MABS: DPM database size has exceeded the threshold limit (ID 3168)

June 26, 2017 at 10:18 am in Azure, Azure Backup, DPM database, ID 3168, MABS, Microsoft Azure Backup Server by Wim Matthyssen

Last week I saw the below Warning message pop up at a customer’s Microsoft Azure Backup Server (MABS). The description of this Warning message described the following:

“DPM database size has exceeded the threshold limit.

DPM database size: 1.15 GB

DPM database location: e:\DPMDB\ on “servername” (ID 3168)”

clip_image002

I could also find the same Warning message in the Event Viewer.

clip_image004

The message itself was confusing because the E: drive where the DPM database is located had plenty of free disk space and the DPM Database size alert was unmarked as you can see in the below screenshots.

clip_image006

clip_image008

Another important point is that the only way to open the Tape Catalog Retention box (on a MABS server) is by clicking the Modify Catalog Alert Threshold size … link which is only show in the Recommended action field of the warning message itself.

clip_image010

However, in the end I was able to solve this warning, by marking the setting Alert me when DPM database size reaches: and changing the size to 10 GB. Afterwards I unmarked this setting again and pressed OK. Almost directly after that, the Warning message disappeared.

clip_image012

clip_image014

Conclusion

Probably this warning message is some sort of bug in the MABS software or some kind of leftover from DPM 2012 (tape backups) on which the MABS v1 code is based. For the moment, the only way to get rid of this Warning message is by using the above workaround.

If you have any questions, feel free to contact me through my twitter handle.

Wim Matthyssen (@wmatthyssen)

Microsoft Azure Backup Server: Unable to configure protection for a SQL database (ID 3170 and 33424)

June 19, 2017 at 2:45 pm in Azure, Azure Backup, ID 3170, ID 33424, MABS, Microsoft Azure Backup Server, SQL Server by Wim Matthyssen

Last week while configuring backup for some SQL databases for a customer with the Microsoft Azure Backup Server (MABS), I received the following Protection Status error: Unable to configure protection.

clip_image002

When opening the Monitoring tab on the MABS server, to investigate the problem, I found the following description for the error:

DPM could not start a recovery, consistency check, or initial replica creation job for SQL Server 2012 database “SQLServername\model” on “SQL Server” for following reason: (ID 3170)

The DPM job failed for SQL Server 2012 database “SQLServername\model” on “SQL Server” because the protection agent did not have sysadmin privileges on the SQL Server instance. (ID 33424 Details:)

clip_image004[6]

You can also find the similar error description in the Event Viewer on the MABS server, by opening the Application and Services LogsDPM Alerts.

clip_image006[6]

As the error suggests, the problem is that the built-in NT Authority\SYSTEM does not have sysadmin rights on that SQL Server instance. So to resolve this issue, perform the following steps. Open Microsoft SQL Server Management Studio on the SQL server. Open Security, open Logins, select the NT\AUTHORITY SYSTEM user and click Properties. In the Server Roles screen sysadmin should be checked, what for this specific database was not the case. So check sysadmin and press OK to save. You need to repeat this step for all instances having this problem.

clip_image008[5]

clip_image010[6]

After fixing this, you need to perform a consistency check on the MABS for all those databases with status Unable to configure protection. To do so right-click the unprotected database and select Perform consistency check …, which will retry the protection and solve the problem.

clip_image012

After completion, the Protection Status should be showing OK.

clip_image014

Hope this helps you fixing this problem when it occurs. If you have, any questions feel free to contact me through my twitter handle.

Wim Matthyssen (@wmatthyssen)

How to install Microsoft Azure Backup Server v2 on Windows Server 2016

June 8, 2017 at 7:53 pm in Azure, Azure Backup, Hybrid backup, MABS, MABS v2, Microsoft Azure Backup, Microsoft Azure Backup Server, Microsoft Azure Backup Server v2, Modern Backup Storage, PowerShell, Windows Server 2016 by Wim Matthyssen

