
DD510 and Backup Exec cross-domain backup June 29, 2009

Posted by jamesisaac in Uncategorized.

We purchased one Data Domain DD510 appliance, which I intend to use as a target for backing up our data at the data center. This will replace three separate servers using BackupExec and Ultrium tape drives. I ran into a snag because there are two separate domains in our environment.

I initially installed the DD510 in “Active Directory” mode, which used the LDAP connector to authenticate into our AD. No problems there – everything worked fine and I could set security and map shares from any server in the joined domain. However, BackupExec in the other domain refused to allow me to create a “backup-to-disk” folder on the DD510. Apparently this is a known issue, as googling for “Backup Exec backup to disk access denied” returns many links.

I tried changing the Backup Exec services accounts to use pass-thru authentication and even tinkered with trusting across domains, but had no luck until I removed the DD510 from our domain and put it back into Workgroup authentication. After that, BE worked like a charm.

The key is to create a backup user on the DD510, create local users on whatever servers BE is running on with the same username and password, and then set BE to use that username and password for the services. So now the DD510 is back to being a backup appliance instead of a general-purpose file server repository – which is a little less flexible, but probably more controllable.

After running backups for a week onto the device, I am suitably impressed. Backup-to-disk is much faster than even the local Ultrium tape drive that I was using, and the dedupe reduces each additional full backup by 95% as promised. YMMV, of course – what remains is the delta between the two backups, which the on-disk compression reduces even further.

One remaining issue is that we have several folders full of many small files (like hundreds of thousands of small files), and performance is abysmal when backing up those files. I suppose it’s due to the overhead of all the security descriptors and other metadata that each file carries with it. I’m going to investigate doing an image backup instead of a file-by-file backup and see if that gives us the necessary performance.


Bits and Pieces June 18, 2009

Posted by jamesisaac in Uncategorized.

The datacenter-in-waiting is starting to take shape in the corner of the server room. I’ve got the Cisco routers set up so they talk to each other over ethernet, and our new data center network is logically separated from the rest of the network.

  • Configured the Belkin KVM-over-IP. It has a very simple interface; you connect to the web page and *bam*, you’re looking at the server switcher. Nothing extraneous here. Mouse tracking is a little finicky and seems to depend mostly on the “enhanced pointer” control inside the remote OS.
  • Looks like I will have to figure out how to trunk VLANs across the fiber to the DC for our phone integration. The Cisco guy was talking about a Layer 3 VLAN, or virtual interface, or something like that. Time to do some research.
  • Received one of our modem servers from www.siliconmechanics.com; they’re a systems integrator. Great to do business with. Problem of the day, though, is this: the new server has an Intel SATA controller. XP doesn’t have a native driver (and yes, we’re using XP on the server). With no floppy drive, how do you load XP? Check out www.nliteos.com if you haven’t yet – it’s amazingly easy to build a bootable Windows XP or 2003 CD with your text-mode drivers pre-installed. I’m making a few for each of our custom servers with the RAID controller, NIC, and video drivers pre-loaded. Had the same problem with an HP DL320 G5p server – I stuck in the SmartStart CD and it said, “Sorry, this disk controller is not supported.” What? What a monumental error HP made on that deal. How can they ship a server that doesn’t run SmartStart? Anyway, nLite to the rescue. I downloaded the SATA drivers from HP and built a new W2k3 installer CD and away we went.

Parts and issues June 14, 2009

Posted by jamesisaac in Uncategorized.

A month in, and the parts are starting to show up.

Received so far:

  • 2 Cisco 2800 routers, one for main office, one for DC.
  • 1 Data Domain DD510 disk appliance, for use as a backup-to-disk target.
  • 4 Netgear switches, 2 7224R 24-port and 2 7248R 48-port.
  • Belkin KVM with IP.
  • Box o’ ethernet cables. Unfortunately my color requests didn’t get through purchasing so I have a box of 7 foot grey cables.

Issues identified so far:

  1. Installing the Cisco switches between the main office and the DC means re-addressing the IP space already in use at the DC. So far I’ve provisioned several devices at the DC (including our firewall) using our main office IP space and just bridging across the fiber. This will become unusable as we move more servers over and eventually move our voice lines, as I won’t be able to set QoS across the bridge. So I’m going to have to bite the bullet and actually route traffic to the DC. I should have done this from the beginning but didn’t have the routers until now.
  2. The Data Domain DD510 is a nice box, but I have two problems with it already – not its fault, just the architecture. First, I want to backup-to-disk using Veritas BackupExec. That’s fine, BE supports backup-to-disk folders. The problem is that I have servers in two domains. BE doesn’t provide any method of authenticating to the backup-to-disk folders. So if I put the DD510 in one domain, then I can’t backup from the BE instance in the other domain. Sux0rs. I think I will have to reach across from one domain to the other with a single instance of BE so I can write to the DD510. Second problem is that all of this traffic may put too high a load on the network. I think I may get another Netgear switch just for the backup network and dedicate a NIC on each server and VMware host for the backup network.
  3. The Netgear switches were an interesting exercise in configuration. They’re clearly trying to look like Cisco IOS, but not quite exactly the same – probably due to legal reasons. If all you are doing is plugging things in – they work great with no configuration hassles. But for configuring VLANs, it’s a whole different ball of wax. I had an “a-ha!” moment when I figured out how they do VLAN trunks – essentially all traffic is tagged on the trunk port (i.e., your uplink port) and then the other ports are members of your vlan but not tagged. That means they will get traffic from the desired vlan and not have to deal with tagging and untagging the frames on the server. It makes sense once you see what Netgear is doing.
  4. Potential future issue: the vSphere licensing is coming, but I have now found out that the SAN software is not yet vSphere (4.0) certified. We’re using Open-E DSS version 5, which is certified for ESX 3.5. Supposedly DSS version 6 will be vSphere-compatible, but it’s in beta. I also believe there will be a charge to upgrade from 5 to 6. Shoulda waited another two months and just bought version 6 – but then we’d be two months behind. It will probably be released by the time we’re done testing, and then we’ll get to test how the production SAN deals with a software upgrade. That should be fun.
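
The tagged-uplink, untagged-member-port behaviour described in item 3, modelled as an added example (not code from the original post or from Netgear). The port numbers, VLAN IDs 10 and 20, and the assumption that ingress filtering is enabled are all constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    name: str
    pvid: int                                     # VLAN given to untagged frames on ingress
    tagged: set = field(default_factory=set)      # VLANs sent out carrying an 802.1Q tag
    untagged: set = field(default_factory=set)    # VLANs sent out with the tag stripped

    def member_of(self, vlan):
        return vlan in self.tagged or vlan in self.untagged

def classify(port, frame_vlan):
    """Return the VLAN a frame lands in, or None if the port drops it.

    frame_vlan is the 802.1Q tag seen on the wire, or None for an untagged frame.
    Assumes ingress filtering: a port only accepts VLANs it is a member of.
    """
    vlan = port.pvid if frame_vlan is None else frame_vlan
    return vlan if port.member_of(vlan) else None

def forward(ports, ingress_name, frame_vlan):
    """Flood a frame to every other member port of its VLAN.

    Returns {port name: "tagged:<vlan>" or "untagged"} describing the egress frames.
    """
    vlan = classify(ports[ingress_name], frame_vlan)
    if vlan is None:
        return {}
    out = {}
    for p in ports.values():
        if p.name == ingress_name or not p.member_of(vlan):
            continue
        out[p.name] = f"tagged:{vlan}" if vlan in p.tagged else "untagged"
    return out

# Constructed layout: port 24 is the uplink (trunk); ports 1-3 face servers.
PORTS = {p.name: p for p in [
    Port("24", pvid=1, tagged={10, 20}),   # trunk: every VLAN leaves tagged
    Port("1", pvid=10, untagged={10}),     # server port in VLAN 10
    Port("2", pvid=10, untagged={10}),     # server port in VLAN 10
    Port("3", pvid=20, untagged={20}),     # backup-network port in VLAN 20
]}

if __name__ == "__main__":
    print(forward(PORTS, "1", None))   # server frame: untagged locally, tagged on uplink
    print(forward(PORTS, "24", 20))    # tagged uplink frame: delivered untagged to port 3
    print(forward(PORTS, "1", 20))     # tag for a VLAN port 1 is not in: dropped
```

The servers never see a tag in either direction, which is why nothing needs configuring on their NICs; the last case shows the segmentation check that keeps a member port confined to its own VLAN.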