!! The new integration is only available on Windows leveraging the VSS Writer interface !!
Starting with Domino 12.0.2 the new VSS Writer implementation is the recommended backup integration.
Backup no integration scripts are required for applications supporting VSS snapshots on Windows.
Restore operations still require to mount snapshots to the Domino server.
The following document describes a simplified restore integration for Domino in combination with Veeam.
This integration is a reference implementation, which might be adopted for other integrations.
For VSS Writer backup integration the only requirement is to ensure the new
backupvss server task is always running.
It should be added to the
servertasks= notes.ini entry or added to a start-up only program document.
For troubleshooting start the task with the debug option
This document mainly focuses on restore integration. For more details about the backup VSS Writer integration check Domino 12.0.2 Admin documentation.
- Copy the backup script on Veeam server
- Install OpenSSH on Veeam server
- Create “notes” user on Veeam server
Configure dominobackup.cfg for your Domino server
- Copy the restore script on Domino Windows server
- Create SSH key and configured it for accessing the Veeam server
- Test the SSH connection from Domino server to Veeam server
Copy the configuration files from the
veeam_server directory to
The directory contains the following files
- PowerShell script to search and mount Veeam Restore Points (separate subdirectories)
- JSON configuration file
The integration uses a SSH connection between the Domino and the Veeam server.
The following documentation describes the setup setups for a basic OpenSSH server configuration to allow SSH key authentication.
Consult your system administrator for further configuration steps required in your environment.
The minimum required version for the OpenSSH server is OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2 (first included in Windows 2022).
The OpensSSH server was first shipped with Windows 2019, but needs to be updated at least to version 8.1 manually (Windows update does not update OpenSSH).
In general, it is recommended to use the latest stable version provided by Microsoft in their official GitHub repository.
- Download and install via MSI installer from OpenSSH PowerShell release page.
- Example file name: OpenSSH-Win64-v184.108.40.206.msi
- Verify you are running at least version OpenSSH 8.1 by running
sshd -?(there is no official option but an invalid option prints help including the version).
After installing the OpenSSH server make sure the OpenSSH server configuration is updated with the following configuration, start the OpenSSH service and ensure it is set to start automatically.
C:\ProgramData\ssh\sshd_config to check and enable the following settings:
The following information is important for setting up SSH user access:
- The user for requesting restore operations is required to be listed in the Windows administrator group
- To allow individual keys for the account make sure to disable the following default configuration
- Even the user is an administrator, the user will not be able to log-in interactively if you don’t set a password
- The user is only running the restore command invoking the PowerShell script. No interactive login is required
- Ensure the following settings are not enabled to allow individual SSH keys for each admin account needed
# Match Group administrators
# AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
After the configuration change is saved, restart the OpenSSH server:
powershell -command "Restart-Service sshd"
Create a local administrator account
notes and log in with the new user.
To create an user account on the command-line the following PowerShell commands might be helpful.
New-LocalUser -Name notes -Description "Notes Veeam integration user"
Add-LocalGroupMember -Group Administrators -Member "notes"
Get-LocalGroupMember -Group "Administrators"
Run the following command as the user to create home dir. The home directory is important to add the
.ssh directory for the
authorized_keys file later.
runas /user:notes "cmd.exe /c quit"
In the Veeam Backup and Replication client, open
User and Rolesfrom the menu in the upper left corner.
notesuser and grand access with at least
Veeam Restore Operatorrole.
Switch to the user’s home and create a new directory for SSH
The public key added in this configuration step will be created in a configuration step on a Windows based Domino server.
Refer to the section Domino Server on Windows Veeam configuration.
Add the public key of the SSH key created on your Domino server to the file
Multiple Domino servers could share the same key. In case multiple keys are used, each key requires a separate configuration line.
The line also needs to contain the PowerShell command to restrict OpenSSH access to the PowerShell script used for integration.
The resulting line starts with the command and ends with the public key:
command="powershell.exe c:/dominobackup/DominoRestore.ps1" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEFUAH/EaO7yK0QrRRLiAeOzAm+4gZVBFqUL37V4T9TQ
Note: In case your Windows server does not allow execution of unsinged scripts, either sign the script according to Microsoft documentation or explicitly run the script bypassing the execution policy. It is not recommended to generally change the policy to allow the execution of all unsigned scripts.
To allow a single script to bypass the policy change the invoked command to a line similar to the following:
command="powershell.exe -noprofile -executionpolicy bypass -file c:/dominobackup/DominoRestore.ps1" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEFUAH/EaO7yK0QrRRLiAeOzAm+4gZVBFqUL37V4T9TQ
Each Domino server requires a configuration entry in the JSON configuration file to authorize the Domino server to request mount operations.
