
Veeam: Deploy an Immutable Repository

Released in 2008, Veeam Backup and Recovery enables systems administrators to back up virtual and physical machines to disks, tape, the cloud and immutable repositories, which don’t allow data to be overwritten. In this guide, I will walk through basic configuration of a Veeam Server and an immutable backup repository.

What Is The Veeam Availability Suite?

The Veeam Availability Suite is made up of four main components:

1. The Administration Console – This is where administrators can perform management tasks such as scheduling backups.

2. The Proxy Server – This is where data is processed, compressed and sent to…(Next line, please.)

3. The Backup Repository – This is where backup data is stored.

4. (OPTIONAL) VEEAM One – Real-time Backup monitoring console.

It’s not uncommon to see all four running on the same server. For my intents and purposes, I will run the Administration Console on my SAW, the proxy server on a separate server running Windows Server 2022, the backup repository on an Alma Linux server, and VEEAM One on a separate server running Windows Server 2022.

Obtaining Veeam and Licensing

Licensing for all of these components can be obtained as a Not For Resale (NFR) copy here if you meet one of the requirements. I have chosen the “Blogger” option, and I’m sure it will work for you as well.

The license lasts for a year, but you can renew it. The NFR license enables sysadmins to back up twenty workloads, compared to the community edition, which only allows ten.

Setting Up The Administration Console

The setup for the Administration Console on the SAW was a dead simple next, next, next process. Just make sure to only select installation for the single component, not the entire suite. Remember – we’re breaking things out here! All of the required components (such as SQL Express) are installed for you.

Active Directory and Veeam

Some sysadmins recommend not using Active Directory authentication, but because I am separating components out, using multiple (in the future at COLO) hardened Linux repositories, and using aggressive ACLs, I see no risk in doing so. VEEAM is VERY dependent on DNS, so make sure you have records in place if you choose to pursue that route (Maybe I should write a guide for that).

Setting Up The Veeam Server

I am using a standard installation of Windows Server 2022 x64. This has been joined to my domain. As I mentioned previously, some best practices state the VBR server should not be joined to the domain. I’m using extremely aggressive ACLs and an off-domain hardened (immutable) Linux repository server to make things much safer. In the future, I will add a SOBR and back up my VMs to the cloud, as well as an additional hardened repository at Colo. In my eyes, this justifies taking the risk – even if my VEEAM server were compromised, in theory, no one should be able to move laterally to my backup data and modify it.

After downloading VEEAM NFR for free (you can find it here), I was sent an email with the license key. I transferred the zip file as well as the key over to my newly created server, unzipped it and mounted the VEEAM ISO. After clicking setup.exe, I began the installation by clicking ‘Install’.

Veeam Backup and Replication 12

On the next screen, I was prompted to select what type of installation I wanted to perform. Last night, I installed just the console for management purposes (option 3) on my SAW, so I wanted the full deal (option 1).

Install Options

On the next page, accept the license agreement.

License Agreement

On the next page, I uploaded my aforementioned license file that was sent to me via email. Once that’s done, click next.

Type in your license key Veeam emailed you here.

After a system check is performed, I’m ready to install. I did not customize any of the defaults as they looked fine to me. I did see that VEEAM 12 is now using PostgreSQL, rather than MS SQL Express, so that’s pretty cool.

Installing Veeam

After installation was finished, I was able to log in to my SAW and connect to the remote server! This really couldn’t have been an easier process, not that I’m complaining!

Setting Up The Hardened Immutable Repository

Alright, now with that out of the way, let’s set up a hardened VEEAM Linux Repository server using Alma Linux! Utilizing a VEEAM hardened repository server has many advantages over a traditional file server.

The files located on the server are immutable for a length of time. This means they cannot be edited or deleted by the VEEAM user until this time period expires. Even if your VEEAM server were to be compromised, your backup data is safe!

Additionally, this method does not use CIFS shares. This means it is much harder for your backups to become cryptolocked and held for ransom.

Setting Up The Virtual Machine

Let’s create the virtual machine! Give it the following specs:

  • 2 CPU cores
  • 4GB of memory
  • 32GB HDD, Thin Provisioned
  • A second virtual disk to store immutable data
  • VMware Paravirtual SCSI Controller
  • Network Adapter set to secure Management VLAN
  • Alma Linux ISO attached from datastore
  • UEFI, Secure boot enabled

Once the VM is booted, select your language:

Alma Linux - Choose Language

You will then be brought to a page that looks like this:

Alma Linux Installation Summary

Make sure your Keyboard, Language, Time & Date settings are correct.

Under “Software Selection”, choose the “Minimal Install” option. This server does not require a GUI.

Under “Installation Destination”, we will configure automatic partitioning. Select the Manual Partitioning bubble and click done. You will then be brought to a page to add partitions. Add the following partitions as pictured below:

Alma Linux Disk Partitioning

Still with me? Great! That was the hardest part of this process! Click “Done” and you’ll be brought back to the main dashboard.

Click “Network & Hostname”. You’ll be brought to a screen that shows all available network adapters. Click the switch to enable it and click “Configure”.

On the Configure window, click “IPv4 Settings”. Set the Method to “Manual”, then click “Add”. This will allow you to set a static IP for your virtual machine. Give it an IP, Netmask, Gateway, and DNS Server as shown below. NOTE! We will need to create forward and reverse DNS entries for this. If you are using Active Directory or something other than your firewall for DNS, use that as your DNS Server! Set your Domain’s FQDN in “Search Domains”.

Alma Linux Network Configuration

Then, once you are finished, click “Save”. Before you click “Done”, let’s set the hostname of the server.

Alma Linux Network Configuration

Please be sure to include the FQDN in your domain name. For example, hostname.internal.whatever.com. Click “Apply” then click “Done”.

Next we need to set the root password. Choose a secure password and ensure “Lock root account” is enabled and root SSH login is disabled. This will prevent the root user from logging in or SSHing to your server. Click “Done” when you are finished.

Alma Linux Create User

Now we will create the management user. This is the account you will use to perform initial setup and system maintenance. Click on “Create User”.

Type in the management user’s full name, username and set a password. Ensure “Make this user administrator” and “Require a password to use this account” are both checked. Click “Done” when you are finished.

Once you are satisfied with all of the options you selected, click “Begin Install”.

Immutable Repository: Post Install Setup

This hardened repository server WILL NOT be joined to the domain for security reasons. We DO however, need to create forward and reverse DNS records for it because VEEAM heavily utilizes DNS. Setting up Active Directory is beyond the scope of this guide, but perhaps I will create one in the future. Please ensure the appropriate A and PTR records exist and point to your repo server’s hostname.

Add A Secondary Hard Disk

With that out of the way, I will need to add a secondary disk to the repo server to store my backups. I am currently running vSphere 8, so I logged into the web console and edited the VM’s hardware properties and added a secondary 20TB thin provisioned disk.

Now we have to SSH into the repo server VM and initialize the disk so that it is visible to the operating system, format and mount it. I ran the following:

lsblk

to get the disk identifier. It looks like this disk is recognized at /dev/sdb. Perfect. Let’s partition the disk.

sudo fdisk /dev/sdb

# Then, at the prompt below, type g to create a new GPT partition table:
Welcome to fdisk (util-linux 2.32.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table.
Created a new DOS disklabel with disk identifier 0xfd942014.

Command (m for help): g

# Press n to create a new partition:
Command (m for help): n

# Press p to create a primary partition:
Command (m for help): p
Partition type
   p   primary (0 primary, 0 extended, 4 free)
   e   extended (container for logical partitions)
Select (default p): p

# Select 1 as the default partition:
Partition number (1-4, default 1): 1

# It will ask you to select the first and last sector. Just press Enter to use the entire disk.

Created a new partition 1 of type 'Linux' and of size 19.9 TiB.

# Press w to write the changes to your disk:
Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.

If I run lsblk again, you will see I now have /dev/sdb1 and a newly created 20TB partition!

lsblk showing my 20TB partition

With the disk partitioned, we will now need to format it with the XFS file system. VEEAM strongly recommends in their whitepapers that XFS is used for immutable repositories:

# Format the partition
sudo mkfs.xfs /dev/sdb1

With the drive partitioned and formatted XFS, let’s mount the disk:

# Change directory into /mnt
cd /mnt

# Make a directory that will be used as the mount point.
sudo mkdir vbrbackups

# Add the mount point to the fstab file so it is mounted on boot.
sudo vi /etc/fstab

# Add the following line to the end of the file:
/dev/sdb1 /mnt/vbrbackups xfs defaults 0 0

# Press ESC and type :wq! to write the file. To mount the disk for the first time, run:
sudo mount -a

# If you did not receive any errors, the disk has been successfully mounted! Run lsblk again to see it is mounted in the correct directory. (See screenshot above.)

Create Permissions AND Service Accounts For VEEAM

We will now need to create a user and group that can access the directory. This is the service account that VEEAM will use to perform backups:

# Create the user:
sudo useradd -m veeam

# Set a strong password for this user (you will be prompted to type it twice).
sudo passwd veeam

# Create the group:
sudo groupadd backupadmins

# Add the veeam user to the group:
sudo usermod -aG backupadmins veeam

Finally, I gave the appropriate permissions to the veeam service user to access /mnt/vbrbackups:

# Give ownership to the veeam user and backupadmins group:
sudo chown veeam:backupadmins /mnt/vbrbackups

# Set the setgid bit and 775 permissions on the directory (chmod does not make it immutable)
sudo chmod 2775 /mnt/vbrbackups
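
To check the result of the steps above, here is an added example (not part of the original post and not Veeam's own tooling): read-only shell helpers that confirm the fstab entry matches the mount point, flag a directory mode that is open to every local account, and list backup files that lack the immutable attribute. It assumes immutability shows up as the Linux immutable file attribute reported by lsattr, and that .vbk and .vib are the backup file extensions worth inspecting.

```shell
#!/bin/sh
# Added example: read-only checks for the repository built in this guide.
# /mnt/vbrbackups is the guide's path; .vbk/.vib as the backup-file
# extensions to inspect is an assumption of this example.

# Print the filesystem type the fstab file $1 assigns to mount point $2.
# Fails when no entry matches, e.g. when the path written to fstab and
# the directory created with mkdir differ.
fstab_fstype() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $3; found = 1 }
                    END { exit !found }' "$1"
}

# Succeed if octal mode $1 (as printed by `stat -c %a`) grants any
# permission to "other", i.e. to every local account on the server.
other_access() {
    case $1 in
        *[1-7]) return 0 ;;
        *)      return 1 ;;
    esac
}

# Read `lsattr -R` output on stdin and print backup files that do NOT carry
# the immutable flag (lowercase i in the attribute column). Files whose
# immutability period has expired are expected to appear here.
mutable_backups() {
    awk '{ flags = $1; sub(/^[^ ]+ +/, "")
           if (flags !~ /i/ && $0 ~ /\.(vbk|vib)$/) print }'
}

# Run all three checks on a live host; lsattr may need sudo.
audit_repo() {
    mp=${1:-/mnt/vbrbackups}
    if fs=$(fstab_fstype /etc/fstab "$mp"); then
        [ "$fs" = xfs ] || echo "fstab: $mp is $fs, not xfs"
    else
        echo "fstab: no entry for $mp"
    fi
    if other_access "$(stat -c %a "$mp")"; then
        echo "mode: $mp is accessible to all local users"
    fi
    lsattr -R "$mp" 2>/dev/null | mutable_backups | sed 's/^/not immutable: /'
}
```

Source the file on the repository server and run audit_repo once the first backup job has finished; no output means all three checks passed.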

Conclusion

That’s it! Basic server configuration is now finished! All I have to do at this point is add the vCenter server and the repo to the VEEAM console and start backing virtual machines up! Be sure to check out my other blog posts located here!

sysadminafterdark

Just another bastard operator from hell empowering others to deliver self-hosted solutions one night at a time. Sysadmin by day, homelab by night.
