Full backup of vCenters in ELM?
Hi,
How are people taking fully recoverable backups of their vCenters (v7) that are in ELM? We currently just do file-based backups to an SFTP server, but there's a limitation that this method doesn't back up the directory DB. So although for a single vCenter failure we could do the standard deploy fresh and restore the file-based backup to it (and resync with the other vCenters' directory DB), if we had a directory DB issue and the vsphere.local SSO domain itself became corrupt (or someone maliciously deleted contents etc.) we would have no way to restore to a previous copy.
Obviously before certain config changes and upgrades you can/should cold snapshot all the vCenters in ELM, but that doesn't help with protecting against routine issues with the directory DB (or even just deleted credentials within it). Granted, I've never seen the directory DB just corrupt, but I'm guessing it's not an impossibility.
My specific case is part of a VCF on VxRail deployment and there are a lot of hooks into the directory DB, so I wouldn't want to try redeploying vCenters and trying to recreate all the vsphere.local users and roles created during VCF deployment. I guess we could look at doing an LDAP export, but I'm not sure if that's supported as a restore option (and what exactly we can export when doing that).
If you search in the communities space there are a couple of answers about shortcomings of ELM backups (or lack thereof).
- There is no API to back up the ELM DB, so enterprise backup clients can't handle in-flight synchronization!
- VMware did not include ELM DB synchronization of in-flight transactions in the basic VCSA Backup that is a part of vCenter, so if you restore, the ELM DB will be clobbered.
- Review https://kb.vmware.com/s/article/85662?lang=en_us which only barely covers limitations of backups of vCenters when using ELM. The only reliable backup is an offline backup. No provision for a disaster recovery scenario is available due to this limitation.
What we learned:
- If you really need a trustworthy backup of your vCenter, you must shut down ALL vCenters in the ELM domain and do a snapshot while they are all powered off.
- And, most importantly, if you need to restore a vCenter, you must restore ALL vCenters in the ELM domain from the same snapshots to the identical point-in-time.
- You cannot reliably restore only one of the vCenters. (If you do, it will likely break ELM replication).
- You cannot reliably restore from an online backup taken using the VMware built-in file backup utility or from an online quiesced system snapshot – this is the procedure employed by Commvault, our enterprise backup solution. (If you do, it will likely break ELM replication).
So the only solution we came up with is to call VMware support if you ever do a restore; support can re-synchronize the ELM DB.
Useful:
Display the ELM replication status (all VCSAs in your ELM). Note that the password is for “administrator@vsphere.local” in this ELM domain.
/usr/lib/vmware-vmdir/bin/vdcrepadmin -f showservers -h localhost -u administrator
/usr/lib/vmware-vmdir/bin/vdcrepadmin -f showpartners -h localhost -u administrator
/usr/lib/vmware-vmdir/bin/vdcrepadmin -f showpartnerstatus -h localhost -u administrator
You didn't ask about this, and it isn't ELM, but it is a necessary component for single-pane-of-glass management: Content Library.
Content Library allows you to synchronize your VM templates and other files (ISO, OVA, etc.).
1. VMware Content Library has no API or even a basic backup mechanism to back up the data store location containing your precious templates, ISO, and OVA files!
2. Enterprise backup doesn't back up datastores directly. So no help there either.
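
The replication status commands listed under "Useful" in the reply above can be turned into a health check to run after a restore or during routine monitoring. This is an added example, not part of the original posts and not VMware tooling; the `showpartnerstatus` output layout it parses, the sample host names and the `max_behind` threshold are assumptions.

```shell
#!/bin/sh
# Reads `vdcrepadmin -f showpartnerstatus` output on stdin and prints one line
# per replication partner. Exit status is 1 if any partner is unhealthy.
# Usage on a VCSA (prompts for the administrator@vsphere.local password):
#   /usr/lib/vmware-vmdir/bin/vdcrepadmin -f showpartnerstatus \
#       -h localhost -u administrator | check_elm_replication 0
check_elm_replication() {
    max_behind="${1:-0}"   # hypothetical threshold: tolerated changes behind
    awk -v max="$max_behind" '
        function report() {
            if (partner == "") return
            if (host != "Yes")             { print "UNREACHABLE " partner; bad = 1 }
            else if (status != "Yes")      { print "NO_STATUS " partner; bad = 1 }
            else if (behind == "")         { print "UNKNOWN_LAG " partner; bad = 1 }
            else if (behind + 0 > max + 0) { print "BEHIND " partner " " behind; bad = 1 }
            else                           { print "OK " partner }
        }
        BEGIN { bad = 0 }
        /^Partner:/          { report(); partner = $2; host = ""; status = ""; behind = ""; next }
        /^Host available:/   { host = $NF; next }
        /^Status available:/ { status = $NF; next }
        /^Partner is [0-9]+ changes behind/ { behind = $3; next }
        # No partner block at all is also a failure: the command or auth failed.
        END { report(); if (partner == "") { print "NO_PARTNERS"; bad = 1 }; exit bad }
    '
}

# Constructed sample in the assumed output layout (not captured from a real system).
sample_status() {
cat <<'EOF'
Partner: vcsa02.example.test
Host available:   Yes
Status available: Yes
My last change number:             9120
Partner has seen my change number: 9120
Partner is 0 changes behind.

Partner: vcsa03.example.test
Host available:   Yes
Status available: Yes
My last change number:             9120
Partner has seen my change number: 9078
Partner is 42 changes behind.

Partner: vcsa04.example.test
Host available:   No
EOF
}
```

Run it on every node in the ELM domain, since each node reports only its own partners.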