Use DPM to back up and restore VMware virtual machines
This article explains how to use Data Protection Manager (DPM) version 1801 and later, to back up virtual machines running on the 5.5, 6.0, 6.5 or 6.7 versions of VMware vCenter and vSphere Hypervisor (ESXi).
Supported VMware features
DPM 1801 and later provides the following features when backing up VMware virtual machines:
Backup to tape is supported from DPM 2019.
- Agentless backup: DPM does not require an agent to be installed on the vCenter or ESXi server, to back up the virtual machine. Instead, just provide the IP address or fully qualified domain name (FQDN), and login credentials used to authenticate the VMware server with DPM.
- Cloud Integrated Backup: DPM protects workloads to disk, tape and cloud. DPM's backup and recovery workflow helps you manage long-term retention and offsite backup.
- Detect and protect VMs managed by vCenter: DPM detects and protects VMs deployed on a VMware server (vCenter or ESXi server). As your deployment size grows, use vCenter to manage your VMware environment. DPM also detects VMs managed by vCenter, allowing you to protect large deployments.
- Folder level auto protection: vCenter lets you organize your VMs in VM folders. DPM detects these folders and lets you protect VMs at the folder level and includes all subfolders. When protecting folders, DPM not only protects the VMs in that folder, but also protects VMs added later. DPM detects new VMs on a daily basis and protects them automatically. As you organize your VMs in recursive folders, DPM automatically detects and protects the new VMs deployed in the recursive folders.
- DPM protects VMs stored on a local disk, network file system (NFS), or cluster storage.
- DPM protects VMs migrated for load balancing: As VMs are migrated for load balancing, DPM automatically detects and continues VM protection.
- DPM can recover files/folders from a Windows VM without recovering the entire VM, which helps recover necessary files faster.
Prerequisites and Limitations
Before you start backing up a VMware virtual machine, review the following list of limitations and prerequisites.
- If you have been using DPM to protect a VMware server as a Windows Server, you cannot use the same fully qualified domain name (FQDN) or static IP. If you used an FQDN to identify your VMware VM, then use a static IP address to identify your VMware server. If you used a static IP address to identify your VMware VM earlier, then use an FQDN to identify your VMware VM. You cannot use a dynamic IP address. Note that the DPM agent should not be pushed to a Windows Server that is acting as the VMware vCenter Server.
- If you use vCenter to manage ESXi servers in your environment, add vCenter (and not ESXi) to the DPM protection group.
- DPM cannot protect VMware VMs to a secondary DPM server.
- You cannot back up user snapshots before the first DPM backup. Once DPM completes the first backup, then you can back up user snapshots.
- DPM cannot protect VMware VMs with pass-through disks and physical raw device mappings (pRDM).
- DPM cannot detect or protect VMware vApps.
- DPM cannot protect VMware VMs with existing snapshots.
Configure DPM to protect VMware
The following information details how to configure VMware for DPM protection. To establish communication between DPM and the VMware server, configure the VMware credentials and establish a secure connection between DPM and the VMware vCenter Server or VMware vSphere Hypervisor (ESXi) server. If you use both vCenter Server and ESXi server, configure only the vCenter Server to work with DPM. You don't need to add ESXi servers to DPM. To manage a VMware server, DPM needs valid credentials to access VMware servers.
DPM does not use an agent to communicate with a VMware server. Instead, DPM uses a user name and password credential to authenticate its remote communication with the VMware server. Each time DPM communicates with a VMware server, DPM must be authenticated. As it can be necessary to change credentials, and a data center can have multiple vCenter servers requiring unique credentials, tracking these credentials can be a problem. However, DPM has a Manage VMware Credentials feature to securely store and manage credentials.
Note the following details about credentials:
- One credential can be used to authenticate multiple VMware servers.
- Once credential details such as Description, User name, and Password are updated, DPM uses the updated credentials to communicate with all VMware servers that use that credential.
- A credential can be deleted only if it is not being used to authenticate a VMware server.
Open the Manage VMware Credentials feature
In the DPM Administrator Console, click Management.
In the list of assets to manage, click Production Servers.
In the tool ribbon, click Manage VMware Credentials. The Manage Credentials dialog opens. Using the Manage Credentials dialog, you can add, update, or delete credentials.
See the following sections for detailed information on adding, updating, or deleting credentials.
Add VMware server credentials
You add a credential to the DPM server so you can pair it up with credential on the VMware server. Remember, the credential on the DPM server must be identical to the credential on the VMware server. To add a credential, in the Manage Credentials dialog:
Click Add to open the Add Credential dialog.
Type your information in the Name, Description, User name, and Password fields. Once you've added text in the required fields, the Add button becomes active.
- Name is what appears in the Credential column of the Manage Credentials dialog. Name is a required field and is the identifier for the credentials. This field cannot be edited later. If you want to change the name of a credential, you must add a new credential.
- Description is descriptive text or an alternate name so you can recognize or distinguish the credentials in the Manage Credentials dialog. The Description text is an optional field and appears in the Description column of the Manage Credentials dialog.
- User name and Password are the user name and password for the user account used to access the server. Both fields are required.
Click Add to save your new credentials. Once you have created credentials, you can use them to authenticate with a VMware server.
Update VMware server credentials
Most organizations need to update credentials due to security reasons or personnel changes. When VMware server credentials are changed, the credentials used by DPM also need to be updated. If a VMware server's credentials (user name and password) have changed, you must add matching credentials in DPM.
Once you have matching credentials in DPM, update the VMware server credentials using the following steps:
- In the DPM Administrator console, click Management.
- In the list of assets to manage, click Production Servers.
- In the list of computers, select the VMware server whose credentials need to be updated. In the example image, demovcenter1.Contoso.com is the VMware server with broken credentials.
- On the Administrator console tool ribbon, click Change Settings. The Change Settings dialog opens. It displays all credentials on the DPM server. In the example image, demovcenter_002 is the DPM credential to pair with demovcenter1.Contoso.com.
- From the list, select the credential on the DPM server to match the VMware credential and click Update. In the image, notice demovcenter_002 authenticates a production server, and demovcenter1.Contoso.com is now protected.
Delete VMware server credentials
When you delete credentials, you are removing the credential from the list on the DPM server. DPM doesn't allow you to delete a credential that is used to authenticate a production server.
To delete a credential
- In the DPM Administrator Console, click Management, click Production Servers, and in the tool ribbon, click Manage VMware Credentials.
- In the Manage Credentials dialog, select the credential. Make sure the credential is not associated with any Production Servers.
- Click Delete to remove the credential from the list.
Set up secure communication between DPM and a VMware server
DPM communicates with the VMware server securely over an HTTPS channel. To create the secure communication, install a trusted certificate on both the VMware server and DPM server. If the connection to your vCenter is not secure, you can secure it by installing a certificate on the DPM server. Use the same certificate to make a secure connection with the VMware server.
To verify that there is a secure communication channel between DPM and vCenter, open a browser on the DPM server and access the VMware server. If you are using Chrome and you do not have a valid certificate, the URL is shown with a strikethrough, as in this example:
If you are using Internet Explorer, and you don't have a valid certificate, you see this message when you access the URL:
To fix the error, install a valid certificate on the DPM server and the VMware server. In the previous images, the DPM server has a valid certificate, but the certificate is not in the trusted root certification authority store. To fix this situation, add the certificate to the VMware server.
On the Certificate dialog, on the Certification Path tab, click View Certificate.
In the new Certificate dialog, click the Details tab, and then click Copy to File to open the Certificate Export Wizard.
In the Certificate Export Wizard, click Next, and on the Export File Format screen, select DER encoded binary X.509 (.CER), then click Next.
On the File to Export screen, type a name for your certificate and click Next.
Click Finish to complete the Certificate Export Wizard.
Locate the exported certificate. Right-click the certificate and select Install Certificate to open the Certificate Import Wizard.
In the Certificate Import wizard, click Local Machine and then click Next.
On the Certificate Store screen, to choose the location where you want to place the certificate, click Place all certificates in the following store and click Browse.
In the Select Certificate Store dialog, select Trusted Root Authority Certificate and click OK.
Click Next and then click Finish to import the certificate successfully.
Once you have added the certificate, sign into your vCenter server to verify the connection is secure.
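The browser test above is a manual check. The following PowerShell function, added here as an example and not part of the DPM documentation, performs the same check from the DPM server without a browser: it opens a TLS 1.2 connection to the VMware server on the SSL port DPM will use (443 by default), records the certificate it is offered, and reports whether the local machine's trusted root store accepts the chain and whether the name matches. The function name and the output fields are this example's own; the callback accepts the certificate only so that it can be inspected, and nothing is sent over the connection.

```powershell
# Added example, not from the DPM documentation. Run on the DPM server after
# importing the certificate into the Local Machine trusted root store.
function Test-VMwareServerTls {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ServerName,   # FQDN or IP exactly as entered in DPM
        [int] $Port = 443                              # SSL port configured for the VMware server
    )

    # The validation callback records what Windows thinks of the certificate;
    # SslPolicyErrors.None means the chain is trusted and the name matches.
    $state = @{ Errors = [System.Net.Security.SslPolicyErrors]::None }
    $sb = {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.Errors = $sslPolicyErrors
        return $true   # accept only so the certificate can be inspected; trust is reported, not assumed
    }.GetNewClosure()
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]$sb

    $tcp = $null; $ssl = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($ServerName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        # Offer only TLS 1.2, which is what vSphere 6.7 and the .NET strong-crypto settings expect
        $ssl.AuthenticateAsClient($ServerName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $true)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        [pscustomobject]@{
            Server       = "$ServerName`:$Port"
            Protocol     = $ssl.SslProtocol
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            Thumbprint   = $cert.Thumbprint
            NotAfter     = $cert.NotAfter
            PolicyErrors = $state.Errors
            ChainTrusted = ($state.Errors -eq [System.Net.Security.SslPolicyErrors]::None)
        }
    }
    finally {
        if ($ssl) { $ssl.Close() }
        if ($tcp) { $tcp.Close() }
    }
}

# Usage: the server name used in this article's examples
# Test-VMwareServerTls -ServerName 'demovcenter1.Contoso.com' | Format-List
```

A result with ChainTrusted set to $false and PolicyErrors of RemoteCertificateChainErrors is the same condition the browser shows as a strikethrough: the certificate itself may be fine, but it is not issued by a root in the Trusted Root store. RemoteCertificateNameMismatch means the name you entered in DPM does not match the certificate, which is worth checking before switching between FQDN and IP address as described in the prerequisites.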
Add a new user account in VMware server
DPM uses your user name and password as credentials for communicating and authenticating with the VMware server. The authenticated user must have at least the following privileges, which are required to protect a VM successfully:
The recommended steps for assigning these privileges:
Create a role, for example, BackupAdminRole
- In the vSphere Web Client, from the Navigator menu, click Administration > Roles.
- From the Roles provider drop-down menu, select the vCenter Server to which the role applies.
- On the Roles pane, click '+' to open the Create Role dialog and create a role.
- Name the role, BackupAdminRole.
- Select the privileges (identified in the preceding bulleted list) for the role and click OK.
Create a new user, for example, BackupAdmin
When you create a user, that user must be in the same domain as the objects you want to protect.
- In the vSphere Web Client, on the Navigator menu, click Administration.
- In the Administration menu, click Users and Groups.
- To create a new user, on the Users tab, click '+' to open the New User dialog.
- Provide a User name and password for the new user. Use BackupAdmin as the User name. Additional information is optional.
Assign the role, BackupAdminRole, to the user, BackupAdmin
- In the vSphere Web Client, on the Navigator menu, click Administration.
- In the Administration menu, click Global Permissions.
- On the Global Permissions pane, click the Manage tab.
- On the Manage tab, click '+' to open the Add Permission dialog.
- In the Add Permissions dialog, click Add.
- In the Select Users/Groups dialog, choose the correct domain from the Domain menu, then in the User/Group column select BackupAdmin, and click Add. The user name appears in the Users field in the format: domain\BackupAdmin.
- Click OK to return to the Add Permissions dialog.
- In the Assigned Role area, from the drop-down menu, select the role, BackupAdminRole, and click OK. The new user and role association appears in the Manage tab.
Add a VMware server to DPM
In the DPM Administrator Console, click Management > Production Servers > Add to open the Production Server Addition Wizard.
On the Select Production Server type screen, select VMware Servers, and click Next.
On the Select Computers screen, provide the following information:
- Server Name/IP Address: enter the VMware server fully qualified domain name (FQDN) or IP address.
- SSL Port: select the SSL port number used to communicate with the VMware server. DPM uses HTTPS to communicate with VMware servers over a secured connection. To successfully communicate with VMware servers, DPM requires the SSL port number configured for that VMware server. If the VMware servers are not explicitly configured with different SSL ports, continue with the default port, 443.
- Specify Credential: Select the credential needed to authenticate with this VMware server. If the required credential has not yet been added to DPM, choose Add New Credential. Then, provide the Name, Description, User name, and Password for the credential. Once you have filled out the fields, click Add to add the server to the list of VMware Servers. If you would like to add more VMware servers to the list, repeat this step. If you are finished adding servers to the list, click Next.
On the Summary screen, select the server you want to add, and click Add. After adding the VMware servers to DPM, see Configure Backup for information about the available methods of protection.
Disable secure communication protocol
If your organization does not want to use secure communication protocol (HTTPS), you can create a registry key to disable it. To create this registry key:
Copy and paste the following text into a .txt file.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\VMWare]
Save the file with the name, DisableSecureAuthentication.reg, to your DPM server.
Double-click the file to activate the registry entry.
Once you've added the VMware server(s) to DPM, you're almost ready to start protection in DPM. However, before you begin protection, you need to allocate disk storage that DPM can use for short-term storage. For guidance on adding storage, see Adding Storage to DPM. Once you have added storage, you are ready to use the Create New Protection Group wizard to create a protection group for the VMware VMs.
VMware provides VM folders that let you organize VMs as you like.
DPM can protect individual VMs, as well as cascading levels of folders that contain VMs. Once you select a folder for protection, all folders (and VMs) within this folder are automatically detected and protected. This is called folder-level protection. DPM detects and configures protection for the VMs at 12 AM (based on the DPM server's local timezone). When DPM detects that new VMs have been created, DPM configures protection by end of that day.
Scale out protection of clustered VMware servers
In large VMware deployments, a single vCenter server can manage thousands of VMs. DPM supports scale-out protection of VMware server clusters. The new scale-out feature removes the limit of a one-to-one relationship between a VMware cluster and a DPM server. You can add a VM to a protection group on any of the recognized DPM servers. Multiple DPM servers can be used to protect VMs managed by a single vCenter server. However, only one DPM server can protect a VM or folder at any given time. VMs and folders that are already protected by one DPM server cannot be selected by another DPM server. To deploy scale-out protection, there must be a minimum of two DPM servers. In the following example graphic, D1 and D2 are visible to all virtual machines hosted on nodes N1, N2, N3, and N4. When protection groups on D1 or D2 are created, any virtual machine can be added.
Backing up virtual machines to a disk, tape or cloud
DPM can back up VMware VMs to disk, tape and to the Azure cloud. You specify the protection method while creating the new Protection Group.
DPM provides application-consistent backups of Windows VMs and file-consistent backups of Linux VMs (provided you install VMware tools on the guest).
Back up virtual machine to Tape
Applicable to DPM 2019
For long-term on-premises retention of VMware backup data, you can now enable VMware backups to tape. The backup frequency can be selected based on the retention range (which can vary from 1-99 years) on tape drives. The data on tape drives can be both compressed and encrypted. DPM 2019 supports both OLR (Original Location Recovery) and ALR (Alternate Location Recovery) for restoring the protected VM.
Use the following procedure:
- In the DPM Administrator console, click Protection > Create protection group to open the Create New Protection Group wizard.
- On the Select Group Members page, select the VMWare VMs you want to protect.
- On the Select Data Protection Method page, select I want long-term protection using tape.
- In Specify Long-Term Goals > Retention range, specify how long you want to keep your tape data (1-99 years). In Frequency of backup, select the backup frequency that you want.
- On the Select Tape and Library Details page, specify the tape and library that will be used for backup of this protection group. You can also specify whether to compress or encrypt the backup data.
Create a Protection Group for VMware VMs
In the Administrator Console, click Protection.
On the tool ribbon, click New to open the Create New Protection Group wizard.
In the Select Protection Group Type screen, select Servers and click Next.
In the Select Group Members screen, expand the Available members folders and select the folders to protect and click Next. Once you select a folder, the member is added to the Selected members list. Items already protected by a DPM server cannot be selected again. View the DPM server that protects an item by hovering over the item in the Available members list.
On the Select Data Protection Method screen, type a Protection group name, and then select the protection method. For protection method, you can choose: short-term protection to a hard drive, long term backup to tape, or online protection to the cloud. Once you've selected your protection method, click Next.
If you have a standalone tape or tape library connected to the DPM server, you'll be able to select I want long-term protection using tape.
On the Specify Short-Term Goals screen, for the Retention Range specify the number of days your data is kept on disk. If you want to change the schedule when application recovery points are taken, click Modify. On the Express Full Backup tab, choose a new schedule for the time(s) and days of the week when Express Full Backups are taken. The default is daily at 8 PM, local time for the DPM server. When you have the short-term goals you like, click Next.
If you want to store data on tape for long-term storage in Specify long-term goals, indicate how long you want to keep tape data (1-99 years). In Frequency of backup, specify how often backups to tape should run. The frequency is based on the retention range you've specified:
- When the retention range is 1-99 years, you can select backups to occur daily, weekly, bi-weekly, monthly, quarterly, half-yearly, or yearly.
- When the retention range is 1-11 months, you can select backups to occur daily, weekly, bi-weekly, or monthly.
- When the retention range is 1-4 weeks, you can select backups to occur daily or weekly.
On a stand-alone tape drive, for a single protection group, DPM uses the same tape for daily backups until there is insufficient space on the tape. You can also collocate data from different protection groups on tape.
On the Select Tape and Library Details page, specify the tape/library to use, and whether data should be compressed and encrypted on tape.
- On the Review Disk Allocation screen, recommended disk allocations are displayed. Recommendations are based on the retention range, the type of workload and the size of the protected data. Click Next.
- On the Choose Replica Creation Method screen, specify how the initial replication of data in the protection group is performed. If you choose to replicate over the network, we recommend that you choose an off-peak time. For large amounts of data or less than optimal network conditions, consider replicating the data offline using removable media.
- On the Consistency Check Options screen, select how you want to automate consistency checks. You can enable a check to run only when replica data becomes inconsistent, or according to a schedule. If you don’t want to configure automatic consistency checking, you can run a manual check. To run a manual check, right-click the protection group in the Protection area of the DPM console, and select Perform Consistency Check.
- On the Specify Online Protection Data screen, select the data source(s) that you want to protect.
- On the Specify Online Backup Schedule screen, specify how often you want to take a backup from the disk backup to Azure. A recovery point is created each time a backup is taken.
- On the Specify Online Retention Policy screen, specify how long you want to retain your data in Azure. Read more about backing up DPM to Azure in the article, Backup DPM workloads with Azure Backup.
- On the Choose Online Replication screen, choose your method for creating your initial backup copy. The default choice is to send the initial backup copy of your data over the network. However, if you have a large amount of data, it may be more timely to use the Offline Backup feature. See the Offline Backup article in Azure for more information, including a step-by-step walkthrough.
- On the Summary screen, review the settings. If you are interested in optimizing performance of the protection group, see the article, Optimizing DPM operations that affect performance. Once you are satisfied with all settings for the protection group, click Create Group to create the protection group and trigger the initial backup copy.
The Status screen appears and gives you an update on the creation of your protection group, and the state of your initial backup.
Restore VMware virtual machines
This section explains how to use DPM to restore VMware VM recovery points. For an overview on using DPM to recover data, see Recover protected data. In the DPM Administrator Console, there are two ways to find recoverable data - search or browse. When recovering data, you may, or may not want to restore data or a VM to the same location. For this reason DPM supports three recovery options for VMware VM backups.
- Original location recovery (OLR) - Use OLR to restore a protected VM to its original location. You can restore a VM to its original location only if no disks have been added or deleted since the backup occurred. If disks have been added or deleted, you must use alternate location recovery.
- Alternate location recovery (ALR) - When the original VM is missing, or you don't want to disturb the original VM, recover the VM to an alternate location. To recover a VM to an alternate location, you must provide the location of an ESXi host, resource pool, folder, and the storage datastore and path. To help differentiate the restored VM from the original VM, DPM appends "-Recovered" to the name of the VM.
- Individual file location recovery (ILR) - If the protected VM is a Windows Server VM, individual files/folders inside the VM can be recovered using DPM’s ILR capability. To recover individual files, see the procedure later in this article.
Restore a recovery point
- In the DPM Administrator Console, click Recovery view.
- Using the Browse pane, browse or filter to find the VM you want to recover. Once you select a VM or folder, the Recovery points for pane displays the available recovery points.
- In the Recovery points for field, use the calendar and drop-down menus to select a date when a recovery point was taken. Calendar dates in bold have available recovery points.
- On the tool ribbon, click Recover to open the Recovery Wizard.
- Click Next to advance to the Specify Recovery Options screen.
- On the Specify Recovery Options screen, if you want to enable network bandwidth throttling, click Modify. To leave network throttling disabled, click Next. No other options on this wizard screen are available for VMware VMs. If you choose to modify the network bandwidth throttle, in the Throttle dialog, select Enable network bandwidth usage throttling to turn it on. Once enabled, configure the Settings and Work Schedule.
- On the Select Recovery Type screen, choose whether to recover to the original instance, or to a new location, and click Next.
- If you choose Recover to original instance, you don't need to make any more choices in the wizard. The data for the original instance is used.
- If you choose Recover as virtual machine on any host, then on the Specify Destination screen, provide the information for ESXi Host, Resource Pool, Folder, and Path.
- On the Summary screen, review your settings and click Recover to start the recovery process. The Recovery status screen shows the progression of the recovery operation.
Restore an individual file from a VM
You can restore individual files from a protected VM recovery point. This feature is only available for Windows Server VMs. Restoring individual files is similar to restoring the entire VM, except you browse into the VMDK and find the file(s) you want, before starting the recovery process. To recover an individual file or select files from a Windows Server VM:
In the DPM Administrator Console, click Recovery view.
Using the Browse pane, browse or filter to find the VM you want to recover. Once you select a VM or folder, the Recovery points for pane displays the available recovery points.
In the Recovery Points for: pane, use the calendar to select the date that contains the desired recovery point(s). Depending on how the backup policy has been configured, dates can have more than one recovery point. Once you've selected the day when the recovery point was taken, make sure you've chosen the correct Recovery time. If the selected date has multiple recovery points, choose your recovery point by selecting it in the Recovery time drop-down menu. Once you choose the recovery point, the list of recoverable items appears in the Path: pane.
To find the files you want to recover, in the Path pane, double-click the item in the Recoverable item column to open it. Select the file, files, or folders you want to recover. To select multiple items, press the Ctrl key while selecting each item. Use the Path pane to search the list of files or folders appearing in the Recoverable Item column. The search covers only the folder currently listed; it does not search subfolders. To search through subfolders, double-click the folder. Use the Up button to move from a child folder into the parent folder. You can select multiple items (files and folders), but they must be in the same parent folder. You cannot recover items from multiple folders in the same recovery job.
When you have selected the item(s) for recovery, in the Administrator Console tool ribbon, click Recover to open the Recovery Wizard. In the Recovery Wizard, the Review Recovery Selection screen shows the selected items to be recovered.
On the Specify Recovery Options screen, if you want to enable network bandwidth throttling, click Modify. To leave network throttling disabled, click Next. No other options on this wizard screen are available for VMware VMs. If you choose to modify the network bandwidth throttle, in the Throttle dialog, select Enable network bandwidth usage throttling to turn it on. Once enabled, configure the Settings and Work Schedule.
On the Select Recovery Type screen, click Next. You can only recover your file(s) or folder(s) to a network folder.
On the Specify Destination screen, click Browse to find a network location for your files or folders. DPM creates a folder where all recovered items are copied. The folder name has the prefix, DPM_day-month-year. When you select a location for the recovered files or folder, the details for that location (Destination, Destination path, and available space) are provided.
On the Specify Recovery Options screen, choose which security setting to apply. You can opt to modify the network bandwidth usage throttling, but throttling is disabled by default. Also, SAN Recovery and Notification are not enabled.
On the Summary screen, review your settings and click Recover to start the recovery process. The Recovery status screen shows the progression of the recovery operation.
VMware parallel backups
With earlier versions of DPM, parallel backups were performed only across protection groups. With DPM 2019, backups of all VMware VMs within a single protection group run in parallel, leading to faster VM backups. All VMware delta replication jobs run in parallel. By default, the number of jobs that run in parallel is 8.
You can modify the number of jobs by using the following registry key (it is not present by default; you need to add it):
Key Path: Software\Microsoft\Microsoft Data Protection Manager\Configuration\MaxParallelIncrementalJobs\VMWare
Key Type: DWORD (32-bit) value
You can modify the number of jobs to a higher value. If you set the number of jobs to 1, replication jobs run serially. Before increasing the value, consider VMware performance: based on the resources already in use and the additional load placed on the VMware vSphere server, determine how many delta replication jobs to run in parallel. This change affects only newly created protection groups. For existing protection groups, temporarily add another VM to the protection group; this updates the protection group configuration accordingly. You can remove this VM from the protection group after the procedure is completed.
VMWare vSphere 6.7
To back up vSphere 6.7, do the following:
Enable TLS 1.2 on DPM Server
VMware 6.7 onward has TLS enabled as the communication protocol, so the DPM server must be able to negotiate it.
Set the registry keys as follows:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
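Rather than importing .reg files by hand, an administrator usually wants to audit what a DPM server currently has set and apply only what is missing. The following PowerShell script, added here as an example and not part of the DPM documentation, covers three settings from this article in one place: the four .NET Framework TLS keys above, the MaxParallelIncrementalJobs value from the "VMware parallel backups" section, and the VMWare key under which the "Disable secure communication protocol" section places its value. It assumes the parallel-jobs key lives under HKEY_LOCAL_MACHINE (the article gives the path without a hive) and reads the last path element, VMWare, as the DWORD value name; the function names are this example's own.

```powershell
# Added example, not from the DPM documentation. Run in an elevated PowerShell
# session on the DPM server. -WhatIf on the Set-* functions shows changes without making them.
$TlsKeys = @(
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
)
# Both values must be 1 for .NET (and therefore DPM) to use TLS 1.2 with vSphere 6.7
$TlsValues = @{ SystemDefaultTlsVersions = 1; SchUseStrongCrypto = 1 }
# Assumption: HKLM hive; key MaxParallelIncrementalJobs holds a DWORD value named VMWare (absent = default 8)
$ParallelJobsKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Configuration\MaxParallelIncrementalJobs'
# Any value under this key may have been added to disable HTTPS validation; report whatever is there
$VMwareKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft Data Protection Manager\VMWare'

function Get-DpmVMwareRegistryAudit {
    foreach ($key in $TlsKeys) {
        foreach ($name in $TlsValues.Keys) {
            $actual = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            $status = if ($actual -eq $TlsValues[$name]) { 'OK' } else { 'MISSING' }
            [pscustomobject]@{ Setting = "$key\$name"; Expected = $TlsValues[$name]; Actual = $actual; Status = $status }
        }
    }
    $jobs = (Get-ItemProperty -Path $ParallelJobsKey -Name VMWare -ErrorAction SilentlyContinue).VMWare
    $status = if ($null -eq $jobs) { 'DEFAULT' } elseif ($jobs -ge 1) { 'SET' } else { 'INVALID' }
    [pscustomobject]@{
        Setting  = "$ParallelJobsKey\VMWare"
        Expected = '1 (serial) or higher; 8 when absent'
        Actual   = $jobs
        Status   = $status
    }
    $vm = Get-ItemProperty -Path $VMwareKey -ErrorAction SilentlyContinue
    if ($vm) {
        foreach ($p in ($vm.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            [pscustomobject]@{ Setting = "$VMwareKey\$($p.Name)"; Expected = '(not set)'; Actual = $p.Value; Status = 'REVIEW' }
        }
    }
}

function Set-DpmTlsRegistry {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($key in $TlsKeys) {
        if (-not (Test-Path $key)) { $null = New-Item -Path $key -Force }
        foreach ($name in $TlsValues.Keys) {
            if ($PSCmdlet.ShouldProcess($key, "Set $name = $($TlsValues[$name])")) {
                Set-ItemProperty -Path $key -Name $name -Value $TlsValues[$name] -Type DWord
            }
        }
    }
}

function Set-DpmVMwareParallelJobs {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [ValidateRange(1, 2147483647)] [int] $Count)   # 1 = run serially
    if (-not (Test-Path $ParallelJobsKey)) { $null = New-Item -Path $ParallelJobsKey -Force }
    if ($PSCmdlet.ShouldProcess($ParallelJobsKey, "Set VMWare = $Count")) {
        Set-ItemProperty -Path $ParallelJobsKey -Name VMWare -Value $Count -Type DWord
    }
}

# Usage:
#   Get-DpmVMwareRegistryAudit | Format-Table -AutoSize
#   Set-DpmTlsRegistry -WhatIf
#   Set-DpmVMwareParallelJobs -Count 4 -WhatIf
```

A REVIEW row for the VMWare key is the one to act on: the article offers that key only as a way to turn HTTPS off, so any value found there should be deliberate and documented. Remember that a changed parallel-jobs value affects only newly created protection groups, as the previous section explains.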