PowerProtect Data Manager 19.13 Virtual Machine User Guide

Add a protection policy for virtual machine protection

A protection policy enables you to select a specific group of assets that you want to back up and replicate. Perform the following steps to create a virtual machine protection policy in the PowerProtect Data Manager UI.

1. From the left navigation pane, select Protection > Protection Policies.
   The Protection Policies window appears.
2. In the Protection Policies window, click Add.
   The Add Policy wizard appears.
3. On the Type page, specify the following fields, and then click Next:
   • Name—Type a descriptive name for the protection policy.
   • Description—Type a description for the policy.
   • Type—Select Virtual Machine, which includes protection for SQL application-aware virtual machines.
4. On the Purpose page, select from the following options to indicate the purpose of the new protection policy group, and then click Next:
   • Crash Consistent—Select this type for point-in-time backup of virtual machines.
   • Application Aware—For virtual machines with a SQL application installed, select this type to quiesce the application to perform the SQL database and transaction log backup. When you select this type, you must provide Windows account credentials for the virtual machine. You can provide the credentials at the protection-policy level or the virtual machine asset level. When you provide the credentials at both levels, the virtual machine asset credentials override the policy credentials.
   • Exclusion—Select this type if there are assets within the protection policy that you plan to exclude from data protection operations.

   By default, quiescing is automatically performed for the guest file system on the virtual machine. Quiescing ensures that the data within the guest file system is in a state that is appropriate for backups. If the file system cannot be quiesced on the first attempt, the snapshot and backup are performed without quiescing.

   VMware Tools is used to quiesce the file system in the guest operating system. The VMware documentation provides more information.

5. On the Assets page, select the assets for inclusion in this policy by choosing one of the following options from the list:
   • View by Host—This option enables you to view all assets within a specific host, and then select individual assets or a group of assets at a host or container level for policy inclusion. For example:
     • Select a stand-alone host to include all assets under this host.
       NOTE: If you select a host in a cluster, no assets are selected. For a host in a cluster, ensure that you select the cluster or other containers (for example, a resource pool or vApp) under the cluster host.
     • Expand the tree and select a container level in the vCenter hierarchy (for example, the data center, cluster, host, or resource pool) to include all assets under that level. If assets at any level are protected by another policy, a label with the name of that policy appears next to the level.

       The following types of virtual assets are saved in PowerProtect Data Manager but excluded from protection:

       • VMProductType.DDVE - DD Virtual Edition
       • VMProductType.VPROXY - VM Direct protection engine
       • VMProductType.ECDM
       • VMProductType.VIRTUAL_HOST - Nested_ESXi appliance
       • VMProductType.DDMC - DD Management Center
       • VMProductType.REPORT - PowerProtect Data Manager Reporting appliance
       • VMProductType.SEARCH - PowerProtect Data Manager Search appliance
       • VMProductType.VRPA - RecoverPoint for VMs

       When you select a container level in the View by Host view, a protection rule is automatically created to ensure that these container level selections will be retained, even if changes occur from movements within the vSphere environment or the names of resource pools or folders change. This rule is managed by the PowerProtect Data Manager system, and cannot be modified. The rule will also be updated automatically if you make changes to container selections when editing the policy, or when assets are moved into or out of a selected container.

       To view this rule after policy creation, go to Protection > Protection Rules. The name in the  Protection Rule Name column for this new rule matches the policy name.

       If this new rule results in an overlap of protection with an existing rule, you can resolve these conflicts by changing the policy protection rule priority in the Selection Overlap page. Step 7 provides more information.

       NOTE: The behavior of automatic rule creation that allows assets to move into or out of policies can only be modified in the REST API. After updating from a previous release, if View by Host is not visible you can enable this view by manually changing the /api/v2/common-settings/DYNAMIC_FILTER_SETTING. The PowerProtect Data Manager Public REST API documentation provides instructions.
     • Expand the tree and select individual assets within containers.

       When you select individual assets within this view, these selections are considered static, and no protection rule is automatically created. In cases where protection rules result in assets moving from one policy to another, any assets that are manually selected for inclusion in the policy will not be moved to a different policy.

