Planning
There are different ways to backup your data - over the network, direct from SAN, or "hot add." Your proxy server can itself be a virtual machine if you choose over the network or hot add modes. Hot add is supposed to be very efficient, as it gives a direct access path to the other VM's disks, similar to SAN-based backup, but I just didn't trust mounting production drives across multiple VMs. So I chose over the network for this walk through. As long as your proxy VM and the VM it's backing up are on the same physical hosts, the physical network won't actually be involved. It's actually recommended practice that you only have one ESX host per virtual proxy.
Setup
You need a service account, preferably in an active directory domain, to run the backup process as. This service account's password can have NO SPECIAL CHARACTERS as of TSM 6.2.2. While vcbMounter can handle a password with special characters, TSM cannot. A bug report has been filed. This service account needs to be setup in your vCenter with the following permissions:
- Log on to the VI Client as a user with Administrator privileges.
- From the VI Client, click Administration in the navigation bar.
- Click the Roles tab.
- Click Add Role. The Add Role dialog box appears.
- Type a name for the new role, for example, VMware Consolidated Backup User. THE EXISTING SAMPLE ROLE IS NOT GOOD ENOUGH.
- Select the following privileges for the new role. Click the plus (+) signs to expand the lists, as needed.
- Global > Cancel Task
- VirtualMachine > Inventory > Create
- VirtualMachine > Inventory > Remove
- VirtualMachine > Interaction > Power On
- VirtualMachine > Configuration > Disk Lease
- VirtualMachine > State > Create Snapshot
- VirtualMachine > State > Remove Snapshot
- VirtualMachine > Provisioning > Allow Virtual Machine Download
- VirtualMachine > Provisioning > Allow Read‐only Disk Access
- VirtualMachine > Provisioning > Customize
- VirtualMachine > Provisioning > Allow Disk Access
- VirtualMachine > Provisioning > Allow Virtual Machine Files Upload
- Resource > Assign Virtual Machine to Resource Pool
- Click OK to complete the process.
Note: If this is the same account you logged into vCenter as, you'll lose your administrative privileges. Any other member of the vCenter's Windows Administrators Group will be able to get you back in.
Now that permissions are sorted out, let's build your proxy server. You need a staging partition whose size is equivalent to the sum of the sizes of all of the VMDK's of your single largest VM. I actually built in additional space to provide for growth. During the backup process, the VM being backed up will be copied to this partition before being sent off to TSM. It's a sequential process, which is why this partition only needs to be as large as the largest VM you plan on backing up.
After installing Windows and configuring to your liking (disabling IPv6 is a good idea to help with address translation issues), you'll need to install the VCB Framework from VMware. Now let's configure it by editing C:\Program Files (x86)\VMware\VMware Consolidated Backup Framework\config\config.js:
BACKUPROOT="E:\" --The staging partition
HOST="vCenter.somedomain.com" --FQDN of your vCenter Server
USERNAME="__sspi__" --Use the currently logged in user
PASSWORD="" --Password is passed from TSM
TRANSPORT_MODE=nbd --Network-based backup
When installing TSM Client 6.2.2, choose Custom and select the VMware option. After the install is complete, open the GUI and go to Edit-Client Preferences and click onto the VM Backup tab.
- Backup Type > VMware Full VM (or whatever you want)
- Domain for VM Backup > Domain Backup Types > Domain Full VM
- Domain for VM Backup > VM Options > ALL-VM
- Domain for VM Backup > VM host, VM folder or VM name > ALL-VM
- Press Insert
- VMware Virtual Center or ESX Server > Host: FQDN of your vCenter Server
- VMware Virtual Center or ESX Server > User: Your Service Account
- Datastore Location: The staging partition
- Apply, Ok, Ok
You should narrow the Domain in a large environment as discussed in the Planning section. Now modify dsm.opt to suit your environment. If you choose to do a file level backup of your VCB Proxy, be sure to exclude the staging drive. Now set the password for your service account within TSM:
c:\program files\tivoli\tsm\baclient\dsmc SET PASSWORD -type=VCB "vCenter.somedomain.com" "Domain\ServiceAccountUsername" "password"Explicitly give the service account full control of C:\Program Files\Tivoli\TSM\baclient and C:\Program Files (x86)\VMware.
Testing
You can test the ALL-VM domain or just one VM at a time (by specifying optional vmname) with the following command:
c:\program files\tivoli\tsm\baclient\dsmc backup vm vmname -vmbackuptype=FULLScheduling
Once testing has completed, you can schedule the backup by running your standard scheduler service on the VCB Proxy and creating a special schedule on your TSM server that kicks off the following client command:
The quotes must be exactly as so.'"C:\Progra~1\Tivoli\TSM\baclient\dsmc backup vm -vmbackuptype=FULL"'
Troubleshooting
If you get IP address lookup failures, check what hostname it's trying to hit. Ensure proper DNS translation is occurring on the VCB Proxy server for that hostname. You can use the Windows hosts file as needed.
To snapshot 2008 & 2008 R2 VMs, you may need to set the following flag while the VM is offline:
Edit Settings-Options-Advanced-General-Configuration Parameters
Add Row:
disk.EnableUUID = FALSE
To troubleshoot the scheduled command, change the schedule to STARTTIME=NOW on the TSM server and then run it in the foreground by executing the following on the VCB Proxy:
dsmc sched -optfile="C:\Program Files\Tivoli\path\to\dsm.opt"
