- Notes, cautions, and warnings
- Preface
- Getting Started
- Managing Users
- Managing Storage
- Using the PowerProtect Search Engine
- Managing Assets
- Managing Protection Policies
- Protection policies
- Before you create a protection policy
- Supported enhanced VMware topologies for virtual-machine protection
- Add a protection policy for virtual-machine protection
- Add a Cloud Tier schedule to a protection policy
- Manual backups of protected assets
- Manual replication of protected assets
- Manual Cloud Tiering of protected assets
- Editing a protection policy
- View assets assigned to a protection policy
- Extended retention
- Edit the retention period for backup copies
- Delete backup copies
- Removing expired backup copies
- Removing assets from PowerProtect Data Manager
- Export protection
- Disable a protection policy
- Delete a protection policy
- Add a Service Level Agreement
- Export Asset Compliance
- Protection rules
- Restoring Data and Assets
- View backup copies available for restore
- Restoring a virtual machine or VMDK
- Restoring a virtual machine backup with the storage policy association
- Prerequisites to restore a virtual machine
- Restore to the original virtual machine
- Restore individual virtual disks
- Restore to a new virtual machine
- Instant access virtual machine restore
- File level restore to original virtual machine
- File level restore to alternate virtual machine
- Direct restore to ESXi
- Restore an application-aware virtual machine backup
- Restore the PowerProtect Data Manager server
- Restore Cloud Tier backups to protection storage
- Preparing for and Recovering From a Disaster
- Managing system backups for server disaster recovery
- Prepare the DD system recovery target (NFS)
- Configure PowerProtect Data Manager server DR backups
- Record settings for server DR
- Manage PowerProtect Data Manager server DR backups
- Restore PowerProtect Data Manager from server DR backups
- Troubleshooting NFS backup configuration issues
- Troubleshoot recovery of PowerProtect Data Manager
- Quick recovery
- Recover a failed PowerProtect Data Manager backup
- Managing Alerts, Jobs, and Tasks
- Modifying the System Settings
- System settings
- System Support
- Configuring SupportAssist for PowerProtect Data Manager
- Telemetry Collector
- CloudIQ reporting
- Set up the email server
- Add AutoSupport
- Enabling automatic update package checks and downloads
- Add a log bundle
- Audit logging and monitoring system activity
- Monitor system state and system health
- Access the open source software package information
- Security certificates
- Modifying the PowerProtect Data Manager virtual machine disk settings
- Memory optimization
- Configure the DD system
- Virtual networks (VLANs)
- Protecting Virtual Machines using the Transparent Snapshot Data Mover
- Overview of transparent snapshots for virtual machine protection
- VIB installation monitoring and management
- Transparent snapshot data mover system requirements
- Prerequisites to virtual machine protection with the Transparent Snapshot Data Mover
- Virtual machine transparent snapshot unsupported features and limitations
- Transparent Snapshot Performance and Scalability
- PowerProtect Functionality Within the vSphere Client
- PowerProtect functionality within the vSphere Client
- Overview of the PowerProtect plug-in for the vSphere Client
- Prerequisites for enabling the vSphere Client PowerProtect plug-in
- Monitor PowerProtect Data Manager virtual machine protection copies
- Manual PowerProtect policy backup in the vSphere Client
- Image-level restore of a PowerProtect backup in the vSphere Client
- File-level restore of a PowerProtect backup in the vSphere Client
- Overview of VASA and VMware Storage Policy Based Management
- VMware Cloud (VMC) on Amazon Web Services (AWS)
- PowerProtect Data Manager image backup and recovery
- Supported PowerProtect Data Manager and DDVE deployment configurations
- Deployment and configuration best practices and requirements
- Configuring the VMC-on-AWS portal
- Interoperability with PowerProtect Data Manager features
- vCenter server inventory requirements
- Creating a dedicated cloud-based vCenter user account
- Add a VM Direct Engine
- Unsupported operations
- Azure VMware Solution (AVS) on Microsoft Azure
- PowerProtect Data Manager image backup and recovery
- Supported PowerProtect Data Manager and DDVE deployment configurations
- Deployment and configuration best practices and requirements
- Configuring the AVS-on-Azure portal
- vCenter server inventory requirements
- Creating a dedicated cloud-based vCenter user account
- Add a VM Direct Engine
- Unsupported operations
- Google Cloud VMware Engine (GCVE) on Google Cloud Product (GCP)
- PowerProtect Data Manager image backup and recovery
- Supported PowerProtect Data Manager and DDVE deployment configurations
- Deployment and configuration best practices and requirements
- Configuring the GCVE-on-GCP portal
- vCenter server inventory requirements
- Creating a dedicated cloud-based vCenter user account
- Add a VM Direct Engine
- Unsupported operations
- Performing Updates
- Configuring and Managing the PowerProtect Agent Service
- Backing Up and Recovering a vCenter Server
- Backing up and recovering a vCenter server
- vCenter deployments overview
- Protecting an embedded PSC