   • View Asset Table—This option enables you to view all unprotected assets in the vCenter server within a table, and then select individual unprotected assets that you want to back up as part of this protection policy. In cases where protection rules result in assets moving from one policy to another, any assets that are manually selected for inclusion in the policy will not be moved to a different policy.

     When you select a virtual machine asset in this view, a dialog displays indicating that you can exclude virtual disks (VMDKs) from protection of these assets. To dismiss the dialog for other selections, select the check box and click OK.

   Both views provide additional information about the virtual machines, such as any currently associated tags, protection rules, and whether the virtual machine is already assigned to another policy, to help you identify which assets you want to add. If the virtual machines that you want to protect are not listed, use the Search box to search by asset name.

   NOTE: When you configure a virtual machine application-aware protection policy to protect a Microsoft SQL Server Always On availability group (AAG), you must add all the virtual machines for that AAG to the same policy, to ensure proper protection. Failure to do so might result in missed transaction log backups.

   For the virtual machine application-aware case, the Assets page displays a warning about the AAG policy configuration requirement.

6. Optionally, if you want to exclude nonproduction VMDKs such as network shares or test disks from a protection policy:
   1. Select the virtual machine asset from the list, and then click Manage Exclusions in the Disk Excluded column.
      The Exclude Disks dialog box appears. By default, the slider next to each VMDK is set to Included.
   2. For each disk that you want to exclude, move the slider to the right. The status updates to Excluded.
   3. Click Save. The Assets page updates to indicate the number of disks for that particular asset that will be excluded from the protection policy.
7. Click Next.
   If any virtual objects or assets that were selected in the previous page overlap with assets that are already protected by another policy, the Selection Overlap page appears. Overlap can occur, for example, when two policies (the new policy and an existing policy) use the View by Host view for asset selection by container level.
   1. To switch protection of any virtual objects listed in the Protection Priority Overlap table from an existing policy, update the Policy Priority field to a level equal to or higher than the other policy currently protecting these objects. The lower the value, the higher the priority. For example, 1 is the highest priority. When you change this value, the priority of the rule that is associated with this policy is also changed.
   2. To switch protection of any assets that are listed in the Asset Protection Overlap table to this policy, select the check box next to one or more assets. Selecting these assets for inclusion in this policy removes the assets from the other policy.
   When you change the priority or the selected assets, the protection rule is updated automatically.
8. Click Next.
   The Objectives page appears.
9. On the Objectives page, select a policy-level Service Level Agreement (SLA) from the Set Policy Level SLA list, or select Add to open the Add Service Level Agreement wizard and create a policy-level SLA.
   Add a service-level agreement provides instructions.
10. Click Add under Primary Backup.
    The Add Primary Backup dialog appears.
11. On the Schedules pane of the Add Primary Backup dialog:
    1. Specify the following fields to schedule the synthetic full backup of this protection policy:
       • Create a Synthetic Full...—Specify how often to create a synthetic full backup. A Synthetic Full backs up only the changed blocks since the last backup to create a new full backup.
       • Retain For—Specify the retention period for the synthetic full backup.
         NOTE: For database backups, PowerProtect Data Manager chains the dependent backups together. For example, the synthetic full or transaction log backups are chained to their base full backup. The backups do not expire until the last backup in the chain expires. This ensures that all synthetic full and transaction log backups are recoverable until they have all expired.
       • Start and End—For the activity window, specify a time of day to start the synthetic full backup, and a time of day after which backups cannot be started.
         NOTE: Any backups started before the End Time occurs continue until completion.
       • Click Save to save and collapse the backup schedule.
    2. Click Add Backup if you want to periodically force one or more full (level 0) backups, and then specify the following fields to schedule the full backups of this protection policy:
       NOTE: When you select this option, the backup chain is reset.

