Veeam Backup Agent for Microsoft Windows
- Service Description
- Veeam Agent Manual Installation
- Installing Veeam Agent for Microsoft Windows using Discovery Rules
- Configuring Backup Jobs
- Restoring Data from the Veeam Agent for Microsoft Windows
Veeam Agent for Microsoft Windows lets you back up and restore computers running Windows operating systems. Backups are performed using the agent, which is installed on the local machine.
Veeam Agent for Microsoft Windows licenses are included as part of the service and automatically granted by the service provider. Licensing periods and paid service periods coincide for 1-month termы. This takes the responsibility of acquiring Veeam licenses off the user.
The service is managed from the Veeam Availability Console (VAC)—an online portal that gives each client an isolated environment for centrally managing the following operations:
- Installing and updating Veeam agents (backup agents and management agents)
- Veeam agent licensing — an automated background process that requires no user interaction
- Configuring backup policies and jobs
- Monitoring agent status, backup jobs, and storage space
The service is built for use with the Veeam Cloud Connect repository from Selectel as its primary cloud backup store. Clients request storage space (in increments of 50 GB) for their backups and are assigned a quota for the requested amount. Clients are isolated from one another in the cloud repository and may only access their backups.
To log into the VAC and start managing the service, open https://vac.selectel.ru and enter the login and password provided by Selectel.
- Physical servers and workstations
- Any VM or virtualization platform that supports Windows guest operating systems
Target physical and virtual machines can be hosted on any platform:
- Privately owned infrastructure (on-premises)
- Public or private cloud
- Any data center or provider
- Selectel VMs and dedicated servers
The only requirement is a connection to the Selectel services, which are published online (see network ports)
For the service to function properly, the following network permissions must be granted:
Computers to be backed up
Selectel cloud gateway — vcc.selectel.ru
|TCP, UDP||6180||Transfer backup traffic to cloud-based repository|
|Browser||VAC web UI — https://vac.selectel.ru||TCP||443||VAC console access to manage the service|
Computer with master agent or each computer to be backed up (for manual installation)
Veeam Installation Server — Veeam resource
Download agent installers from Veeam Internet servers
Computer with master agent
|TCP||135, 445, 49152-65535|
Install agents on computers using Discovery Policies
Veeam Agent Manual Installation
Agents must be installed and configured using accounts with local admin privileges for the target computer. The following information is required:
- vac.selectel.ru — Selectel Cloud Gateways address for agents
- Management agent connection rights are the same for gateways and the VAC
- The thumbprint of the certificate installed on the VAC and Veeam Cloud Connect® (Selectel gateways) is B5A51DF2AF422421DC87C233FEFF326F95A46ECB
Downloading the Management Agent
- Connect to the VAC by opening https://vac.selectel.ru and logging in with the login and password provided by Selectel.
- Select Managed Computers from the menu.
- In the main part of the window, click Download Agent from the Discovered Computers tab.
- The installation software (ManagementAgent.exe) will be downloaded to the local machine.
This can be done directly on the computer you wish to back up or the installation file can be downloaded locally and then copied to other computers.
Installing the Management Agent
Launch the management agent installation wizard with local admin rights. Accept the licensing agreement, and leave the default settings.
When the installation is complete, open Start — Programs, and open Veeam Management Agent. In the new window, set up the Selectel Cloud Gateway connection.
- Cloud Gateway — vcc.selectel.ru
- Port — 6180
- Username and password — same as for the VAC
- You can verify the certificate thumbprint by entering B5A51DF2AF422421DC87C233FEFF326F95A46ECB in the corresponding field.
You can also write local administrator rights for future backup agent installations from the VAC. Input format:
- .\Administrator — for local accounts
- Domain\Administrator — for domain accounts
Click Apply and check that the agent status is now Connected. This means the agent has successfully connected to the VAC, so it can be managed from the VAC and a backup agent can be installed.
This process has to be repeated on every computer you want to back up. For a few computers (2-5), this should not take much work.
Installing the Backup Agent
Once the management agent has been installed and connected to the Selectel gateway, it can be managed from the VAC and the backup agent can be installed.
- Connect to the VAC.
- From the menu, select Managed Computers. A list of all computers with the management agent installed and connected will be displayed under the Discovered Computers tab.
- Check each server and click Install Backup Agent.
- The Install Backup Agent window will open.
If local administrator rights were entered while configuring the management agent, then leave the Account specified... option selected.
If not, choose The following user account, click +Create New, and enter the administrator login and password for that machine. If a local account is used, add .\(local user, like .Administrator) before the name; for a domain account, use the standard domain\name format. To simultaneously install backup agents on multiple computers, this account should be present on each one.
In addition to installing backup agents on the selected servers, it's also possible to immediately apply a backup policy (backup job template). Under the Backup policy to apply menu, choose an existing policy or click +Create New.