- Protecting external deployment models
- vCenter server appliance(s) with one external PSC where PSC fails
- vCenter server appliance is lost but the PSC remains
- vCenter server appliance with multiple PSCs where one PSC is lost, one remains
- vCenter server appliance remains but all PSCs fail
- vCenter server appliance remains but multiple PSCs fail
- vCenter server appliance fails
- vCenter server restore workflow
- Platform Services Controller restore workfow
- Additional considerations
- Command reference
- Backing Up VMware Cloud Foundation (VCF) on VxRail
- Backing up VCF on VxRail
- VCF and VxRail overview
- VCF components and backup methods
- Check VMware certification
- Backup prerequisites
- The backup script
- Quick protection
- Selective protection: SDDC and NSX-T Managers
- Selective protection: vCenter servers
- Selective protection: vRSLCM, VxRail Manager, Workspace ONE Access, and vRealize Suite virtual machines
- SFTP password change: SDDC and NSX-T Managers
- SFTP password change: vCenter servers
- Backup-script troubleshooting
- Best Practices and Troubleshooting
- Base 10 standard used for size calculations in the PowerProtect Data Manager UI
- Best practices and additional considerations for the VM Direct Engine
- Change the limit of instant access sessions
- Configuring a backup to support vSAN datastores
- Configuration checklist for common issues
- Disable vCenter SSL certificate validation
- File-level restore and SQL restore limitations
- FLR Agent for virtual machine file level restore
- FLR-supported platform and OS versions for virtual machine restores
- PowerProtect Data Manager resource requirements in a VMware environment
- Software and hardware requirements
- Support for backup and restore of encrypted virtual machines
- Transport mode considerations
- Virtual disk types supported
- Virtual machine data change rate
- VM Direct Engine data ingestion rate
- VM Direct Engine limitations and unsupported features
- VM Direct Engine performance and scalability
- VM Direct Engine selection with virtual networks (VLANs)
- Best practices for vCenter Server backup and restore
- Changing the vCenter server FQDN
- Monitoring storage capacity thresholds
- Replacing security certificates
- Restarting PowerProtect Data Manager
- Scalability limits for vCenter Server, VM Direct Engine and DD systems
- Troubleshooting network setup issues
- Troubleshooting PowerProtect agent service installations
- Troubleshooting PowerProtect agent service operations
- Troubleshooting PowerProtect Data Manager software updates
- Troubleshooting storage units
- Troubleshooting virtual machine backup issues
- Backup completes with a non-quiesced snapshot warning
- Backup fails when names include special characters
- Deleting vCenter asset sources or moving ESXi to another vCenter
- Failed to lock Virtual Machine for backup: Another EMC vProxy operation 'Backup' is active on VM
- Lock placed on virtual machine during backup and recovery operations continues for 24 hours if VM Direct appliance fails
- Managing command execution for VM Proxy Agent operations on Linux
- PowerProtect plug-in and portlet for vSphere display errors after replacing security certificates
- SQL databases skipped during virtual machine transaction log backup
- SQL Server application-aware backup displays an error about disk.EnableUUID variable
- SQL Server application-consistent backups fail with error "Unable to find VSS metadata files in directory"
- Trailing spaces not supported in SQL database names
- VMware knowledge base articles and product documentation
- Troubleshooting virtual machine restore issues
- Troubleshooting vSphere Plugin deployments
PowerProtect Data Manager 19.9 Administration and User Guide
Troubleshooting Search Engine issues
This section lists troubleshooting and Search Engine issues.
Error displays during node failure
The following error might display during a search when a node fails:
Not able to deploy search-node.com. Another session "<host_name>" is already configured with the same hostname. Would you like to redeploy search node or delete the node?
If this error occurs, delete the node, and then retry the operation. If you choose to edit, delete the node and the new mode modal appears with your previous input. The input that caused the error is marked as critical.Certificate issues
Issues with indexing backups and/or performing search queries might result when certificates that were deployed on the search node were corrupted.
Perform one of the following tests to determine certificate issues:
- Use the log bundle download utility in
PowerProtect Data Manager to examine the Backup VM logs in
VM Direct, and look for a log entry like the following:
ERROR: Failed to Upload File: /opt/emc/vproxy/runtime/tmp/vproxyd/ plugin/search/e6c356a1-fbaf-4231-9f6f-a0166b74909a/<search node>-e081fdea-3599-4a6c-abc4-1b5487cb9a32-e523a94c-2d01-5234-ab3c- 7771cfab3c58-7f16bcbb72d7b49ea073356f0d7388ac08461827.db.zip to https://<search node>:14251/upload, Error sending data chunk. Post https://<search node>:14251/upload: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "PPDM Root CA ID-d5ec56b8-69ec-4183-9c94-7c0230408765"
- Examine the rest-engine logs in the search node (/opt/emc/search/logs/rest-engine/*.log), and look for certificate verification errors.