Last week Microsoft released the second version (v2) of their Microsoft Azure Backup Server (MABS v2). As a hybrid backup solution, this new release based on System Center Data Protection Manager 2016 (SCDPM 2016) enables you to store data onto disk (low RTO) and in Azure (long retention, up to 99 years). MABS v2 uses RCT-based change tracking by using Windows Server 2016. This makes backups more reliable and scalable, but also improves backup performance (backup jobs could be up to 70 percent faster). MABS v2, which is included with the Azure Backup service and currently has version number 12.0.332.0., now not only supports Windows Server 2016 (W2K16) but also vSphere 6.5 (Preview mode). Beside those, you can also use it now to backup business critical Microsoft workloads such as SQL 2016, SharePoint 2016 and Exchange 2016. Those can be running on premise (physical servers, Hyper-V or VMware) or in the Azure cloud. As a nice extra, you can also back up Windows 10 client workloads.

clip_image002

In a previous blog post, I already told you all about MABS v1 on how to install it on a Windows Server 2012 R2. In this blog post, I will show you how you can deploy MABS v2 on a W2K16 server.

MABS v2 server requirements

  • MABS v2 can be installed as an on premise standalone physical server or VM, but also as an Azure IaaS VM (minimum size A2 Standard).
  • MABS v2 will run on following supported Operating Systems: Windows Server 2012 R2 and Windows Server 2016 (is required if you want to use the Modern Backup Storage feature).
  • MABS v2 must be domain joined. Be sure to add the server to the domain before the MABS installation. Microsoft does not support adding this server to the domain after the MABS installation.
  • The processor minimum requirements for a MABS v2 server are 1GHz dual-core CPU, recommended 2.33 GHz quad-core CPU.
  • The minimum RAM needed by a MABS v2 server is 4GB, recommended is 8 GB.
  • The recommended hard drive space is 3 GB.
  • MABS v2 must have .NET 3.5 SP1, .NET 4.6.1 features installed as a prerequisite.
  • MABS v2 should also have Hyper-V PowerShell installed.
  • MABS v2 should be running a dedicated, single-purpose server. Either it cannot be running on the same server, which has SCDPM or a SCDPM agent installed.
  • A validate Windows Server license is needed for the MABS v2 server.
  • The MABS v2 server needs to have access to the Internet because Microsoft Azure should be accessible from the MABS server.
  • To temporarily store, the largest restore from the Azure cloud, some scratch space is required when needed. So keep approximately 5 % of the total amount of data that needs to be backed-up to the cloud free on the C: drive.
  • A separate data disk for the backup storage pool is required. Like every other backup product the recommendation for the size of this disk is 1.5 times the size of the data you are going to protect.

MABS v2 prerequisites installation

Before we start the prerequisites installation, be shore to have a Recovery Services vault in place (create a new one, or use an existing) and download the vault credentials. When downloaded, place this file on the C:\Temp folder of the MABS server.

clip_image004

clip_image006

To install all required prerequisites, logon to the server you wish to use for your MABS v2 installation, open PowerShell and administrator and run the following commands to install .NET 3.5 SP1 and Hyper-V PowerShell (be shore to have the Windows Server 2016 installation ISO mounted – in my example to the D: drive). Be aware the server will reboot when the installation is completed. You can also download the complete script (.ps1) from the Microsoft TechNet Gallery.

clip_image008

MABS v2 software download

To download the MABS v2 software open PowerShell as an administrator and run the following PowerShell script. You can download the complete script (.ps1) from the Microsoft TechNet gallery. The script will download all the necessary files (8 files), extract them and start the setup.

MABS v2 installation

Click Microsoft Azure Backup Server to launch the setup wizard.

clip_image010

Setup will start copying some temporary files.

clip_image012

On the Welcome screen, click the Next.
 

clip_image014

This opens up the Prerequisite Check section. On this screen, click on the Check button to determine if the hardware and software prerequisites for Azure Backup Server have been met. If all of is OK, you will see a message indicating that the machine meets the requirements. Click Next.

clip_image016

On the SQL Settings page select, Install new Instance of SQL Server with this Setup, to install SQL 2016 SP1. Click Check and Install. You could encounter some error messages. If so follow the instructions and most likely, you should reboot the server and start the MABS installation all over again.

clip_image018

If the computer meets, the software and hardware requirements click Next.