       • Create a Full...—Specify whether you want to create an hourly, daily, weekly, monthly, or yearly full backup.
       • Repeat on—Depending on the frequency of the full backup schedule, specify the hour of the day, the day of the week, or the date of the month for the full backup.
       • Retain For—Specify the retention period for the full backup. This can be the same value as the synthetic full backup schedule, or a different value.
       • Start and End—For the activity window, specify a time of day to start the full backup, and a time of day after which backups cannot be started.
         NOTE: Any backups started before the End Time occurs continue until completion.
       • Click Save to save and collapse the backup schedule.
    3. Click Add Backup and repeat the procedure for creating full backups if you want to create additional backup copies at different intervals with different retention periods.
       Within this protection policy, when a full schedule conflicts with another full backup schedule, a message appears, indicating that there is a conflict. Schedule occurrences can conflict with each other when the activity windows are identical or occur entirely within the same time range. To avoid full schedule conflicts in a policy, edit the activity windows.

       If you proceed with conflicting schedules, the backup of the lower priority schedule will be skipped. Schedule priority is ranked according to the following criteria:

       • Full schedules have a higher priority than Synthetic Full schedules.
       • For schedules of the same backup type, the schedules that run less frequently have a higher priority than schedules that run more frequently.
       • For schedules with the same backup type and frequency, the schedule with the longest activity window has the higher priority. If the activity windows are also identical, only one of these schedules will run.

       NOTE: When a schedule conflict between full backups occurs, PowerProtect Data Manager runs the full backup with the longest retention period.
    4. To create a log backup for virtual machine application-aware protection policies, click Add Backup again, and then specify the following fields:
       • Create a Log...—For application-aware protection policies, specify the interval in minutes for log generation.
         NOTE: For SQL Server AAG configurations, the database administrator can specify the AAG backup preferences for a transaction log backup in the Microsoft SQL Server Management Studio.
       • Retain For—Specify the retention period for the log backup. This can be the same retention value that is specified for the synthetic full or full schedule, or a different value.
         NOTE: Setting a shorter retention period for log backups than the full backup can result in data loss and the inability to restore point-in-time copies.
       • Start and End—For the activity window, specify a time of day to start the log backup, and a time of day after which log backups cannot be started.
         NOTE: Any backups started before the End Time occurs continue until completion.
       • Click Save to save and collapse the backup schedule.
12. On the Target pane of the Add Primary Backup dialog, specify the following fields:
    1. Storage Name—Select a backup destination from the list of existing protection storage systems, or select Add to add a system and complete the details in the Storage Target window.
       NOTE: The Space field indicates the total amount of space, and the percentage of available space, on the protection storage system.
    2. Storage Unit—Select whether this protection policy should use a New storage unit on the selected protection storage system, or select an existing storage unit from the list. Hover over a storage unit to view the full name and statistics for available capacity and total capacity, for example, testvmplc-ppdm-daily-123ab (300 GB/1 TB)
       When you select New, a new storage unit in the format policy namehost nameunique identifier is created in the storage system after policy completion. For example, testvmplc-ppdm-daily-123cd.
    3. Network Interface—Select a network interface from the list, if applicable.
    4. Retention Lock—Move the Retention Lock slider to the right to enable retention locking for these backups.

       The retention lock mode setting comes from the configuration of the selected storage unit. When you enable retention locking, the Retention Lock Mode field displays the corresponding storage unit setting.

       Setting a retention lock applies to the current backup copy only, and does not impact the retention lock setting for existing backup copies.

       NOTE: Primary backups are assigned a default retention lock period of 14 days. Replicated backups, however, are not assigned a default retention lock period. If you enable Retention Lock for a replicated backup, ensure that you set the Retain for field in the Add Replication dialog to a minimum number of 14 days so that the replicated backup does not expire before the primary backup.
    5. SLA—Select an existing service level agreement that you want to apply to this objective from the list, or select Add to create an SLA within the Add Service Level Agreement wizard.
       Add a service-level agreement provides instructions.
13. Click Save to save your changes and return to the Objectives page.

    The Objectives page updates to display the name and location of the target storage system under Primary Backup.

    After completing the objective, you can change any details by clicking Edit next to the objective.

14. Optionally, replicate the backups:
    NOTE:

    To enable replication, ensure that you add remote protection storage as the replication location. The PowerProtect Data Manager Administration and User Guide provides detailed instructions about adding remote protection storage.

    When creating multiple replicas for the same protection policy, it is recommended to select a different storage system for each copy. If you select a storage unit that is the target of another objective for the same policy, the UI issues a warning. The PowerProtect Data Manager Administration and User Guide provides information about replicating to shared protection storage to support PowerProtect Cyber Recovery. Verify the storage targets and the use case before you continue.

