- Notes, cautions, and warnings
- Preface
- Getting started
- PowerProtect Data Manager for virtual machines overview
- Additional information and context
- Terminology
- PowerProtect Data Manager new deployment overview
- Security configuration
- Access the PowerProtect Data Manager UI
- Roadmap for virtual machine asset protection
- Supported Internet Protocol versions
- Root certificate authority expiration
- Encryption in-flight
- Enabling virtual machine protection
- About asset sources, assets, and protection storage
- About vCenter server asset sources and virtual assets
- Prerequisites for discovering asset sources
- Enable an asset source
- Adding a vCenter Server asset source
- Protecting virtual machines in a VMware Site Recovery Manager environment
- VM Direct protection engine overview
- Requirements for an external VM Direct Engine
- Protection engine limitations
- Add a VM Direct Engine for virtual machine, Kubernetes cluster, or NAS protection
- Additional VM Direct actions
- Transparent Snapshots Data Mover protection mechanism
- vSphere Installation Bundle for Transparent Snapshots Data Mover protection
- Install or update the vSphere Installation Bundle
- Disable or re-enable the vSphere Installation Bundle
- Supported versions of VIB and installing PowerProtect Data Manager update packages
- Migrating assets to use the Transparent Snapshots Data Mover
- Prerequisites for backups
- Managing virtual machine assets and protection
- Protection policies for virtual machine protection
- Supported protection policy purposes
- Supported protection policy objectives
- Replication triggers
- Roadmap for planning a protection policy
- Before you add a protection policy for virtual machine protection
- Add a protection policy for virtual machine protection
- Add a service-level agreement
- Managing virtual machine backups
- View available backup copies
- Copy Management
- Add and remove the credentials for virtual machine assets
- Add or remove assets in a protection policy
- Enable or disable Changed Block Tracking (CBT)
- Edit the retention period for asset copies
- Delete virtual machine backup copies
- Snapshot freeze scripts and thaw scripts for virtual machine backups
- Extended retention for protection policies
- Protection rules
- Creating tags in the vSphere Client for virtual machine protection policy rules
- Add a protection rule
- Manually run a protection rule
- Edit or delete a protection rule
- View assets applied to a protection rule
- Change the priority of an existing protection rule
- Move assets across policies using protection rules
- Configure protection rule behavior
- Protection policies for virtual machine protection
- Restoring virtual machine data and assets
- Prerequisites to restore a virtual machine
- Self-service restores
- View available backup copies for restore
- Restoring a virtual machine or virtual machine disk
- Restoring a virtual machine backup with the storage policy association
- Image-level restores
- Instant Access virtual machine restore
- File-level restores
- File-level restore to the original virtual machine
- File-level restore to alternate virtual machine
- Virtual machine file-level restore from a search
- File level restore as a domain user
- Manually install the VM Direct agent on Linux as a root user from the command line
- Manually install the VM Direct agent on Linux as a nonroot user from the command line
- Manually install the VM Direct agent on Windows from the command line
- Restore an application-aware virtual machine backup
- Quick recovery
- Restore plans
- Protecting virtual machines using the Transparent Snapshots Data Mover
- Overview of Transparent Snapshots Data Mover
- vSphere Installation Bundle monitoring and management
- Transparent snapshots data mover system requirements
- Prerequisites to virtual machine protection with the Transparent Snapshots Data Mover
- Transparent Snapshots Data Mover unsupported features and limitations
- Transparent Snapshots Data Mover performance and scalability
- PowerProtect functionality within the vSphere client
- PowerProtect functionality within the vSphere Client
- Overview of the PowerProtect plug-in for the vSphere Client
- vSphere Client PowerProtect plug-in requirements
- Monitor PowerProtect Data Manager virtual machine protection copies
- Perform a manual PowerProtect-policy backup in the vSphere Client
- Perform an image-level restore of a PowerProtect backup in the vSphere Client
- File-level restores of a PowerProtect backup in the vSphere Client
- Overview of VASA and VMware Storage Policy Based Management
- VMware Cloud (VMC) on Amazon Web Services (AWS)
- PowerProtect Data Manager image backup and recovery
- VMware Cloud on Dell
- Supported PowerProtect Data Manager and DDVE deployment configurations
- Deployment and configuration best practices and requirements
- Configuring the VMC-on-AWS portal
- Interoperability with PowerProtect Data Manager features
- vCenter server inventory requirements
- Creating a dedicated cloud-based vCenter user account
- Add a VM Direct Engine
- Unsupported operations
- Azure VMware Solution (AVS) on Microsoft Azure
- PowerProtect Data Manager image backup and recovery
- Supported PowerProtect Data Manager and DDVE deployment configurations