During the initial setup, when no policies are present, you have to choose No policy and assign policies to agents separately. The process for creating, configuring, and attaching policies is described below.
Applying policies activates the Enable read only UI access... toggle switch, which is responsible for enabling Agent UI Mode (see below). This lets you enable or disable the ability to manage backup agents on local machines during installation. By default, when applying policies, the switch turns on (enabled); this disables local management and sets to read only. It can be switched off (disabled), which enables local management.
If No policy is applied, the switch will be deactivated and set to off. The backup agent can be managed locally. At this stage, this cannot be changed.
After installing backup agents and applying policies, read only UI access is enabled by default. This can be changed in the Agent UI Mode settings.
Click Apply to apply settings. The backup agent will be installed on the selected computers.
Under the Agent Deployment column, click Installation to view installation details.
When the installation is complete, the backup agent status will be shown in the console.
Backup agent status details can be found under the Backup Agents tab.
Launching the Backup Agent Locally
The backup agent can be launched on a local machine: Start — Veeam — Veeam Agent for Microsoft Windows.
The backup agent window:
This window tells you that the license and edition are managed by your administrator, which means that a Veeam® rental license from Selectel has been automatically installed and that the backup agent edition (server or workstation) were also chosen automatically.
The yellow text "This application is managed by your system administrator" indicates that a policy has been applied to the backup agent and that Agent UI Mode has been set to read-only UI. This means the backup agent cannot be managed locally, only through the VAC.
Configuring Agent UI Mode
As stated above, applying policies to a backup agent automatically switches it to read-only UI, which prevents local management. This means you cannot change any settings or backup jobs, nor launch a restore from the computer. You can only view settings and manually launch backups.
To enable local management, you have to switch Agent UI Mode for the specific backup agent to Full admin access mode from the VAC:
- On the left side of the console, select Backup Jobs.
- In the new frame, click Managed Backup Agents from the top and check the relevant agent.
- Click Agent UI Mode and choose Switch to full admin access from the dropdown menu.
The backup agent can now be configured on the local machine. The message "This application is managed by your system administrator" will be gone from the agent window, and settings will be active.
Installing Veeam Agent for Microsoft Windows using Discovery Rules
If you have a large number of computers (5 or more) that you would like to connect to the service, manually installing agents on each one would be tedious and time consuming. In cases like these, we recommend using Discovery Rules to install agents.
This method lets you discover servers and install agents centrally from the VAC, which significantly reduces manual operations and installation time. You will not need to manually install the management agent on each server or configure the VAC connection.
To use Discovery Rules, deploy the master agent and connect to the VAC. The master agent is a management agent that is responsible for the following tasks:
- Discovering network computers
- Uploading Veeam agent installation packages to discovered computers
- Installing Veeam agents on discovered computers
The master agent and its installation are otherwise no different than standard management agents. In addition to the functions listed above, it can also manage the backup agent on the computer it’s deployed on.
To deploy a master agent, select a computer that is networked to all other computers to be backed up. For example, if the client has a platform with one or more interconnected grey subnets, the master agent should be installed on one of the computers on this platform. If the client has multiple isolated platforms or subnets (locations), you will have to install a master agent in each location.
After deploying one or more master agents, create Discovery Rules, which, depending on their configuration, let you:
- Discover computers on the network
- Install management agents and backup agents on discovered computers
- Apply backup policies to these computers
- Change the UI mode of backup agents
Preliminary requirements for network-based discovery:
- On discovered computers, create Windows firewall inbound rules that allow incoming TCP traffic from the master agent (Remote Address) on the following destination ports (Local Port): 135, 445, 49152-65535.
- Ensure the local administrator account login and password is the same for every discovered computer. This lets you discover and install agents using the same rule, instead of requiring separate rules for each machine.
- If you plan on assigning backup policies during discovery, you can create them beforehand.
To create discovery rules:
- Connect to the VAC.
- Select Rules from the menu.
- A list of existing rules will be displayed. To create a new rule, click +New.
- In the new window, enter a name for your rule and click Next.
- Verify the name of the organization and click Next.
- Leave Network-based discovery selected and click Next.
- Click +Add, enter a network name and IP address range, then click OK and Next.
- Enter the local administrator username, adding .\ before the name, and password. If the local administrator’s login information was previously entered into the master agent, you can check the box to use the credentials specified in the master management agent configuration and leave the previous boxes blank.
- Filters may be configured if need be.
- Configure email notifications (optional).
- Choose an agent installation option:
- Discover remote computer without installing backup agent (install backup agent later) — after launching, computers within the specified IP range will only be discovered. You can then select which computers to install agents on
- Discover remote computer, install backup agent and assign the selected backup policy — agents (management and backup) are immediately installed on all discovered computers, which lets you assign and create new policies and enable/disable read only UI access.