clip_image020

Provide a location for the installation of all the files and click Next. In my example, I changed all locations to my E: drive.
 

clip_image022

Provide a strong password for restricted local user accounts (this password will not expire) and click Next.
 

clip_image024

It is strongly recommended to use Microsoft update when you check for updates because this will offer all security and important updates for MABS. Select whether to use Microsoft Update or not and click Next.

clip_image026

Review all settings and if all are OK click Install.

clip_image028

clip_image030

Click Next to start the Microsoft Azure Recovery Service Agent installation.

clip_image032

Click Install.

clip_image034

clip_image036

When the agent installation is completed, click Next.

clip_image038

Provide your vault credentials to register the machine to the Azure backup vault. Click Next.
 

clip_image040

Provide a passphrase to encrypt/decrypt the data sent between Azure and your premises. You can automatically generate a passphrase or provide your own minimum 16-character passphrase. Also, enter a location to save the passphrase. If all is done click Next.

clip_image042

Once registration succeeded the wizard proceeds with the installation and configuration of SQL Server 2016 SP1. This could take some time.

clip_image044

clip_image046

It is possible that you receive the following error message, if so just click OK (you can change the staging area after the MABS setups completes).
 

clip_image048

When setup completes successfully, click Close.
 

clip_image050

Double click the Microsoft Azure Backup server icon on your desktop to launch MABS.

clip_image052

clip_image054

You can also verify if the MABS server connection to the Recovery Services vault. To do so go to your Recovery Services vault, click Overview and click Backup management servers. There you should see the newly installed MABS server.

clip_image056

As a final step, do not forget to run Windows update to install all necessary updates after the MABS installation.

clip_image058

Now you are ready to start working with this brand new product. Have fun and till next time!

Wim Matthyssen (@wmatthyssen)

New features for Azure Backup and Azure Site Recovery released

June 1, 2017 at 10:02 am in Azure, Azure Backup, Azure Site Recovery, Cloud, Modern Backup Storage, Windows Server 2016 by Wim Matthyssen

Microsoft was very busy on the last day of May, because yesterday they launched many new features, not only for Azure Backup but also for Azure Site Recovery. I tried to list some of them below.

Azure Backup

  • Windows Server System State backups with Azure Backup now in public preview

This new extension allows the Azure Backup agent (MARS Agent) to integrate with the Windows Server Backup feature that is available natively on every Windows Server. It allows and provides seamless and secure backups of your Windows Server System State directly to Azure without the need to provision any on-premises infrastructure.

You can read more about it here

 

clip_image002

  • Microsoft Azure Backup Server v2 released which allows Windows Server 2016 and vCenter/ESXi 6.5 protection

This week Microsoft also released the second version (v2) of their Microsoft Azure Backup Server (MABS v2), which supports Windows Server 2016, vSphere 6.5 and the latest business critical applications such as SQL 2016, SharePoint 2016 and Exchange 2016. This new version is available for download from a Recovery Services vault in the Azure Portal or directly from here.

 

clip_image004

If you are interested to read more about MABS v2 you can do so over here

An important remark to make is that when you install MABS v2 on a Windows Server 2016 the VMware protection will be in preview mode, because VMware first needs to release support for VDDK 6.5.

In addition, the UserVoice I opened to address this issue to the Azure Team will be closed, so everyone who voted will get some votes back.

  • Introducing Modern Backup Storage with Azure Backup Server on Windows Server 2016

With the latest release of Azure Backup Server (MABS v2), which is based on System Center Data Protection Manager 2016 (SCDPM 2016), Modern Backup Storage can be used. This technology will improve performance and reduces consumption (50 % disk storage savings and 3x faster backups) by leveraging ReFS block cloning and deduplication.

 

clip_image006

You can read more about it here

 

Azure Site Recovery

  • Disaster recovery for Azure IaaS virtual machines with Azure Site Recovery is now in public preview

This will allow you to use Azure Site Recovery (ASR) to easily replicate and protect IaaS based applications running on Azure to a different Azure region of your choice without deploying any additional infrastructure components or software appliances in your subscription.

 

clip_image007

You can read more about it here

 

Enjoy reading about these nice new features and have fun testing them out.

