Create firewall rules for Veeam Backup & Replication server via PowerShell

Today I received a message from a customer asking for a way to restore the firewall rules created during the installation. Somehow he managed to reset the Windows firewall back to default, which wiped all custom rules, including the Veeam ones.

After doing a little research, I stumbled across a post on the Veeam R&D forum. James Wilmoth (TitaniumCoder477) faced a similar problem and wrote a PowerShell script to recreate the required firewall rules alongside some other custom rules. His script is based on a standard installation of Veeam Backup & Replication version 10 and can be found here. Credit for most of the coding work belongs to him!

Even though I had already exported the rules from another installation, I decided against restoring the rules individually and by hand. So I invested some time and created a script for version 11 based on the script for version 10. First, the script populates an array with the firewall rules, one hashtable per rule. A sample rule definition is shown below.

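# Collection that holds all rule definitions
# (an ArrayList is assumed here, matching the .Add() call below)
$rules = New-Object System.Collections.ArrayList

# Each rule is a hashtable whose keys are New-NetFirewallRule parameter names
$rule = @{
    DisplayName = "Veeam Backup UI Server (In)";
    Description = "Inbound rule for Veeam Backup UI Server";
    Group = "Veeam Networking";
    Direction = "Inbound";
    Profile = "Any";
    Enabled = "True";
    Action = "Allow";
    Program = "C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.UIServer.exe";
    Protocol = "TCP";
    LocalPort = "9396";
}
# Add() returns the new index; discard it to keep the output clean
$rules.Add($rule) > $null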

After filling up the array with all the inbound and outbound firewall rules, the individual rules are created in a loop, using the New-NetFirewallRule cmdlet. Each hashtable is splatted onto the cmdlet, so its keys become the parameters.

$rules | ForEach-Object {
	New-NetFirewallRule @_
}
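
New-NetFirewallRule does not treat DisplayName as unique, so running the loop above twice leaves two copies of every rule. The following is an added example, not part of the original script: the function name Add-FirewallRuleIfMissing is hypothetical, and $rules is assumed to hold hashtables shaped like the sample rule. It skips rules that already exist, skips rules whose program is not installed on this server, and supports a dry run.

```powershell
#Requires -RunAsAdministrator
# Added example: idempotent, validated variant of the creation loop.

function Add-FirewallRuleIfMissing {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [hashtable]$Rule
    )
    process {
        # Skip rules whose executable is absent on this server, so that no
        # allow rule is created for a path with no known binary behind it.
        if ($Rule.ContainsKey('Program') -and
            -not (Test-Path -LiteralPath $Rule.Program -PathType Leaf)) {
            Write-Warning "Skipped '$($Rule.DisplayName)': $($Rule.Program) not found"
            return
        }
        # DisplayName is not unique: without this check a second run
        # would add a duplicate of every rule.
        $existing = Get-NetFirewallRule -DisplayName $Rule.DisplayName -ErrorAction SilentlyContinue
        if ($existing) {
            Write-Verbose "Exists already: '$($Rule.DisplayName)'"
            return
        }
        if ($PSCmdlet.ShouldProcess($Rule.DisplayName, 'New-NetFirewallRule')) {
            New-NetFirewallRule @Rule | Out-Null
        }
    }
}

# Constructed sample input: the rule definition shown in the post.
$rules = New-Object System.Collections.ArrayList
$rules.Add(@{
    DisplayName = "Veeam Backup UI Server (In)"
    Description = "Inbound rule for Veeam Backup UI Server"
    Group       = "Veeam Networking"
    Direction   = "Inbound"; Profile = "Any"; Enabled = "True"; Action = "Allow"
    Program     = "C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.UIServer.exe"
    Protocol    = "TCP"; LocalPort = "9396"
}) > $null

$rules | Add-FirewallRuleIfMissing -WhatIf     # dry run: shows what would be created
$rules | Add-FirewallRuleIfMissing -Verbose    # real run

# Review what is now in place for the group
Get-NetFirewallRule -Group 'Veeam Networking' |
    Select-Object DisplayName, Direction, Action, Enabled
```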

The script is quite fast, runs only for a few seconds and creates all the rules including description etc. You can find the final script in my public VBR GitHub repository right here.

Wrap-Up

I have not written much code lately, so I was happy to take an already existing script as a starting point. Thanks and credit for the code and the logic behind it go, as already mentioned, to James Wilmoth (TitaniumCoder477)!
If you have any suggestions or ideas for improvement, don’t hesitate to contact me.

Networking problems after starting an Advanced Multi-Host Virtual Lab in Veeam Backup & Replication

Today’s Homelab session dealt with the creation of a short customer demo of the Veeam Backup & Replication functionality SureBackup. As I have already implemented several SureBackup jobs for other customers, I was confident that I could quickly finish configuring the environment. For those who have not worked with SureBackup before, Veeam provides an excellent guide in their Help Center. You can find this guide here. Unfortunately the whole thing did not work out as expected. Already at the beginning I made a crucial mistake which made the creation of the demo a nerve-wracking adventure. More on this in a moment. First of all, for those of you who have no idea how the creation of a SureBackup job works, I would like to give a short outline.


NTP settings on host is different from the desired settings

To get some more flexibility in my Homelab I added another domain controller (Active Directory, DNS and DHCP). Unlike my first domain controller, which runs directly on the physical ESXi host (details can be found here), I installed the second domain controller inside the nested vSAN cluster. After configuring all services I wanted to use the new domain controller as an additional DNS server in my VMware vSphere environment. So I quickly adjusted the network and NTP settings of the vCenter Server appliance and the ESXi hosts and then everything should be fine. So far so good. No problem until then. Shortly after I added the additional domain controller in all locations a warning message appeared in my vSphere cluster.

Host compliance check for hyperconverged cluster configuration warning

Failed to create persistent connection to ADMIN$ shared folder on host

Recently I got the chance to redesign the existing backup environment of a customer. The customer has been successfully using Veeam Backup & Replication for years, but the environment has been growing over the years and therefore the backup environment has been adjusted from time to time. After an unpleasant data loss mid-year, the customer decided to give us the task of revising his backup environment.

As part of the design, we decided to keep all components of the backup environment outside the customer’s production Active Directory domain and to connect to it only where absolutely necessary. In general this works without problems; only the installation and configuration of additional Windows-based Managed Servers, for example to use them as a remote backup repository, requires some extra attention. If we try to add the Managed Server in the Veeam Backup & Replication Console and do not use the default Administrator account (UID 500), the installation of the necessary Veeam Services fails because Remote UAC is enabled by default.

Failed to create persistent connection to ADMIN$ shared folder on host.

The problem can be solved in two ways:

  1. Use the default Administrator user (UID 500).
  2. Create a registry entry as described in this Microsoft KB article.

As we do not want to use a standard account in our design (a general recommendation), we use dedicated service accounts and therefore rely on the second solution. For those of you who don’t want to read the Microsoft article, here are the steps you need to perform on the managed server.

Resolution

  1. Launch regedit (Click Start, type regedit and press ENTER).
  2. Navigate to the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  3. Create a new DWORD value (32-Bit) with the following name:
    LocalAccountTokenFilterPolicy
  4. Assign the new DWORD the value 1.

After creating the registry entry, adding the Managed Server and installing the Veeam Services works without any problems.
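
The same steps in PowerShell, as an added example that is not part of the original post or the Microsoft article; the function names are hypothetical. The value applies to every local account in the Administrators group on the managed server, not only to the service account, so the script records the previous state, lists the affected accounts and keeps a way back to the earlier setting.

```powershell
#Requires -RunAsAdministrator
# Added example: set LocalAccountTokenFilterPolicy with a record of the prior state.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'LocalAccountTokenFilterPolicy'

function Get-RemoteUacPolicy {         # hypothetical helper name
    # Returns $null when the value is absent (default: remote UAC filtering active).
    $p = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return [int]$p.$ValueName
}

function Set-RemoteUacPolicy {         # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", "Set DWORD to $Value")) {
        # -Force overwrites the value if it already exists
        New-ItemProperty -Path $KeyPath -Name $ValueName `
            -PropertyType DWord -Value $Value -Force | Out-Null
    }
}

function Restore-RemoteUacPolicy {     # hypothetical helper name
    param([AllowNull()]$Previous)
    if ($null -eq $Previous) {
        # The value did not exist before: remove it again
        Remove-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    } else {
        Set-RemoteUacPolicy -Value $Previous
    }
}

$before = Get-RemoteUacPolicy
Set-RemoteUacPolicy -Value 1           # steps 3 and 4 of the list above
$after  = Get-RemoteUacPolicy

[pscustomobject]@{
    Computer = $env:COMPUTERNAME
    Before   = if ($null -eq $before) { '(not set)' } else { $before }
    After    = $after
}

# Local accounts in BUILTIN\Administrators (well-known SID S-1-5-32-544):
# with the value at 1, each of them gets a full token on remote connections.
Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $_.PrincipalSource -eq 'Local' -and $_.ObjectClass -eq 'User' } |
    Select-Object Name, SID

# To return to the recorded state: Restore-RemoteUacPolicy -Previous $before
```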

Configure the vCenter Server Login message

As a solution provider, my company often installs VMware vSphere environments for customers who do not administer the solution themselves. In addition to restricting user permissions, we have been working with individual login messages in the vCenter Server for some time now. We usually use the login message to remind the customer that the environment is managed by our company and that any changes must be approved in advance.

This post gives you a short overview on how to configure the login message using the vCenter Server administration interface.