- Check the resulting policy settings and click Finish.
The discovery rule will appear in the list. To launch, check the corresponding box and click Run.
Basic discovery is quick (less than a minute), whereas discovery with install takes a few minutes.
After adding your discovery rules, open the Managed Computers tab and check the results.
In this table we see that:
- 2 computers were discovered: their status under Cloud Connection reads Online.
- agents have only been installed on the first computer. The Agent Deployment status reads Success only for computer ya1.
Discovered computers don’t require agents if the rule is set to only discover computers, or if the rule is set to install agents, but it doesn’t work (this happens, but is easily fixed).
To install agents on discovered computers, check the computers and click Install Backup Agents, which will become active.
Afterwards, choose the installation parameters (account, backup policy, UI mode) and click Apply.
Configuring Backup Jobs
There are three ways to configure backup jobs:
- Using backup policies
In the VAC, a backup policy is created that serves as a backup job template and can be centrally assigned to selected backup agents.
Applying a backup policy to a backup agent automatically creates a backup job with the relevant settings on selected agents. This is easier than manually configuring backup jobs for each agent. You can create multiple policies with different configurations and assign them to the desired backup agent.
- Individually configuring jobs in the VAC
Instead of creating and editing policies and then assigning them to backup agents, you can individually configure backup jobs in the VAC by selecting the required backup agent. After modifying the configuration, the target backup agent will have the status Custom under the Backup Policy column.
This is convenient when a policy is applied to a group of agents, and then changes have to be made for a single agent; all remaining agents will retain the original policy.
- Locally configuring the backup agent
If Agent UI Mode is set to read-only, then you won’t be able to change the backup agent’s settings directly in the application. The same applies to backup jobs.
This limits the local administrator’s ability to modify jobs. All backups can only be made through the VAC console, which is accessible to backup administrators.
If Agent UI Mode is set to full admin access, then the settings applied in the VAC can be changed locally. To do this, launch Configure Backup on the local computer either from Start — Programs — Veeam or from the backup agent window.
Configuring Backup Policies
To manage backup policies, connect to the VAC and in the upper right-hand corner, click Configuration and then select Backup Policies from the left-side menu.
To create a new policy, click +New. Existing policies can be edited, copied, and deleted.
To avoid creating a policy from scratch, you can use the existing Basic_bcp_policy, which was created by the provider and is available to every client. This is a universal policy that fits most situations.
We recommend using it as a template when creating your own policies. This requires making a copy of the policy, renaming it, and making whatever changes you see fit.
We’ll look at the basic parameters seen in creating a policy; the same principles apply when editing Basic_bcp_policy.
- Enter a policy name and description (optional).
- Choose an operation mode—server or workstation, depending on the computer the policy applies to.
Server offers more functions, supports data consistency on the application layer, and can flexibly configure backup schedules.
- Choose a backup mode — entire computer, volume level backup, or file level backup. The first two options work on the block level.
Computer backups let you restore individual volumes or the entire computer (all volumes). Volume backups let you restore the given volume. Both modes let you restore files or folders from the given volume.
Backups on the file level are significantly slower than the block level, which is why we do not recommend using them for backing up large amounts of data.
For example, it may be significantly faster to back up a whole volume (100 GB) than individual files from that volume (40-60 GB).
Choose a backup repository—the main option is the VCC repository from Selectel.
Configure a retention policy. Assign the number of restore points to keep saved, and then open advanced settings.
The recommended minimum is 7 restore points with Forever Forward Incremental. To apply this, the Advanced SettingsBackup window should look as follows:
When using these settings, we do not recommend more than 14 restore points. If you have to restore a lot of data from a long chain of increments, this will take a long time and raise the likelihood of errors.
7-14 increments is generally acceptable, but over 14 is risky.
We recommend capping backups over 7 GB at 7 increments.
If you have to save backups for at least two weeks (i.e. at least 14 restore points), enter the number of Restore points to keep on disk (14 or more). Configure weekly active full backups, specifying the day that’s most convenient for you.
These settings will create weekly chains of full backups and their increments. The retention policy will keep chains for 2-3 weeks in the repository.
After creating a third chain on the 21st day, a new increment will be created
The first and oldest chain will be deleted, leaving the 2 newer chains
- A new full backup will be created the next day, which servers as the start of the new third chain, repeating the cycle
If you have to retain more restore points with this approach, the number of points will increase in increments of 7. For example:
21 points — 3-4 week chains
28 points — 4-5 week chains; this option guarantees restoration for any day of the month (28-35 days)
To encrypt backups, check the Enable backup file encryption box and enter a password and hint (optional).
Enter a cloud repository account and quota. Recommended settings are shown below.