Wim Matthyssen (@wmatthyssen)

Azure Security Center: Endpoint Protection installation failed with “Permission denied”

May 18, 2017 at 2:56 pm in Azure, Azure Security Center, Cloud, Endpoint Protection, Microsoft Antimalware by Wim Matthyssen

Most of you who are already familiar with Azure Security Center (ASC), know that it periodically analyzes the security state of your Azure resources. Whenever Security Center identifies a potential security vulnerability, it creates a recommendation. Last week when trying to apply the solution for such a Recommendation, namely Install Endpoint Protection, the Endpoint Protection installation failed with “Permission denied”.

clip_image002

The error showed that the installation failed because of an RBAC issue (permission error), However, the user used was a Subscription co-admin (Role Owner), so that could not cause the problem because he has all permissions needed.

Because Endpoint Protection is deployed as an extension and deployments of extensions are handled by the VM agent, my next troubleshoot step was to check the log of Azure VM agent on that particular VM.

The path to access this log is: “C:\WindowsAzure\Logs\WaAppAgent.log

clip_image004

clip_image006

But also no issue over here.

Therefore, after troubleshooting for some time, I finally opened a support request to Microsoft. As a response to this request, Microsoft confirmed that this error is under investigation of the product team and that there currently is a design change request in the making to get this problem fixed. For the moment, the problem only occurs in some Azure Regions. In the meantime as a temporary workaround in wait for the real fix, they suggest to install the Azure Antimalware extension from Compute or Azure PowerShell instead of with ASC.

To deploy the Azure Antimalware extension using the Azure Portal you can follow these steps:

Log in to the Azure portal

Select the VM, select Extensions and click Add on the Extensions blade

clip_image008

Select Microsoft Antimalware and click Create on the Microsoft Antimalware blade

clip_image010

To enable Antimalware with the default settings just click OK without putting in any configuration values. If you prefer you can also configure it with your own settings and values

clip_image012

Once the extension successfully installs, it reflects in ASC and the recommendation for that specific VM is gone. Hope this helps!

Wim Matthyssen (@wmatthyssen)

Azure PowerShell: Migrate an Azure ASM Virtual IP address (VIP) to an ARM Public IP address (PIP)

May 9, 2017 at 12:13 pm in ARM, ASM, Azure, Azure PowerShell, Cloud, PIP, Public Cloud, Public IP address, VIP, Virtual IP address by Wim Matthyssen

The last weeks, I am assisting some customers with the migration of their existing Azure Service Manager (ASM) VMs to the Azure Resource Manager (ARM) portal. Most of those workloads are migrated with the use of Azure Site Recovery (ASR). The only thing ASR cannot handle for the moment is the migration of the Cloud Services Virtual IP Address (VIP). This public IP address can for example used by an IIS website running on a specific IaaS virtual machine (VM) which is part of that Cloud Service. You can work around this problem, as in many of these cases, by using Azure PowerShell. Below I will wake you through this process with an example.

Overview used Azure VMs:

clip_image002
1) First, we need to login and prepare the ARM environment. To do so run following PowerShell commands (change variables as needed):

clip_image004

clip_image006

2) Next we need to login to the ASM environment

clip_image008

3) As the next step we need to reserve the public IP Address

clip_image010

4) Next we need to de-associate the Reserverd IP address from the Cloud Service. Press Yes when asked

clip_image012

clip_image014

5) When you now check the list of reserved IP addresses, it will show the reserved IP address 40.68.191.13 as unassigned. The attribute InUse is set to False and the ServiceName and DeploymentName attributes are empty

clip_image016

6) Also check if the Reserved IP address is valid for migration

clip_image018

7) Next we need to prepare the Reserved IP address for migration

clip_image020

8) Now run the following PowerShell command to finalize the migration of the Reserved IP address

clip_image022

9) You can verify the availability of the migrated Public IP address by login in to the Azure portal. Under Public IP address, you should see the resource with the correct IP address

clip_image024

clip_image026

10) Now, you can move this resource to the correct resource group. When you do so, and your asked to Confirm the move, click Yes

clip_image028

clip_image030

clip_image032

11) Afterwards you can assign the public IP address to whichever resource you would like

clip_image034

clip_image036

That concludes this blog post. Hope it comes to your use.