- Deployment and configuration best practices and requirements
- Configuring the AVS-on-Azure portal
- vCenter server inventory requirements
- Creating a dedicated cloud-based vCenter user account
- Add a VM Direct Engine
- Unsupported operations
- Google Cloud VMware Engine (GCVE) on Google Cloud Platform (GCP)
- PowerProtect Data Manager image backup and recovery
- Supported PowerProtect Data Manager and DDVE deployment configurations
- Deployment and configuration best practices and requirements
- Configuring the GCVE-on-GCP portal
- vCenter server inventory requirements
- Creating a dedicated cloud-based vCenter user account
- Add a VM Direct Engine
- Unsupported operations
- Oracle VMware Cloud Solution (OCVS) on Oracle Cloud Infrastructure (OCI)
- PowerProtect Data Manager image backup and recovery
- Supported PowerProtect Data Manager and DDVE deployment configurations
- Deployment and configuration best practices and requirements
- vCenter server inventory requirements
- Creating a dedicated cloud-based vCenter user account
- Protection mechanisms
- Supported operations
- Unsupported operations
- Backing up and recovering a vCenter server
- Backing up and recovering a vCenter server
- vCenter deployments overview
- Protecting an embedded PSC
- Protecting external deployment models
- vCenter Server Appliance with one external PSC where PSC fails
- vCenter Server Appliance is lost but the PSC remains
- vCenter Server Appliance with multiple PSCs where one PSC is lost but one remains
- vCenter Server Appliance remains but all PSCs fail
- vCenter Server Appliance remains but multiple PSCs fail
- vCenter Server Appliance fails
- vCenter server restore workflow
- Platform Services Controller restore workflow
- Additional considerations
- Command reference
- Backing up VMware Cloud Foundation (VCF) on VxRail
- Backing up VCF on VxRail
- VCF and VxRail overview
- VCF components and backup methods
- Check VMware certification
- Backup prerequisites
- The backup script
- Quick protection
- Selective protection: SDDC and NSX-T Managers
- Selective protection: vCenter servers
- Selective protection: vRSLCM, VxRail Manager, Workspace ONE Access, and vRealize Suite virtual machines
- SFTP password change: SDDC and NSX-T Managers
- SFTP password change: vCenter servers
- Backup-script troubleshooting
- Best practices
- Software and hardware requirements
- Scalability limits for vCenter server, VM Direct Engine, and DD systems
- PowerProtect Data Manager resource requirements in a VMware environment
- Best practices and additional considerations for the VM Direct Engine
- VM Direct Engine performance and scalability
- Transport mode considerations
- Change the limit of instant access sessions
- Configuring a backup to support vSAN datastores
- Configuration checklist for common issues
- Adjust the VMDM connection timeout and read timeout default values when network latency issues occur
- Disable vCenter SSL certificate validation
- Uninstalling the VM Direct agent
- Updating the Microsoft Application Agent and VM Direct agent software
- Supported file-level restore platforms and OS versions
- File-level restore and SQL restore requirements and limitations
- Virtual disk types not supported
- Virtual machine data change rate
- VM Direct Engine data ingestion rate
- VM Direct Engine limitations and unsupported features
- VM Direct Engine selection with virtual networks (VLANs)
- Deploying a VM Direct Engine to a datastore cluster is unsupported
- Best practices for vCenter server backup and restore
- Changing the vCenter server FQDN
- Replacing security certificates
- Support for backup and restore of encrypted virtual machines
- Troubleshooting
- Troubleshooting installation and operation
- Troubleshooting network setup issues
- Troubleshooting virtual machine storage-policy changes
- Troubleshooting virtual machine backup issues
- Backup completes with a nonquiesced snapshot warning
- Backup fails when names include special characters
- Backup fails with an ABV0006 error
- Deleting vCenter asset sources or moving ESXi to another vCenter server
- Failed to lock virtual machine for backup: Another vProxy operation 'Backup' is active on VM
- Lock placed on virtual machine during backup and recovery operations continues for 24 hours if VM Direct Engine fails
- Managing command execution for VM Direct agent operations on Linux
- PowerProtect plug-in and portlet for vSphere display errors after replacing security certificates
- SQL Server application-consistent backups fail with error "Unable to find VSS metadata files in directory"
- TSDM backup fails with an ABV0016 error
- Troubleshooting virtual machine restore issues
- Troubleshoot virtual machine SQL application consistent policy issues
- Troubleshooting vSphere Plugin deployments
- VMware knowledge base articles and product documentation
- Glossary
PowerProtect Data Manager 19.17 Virtual Machine User Guide
Performing file-level restores as a domain user on Linux
Perform the following configuration steps before configuring a file-level restore on supported Linux platforms as a domain user. Completing this configuration will allow you the domain user to perform file-level restores of files and folders belonging to any domain user from any Linux virtual machine backup copy.