- Run a search either through the UI or through the API <PowerProtect Data Manager>/api/v2/file-instances and look for a certification verification error.
Examine the certificate files in the node(s) to investigate further. If necessary, regenerate the certificate files.
Access the Search Node to discover passwords
Use the following steps to discover the admin and root passwords for all deployed search nodes:
- Connect to the PowerProtect Data Manager console and change to the root user.
- Change directory to /opt/emc/vmdirect.
- Source unit/vmdirect.env.
- Run bin/infranodemgmt get -secret.
Verify certificates
Use this procedure to verify that certificates are valid and uncorrupted:
- Verify that the
rootca.pem file is the same in all the relevant nodes (search node,
PowerProtect Data Manager, and
VM Direct node).
NOTE The rootca.pem file name is different on each node:
- PowerProtect Data Manager— /etc/ssl/certificates/rootca/rootca.pem
- Search node— /var/lib/dellemc/vmboot/trust/thumbprint
- VM Direct— /var/lib/dellemc/vmboot/trust/thumbprint
- Run the following openssl command to find out whether the root certificate file is corrupt or invalid:
openssl verify
<rootca.pem>
Response:
/var/lib/dellemc/vmboot/trust/thumbprint: C = US, O = DELL Corporation, CN = PPDM Root CA ID-4c9de850-24ab-42ec-a9a7-6080849d0d24 error 18 at 0 depth lookup:self signed certificate OK
Ensure that the CN values match.
Certificate verification fails
If the certificate verification steps fail, you must re-create the certificates on the Search Node or VM Direct node:
- Connect to the PowerProtect Data Manager console and change to the root user.
- Use the Get command in the infranodemgmt utility to determine the search node FQDN.
- Run
/usr/local/brs/puppet/scripts/generate_certificates.sh -n -c -b
<search node FQDN>
A properties file is created in the /root directory called <search node FQDN>.properties.
- Open this file to determine the location of the generated certificates. They should be located in /etc/ssl/certificates/<search node FQDN>.
- From a separate terminal, SSH into the search node using the password that was revealed with the infranodemgmt Get call in step 2.
- Change directory to /var/lib/dellemc/vmboot/trust and move the key, cert, and thumbprint files over.
- Copy the certificate files that were generated in
PowerProtect Data Manager as follows:
- otca.pem to thumbprint
- <search node FQDN>key.pem to key
- <search node FQDN>.pem to cert
- Paste the files to /var/lib/dellemc/vmboot/trust.
- Set the permissions for the key, cert, and thumbprint files to 0644, and then set the ownership of these files to root:app
- Restart the rest-engine daemon or the vproxyd daemon) to pick up the new certificates: systemctl restart search-rest-engine.
- Check the rest-engine log file
(/opt/emc/search/logs/rest-engine/rest-engine-daemon-<fqdn>.log) to verify that the service started successfully.
Ensure that the following message appears:
A valid Root CA certificate of backup server was provided during deployment
Result: Backup with indexing executes successfully and search service is functional.
Search cluster is full
If the search cluster is full, you can deploy additional nodes by following the steps in Set up and manage indexing.
If the search cluster runs out of space and you do not want to deploy an additional node, you have the following options:
- Disable the service
- Shorten the expiration time to remove indexes sooner
- Remove indexes manually
To disable the service, complete the following steps:
- From the PowerProtect Data Manager UI, select .
- Select the cluster, and then click Configure Cluster.
- In the
Configure Search Cluster dialog box, switch the
Search Indexing button to turn it off, and then click
Save.
NOTE This setting applies to all indexes in all protection policies in the Search Cluster.
To shorten the expiration time to remove indexes sooner, complete the following steps:
- From the PowerProtect Data Manager UI, select .
- Select the cluster, and then click Configure Cluster.
- In the
Configure Search Cluster dialog box, modify the
Search Index Expiration and click
Save. A recommended formula to determine the expiration time is: Delete Index when Today = Backup-Date + Expiration Days + 1 day. That is, one day after the backup expires.
NOTE This setting applies to all indexes in all protection policies in the Search Cluster.
To remove indexes manually, complete the following steps:
- Use SSH to log in to the Search virtual machine.