Wim Matthyssen (@wmatthyssen)

Azure IaaS: Build a VM from a Bring your Own License (BYOL) image with Azure PowerShell

April 24, 2017 at 9:16 am in ARM, Azure, Azure Hybrid Use Benefit, BYOL, Cloud, IaaS, PowerShell by Wim Matthyssen

For all people who do not yet know, with the Azure Hybrid Use Benefit you can use your on-premises Windows Server licenses that includes Software Assurance for Windows Server (Standard and Datacenter Editions) virtual machines (VM) in Azure. More recently also Azure Hybrid Use Benefits for Windows Client which includes Windows 10 (only Enterprise customers with Windows 10 Enterprise E3/E5 per user or Windows VDA per user – User Subscription Licenses or Add-on User Subscription Licenses – are eligible) came in Preview.

By using your existing licenses, you only pay for the base compute rate (equal to the Linux rate for VMs) without the Windows licenses cost, which can save you up to 40 %.

You can download the Azure Hybrid Use Benefit datasheet here

clip_image002

These days it’s even simpler to deploy a new Azure server VM whit your own on premise license via the Windows Server BYOL images available in the Azure Marketplace. There are images available for the following Server Oss (*be aware that not all Azure Subscriptions can use the BYOL images):

  • Windows Server 2008 R2 SP1
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016 (not available in all regions)

You can search for the Windows Server images by running following PowerShell command:

clip_image004

In the above screenshot, you can see that some Skus now contain the BYOL suffix.

You can search for the Windows Client images by running following PowerShell command:

clip_image006

To build a VM with from a BYOL image you can run following Azure PowerShell script (adjust all variables for your own use):

clip_image008

The script is also available on Microsoft TechNet

When the script is completed and the VM is build, you can log into the VM via remote desktop. Like you can see the VM is not registered and you’ll able to use your own Windows product key.

clip_image010

Hope this comes in handy!

Wim Matthyssen (@wmatthyssen)

Azure IaaS: VM status Running (Installing Extensions)

March 29, 2017 at 6:13 am in ASM, Azure, Azure PowerShell, Cloud, IaaS, Installing Extension, Microsoft, Public Cloud by Wim Matthyssen

Last week while migrating Azure IaaS VMs from ASM to ARM, I noticed that one VM was showing the status “Running (Installing Extension)” in the Azure Classic portal. When I tried to connect to that specific VM with RDP no connection could be made. This status also prevented me from doing some automation activities, the VM however still responded to a ping.

clip_image002

When I opened the DASHBOARD page of the VM and looked at the extensions, I saw that the Microsoft.Compute.VMAccessAgent showed following error:

clip_image003

The simplest way I found to resolve this error was to delete the extension, and add it back. To do so login to the Azure portal with your Azure account. Go to Virtual Machines and click on the specific VM. On the opened blade select Extensions, right click the VMAccessAgent and click Delete. When asked to delete the extension select Yes

clip_image005

clip_image006

clip_image007

clip_image008

To reinstall the VMAccess extension open PowerShell ISE, connect to your Azure subscription with your Azure account and run the following command (replace cloud service name and VM name by your own)

clip_image010

To check the current status of the extension, run following command (replace cloud service name and VM name by your own):

clip_image012

Or you can also check trough both Azure portals

clip_image014

clip_image016

After the reinstallation of the VMAccessAgent, it ran with STATUS Success and I was able to reconnect to the VM with RDP. This concludes this blog post, hope it helps whenever you have this issue.

Wim Matthyssen (@wmatthyssen)

Microsoft Azure Backup Server: Anti-Virus Exclusions

March 3, 2017 at 1:05 pm in Anti-Virus Exclusions, Azure, Azure Backup, Cloud, hybrid cloud, MABS, Microsoft Azure Backup Server by Wim Matthyssen

Running a solid, constantly updated antivirus product on your servers is a necessity to keep a healthy and secure server environment. However, with installing an antivirus product, you also risk having issues with certain workloads and services on those severs. Just like System Center Data Protection Manager (SCDPM), the Microsoft Azure Backup Server (MABS) is compatible with most antivirus software products. Though, the implemented antivirus product can also affect MABS performance and, if not configured properly, can cause data corruption of replicas and recovery points.

clip_image002

So, to avoid file conflicts and to minimize performance degradation between your MABS server and the antivirus software running on top of it, you should disable real-time monitoring by the antivirus software for all of the following processes and directories, which are listed below.