    When you create a replication objective, you can specify either scheduled replication or replication after backup completion.

    NOTE: For replication after backup completion, it is recommended that you update the application agents to the latest version. Depending on the type of backup, the following versions are required to ensure that replication occurs immediately after the backups complete:

    • For self-service primary backups, update all application agents to PowerProtect Data Manager version 19.12 or later.
    • For centralized primary backups, update all application agents to PowerProtect Data Manager version 19.11 or later.

    If you want to replicate only specific backups, perform a manual replication of these backups in advance.

    For replicas of centralized backups, when you set retention periods for different backup types, any undefined types use the full backup retention period. For example, if you do not define a log backup in the primary objective, the log backup for the replication objective is also undefined. After you run a manual log backup, replicas of that log backup use the same retention period as the full backup.

    1. Click Replicate next to Primary Backup. An entry for Replicate is created to the right of the primary backup objective.
    2. Under Replicate, click Add.
       The Add Replication dialog appears, with information in the left pane for each schedule that has been added for the primary backup objective of this protection policy.

       NOTE: Backups for all of the listed schedules will be replicated. You cannot select individual schedules for replication.
    3. Select a storage target:
       • Storage Name—Select a destination from the list of protection storage. Or, select Add to add a protection storage system and complete the details in the Storage Target window.
       • Storage Unit—Select an existing storage unit on the protection storage system. Or, select New to automatically create a storage unit.
       • Network Interface—Select a network interface from the list, if applicable.

       • Retention Lock—Move the Retention Lock slider to the right to enable retention locking for these replicas.

         The retention lock mode setting comes from the configuration of the selected storage unit. When you enable retention locking, the Retention Lock Mode field displays the corresponding storage unit setting.

       • SLA—Select an existing replication service level agreement that you want to apply to this schedule from the list. Or, select Add to create a replication SLA within the Add Service Level Agreement wizard.

       The PowerProtect Data Manager Administration and User Guide provides more information about replication targets, such as SLAs.

    4. Select when to replicate the backups:

       Replication triggers provides more information.

       • To replicate after the backup finishes, move the Replicate immediately upon backup completion slider to on.

       • For scheduled replication, move the Replicate immediately upon backup completion slider to off, and then complete the schedule details in the Add Replication dialog.

         For replication of the primary backup, the schedule frequency can be every day, week, month, or x hours.

         For daily, weekly, and monthly schedules, the numeric value cannot be modified. For hourly, however, you can edit the numeric value. For example, if you set Create a Full backup every 4 hours, you can set a value of anywhere from 1 to 12 hours.

       By default, all replicas of the primary backup objective inherit the retention period from the Retain For value of the synthetic full and full backup schedules.

