Domino 12.0.2 Backup Veeam restore integration step by step installation
!! The new integration is only available on Windows leveraging the VSS Writer interface !!
Starting with Domino 12.0.2 the new VSS Writer implementation is the recommended backup integration.
No backup integration scripts are required for applications supporting VSS snapshots on Windows.
Restore operations still require mounting snapshots to the Domino server.
The following document describes a simplified restore integration for Domino in combination with Veeam.
This integration is a reference implementation, which might be adopted for other integrations.
Backup configuration on Domino server
For VSS Writer backup integration the only requirement is to ensure the new backupvss server task is always running.
It should be added to the servertasks= notes.ini entry or added to a start-up only program document.
For troubleshooting start the task with the debug option backupvss -d.
This document mainly focuses on restore integration. For more details about the backup VSS Writer integration check Domino 12.0.2 Admin documentation.
Summary of required steps
- Copy the backup script on Veeam server
- Install OpenSSH on Veeam server
- Create “notes” user on Veeam server
- Configure dominobackup.cfg for your Domino server
- Copy the restore script on Domino Windows server
- Create SSH key and configure it for accessing the Veeam server
- Test the SSH connection from Domino server to Veeam server
Veeam Backup & Replication server configuration
Copy configuration and script files
Copy the configuration files from the veeam_server directory to the c:\dominobackup directory.
The directory contains the following files
- PowerShell script to search and mount Veeam Restore Points (separate subdirectories)
- JSON configuration file
Setup OpenSSH server on Veeam server
The integration uses an SSH connection between the Domino and the Veeam server.
The following documentation describes the setup steps for a basic OpenSSH server configuration to allow SSH key authentication.
Consult your system administrator for further configuration steps required in your environment.
The minimum required version for the OpenSSH server is OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2 (first included in Windows 2022).
The OpenSSH server was first shipped with Windows 2019, but needs to be updated manually to at least version 8.1 (Windows update does not update OpenSSH).
In general, it is recommended to use the latest stable version provided by Microsoft in their official GitHub repository.
- Download and install via MSI installer from OpenSSH PowerShell release page.
- Example file name: OpenSSH-Win64-v8.9.1.0.msi
- Verify you are running at least version OpenSSH 8.1 by running sshd -V and sshd -? (there is no official option but an invalid option prints help including the version).
After installing the OpenSSH server make sure the OpenSSH server configuration is updated with the following configuration, start the OpenSSH service and ensure it is set to start automatically.
Edit C:\ProgramData\ssh\sshd_config to check and enable the following settings:
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
StrictModes no
PermitEmptyPasswords no
GSSAPIAuthentication no
AllowAgentForwarding no
AllowTcpForwarding no
PermitTunnel no
The following information is important for setting up SSH user access:
- The user for requesting restore operations is required to be listed in the Windows administrator group
- To allow individual keys for the account make sure to disable the following default configuration
- Even if the user is an administrator, the user will not be able to log in interactively if you don’t set a password
- The user is only running the restore command invoking the PowerShell script. No interactive login is required
- Ensure the following settings are not enabled to allow individual SSH keys for each admin account needed
# Match Group administrators
# AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
Restart OpenSSH server
After the configuration change is saved, restart the OpenSSH server:
powershell -command "Restart-Service sshd"
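One way to check the saved sshd_config against the settings listed above, including the Match Group administrators block that has to stay commented out. This PowerShell is an added example and not part of the integration scripts; the function name Test-SshdConfig and the sample file content are constructed for illustration.

```powershell
# Added example: compare sshd_config with the settings listed on this page.
# $sample is constructed; on the Veeam server use
#   Get-Content C:\ProgramData\ssh\sshd_config
$sample = @'
PubkeyAuthentication yes
PasswordAuthentication yes
StrictModes no
AllowTcpForwarding no
Match Group administrators
    AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
'@ -split "`r?`n"

$expected = [ordered]@{
    PubkeyAuthentication   = 'yes'
    AuthorizedKeysFile     = '.ssh/authorized_keys'
    PasswordAuthentication = 'no'
    StrictModes            = 'no'
    PermitEmptyPasswords   = 'no'
    GSSAPIAuthentication   = 'no'
    AllowAgentForwarding   = 'no'
    AllowTcpForwarding     = 'no'
    PermitTunnel           = 'no'
}

function Test-SshdConfig {   # hypothetical helper name
    param([string[]]$Lines, $Expected)
    $seen = @{}          # keyword -> first global value (sshd uses the first one it reads)
    $matchBlock = $null  # criteria of the Match block currently being read, if any
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        $key, $value = $line -split '\s+', 2
        if ($key -eq 'Match') { $matchBlock = $value; continue }
        if ($matchBlock) {
            # Settings inside a Match block are conditional; only flag the key file override
            if ($matchBlock -match '^Group\s+administrators' -and $key -eq 'AuthorizedKeysFile') {
                "Match $matchBlock is active and sets AuthorizedKeysFile to $value"
            }
            continue
        }
        if (-not $seen.ContainsKey($key)) { $seen[$key] = $value }
    }
    foreach ($name in $Expected.Keys) {
        if (-not $seen.ContainsKey($name)) { "$name is not set, the sshd default applies" }
        elseif ($seen[$name] -ne $Expected[$name]) { "$name is '$($seen[$name])', page lists '$($Expected[$name])'" }
    }
}

Test-SshdConfig -Lines $sample -Expected $expected
```

Each returned string is one deviation; no output means the file matches the list.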
Create a local user “notes” for Domino server requests over SSH
Create a local administrator account notes and log in with the new user.
Additional Info: PowerShell operations for command-line configuration
To create a user account on the command line, the following PowerShell commands might be helpful.
New-LocalUser -Name notes -Description "Notes Veeam integration user"
Add-LocalGroupMember -Group Administrators -Member "notes"
Get-LocalGroupMember -Group "Administrators"
Run the following command as the user to create the home directory. The home directory is needed to add the .ssh directory for the authorized_keys file later.
runas /user:notes "cmd.exe /c exit"
Add notes user to Veeam as restore operator
- In the Veeam Backup and Replication client, open User and Roles from the menu in the upper left corner.
- Add the notes user and grant access with at least the Veeam Restore Operator role.
Add account to OpenSSH configuration on Veeam server
Switch to the user’s home directory and create a new .ssh directory for SSH:
c:
cd c:/users/notes
mkdir .ssh
Configure SSH connection for the “notes” user on the Veeam server
The public key added in this configuration step will be created in a configuration step on a Windows based Domino server.
Refer to the section Domino Server on Windows Veeam configuration.
Add the public key of the SSH key created on your Domino server to the file C:\Users\notes\.ssh\authorized_keys
Multiple Domino servers could share the same key. In case multiple keys are used, each key requires a separate configuration line.
The line also needs to contain the PowerShell command to restrict OpenSSH access to the PowerShell script used for integration.
The resulting line starts with the command and ends with the public key:
command="powershell.exe c:/dominobackup/DominoRestore.ps1" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEFUAH/EaO7yK0QrRRLiAeOzAm+4gZVBFqUL37V4T9TQ
Note: In case your Windows server does not allow execution of unsigned scripts, either sign the script according to Microsoft documentation or explicitly run the script bypassing the execution policy. It is not recommended to generally change the policy to allow the execution of all unsigned scripts.
To allow a single script to bypass the policy change the invoked command to a line similar to the following:
command="powershell.exe -noprofile -executionpolicy bypass -file c:/dominobackup/DominoRestore.ps1" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEFUAH/EaO7yK0QrRRLiAeOzAm+4gZVBFqUL37V4T9TQ
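Because a key line without the command= option would let its holder run any command as an administrator, it is worth auditing the file after every change. This PowerShell is an added example and not part of the integration scripts; the function name Test-AuthorizedKeys, the key placeholders and the trailing comments are constructed.

```powershell
# Added example: report authorized_keys lines that are not restricted to the restore script.
# $sample is constructed; on the Veeam server use
#   Get-Content C:\Users\notes\.ssh\authorized_keys
$sample = @'
command="powershell.exe c:/dominobackup/DominoRestore.ps1" ssh-ed25519 <key-placeholder-1> domino-a
ssh-ed25519 <key-placeholder-2> domino-b
command="cmd.exe" ssh-ed25519 <key-placeholder-3> domino-c
'@ -split "`r?`n"

function Test-AuthorizedKeys {   # hypothetical helper name
    param(
        [string[]]$Lines,
        [string]$Script = 'c:/dominobackup/DominoRestore.ps1'
    )
    $keyType = '(?:ssh-|ecdsa-|sk-)\S+'   # a line starting with a key type has no options field
    $n = 0
    foreach ($raw in $Lines) {
        $n++
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        if ($line -match "^$keyType\s") {
            "line ${n}: key has no options, any command can be requested"
        }
        elseif ($line -match '(?:^|,)command="(?<cmd>(?:[^"\\]|\\.)*)"') {
            # Accept either path separator when comparing with the expected script
            $cmd = $Matches.cmd -replace '\\', '/'
            if ($cmd -notlike "*$Script*") {
                "line ${n}: forced command is '$($Matches.cmd)', not the restore script"
            }
        }
        else {
            "line ${n}: options present but no command= restriction"
        }
    }
}

Test-AuthorizedKeys -Lines $sample
```

With the constructed sample, lines 2 and 3 are reported and line 1 passes.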
Add Domino server to JSON configuration on the Veeam server
Each Domino server requires a configuration entry in the JSON configuration file to authorize the Domino server to request mount operations.
Specify the following information in c:/dominobackup/dominobackup.cfg
The configuration contains the following information:
- IP address
- Veeam admin credential description to find the right credential for mounting
- Operating system (Windows)
- Name of the operating system VM/host (the name used by Veeam to identify the virtual machine)
[
{
"VmHost" : "127.0.0.1",
"IpAddress" : "127.0.0.1",
"AccountName" : "Administrator",
"OS" : "Windows"
}
]
Tip finding VmHost names
The VmHost is the name configured in your Veeam Backup configuration. In the previous example, the local server is configured. For Veeam backup agent configurations it is usually the DNS name of the server. For VM backup integrations like VMware vSphere it is usually a VM name. You need to make sure the IpAddress matches the name referenced for the Domino instance. In case you are not sure which name to use, open a PowerShell prompt on your Veeam server to find backups via the Get-VBRRestorePoint command. Depending on the size of your environment you might want to narrow down the search. Each backup references the name, which is used by the PowerShell script mounting the snapshot.
Check the Veeam PowerShell Command reference Get-VBRRestorePoint for details.
Account Name configuration
The AccountName in the Veeam configuration is actually the description of the user specified, because the name of the user is the user name on the target OS. Those user names are not unique. Therefore ensure the description of the account can be used as a unique mapping.
Check the Veeam PowerShell Command reference Get-VBRCredentials for details.
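Since the configuration file decides which Domino servers may request mounts, a malformed or ambiguous entry is worth catching before the first restore. This PowerShell is an added example and not the integration's DominoRestore.ps1 (how that script reads the file is not shown here); it assumes one entry per requesting IP address, and the function name Test-DominoBackupConfig, host names and addresses are constructed.

```powershell
# Added example: sanity-check the entries of dominobackup.cfg.
# $sample is constructed; on the Veeam server use
#   Get-Content c:/dominobackup/dominobackup.cfg -Raw
$sample = @'
[
  { "VmHost": "domino-a.acme.loc", "IpAddress": "192.0.2.10", "AccountName": "Domino restore admin", "OS": "Windows" },
  { "VmHost": "domino-b", "IpAddress": "192.0.2.10", "AccountName": "Domino restore admin", "OS": "Windows" },
  { "VmHost": "domino-c", "IpAddress": "not-an-ip", "OS": "Windows" }
]
'@

function Test-DominoBackupConfig {   # hypothetical helper name
    param([string]$Json)
    $entries  = ConvertFrom-Json $Json          # throws on invalid JSON
    $required = 'VmHost', 'IpAddress', 'AccountName', 'OS'
    $seen = @{}                                 # IP address -> number of the first entry using it
    $i = 0
    foreach ($e in $entries) {
        $i++
        foreach ($f in $required) {
            if ([string]::IsNullOrWhiteSpace($e.$f)) { "entry ${i}: missing $f" }
        }
        $ip = $null
        if ($e.IpAddress -and -not [System.Net.IPAddress]::TryParse($e.IpAddress, [ref]$ip)) {
            "entry ${i}: IpAddress '$($e.IpAddress)' is not an IP address"
        }
        elseif ($ip) {
            # Assumption: two entries for one address make the mapping ambiguous
            $k = $ip.ToString()
            if ($seen.ContainsKey($k)) { "entry ${i}: IpAddress $k is already used by entry $($seen[$k])" }
            else { $seen[$k] = $i }
        }
    }
}

Test-DominoBackupConfig -Json $sample
```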
Test server OpenSSH connection from Domino server to Veeam server
Switch back to your Domino server to test the connection and confirm the public key of the OpenSSH server.
The connection check needs to be executed in the context of the user running your Domino server.
For the system account open a shell via
PsExec.exe -ids cmd.exe
The following command connects to the server and tests the connection to the PowerShell script.
ssh notes@veeam-server.acme.loc check
The first time you connect you are prompted to trust the host key of the OpenSSH server.
Confirm the following prompt:
The authenticity of host 'veeam-server.acme.loc (veeam-server.acme.loc)' can't be established.
RSA key fingerprint is SHA256:DepsvLuZPubqRgGr1J6AXu9B4DdtUrrMjRqX7V77IZc.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'veeam-server.acme.loc' (RSA) to the list of known hosts.
After confirming the connection check the output of the command. The output should show the environment variables and configuration found.
Domino Server on Windows Veeam configuration
In preparation for the Veeam server Domino Restore configuration the following steps are required.
Copy and configure integration scripts to Domino on Windows server
Log into the Domino server on Windows
Copy the backup scripts from the domino\windows directory to the c:\dominobackup\veeam directory.
cd /D c:\
mkdir c:\dominobackup\veeam
copy veeam\domino\windows c:\dominobackup\veeam
The following files are required for restore configuration:
- restore_db.cmd
  Restore script for requesting database restores from Veeam.
  This script mounts the backup and copies databases back to Domino as requested by the administrator.
- restore_post.cmd
  Post restore script to unmount Veeam mounts used during restore operations.
Download Microsoft psexec.exe to Veeam server
Download the zip file for the ps-tools and extract the psexec.exe binary to your server (e.g. c:\psexec.exe).
https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
The psexec.exe helper tool is used to configure the SSH connection for the system account later. It can be removed after the configuration is performed. But keeping the helper binary could be useful for troubleshooting.
Configure the restore scripts on Domino Windows server
The restore scripts require a connection to the Veeam server.
Edit the files c:\dominobackup\veeam\restore_db.cmd and c:\dominobackup\veeam\restore_post.cmd and configure your Veeam server connection.
The VEEAM_SERVER_SSH variable should point to the user specified on the Veeam server side (usually notes @ the DNS name of the Veeam server as shown in the following example).
# Veeam server ssh connection
VEEAM_SERVER_SSH=notes@veeam-server.acme.loc
Note: DNS entries are preferred. IP addresses should be avoided (but work in the same way).
Create SSH key for the system account on Domino server
For Domino servers using the Windows system account open a cmd.exe window in the following way.
In case the Domino server is running with an application user, perform the steps with the user assigned to the server.
To ensure the connection to the Veeam server also works when the server is started in the foreground instead of as a service, the SSH key must also be copied to the account used to start the server!
Open an administrator cmd window and run the following command:
PsExec.exe -ids cmd.exe
Verify the user is the system account
whoami
nt authority\system
Create a new SSH key
Create an ED25519 key to be used for connecting to the OpenSSH server.
In case you want to use the same SSH key for multiple Domino servers, copy the private key created previously to C:\Windows\system32\config\systemprofile\.ssh\id_ed25519.
ssh-keygen -t ed25519
Confirm the location of the key. The key should not have a passphrase.
The result looks like the following output:
ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (C:\Windows\system32\config\systemprofile/.ssh/id_ed25519):
Created directory 'C:\Windows\system32\config\systemprofile/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in C:\Windows\system32\config\systemprofile/.ssh/id_ed25519.
Your public key has been saved in C:\Windows\system32\config\systemprofile/.ssh/id_ed25519.pub.
The key fingerprint is:
SHA256:/x0wurKBnfe7KrILfttwHh6wkMOFx8Dk34McbciZ2hk nt authority\system@WIN-BS7M1PB2KQE
The key's randomart image is:
+--[ED25519 256]--+
| oo |
| ..= = |
| o E o |
| . O B |
| * B S o |
| o = + . o |
| . + B + . |
| . .o*o= + . . |
| ..+==+o.=o. |
+----[SHA256]-----+
Your public key file C:\Windows\system32\config\systemprofile/.ssh/id_ed25519.pub should look similar to the following line:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEFUAH/EaO7yK0QrRRLiAeOzAm+4gZVBFqUL37V4T9TQ nt authority\system@WIN-BS7M1PB2KQE
The public key is added to the notes user on your Veeam server in the Veeam configuration step.
Once the public key is added to the authorized_keys file on the Veeam server, verify the connection from the Domino server to the Veeam server in the same context where the SSH key was created (usually the system account).