
Microsoft LAPS deployment and configuration guide

Source: Veeam

If you haven’t come across the term “LAPS” before, you might wonder what it is. The acronym stands for “Local Administrator Password Solution.” LAPS is a piece of software that generates a password for the local administrator account and stores that password in plain text in an Active Directory (AD) attribute.

Storing passwords in plain text may sound counter to all good security practices, but because LAPS uses Active Directory permissions, those passwords can only be seen by users who have been given the right to see them, or who are in a group with that right.

The main use case is that you can freely give out the local admin password to someone who is travelling and might have problems logging in with cached account credentials. You can then have LAPS request a new password the next time that machine talks to an on-site AD over a VPN.

The tool is also useful for applications that have an auto login capability. The recently released Windows Admin Center is a great example of this:

To set up LAPS, there are a few things you will need to do to get it working properly.

  1. Download the LAPS MSI file
  2. Schema change
  3. Install the LAPS Group Policy files
  4. Assign permissions to groups
  5. Install the LAPS DLL

Download LAPS

LAPS comes as an MSI file, which you can download from Microsoft; you will need to download it and install it onto a client machine.

Schema change

LAPS needs to add two attributes to Active Directory, the administrator password and the expiration time. Changing the schema requires the LAPS PowerShell component to be installed. When done, launch PowerShell and run the commands:

Import-Module AdmPwd.PS

Update-AdmPwdADSchema

You need to run these commands while logged in to the network as a schema admin.

Install the LAPS group policy files

The group policy templates need to be installed onto your AD servers. The *.admx file goes into the “Windows\PolicyDefinitions” folder and the *.adml file goes into “Windows\PolicyDefinitions\[language]”.

Once installed, you should see a LAPS section in GPMC under Computer configuration -> Policies -> Administrative Templates -> LAPS

The four options are as follows:

Password settings — This lets you set the complexity of the password and how often it is required to be changed.

Name of administrator account to manage — This is only required if you rename the administrator to something else. If you do not rename the local administrator, then leave it as “not configured.”

Do not allow password expiration time longer than required by policy — On some occasions (e.g. if the machine is remote), the device may not be on the network when the password expiration time is up. In those cases, LAPS will wait to change the password. If you set this to FALSE, then the password will be changed regardless of whether the machine can talk to AD or not.

Enable local password management — Turns on the group policy (GPO) and allows the computer to push the password into Active Directory.

The only option that needs to be altered from “not configured” is the “Enable local admin password management,” which enables the LAPS policy. Without this setting, you can deploy a LAPS GPO to a client machine and it will not work.

Assign permissions to groups

Now that the schema has been extended, the LAPS group policy needs to be configured and permissions need to be allocated. The way I do this is to set up an organizational unit (OU) whose computers will get the LAPS policy, plus a read-only group and a read/write group.

Because LAPS is a push process (i.e. the LAPS client on the computer is the one that sets the password and pushes it to AD), the computer’s SELF object in AD needs to have permission to write to AD.

The PowerShell command to allow this to happen is:

Set-AdmPwdComputerSelfPermission -OrgUnit <name of the OU to delegate permissions>

To allow helpdesk admins to read LAPS-set passwords, we need to give a group that permission. I always set up a “LAPS Password Readers” group in AD, as it makes future administration easier. I do that with this line of PowerShell:

Set-AdmPwdReadPasswordPermission -OrgUnit <name of the OU to delegate permissions> -AllowedPrincipals <users or groups>

The last group I set up is a “LAPS Admins” group. This group can tell LAPS to reset a password the next time that computer connects to AD. This is also set by PowerShell and the command to set it is:

Set-AdmPwdResetPasswordPermission -OrgUnit <name of the OU to delegate permissions> -AllowedPrincipals <users or groups>

Once the necessary permissions have been set up, you can move computers into the LAPS enabled OU and install the LAPS DLL onto those machines.

LAPS DLL

Now that the OU and permissions have been set up, the admpwd.dll file needs to be installed onto all the machines in the OU that have the LAPS GPO assigned to them. There are two ways of doing this. First, you can simply select the admpwd dll extension when installing the LAPS MSI file.

Or, you can copy the DLL (admpwd.dll) to a location on the path, such as “%windir%\system32”, and then issue a regsvr32.exe AdmPwd.dll command. This process can also be included in a GPO start-up script or a golden image for future deployments.

Now that the DLL has been installed on the client, a gpupdate /force should allow the locally installed DLL to do its job and push the password into AD for future retrieval.
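The server-side steps above, run end to end from one elevated PowerShell session, as an added example (not code from the original post). It assumes a domain-joined admin host with the LAPS PowerShell module and the RSAT ActiveDirectory module installed; the OU DNs, group names and file share are placeholders for your environment.

```powershell
# Added example (not from the original post): server-side LAPS setup in one script.
# Placeholders (assumptions): OU DNs, group names, domain and file share below.
Import-Module AdmPwd.PS       -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

$LapsOu      = 'OU=LAPS Computers,DC=example,DC=com'   # OU that will carry the LAPS GPO
$GroupOu     = 'OU=Security Groups,DC=example,DC=com'  # where the delegation groups live
$ReaderGroup = 'LAPS Password Readers'                 # helpdesk: may read passwords
$AdminGroup  = 'LAPS Admins'                           # may read and force a reset

# 1. Schema extension, once per forest, as a member of Schema Admins. Guarded so the
#    script is safe to re-run: skip if the ms-Mcs-AdmPwd attribute already exists.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
if (-not (Get-ADObject -SearchBase $schemaNc -Filter "name -eq 'ms-Mcs-AdmPwd'")) {
    Update-AdmPwdADSchema | Out-Null
}

# 2. Create the two delegation groups if they are missing.
foreach ($name in $ReaderGroup, $AdminGroup) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -Path $GroupOu -GroupScope Global -GroupCategory Security
    }
}

# 3. LAPS is a push process: each computer's SELF object must be able to write its own
#    password and expiry attributes (ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime).
Set-AdmPwdComputerSelfPermission -OrgUnit $LapsOu | Out-Null

# 4. Readers get the extended right to read the confidential password attribute; admins
#    additionally get the right to clear the expiry, which forces a reset on the next
#    policy refresh of that computer.
Set-AdmPwdReadPasswordPermission  -OrgUnit $LapsOu -AllowedPrincipals $ReaderGroup, $AdminGroup | Out-Null
Set-AdmPwdResetPasswordPermission -OrgUnit $LapsOu -AllowedPrincipals $AdminGroup | Out-Null

# 5. Audit: list every principal that can now read passwords below this OU. Anything
#    other than the two groups above plus the built-in admin principals is a finding.
Find-AdmPwdExtendedRights -Identity $LapsOu |
    Select-Object ObjectDN, @{ n = 'Readers'; e = { $_.ExtendedRightHolders -join '; ' } }

# 6. Client side, run on each machine (e.g. from a GPO start-up script) when the MSI
#    extension is not used: register the DLL, then refresh policy to push the first password.
#    Copy-Item '\\files\laps\AdmPwd.dll' "$env:windir\System32\AdmPwd.dll"   # placeholder share
#    & regsvr32.exe /s "$env:windir\System32\AdmPwd.dll"
#    gpupdate.exe /force
```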

Retrieving passwords is straightforward. If the user in question has at least the LAPS read permission, they can use the LAPS GUI to retrieve the password.

The LAPS GUI can be installed by running the setup process and ensuring that “Fat Client UI” is selected. Once installed, it can be run just by launching the “LAPS UI.” Once launched, just enter the name of the computer you want the local admin password for and, if the permissions are set up correctly, you will see the password displayed.

If you do not, check that the GPO is being applied and that the permissions are set for the OU where the user account is configured.

Troubleshooting

Like anything, LAPS has a few quirks. The two most common ones I see are staff with permissions who cannot view passwords, and client machines that do not update the password as required.

The first thing to check is that the admpwd.dll file is installed and registered. Then, check that the GPO is applying to the server that you’re trying to change the local admin password on with the command gpresult /r. I always like to give applications like LAPS their own GPO to make this sort of troubleshooting much easier.

Next, check that the GPO is actually turned on. One of the oddities of LAPS is that it is perfectly possible to set everything in the GPO and assign the GPO to an OU, but it will not do anything unless the “Enable Local password management” option is enabled.

If there are still problems, double-check the permissions that have been assigned. LAPS won’t error out; the LAPS GUI will just show a blank for the password, which could mean either that the password has not been set or that the permissions have not been set correctly.

You can double-check permissions using the extended attribute section of Windows permissions. You can access this by launching Active Directory Users and Computers -> Browse to the computer object -> Properties -> Security -> Advanced

Double click on the security principal:

Scroll down and check that both Read ms-Mcs-AdmPwd and Write ms-Mcs-AdmPwd are ticked.
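A diagnostic for the two quirks above, as an added example (not code from the original post). Test-LapsClient runs on the affected machine; Test-LapsComputer runs from an admin host with the RSAT ActiveDirectory module, as the user whose access you are checking. It assumes the registry locations written by the LAPS MSI and GPO, and the OU DN in the usage line is a placeholder.

```powershell
# Added example (not from the original post): separate "client never pushed", "caller
# lacks the read right" and "password expired but not rotated" without the GUI.
Import-Module ActiveDirectory -ErrorAction Stop

function Test-LapsClient {
    # Quirk 2 (client does not update the password): the CSE must be registered AND the
    # "Enable local admin password management" setting must reach the box as AdmPwdEnabled=1.
    # Assumption: CSE GUID and policy key are the ones registered by the LAPS MSI/GPO.
    $cseKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}'
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
    $pol    = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DllPresent    = Test-Path (Join-Path $env:windir 'System32\AdmPwd.dll')
        CseRegistered = Test-Path $cseKey
        PolicyApplied = $null -ne $pol                 # some LAPS GPO reached this machine
        PolicyEnabled = ($pol.AdmPwdEnabled -eq 1)     # the one setting that turns LAPS on
    }
}

function Test-LapsComputer {
    # Quirk 1 (GUI shows a blank password). ms-Mcs-AdmPwdExpirationTime is not a confidential
    # attribute (normal object read suffices), while ms-Mcs-AdmPwd is. So: expiry present but
    # password blank means the caller lacks the read right; expiry absent means the client
    # never pushed a password at all (check the DLL/GPO on that client instead).
    param([Parameter(Mandatory)][string]$ComputerName)
    $c = Get-ADComputer -Identity $ComputerName -Properties 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'
    $expiry = $c.'ms-Mcs-AdmPwdExpirationTime'      # FILETIME as Int64, $null if never written
    $hasPwd = -not [string]::IsNullOrEmpty($c.'ms-Mcs-AdmPwd')

    $state = 'OK'
    if ($null -eq $expiry) { $state = 'ClientNeverPushed' }
    elseif (-not $hasPwd) { $state = 'NoReadPermission' }
    elseif ([datetime]::FromFileTimeUtc([int64]$expiry) -lt [datetime]::UtcNow) {
        # Past expiry (or cleared by Reset-AdmPwdPassword) and still the old value: the
        # client has not rotated yet, so it has not processed policy since.
        $state = 'ExpiredOrResetPending'
    }

    [pscustomobject]@{
        Computer = $c.Name
        State    = $state
        Expires  = if ($null -ne $expiry) { [datetime]::FromFileTime([int64]$expiry) } else { $null }
    }
}

# Usage: Test-LapsClient on the client; on the admin host, sweep every machine in the OU:
#   Get-ADComputer -SearchBase 'OU=LAPS Computers,DC=example,DC=com' -Filter * |
#       ForEach-Object { Test-LapsComputer -ComputerName $_.Name }
```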

In summary, LAPS works very well and it is a great tool for deployment to servers, especially laptops and the like. It can be a little tricky to get working, but it is certainly worth the time investment.


The post Microsoft LAPS deployment and configuration guide appeared first on Veeam Software Official Blog.



Veeam Intelligent Data Management for Huawei OceanStor

Source: Veeam

Veeam and Huawei recently released new, integrated storage snapshot and orchestration capabilities for customers using Veeam and Huawei OceanStor storage. This new Veeam Plug-in is based on the Veeam Universal Storage API and allows Veeam solutions to deliver higher levels of backup and recovery efficiency when paired with the Huawei OceanStor storage infrastructure.

The constant flow and management of data is taxing today’s organizations to their limit. Data has become hyper-critical to business, but IT organizations struggle to cope with their data’s hyper-growth and hyper-sprawl while protecting against data loss threats, ransomware, service outages and human error — all of which result in loss of business, productivity and reputation.

To address these new business and technical requirements, Veeam partnered with Huawei and other leading storage providers to deliver integrated data protection and storage solutions. OceanStor customers can now leverage Veeam storage integration for VMware environments, bringing new levels of Intelligent Data Management to their data center for better RTPO (recovery time and point objectives).

Faster, efficient backup for Huawei OceanStor

Backup operations strain production storage environments, resulting in lower performance. The new Veeam-Huawei integration brings agentless Veeam Backup from Storage Snapshots capabilities to OceanStor storage, increasing Veeam backup speed by 2x, and up to 10x faster compared to competing backup solutions.

Veeam’s use of VMware Changed Block Tracking while reading data from storage snapshots minimizes the performance impact on production VMs during backup. As a result, the VMware snapshot lifetime is lowered to minutes instead of hours — which is often the case when using VMware-based backups without storage snapshots.

During standard Veeam backup procedures, Veeam uses parallel disk backup to reduce the time window, but the VMware VM snapshot may be open for some time as would be expected. This leads to higher IO at the time of the VMware VM snapshot, and could cause a possible performance impact on the VM.

The new integration allows Veeam to create Huawei snapshots in the background directly after the VM snapshot creation. The result is nearly instantaneous. In the example below, the VMware VM snapshot is open only until the storage snapshot was created, lowering the time required for the VMware snapshot to be open.

While certain variables can come into play and affect performance, this level of performance will not be uncommon for Huawei OceanStor customers using Veeam Availability storage snapshot integration.

Orchestrate your Huawei OceanStor storage snapshots

Veeam integration with OceanStor also includes orchestration capabilities that reduce backup management complexity and increase efficiency. The new Veeam Plug-in can orchestrate application-consistent storage snapshots without the need for any agent installed within the VMs.

In most IT organizations, backups are ideally scheduled during off hours, when they will not affect performance. However, the realities of today’s business demands on IT infrastructures make this approach obsolete. In today’s world, “off hours” don’t exist anymore. Constant use of available compute and infrastructure resources is key to better return on investment, so low usage windows are harder to find. More importantly, backups need to be taken more often to protect against data loss. Where one backup a night was acceptable in the past, the continuous creation of recovery points to meet higher recovery point objectives is now the common service level demand.

Veeam snapshot orchestration helps you address this need with a mix of frequent crash-consistent and application-consistent snapshots.

Unlimited recovery options from storage snapshot

With Veeam Explorer for Storage Snapshots, you can use either a Veeam-orchestrated snapshot or any other existing Huawei storage snapshot to recover full VMs or single items, in whichever way is most efficient for the recovery situation.

Veeam integration brings new levels of flexibility for recovery with Huawei OceanStor storage. Full VM recovery is simple and quick, but more often than not, simple item recovery within a VM is the recovery use case.

Veeam Explorer for Storage Snapshots gives IT teams recovery of individual items without requiring the normal time and resource consuming process of re-provisioning a VM. This item-level recovery is supported for Microsoft Exchange, SQL, Active Directory and SharePoint objects through a simple Windows Explorer-like interface. Veeam allows data, files, emails and more to be pulled from backups and into the production environment with a few clicks. Recovering Oracle databases out of a storage snapshot is also supported.

Automated DR/recovery verification and DataLabs

The new Veeam Plug-in for Huawei also brings automation to one of the biggest pain points and inconsistencies most organizations struggle to address in their backup and recovery operations. That is the fact that most IT backup administrators can never really be sure they can recover from the restore points in a disaster or when data is lost.

With Veeam and Huawei integration, Veeam On-Demand Sandbox for Storage Snapshots automates the process of creating a completely isolated copy of your production environment, verifies the viability from the snapshot, reports that status, and then deprovisions the environment. Veeam builds the DataLab from recent storage snapshots created by Huawei or any other third-party software and runs through a complete routine to verify VM boot, network connections, and application function. When finished, Veeam then reports the test results via email or through enhanced reporting found in Veeam Availability Suite.

Creating what Veeam calls a DataLab addresses two core needs in modern IT infrastructures. First, it addresses the need for verified recoverability to meet regulatory and operational requirements, not to mention peace of mind for the IT team knowing they are prepared for disaster recovery when they are called.

Second, DataLabs are extremely valuable to address the needs of your development teams, or any others that constantly require a dedicated lab environment with real-world data for the purpose of new solution development, upgrade and deployment testing, as well as risk assessment and mitigation planning.

Veeam and Huawei OceanStor are better together

Huawei is the latest storage provider to partner with Veeam for more efficient data management, more efficient backup, and faster recovery. Regardless of whether you want to speed up your Veeam backups or if you want to use storage snapshots next to real backups to lower your RTPO, with the newly released Veeam Storage Plug-in for Huawei OceanStor, you are on the right track and ready for the future.





SysAdmin Day 2018: Are we administering systems like it is 2018?

Source: Veeam

Days of appreciation in the workplace are an interesting event. Whether it’s Administrative Professional’s Day, Boss’s Day, Day of the Programmer, or others I may have missed (and many in other fields, such as medicine), they are a way to offer thanks for professions that are at times hard. However, I challenge the acknowledgement of a profession like system administration comes with a big caveat: Has this process been innovated for 2018?

SysAdmin Day started (it can be traced to the year 2000) as a great way to give thanks to the professionals in the mix for the hard work that goes along with being a system administrator. Take this into context at the beginning of this century however. Things were harder then. There were more manual IT tasks, more equipment and less automation. This was an important time when the IT space was ripe for innovation, and platforms such as virtualization and the cloud were strictly a meteorological term.

The challenge I pose for today is to ask if systems are indeed being administered like it’s 2018. Are SysAdmins seeking investments (not just with products, but even personal skills) in automation? Are SysAdmins looking to have visibility into all of their data? Are SysAdmins able to have the mobility for workloads that they need today? These are important questions today that are in line with the spirit of the SysAdmin day; but I challenge the skills of a SysAdmin are dependent on the capabilities of the modern era.

Each of those questions is important in today’s IT landscape. The mobility aspect is one that I am very passionate about, and it can avoid problems later. I’ll discuss this one in a bit more detail. When a SysAdmin mentions mobility, what comes to mind? Answers could range from moving an application to a new piece of hardware, doing an upgrade to a new version, or even changing the location of an application to a higher-performing network or site. I challenge that today’s mobility expectation is that applications can be mobile to the best platforms. This includes the cloud, a hypervisor platform such as Hyper-V, vSphere or Acropolis, or even a next-generation technology for the application. SysAdmins need to be careful not to create traps in their IT practice by having obsolete components in the mix.

One common example is to have obsolete applications on obsolete hardware. I occasionally have spoken to organizations who have obsolete applications on obsolete operating systems which require obsolete hardware. This really strikes me as a bad practice point today. I’m usually talking to these organizations about options related to backup and Availability technologies, however, we reach a stopping point with some of the obsolete museum pieces that are still critical to their operation. I commonly have to advise that organizations have bigger problems than backup when these situations arise. There can be a bigger business issue if the organization is dependent on something that can’t be made available due to obsolete technologies.

These are just a few examples, but the life of the SysAdmin is a tough job. It always has been, and always will be. There is a debate on whether there even will be a SysAdmin job in the near future due to newer technologies (such as the cloud). I challenge that there will be, but only if the SysAdmins of today adapt to current conditions and deliver the best service with the best technologies that don’t put their organizations at risk. For those SysAdmins out there — great job, keep up the good work and always be on the lookout for what you can do better next time, for the next project and for whatever comes up tomorrow.




#1 Hyper-Availability for Nutanix Enterprise Cloud

Source: Veeam

In June 2017 we announced that we would be working on support for the Nutanix Acropolis Hypervisor (AHV) and shortly after in October we were able to show an alpha build of the code and demo what functionality would be arriving. Today we are excited and pleased to announce that our Hyper-Availability story is generally available for the entire Nutanix Enterprise Cloud platform, allowing us to protect all virtualized workloads – VMware vSphere, Microsoft Hyper-V and Nutanix AHV – in an application consistent state.

Support for Nutanix AHV comes with a new product – Veeam Availability for Nutanix AHV – which includes many of the same easy-to-use features and functionality from Veeam Backup & Replication in a familiar portable backup file format. This also includes the ability to align your strategy with the 3-2-1 backup methodology through one of our many Veeam Cloud Service Providers (VCSP) partners, tape or backup copy to disk for offsite backups and long-term retention.

Overview

Veeam Availability for Nutanix AHV will consist of three components:

  1. Veeam Backup & Replication 9.5 update 3a minimum
  2. Veeam Backup Proxy Appliance for AHV
  3. Veeam Backup repository (deduplication devices not supported in v1)

Veeam Backup & Replication 9.5 Update 3a

The Veeam backup server authenticates the Veeam backup proxy appliance so that it can send backup files to the Veeam backup repository. The Veeam backup server also offers longer-term retention to tape, disk or Veeam Cloud Connect.

Veeam Backup Proxy Appliance for AHV

The proxy appliance will be deployed within the Nutanix Acropolis hyper-converged infrastructure cluster. Management of the appliance, as well as the configuration, scheduling and execution of backups and full-VM restores, will be handled by a new web UI, specifically designed to look and operate like Prism so that it is familiar to Nutanix administrators and users.

Veeam Backup repository

The Veeam backup repository is a folder on a storage device that acts as a backup target that is managed by the Veeam backup server.

Features

Application consistency

The ability to take application consistent backups of your mission critical workloads is a must. This is achieved by requesting a Distributed Storage Fabric (DSF) snapshot within the Nutanix AHV cluster. Nutanix guest tools (NGT) can then be used to trigger the preparation of the guest operating system for an online backup. For VMs where application consistency is required but NGT is not installed, Veeam recommends using the server edition of Veeam Agent for Microsoft Windows or for Linux.

Changed Block Tracking

When Veeam Backup & Replication performs an incremental backup, it needs to know which data blocks have changed since the previous job session. To get the list of changed data blocks, Veeam Backup & Replication uses the changed block tracking mechanism, or CBT. CBT increases the speed and efficiency of incremental backups. The backup process will leverage the AHV CBT for full and incremental backups.

Protection domains

Leveraging Nutanix Protection Domains not only means keeping a short-term set of fast Recovery Point Objective (RPO) snapshots in place; the same Protection Domain, which is a defined group of virtual machines, can also be leveraged to simplify backup management.

Workflow

The backup proxy communicates with Nutanix AHV to trigger a virtual machine snapshot, retrieves virtual machine data block by block from datastores hosting virtual machines, compresses and deduplicates it and writes to the backup repository in Veeam’s proprietary format.

Veeam Backup & Replication creates per-VM backup chains: One backup chain contains data for one VM only.

Recovery

Now let’s get to the interesting part. The backup is the insurance policy that none of us hope we ever have to use; the recovery, though, is where we could be saving jobs and lives.

Veeam Backup Proxy Appliance for AHV

Recovery options from the proxy appliance will be full-VM recovery to the original location, performed from within the web UI. The ability to restore individual virtual machine disks is also possible from the web UI.

Veeam Backup & Replication 9.5 Update 3a

When it comes to the granular restore options, these tasks must be performed from the Veeam backup server. Granular restore options include:

  • Windows file level restore
  • Application items restore (Microsoft Active Directory, Microsoft Exchange, Microsoft SharePoint, Microsoft SQL Server and Oracle)
  • VM disk export (VMDK, VHD or VHDX)
  • Direct Restore to Microsoft Azure

I am super excited to see the technical innovation happening within Veeam, the elevation of the Hyper Converged market leader as a Veeam elite alliance partner and the addition of the third hypervisor within the Hyper-Availability Platform. I am now even more excited to see where this product goes in the future. I strongly encourage anyone that has AHV deployed or under evaluation to download the fully-functional FREE 30-day trial today.





Veeam Backup for Microsoft Office 365 v2: SharePoint and OneDrive support is here!

Source: Veeam

Microsoft Office 365 adoption is bigger than ever. When Veeam introduced Veeam Backup for Microsoft Office 365 in November 2016, it became an immense success and Veeam has continued building on top of that. When we released version 1.5 in 2017, we added automation and scalability improvements which became a tremendous success for service providers and larger deployments. Today, Veeam is announcing v2 which takes our solution to a completely new level by adding support for Microsoft SharePoint and Microsoft OneDrive for Business. Download it right now!

Data protection for SharePoint

By adding support for SharePoint, Veeam extends its granular restore capabilities known from the Veeam Explorer for Microsoft SharePoint into Office 365. This allows you to restore individual items – documents, calendars, libraries and lists – as well as a complete SharePoint site when needed. With the new release, Veeam can also help you back up your data if you are still in the migration process and are still using Microsoft SharePoint on premises or running in a hybrid scenario.

Data protection for OneDrive for Business

The most requested feature was support for OneDrive for Business, as more and more companies are using it to share files, folders and OneNote notebooks internally. With Veeam Explorer for Microsoft OneDrive for Business, you can granularly restore any item available in your OneDrive folder (including Microsoft OneNote notebooks). You have the option to perform an in-place restore, restore to another OneDrive user or another folder in OneDrive, or export files as an original or zip file. And if you get hit by a ransomware attack and your complete OneDrive folder gets encrypted, Veeam can perform a full restore as well.

Enhancements

Besides the introduction of new platform support, there are also several enhancements added.

Major ease-of-use and backup flexibility improvements come with a newly redesigned job wizard for easier and more flexible selection of Exchange Online, OneDrive for Business and SharePoint Online objects, making it easier than ever to set up, search and maintain visibility into your Office 365 data. Granularly search, scale and manage backup jobs for tens of thousands of Office 365 users!

Restore data located in Microsoft Teams! You can protect Microsoft Teams when the underlying storage of the Teams data is within SharePoint Online, Exchange Online or OneDrive for Business. While data can be protected and restored, the Teams tabs and channels cannot. After restoring the item, it can however be reattached manually.

Compare items with Veeam Explorer for Microsoft Exchange. It is now possible to perform a comparison on items with your production mailbox to see which properties are missing and only restore those without restoring the full file.

As with the 1.5 release, everything is also available for automation by leveraging either PowerShell or the RESTful API, which now fully supports OneDrive for Business and SharePoint.

Another enhancement is the possibility to change the GUI color as you like. This option made its way into Veeam Backup for Microsoft Office 365 after being introduced in Veeam Backup & Replication.

Starting with version 2, Veeam Backup for Microsoft Office 365 is now able to automatically check for updates, so you can rest assured you are always up to date.

And finally, the log collection wizard has been updated as it now allows you to collect logs for support in case you run into an issue, as well as configure extended logging for all components.

Community Edition introduced

Version 2 marks the release of Veeam Backup for Microsoft Office 365 Community Edition! This FREE product’s functionality is identical to the paid version, but with the following limitations:

  • Maximum number of Exchange Online users: 10
  • Maximum number of OneDrive for Business users: 10 users associated with the same 10 Exchange Online users
  • Maximum amount of SharePoint data protected: 1TB
  • Best effort support