Specify the followiong information:
The configuration contains the following information:
- IP address
- Veeam admin credential description to find the right credential for mounting
- Operating system (Windows)
- Name of the operating system VM/host (the name used by Veeam to identify the virtual machine)
"VmHost" : "127.0.0.1",
"IpAddress" : "127.0.0.1",
"AccountName" : "Administrator",
"OS" : "Windows"
VmHost is the name configured in your Veeam Backup configuration. In the previous example, the local server is configured. For Veeam backup agent configurations it is usually the DNS name of the server. For VM backup integrations like VMware Vsphere it is usually a VM name. You need to make sure the
IpAddress matches the name referenced for the Domino instance. In case you are not sure which name to use, open a Powershell prompt on your Veeam server to find backups via
Get-VBRRestorePoint command. Depending on the size of your environment you might want to narrow down the search. Each backup references the name, leveraged by the PowerShell script mounting the snapshot.
Check the Veeam Powershell Command reference Get-VBRRestorePoint for details.
Switch back to your Domino server to test the connection and confirm the public key of the OpenSSH server.
The connection check needs to be executed in the context of the user running your Domino server.
For the system account open a shell via
PsExec.exe -ids cmd.exe
The following command connects to the server and tests the connection to the PowerShell script.
ssh firstname.lastname@example.org check
The first time you connect you are prompted to trust the certificate on the OpenSSH server.
Confirm the following prompt:
The authenticity of host 'veeam-server.acme.loc (veeam-server.acme.loc)' can't be established.
RSA key fingerprint is SHA256:DepsvLuZPubqRgGr1J6AXu9B4DdtUrrMjRqX7V77IZc.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'veeam-server.acme.loc' (RSA) to the list of known hosts.
After confirming the connection check the output of the command. The output should show the environment variables and configuration found.
In preparation for the Veeam server Domino Restore configuration the following steps are required.
Log into the Domino server on Windows
Copy the backup scripts from the
domino\windows directory to the
cd \D c:\
copy veeam\domino\windows c:\dominobackup\veeam
The following files are required for restore configuration:
Restore script for requesting database restores from Veeam.
This script mounts the backup and copies over databases back to Domino as requested by the administrator.
Post restore script to unmount Veeam mounts used during restore operations.
Download the zip file for the ps-tools and extract the
psexec.exe binary to your server (e.g.
psexec.exe helper tool is used to configure the SSH connection for the system account later. It can be removed after the configuration is performed. But keeping the helper binary could be useful for troubleshooting.
The restore scripts require a connection to the Veeam server.
Edit the file
c:\dominobackup\veeam\restore_post.cmd configure to your Veeam server connection.
VEEAM_SERVER_SSH variable should point to the user-specified on the Veeam server-side ( usually
notes @ the DNS name of the Veeam server as shown in the following example).
# Veeam server ssh connection
Note: DNS entries are preferred. IP addresses should be avoided (but work in the same way).
For Domino servers using the Windows system account open a cmd.exe window in the following way.
In case the Domino server is running with an application user, perform the steps with the user assigned to the server.
To ensure the connection to the Veeam server also works when the server is started in the foreground instead of a service, the SSH key must be also copied to the account used to start the server!
Open an administrator cmd window and run the following command:
PsExec.exe -ids cmd.exe
Verify the user is the system account
Create a ED25519 key to be used for connecting to the OpenSSH server.
In case you want to use the same SSH key for multiple Domino servers, Copy the private key created previously to
ssh-keygen -t ed25519
Confirm the location of the key. The key should not have a passphrase.
The result looks like the following output:
ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (C:\Windows\system32\config\systemprofile/.ssh/id_ed25519):
Created directory 'C:\Windows\system32\config\systemprofile/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in C:\Windows\system32\config\systemprofile/.ssh/id_ed25519.
Your public key has been saved in C:\Windows\system32\config\systemprofile/.ssh/id_ed25519.pub.
The key fingerprint is:
SHA256:/x0wurKBnfe7KrILfttwHh6wkMOFx8Dk34McbciZ2hk nt authority\system@WIN-BS7M1PB2KQE
The key's randomart image is:
| oo |
| ..= = |
| o E o |
| . O B |
| * B S o |
| o = + . o |
| . + B + . |
| . .o*o= + . . |
| ..+==+o.=o. |
Your public file
C:\Windows\system32\config\systemprofile/.ssh/id_ed25519.pub should look similar to the following line:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEFUAH/EaO7yK0QrRRLiAeOzAm+4gZVBFqUL37V4T9TQ nt authority\system@WIN-BS7M1PB2KQE
The public key is added in Veeam configuration step to the
notes user on your Veeam server.
Once the public key is added to the
authorized_keys file on the Veeam server, verify the connection from the Domino server to the Veeam server in the same context where the SSH key was created (usually the system account).