to connect to Office 365 securely by leveraging a custom application in Azure Active Directory along with an MFA-enabled service account and its app password to create secure backups.
From a restore point of view, this will also allow you to perform secure restores to Office 365.
Veeam Backup for Microsoft Office 365 v3 will still support basic authentication, however, using multi-factor authentication is advised.
By adding Office 365 data protection reports, Veeam Backup for Microsoft Office 365 will allow you to identify unprotected Office 365 user mailboxes as well as manage license and storage usage. Three reports are available via the GUI (as well as PowerShell and RESTful API).
The License Overview report gives insight into your license usage. It shows detailed information on licenses used for each protected user within the organization. As a Service Provider, you will be able to identify the top five tenants by license usage and bring the license consumption under control.
Storage Consumption report shows how much storage is consumed by the repositories of the selected organization. It will give insight on the top-consuming repositories and assist you with daily change rate and growth of your Office 365 backup data per repository.
Mailbox Protection report shows information on all protected and unprotected mailboxes helping you maintain visibility of all your business-critical Office 365 mailboxes. As a Service Provider, you will especially benefit from the flexibility of generating this report either for all tenant organizations in the scope or a selected tenant organization only.
Simplified management for larger environments
Microsoft’s Extensible Storage Engine has a file size limit of 64 TB per year. The workaround for this, for larger environments, was to create multiple repositories. Starting with v3, this limitation and the manual workaround is eliminated! Veeam’s storage repositories are intelligent enough to know when you are about to hit a file size limit, and automatically scale out the repository, eliminating this file size limit issue. The extra databases will be easy to identify by their numerical order, should you need it:
Flexible retention options
Another top question is about the retention type used. The default retention type can best be seen as an “item-level” backup method, where Veeam Backup for Microsoft Office 365 backs up and stores the data modified between now and the defined retention period. To give a simple example, if the retention period is set to 5 years, everything between today and 5 years ago will be protected. Tomorrow’s backup will add data modified or added within that day and remove the oldest data whose modification date falls out of the specified retention period.
The described retention behavior perfectly meets the needs of companies who don’t want to store more data than their internal policy requires. But those who have already been using Veeam’s flagship solutions for years found this confusing, as they are used to the full and forever incremental backup approach.
We listened to your feedback! Starting with Veeam Backup for Microsoft Office 365 v3, you can leverage the similar “snapshot-based” retention type. Within the configuration of the repository, there are two options now to choose from: Item-level retention and Snapshot-based retention.
Based upon the choice, backup jobs pointing to this repository will apply the retention type. This is a global setting per repository. Also note that once you set your retention option, you will not be able to change it.
As Microsoft released new major versions for both Exchange and SharePoint, we have added support for Exchange and SharePoint 2019.
We have made a change to the interface and now support internet proxies. This was already possible in previous versions by leveraging a change to the XML configuration, however, starting from Veeam Backup for Microsoft Office 365 v3, it is now an option within the GUI. As an extra, you can even configure an internet proxy per any of your Veeam Backup for Microsoft Office 365 remote proxies. All of these new options are also available via PowerShell and the RESTful API for all the automation lovers out there.
On the point of license capabilities, we have added two new options as well:
- Revoking an unneeded license is now available via PowerShell
- Service Providers can gather license and repository information per tenant via PowerShell and the RESTful API and create custom reports
To keep a clean view on the Veeam Backup for Microsoft Office 365 console, Service Providers can now give organizations a custom name.
Based upon feature requests, starting with Veeam Backup for Microsoft Office 365 v3, it is possible to exclude or include specific OneDrive for Business folders per job. This feature is available via PowerShell or RESTful API.
Go to the What’s New page for a full list of all the new capabilities in Veeam Backup for Microsoft Office 365.
Time to start testing?
There’s no better time than the present for you to get your hands on Office 365 backup. Download Veeam Backup for Microsoft Office 365 v3, or try Community Edition FREE forever for up to 10 users and 1 TB of SharePoint data.