- Create a snapshot of the Search cluster using the following format:
{ Command: "APP_SNAPSHOT", Title: "Initiate Index/Search Cluster Snapshot Process", AsyncCmd: false, Properties: { "Name": { Description: "Used to uniquely identify a particular snapshot", Type: STRING }, "Action": { Description: "Action to perform, 'Create', 'Delete', 'Restore' or 'Cancel' a Snapshot", Type: STRING }, "NFSHost": { Description: "NFS Host serving snapshot backup area.", Type: STRING }, "NFSExport": { Description: "NFS Export path to mount too.", Type: STRING }, "NFSDirPath": { Description: "NFS directory path to write too.", Type: STRING } } }For example:
{ "Command": "APP_SNAPSHOT", "Title": "", "AsyncCmd": false, "Properties": { "Action": { "Description": "", "Required": false, "Type": "string", "IsArray": false, "Value": "Create", "Default": null }, "Name": { "Description": "", "Required": false, "Type": "string", "IsArray": false, "Value": "DataManager_Catalog_Cluster_snapshot_2019-10-16-12-57-16", "Default": null }, "NFSHost": { "Value": "10.25.87.88" }, "NFSExport": { "Value": "/mnt/shared" }, "NFSDirPath": { "Value": "" } } } - You can delete indexes by protection policy or by asset. If the JSON command is stored at
/home/admin/remove-plc.json, run the command,
./searchmgmt -I /home/admin/remove-plc.json.
- Use the following format to delete indexes by protection policy:
{ "Command": "APP_REMOVE_ITEMS", "AsyncCmd": false, "Properties": { "Action": { "Description": "Action to perform, 'AssetDelete', 'PLCDelete'", "Required": true, "Value": "PLCDelete", } "PLCID": { "Description": "PLC ID of item(s) to delete.", "Required": true, "Value": "7676d753-b57e-a572-6daf-33689933456d", } } } - Use the following format to delete indexes by asset type:
{ "Command": "APP_REMOVE_ITEMS", "AsyncCmd": false, "Properties": { "Action": { "Description": "Action to perform, 'AssetDelete', 'PLCDelete'", "Required": true, "Value": "AssetDelete", }, "AssetID": { "Description": "Optional, Asset ID of item(s) to delete.", "Required": false, "Value": "503dd753-b57e-a572-6daf-44680033755f", }, "PLCID": { "Description": "PLC ID of item(s) to delete.", "Required": true, "Value": "7676d753-b57e-a572-6daf-33689933456d", } } }
NOTE- The time to complete the execution of these procedures depends on the number of backup copy asset indexes being deleted.
- This procedure does not impact regular operation of the cluster.
- Use the following format to delete indexes by protection policy:
Troubleshooting a locked Search Engine Node
The nodes on the PowerProtect Data Manager Search cluster are configured with IP addresses that can be accessed externally. These nodes are configured with admin or root user accounts, which are only used to log in to the Search nodes for troubleshooting software issues. The password management policies for these accounts are set to lock the admin user account if there are three wrong password attempts within a 5 minute time period. If you try to access the node while the admin user account is locked, the amount of time that the account remains locked increases.
There is no public interface available that enables you to access the search node by using admin credentials. All required information about the Search Engine nodes is obtained through the PowerProtect Data Manager UI.
A Search node might become locked for the following reasons:
- A user or program tries to SSH into the search node and makes three wrong attempts at entering the password.
- Running monitoring software that tries to log in to the Search node with the wrong admin credentials and locks the system.
- Running Penetration Testing (PEN) on the VMs in the vCenter.
The Search admin user account enables the PowerProtect Data Manager system to perform different operations on the Search node, such as obtaining the health status of the node. If the account is locked, the health status of the node is reported as "Failed." When one of the nodes in the Search cluster is in a failed state, the entire Search cluster becomes unavailable. As a result, the Search cluster is unable to perform any indexing or search operations.
Workaround
To work around this issue, first access the Search node to discover the admin and root credentials for the node. After you discover the node credentials, log in to the node through the vCenter console to reset the admin credentials.
Use the following steps to discover the admin and root passwords for all deployed Search nodes:
- Connect to the PowerProtect Data Manager console and change to the root user.
- Change directory to /opt/emc/vmdirect
- Run unit/vmdirect.env
- Run bin/infranodemgmt get -secret
Before you access the Search node through the vCenter console, determine why the admin account is locked.
Use the following steps to unlock the admin user account:
- Log in to the vCenter where the Search node is present.
- Select the Search node from the VMs and Templates view in the left pane of the vSphere Client home page.
- Launch a PowerProtect Data Manager VM vCenter console.
- Log in to the vCenter console with the root username and password.
- Run the following command to reset the admin user account credentials:
/sbin/pam_tally2 --user admin --reset
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\