If you uncheck Unlimited quota, you can enter a User quota. This is a fixed quota (subquota) that applies to each agent, which collectively may not exceed the total repository quota. While this may be useful in certain situations, it removes flexibility; with no subquotas, each agent can take as much space as it needs.
The Use single tenant… option is not recommended for security reasons. In this case, each agent uses the same login and password to connect to the cloud. With the first option, logins are unique, automatically created when policies are assigned to agents, and can be changed manually in the VAC.
Leave the local cache disabled; it is not required in most cases.
- Configure OS processing.
When backing up any Windows computer using Veeam®, we recommend enabling application-aware processing.
This lets you create transactionally consistent backups for applications compatible with MS VSS (Volume Shadow Copy Service), such as Microsoft Active Directory, Microsoft SQL Server, Microsoft SharePoint, Microsoft Exchange, and Oracle.
If you click Customize application handing options…, a window will open where you can configure these applications.
More information about these settings can be found in the official documentation:
Even if these applications haven’t been installed on your Windows computers, we still recommend enabling application-aware processing, since modern Windows OSes have a number of other standard VSS writers that can work with the Veeam agent. This option reduces the risk of backup inconsistencies, even in typical file servers.
If none of the aforementioned applications have been installed on the local machine, then leave Customize application handing options… to their defaults. Since none of the applications they apply to are present, they won’t work anyway. Just check the box Enable application-aware processing and leave everything as it is.
Configure a backup schedule.
The best option in most cases is one-time daily backups at a specific time. To use this approach, check Run the job automatically and select the best time. If you don’t need daily backups, then instead of Everyday, choose On week-days (Mon-Fri) or On these days (user-defined days of the week).
Automatic retry lets you relaunch failed backup jobs (there is no sense in relaunching a job more than once). If you uncheck Run the job automatically, backup jobs can only be launched manually.
These are the main recommendations for scheduled server backups. More detailed settings for workstations and monitors can be found in the official documentation.
On this last step, we can view a summary of our policy settings and click Finish to create.
Assigning Policies to Backup Agents
After creating a policy, it has to be assigned to a given agent.
- Connect to the VAC.
- On the left-side menu, click Managed Computers.
- Open the Backup Agents tab and check the desired agents.
- Click Assign in the top-left corner (opposite Backup Policy).
- In the new window, select a policy and click Assign.
Links to Veeam® User Guides
Viewing and Exporting Veeam Backup Job Details (from VAC) — launch and halt backup jobs, enable and disable jobs, gather logs, and view details
Managing CBT Driver — accelerate incremental backups
Modifying User Profile — fill out a profile and change client passwords
Veeam Availability Console User Guide — the main user (client) documentation
Veeam Agent for Microsoft Windows User Guide — contains detailed information on managing Veeam® Agent for Microsoft Windows and how it works. This is useful for understanding the technology and choosing the best configurations
Restoring Data from the Veeam Agent for Microsoft Windows
The Veeam Availability Console (VAC) does not let you restore data from backups for backup agents, managed from the console. Restores are performed locally from the backup agent application. Detailed instructions for using different restore options can be found in the Veeam Agent for Microsoft Windows user guide.
To launch a restore, put the backup agent on the local machine in Full admin access mode (see Agent UI Mode Settings above). Restores cannot be performed in read-only UI mode.
On the target computer opening Start — Veeam gives you different restore options:
- File Level Restore — restore wizard on the file and folder level
- Volume Restore — restore windzard on the volume level
- Create Recovery Media — recover media creation wizard for performing restores
File Level Restore
Files and folders can be restored on the target computer with File Level Restore.
Launch the wizard (Start — Veeam — File Level Restore) and choose the desired restore point. Click Next.
A window will open with the catalog structure of the backup for the chosen restore point. Select the files or folders to be copied; these files can be moved to a specific location on the server or restored to their original location, while keeping or overwriting the existing data.
Restore volumes using Volume Restore.
Launch the wizard (Start — Veeam — Volume Restore) and choose a restore point. Click Next. A window will open where you can select volumes and configure the location to be restored to (Customize Disk Mapping — the original server location or a new volume).
Please note that system volumes cannot be restored to their original location on a working system; this requires a Veeam boot disk (Recovery Media).
Create Recovery Media
Veeam Recovery Media is useful for performing the following tasks:
- Full restore (all volumes)
- Restore system volumes
- Restore or migrate to a new platform (physical host or VM)
To create Veeam Recovery Media, launch the relevant master (Start — Veeam — Create Recovery Media).
Choose the media type (flash drive, optical disk, or ISO file) and enter additional settings. The recovery media will be created. For more information, see Creating Veeam Recovery Media.
To learn more about restoring data, see Restoring from Veeam Recovery Media.