Prerequisites
Before applying these settings on Linux platforms, note the following:
- The settings must be applied before performing the file-level restore, to the virtual machine that is the target for the restore.
- The target virtual machine must have network connectivity to the Active Directory (AD) server required for authentication.
- These settings assume that the VM Direct agent is not already installed on the target virtual machine.
Also, ensure that you join the Linux virtual machine to a domain. For example, if using realm, run the command join -U administrator domainname.com to join the virtual machine to the AD domain realm.
Steps
- If you are using an Active Directory authentication method, perform the following substeps:
NOTE:These substeps manage the System Security Services Daemon (SSSD) service.
- Edit
/etc/sssd/sssd.conf and add the following three lines under the appropriate
sssd.conf domain section:
use_fully_qualified_names = True default_shell = /bin/bash ad_gpo_map_permit = +vmtoolsd, +vproxyra
This is required to allow the vmtoolsd process to authenticate with AD. - Run systemctl restart sssd.service to apply the changes.
- Edit
/etc/sssd/sssd.conf and add the following three lines under the appropriate
sssd.conf domain section:
- Edit
/etc/sudoers.d/sudoers to include the following content
%<AD-groupname@domain-name.com> ALL=(ALL) NOPASSWD: /usr/bin/rpm, /opt/emc/vproxyra/bin/postinstall.sh, /opt/emc/vproxyra/bin/preremove.sh, /opt/emc/vproxyra/bin/vflrbrowse, /opt/emc/vproxyra/bin/vflrcopy
Defaults:%<AD-groupname@domain-name.com> !requiretty
Defaults:%<AD-groupname@domain-name.com> !authenticate- The first line is for providing sudoer permission to the required AD-group and to the five binaries (rpm, postinstall.sh, preremove.sh, vflrbrowse, vflrcopy) required for file-level restore.
- The second line is required for sudo to work without a terminal session, which is necessary for file-level restore.
- The third line is required for sudo to work without needing password authentication, which is necessary for file-level restore.
For example, if your group name in AD is set to AD-group-sudoers and your domain name is set to tunga.com, the content would look similar to the following:
%AD-group-sudoers@tunga.com ALL=(ALL) NOPASSWD: /usr/bin/rpm, /opt/emc/vproxyra/bin/postinstall.sh, /opt/emc/vproxyra/bin/preremove.sh, /opt/emc/vproxyra/bin/vflrbrowse, /opt/emc/vproxyra/bin/vflrcopy
Defaults:%AD-group-sudoers@tunga.com !requiretty
Defaults:%AD-group-sudoers@tunga.com !authenticate - On Red Hat Enterprise Linux and CentOS, run the command
cat /etc/pam.d/vmtoolsd to verify that the
/etc/pam.d/vmtoolsd file contains the following four lines.
On Red Hat Enterprise Linux and CentOS:
auth substack password-auth
auth include postlogin
auth required pam_nologin.so
account include password-authNOTE:On Red Hat Enterprise Linux and CentOS, this content is often populated in the file by default if using open-vm-tools version 11.2.x.On SuSE Linux Enterprise Server (SLES) version 12 or 15:auth required pam_shells.so
auth requisite pam_nologin.so
auth include common-auth
account include common-accountNOTE:This content is often populated in the file by default if using open-vm-tools version 12.xAlternatively, on all Linux platforms, you can update the open-vm-tools package to the latest version, which will automatically update the /etc/pam.d/vmtoolsd content with these four lines, by following the instructions in this VMware article.
- Ensure the domain user has the required
sudoers group set as the Primary group in the AD domain user properties window, as shown in the following figure. If the Primary group if set to Domain Users, change this group to the required
sudoers group.
Figure 1. Set Primary Group to sudoers 
Next steps
Configure the file-level restore. When configuring the restore in the PowerProtect Data Manager UI, note the following:
- Run with Elevated Privileges must be selected on the Mount Copy page of the File Level Restore wizard to allow a designated domain user to restore files and folders belonging to any domain user to the target virtual machine.
- If you create a folder when restoring to an alternate folder, this new folder will only have permissions to the sudoer users group mentioned in the /etc/sudoers.d/sudoers file. It is therefore recommended that you select an existing folder that belongs to you. If you need to restore files for another user, for example, when another user needs to be able to read the restored files, then select an existing folder for which this user has read permissions.
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\