    5. To specify a different retention period for individual synthetic full and full replicas, clear Set the same retention time for all replicated copies, click Edit in the row of each schedule that you want to change, update the value in the Retain For field, and then click Save.
       CAUTION: Setting a retention period for the replicas of other backup types (such as log backups, incremental, and differential backups, where applicable) that is shorter than the retention period of the corresponding full backup may result in being unable to recover from those replicas.
    6. Click Save to save your changes and return to the Objectives page.
15. Optionally, to move backups from protection storage to Cloud Tier, add a Cloud objective for the primary or replication objective:
    NOTE: To move a backup or replica to Cloud Tier, objectives must have a retention time of 14 days or more. PowerProtect Data Manager also requires the discovery of protection storage with a configured Cloud unit.
    1. Click Cloud Tier next to Primary Backup. Or, if adding a Cloud objective for a replication objective that you have added, click Cloud Tier under Replicate.
       An entry for Cloud Tier is created to the right of the primary backup objective, or below the replication objective.
    2. Under the entry for Cloud Tier, click Add.
       The Add Cloud Tier Backup dialog appears, with summary information for the parent objective to indicate whether you are adding this Cloud Tierobjective for the primary backup objective or the replication objective.
    3. Keep the All applicable full backups slider to the right if you want to tier the backups from all of the full primary backup or replication schedules of this policy. Otherwise, move the slider to the left and select the full schedule(s) that you want to tier.
       NOTE: If the retention period of a schedule is less than the minimum 14 days required before tiering occurs, or is less than the value in the Tier After field, you can still select this schedule for tiering. However, if you do not edit the retention period of this schedule or its backup or replication copy to a value greater than the Tier After field before the retention period of the copy expires, the backup or replication copy of this schedule will not be cloud tiered.
    4. Complete the objective details in the Add Cloud Tier Backup dialog, and then click Save to save your changes and return to the Objectives page.
       The PowerProtect Data Manager Administration and User Guide provides detailed instructions for adding a Cloud objective for a primary or replication objective.
16. Optionally, if Cloud Disaster Recovery is configured in the Infrastructure > Storage window, you can add a Cloud DR objective for virtual machine protection policies:
    1. Click Cloud DR next to Primary Backup or, if adding a Cloud objective for a replication objective that you have added, click Cloud DR under Replicate. An entry for Cloud DR is created to the right of the primary objective, or below the replication objective.
    2. Under the entry for Cloud DR, click Add.
       The Add Cloud DR Backup dialog appears, with summary information for the parent node to indicate whether you are adding this Cloud DR objective for the primary backup objective or the replication objective.
    3. Complete the objective details in the Add Cloud DR Backup dialog, and then click Save to save your changes and return to the Objectives page.
       The PowerProtect Data Manager Cloud Disaster Recovery Administration and User Guide provides detailed instructions for adding a Cloud DR objective for a primary or replication objective.
17. Click Next.
    The Options page appears.
18. On the Options page:
    1. For Optimize For, select from one of the following backup optimization modes:
       • Performance—Optimize for backup and replication speed. Selecting this mode results in more storage consumption.
       • Capacity—Optimize for backup size. Selecting this mode results in less storage consumption, but backups take longer to complete.

       NOTE: Changing the optimization mode after the first backup of the protection policy forces the next backup to be a full backup, and results in increased storage capacity usage due to differences in how each mode uses data deduplication. This increase continues until all backups performed using the previous optimization mode expire and have been deleted.
    2. Exclude swap files from backup—Select to exclude the C:\swapfile.sys, C:\pagefile.sys, and C:\hiberfil.sys swap and memory files of Microsoft Windows virtual machines, in the virtual machine backup. By default, this check box is cleared.

       When using the Transparent Snapshot Data Mover protection mechanism, do not select the Exclude swap files from backup check box.

       NOTE: Including swap and memory files in a backup unnecessarily increases the size of the backup and the time to restore to original during recovery. These files are rebuilt by the Microsoft Windows operating system after restart, and not required for recovery.
    3. Enable indexing for file search and restore—Select to enable indexing. This option is visible only after activating the search cluster node.
    4. Enable guest file system quiescing—Select to enable VMware Tools to quiesce the file system during crash-consistent virtual machine backups.

       When using the Transparent Snapshot Data Mover protection mechanism, do not select the Enable guest file system quiescing check box.

19. Click Next.
    The Summary page appears.
20. Review the protection policy group configuration details. Except for the protection policy type, you can click Edit next to any details to change the protection policy information. When satisfied with the details, click Finish.
    An informational message appears to confirm that PowerProtect Data Manager has saved the protection policy.

    When the new protection policy is created and assets are added to the protection policy, PowerProtect Data Manager performs backups according to the backup schedule.

    For virtual machines, if you have not yet added a VM Direct Engine, the backup is performed using the embedded VM Direct Engine that is included with PowerProtect Data Manager. Subsequent backups are performed according to the schedule specified.

    NOTE: If the target virtual machine datastore for backup is running low on free space and the datastore free space threshold is configured in vCenter Settings, a warning message appears or a backup failure occurs. When the Datastore Free Space Warning Threshold is reached, the backup proceeds with a warning message in the logs. When the Datastore Free Space Failure Threshold is reached, the backup fails.

    To check the warning and failure threshold values, select Infrastructure > Asset Sources and click the vCenter tab. Click to the right of the search box to open the vCenter Settings dialog.

21. Click OK to exit the window, or click Go to Jobs to open the Jobs window to monitor the backup of the new protection policy group.