MABS processes to exclude from antivirus real-time monitoring

For information about configuring real-time monitoring based on process name or folder name, check the documentation of your antivirus vendor.

  • DPMRA.exe (*full path: C:\Program Files\Microsoft Azure Backup\DPM\DPM\bin\DPMRA.exe)
  • csc.exe  (*full path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -> you can also exclude csc.exe in all the other Microsoft.NET Framework folders)
  • cbengine.exe (*full path: C:\Program Files\Microsoft Azure Backup\DPM\MARS\Microsoft Azure Recovery Services Agent\bin\cbengine.exe)

 

clip_image004

clip_image006

clip_image008

 

MABS directories in the MABS Program Files folder to exclude from antivirus real-time monitoring

Be aware that when you installed MABS on another drive then “C:”, like in the example below, look under the correct drive for the folders to exclude.

  • C:\Program Files\Microsoft Azure Backup\DPM\DPM\Temp\MTA\*
  • C:\Program Files\Microsoft Azure Backup\DPM\DPM\XSD\*
  • C:\Program Files\Microsoft Azure Backup\DPM\DPM\bin
  • C:\Program Files\Microsoft Azure Backup\DPM\MARS\Microsoft Azure Recovery Services Agent\bin
  • C:\Program Files\Microsoft Azure Backup\DPM\DPM\Cache (*MABS scratch folder)

 

clip_image010

clip_image012

clip_image014

clip_image016

clip_image018

 

Delete infected files on the MABS server

As a final remark, I would also advise to configure to delete infected files by default on the MABS server rather than automatically cleaning or quarantining them. Automatic cleaning and quarantining can result in data corruption because these processes cause the antivirus software to modify files, making changes MABS cannot detect.

 

In summary, there are a lot of antivirus settings you should keep track of when running MABS. I’ve tried to list all of the exclusions, so hopefully it will help you with getting the most out of your MABS setup. If you have any questions, feel free to contact me through my Twitter handle.

Wim Matthyssen (@wmatthyssen)

PowerShell: BgInfo Automation script

February 23, 2017 at 9:19 am in BgInfo, Client Hyper-V, Hyper-V, PowerShell, scvmm, VM Template, Windows Server 2016, Windows Sysinternals, WS2016 by Wim Matthyssen

Probably everyone knows the Windows Sysinternals tool BgInfo (currently version 4.21). For those who don’t, it’s a great free tool which captures system information from a workstation or server (probably where it is the most useful) and displays the catched data on the Desktop of that machine. It can show useful information like, DNS settings, used IP Addresses, computer name, domain name, OS version, memory, etc. If you want to read more about this tool you can do so via following link: https://technet.microsoft.com/en-us/sysinternals/bginfo.aspx

Whenever I create a new Windows Server 2016 Virtual Machine (VM) template for customers, I mostly add this tool in the base image (also called golden image) and set it so it starts up automatically whenever a user logs on to the server. To automate this process, I wrote a PowerShell script which does all of the following:

  • Download the latest BgInfo tool
  • Create the BgInfo folder on the C drive
  • Extract and cleanup the BgInfo.zip file
  • Download the logon.bgi file which holds the preferred settings
  • Extract and cleanup the LogonBgi.zip file
  • Create the registry key (regkey) to AutoStart the BgInfo tool in combination with the logon.bgi config file
  • Start the tool for the first time

Prerequisites

Windows PowerShell 5.0

PowerShell script:

To use the script copy and save the above as BGInfo_Automated_v1.0.ps1 or download it here. Afterwards run the script with Administrator privileges from the server you wish to use for your VM template. If you want to change configuration settings, just open the logon.bgi file and adjust the settings to your preferences.

image

image

image

image

Hope this script comes in handy for you. If you have and questions or recommendations about it, please contact me through my twitter handle.

Wim Matthyssen (@wmatthyssen)