Note

You can download this article as a PDF

Sharepoint Plugin

Scope

Sharepoint plugin allows Bacula to backup Sharepoint site collections.

This documentation presents solutions for Bacula Enterprise 14.0.0 and higher, and is not applicable to prior versions of Bacula.

Features

  • Backup site collection(s) based on url name

  • Restore complete site collection(s) images

Installation

The Bacula File Daemon and the Sharepoint plugin need to be installed on the Sharepoint host server. The Sharepoint plugin windows installer will deploy required files within the Bacula File Daemon plugins directory.

../../../../_images/plugins-folder.png

To configure the Bacula File Daemon, refer to the general installation documentation.

Verify the correct installation of the FD and the Sharepoint plugin by running status client from the bconsole or from BWeb.

*status client=share1hyperv-fd
Connecting to Client share1hyperv-fd at 172.22.22.50:9102
share1hyperv-fd Version: 14.0.1 (21 January 2022)  VSS Linux Cross-compile Win64
Daemon started 26-Jan-22 07:40. Jobs: run=1 running=0 max=20.
Microsoft Windows Server 2012 Standard Edition (build 9200), 64-bit
Heap: heap=4,984,832 smbytes=44,624 max_bytes=4,886,808 bufs=142 max_bufs=307
Sizes: boffset_t=8 size_t=8 debug=0 trace=1 mode=0,2010 bwlimit=0kB/s
Crypto: fips=no crypto=OpenSSL
Plugin: alldrives(1.2) cdp(0.1) sharepoint(0.1) winbmr(3.1.0)

Verify sharepoint is in the Plugin line.

Configuration

Credentials Settings

Important

In order to access and backup Sharepoint site collections, the delegation of the User credentials must be enabled on the Sharepoint server and the Bacula file daemon must be logged as an authorized user within the Sharepoint server. Read access are sufficient to backup. Full read-write access is mandatory for restore.

Enable the delegation of the user credentials on the Hyper-V server

  1. Run gpedit.msc (normally in C:\Windows\System32) on the Hyper-V server and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Delegating Fresh Credentials.

../../../../_images/gpedit.png

  1. Verify that it is enabled and configured with the WSMAN SPN appropriate for the target computer.

../../../../_images/gpedit2.png

For example, for a target computer name “myserver.domain.com”, the SPN can be one of the following: WSMAN//myserver.domain.com or WSMAN//*.domain.com. Introduce it in the “Add servers to the list”: “Show” dialog box.

../../../../_images/gpedit3.png

  1. Finally run a powershell console on the Hyper-V server (normally in C:\Windows\Systeme32\WindowsPowerShellv1.0powershell.exe) and enter the following commands:

Enable-WSManCredSSP -Role Server -Force
Enable-WSManCredSSP -Role "Client" -DelegateComputer myserver.domain.com -Force

Impersonification of the Sharepoint plugin

The impersonification of the Sharepoint plugin can be achieved in different ways.

  1. Specify the user name and password locally on the sharepoint server. This is the recommanded method. In a bacula-sharepoint.pwd file, located by the bacula-fd.conf config file (typically C:\Program Files\Bacula).

../../../../_images/bacula-sp.png

bacula-sharepoint.pwd contains the user name followed by the user password, separated by a colon.

name@domain.com:mypassword

or

DOMAIN\name:mypassword

  1. Impersonificate the Sharepoint plugin by passing user and password, as plugin options See Job Configuration for user_name and user_password options.

  2. Manually change the Bacula File Daemon default login account.

    Log on to the Sharepoint server with administrative privileges.

    From the Windows Start menu, type “Services” and press enter - this will show a list of the installed services.

    Find the Bacula File Backup Service and right-click on it. Choose Properties, select the Log On tab. By default it should look like this:

../../../../_images/FromService.png

Toggle the selection from “Local System account” to “This account”.

Enter the credentials of a Sharepoint administrator user (either read only or read-write). Click OK.

../../../../_images/toService.png

Right-click on the Bacula File Backup Service entry again, and click “Restart”, so the changes are applied.

  1. Add the default Bacula file daemon login as Sharepoint site Collection user

    By default the Bacula file daemon is logged as “NT Authority\System”.

    With Sharepoint administrator privilege, do the following:

    From the Windows start menu, launch the SharePoint Central Administration.

    Under Application Management, select “Manage web applications” and you should see the list of available site collections.

    For each backup target collection, select it, then choose User Policy from the ribbon menu.

../../../../_images/SharePoint_UserPolicy1.jpg

The Policy for Web Application windows is displayed. Click “Add Users”.

../../../../_images/SharePoint_UserPolicy2.jpg

Add “NT AUTHORITY\SYSTEM” in the Users box and check “Full Read” for backup only, or “Full Control” for backup and restore.

Press the finish button.

../../../../_images/SharePoint_UserPolicy3.jpg

In addition, you also need to grant access to the Sharepoint MSSQL databases to Bacula File Daemon.

From the Windows start menu, launch the SQL server Management Studio and log in with MSSQL administrator privileges.

../../../../_images/MSSQLMain.png

Under Security/Logins, find “NT AUTHORITY\SYSTEM”, right click on it and select properties. Select the Server Roles page, check sysadmin.

../../../../_images/MSSQLloginProperties.png

Job Configuration

Once the Bacula File Daemon and the Sharepoint plugin are correctly installed and configured, setting a backup job up is as simple as adding the job and the fileset within the Bacula Director configuration file.

Important

The Enable VSS parameter must be set to no in the FileSet (see examples below).

The following plugin options are supported :

Name

Status

Default

Description

include

Optional

Include all (*)

a Unix shell-style wildcards pattern for including a site, bases on its URL

exclude

Optional

Exclude none

a Unix shell-style wildcards pattern for excluding a site, bases on its URL

tmp_dir

Optional

Working

locate the working folder for the Sharepoint plugin. Make sure there’s enough space in this location to create sites snapshots and exports.

user_name

Optional

None

the user name that will run the backup/restore operation. This is not the recommended method. The user name can be specified locally on the hyper-v node in a bacula-sp.usr file located in the FD plugins folder.

user_password

Optional

None

the user password that will run the backup/restore operation. This is not the recommended method. The user password can be specified locally on the hyper-v node in a bacula-sp.pwd file located in the fd plugins folder.

Examples

Example 1: Backup All Sites Using Bacula’s Default Working Directory

Job {
  Name = "SharepointBackupAll"
  Type = Backup
  Client= w2019-sp01-fd
  FileSet="SimplestSharepointFileSet"
  Storage = File
  Messages = Standard
  Pool = Default
}

FileSet {
  Name = "SimplestSharepointFileSet"
  Enable VSS = no
  Include {
    Options {
      signature=MD5
    }
    Plugin = "sharepoint:"
  }
}

Example 2: Backup Only Sites Which URLs Contain «Linux», Using Bacula’s Default Working Directory

Job {
  Name = "SharepointBackupOnlyLinux"
  Type = Backup
  Client= w2019-hv01-fd
  FileSet="LinuxSharepointFileSet"
  Storage = File
  Messages = Standard
  Pool = Default
}
FileSet {
  Name = "LinuxSharepointFileSet"
  Enable VSS = no
  Include {
    Options {
      signature=MD5
    }
    Plugin = "sharepoint: include=\"*Linux*\""
  }
}

Example 3: Backup Any Site Having «Windows» in Its Name, Using a Custom Working Directory

Job {
  Name = "SharepointBackupOnlyWindowsOnF"
  Type = Backup
  Client= w2019-hv01-fd
  FileSet="WindowsOnSiteFileSet"
  Storage = File
  Messages = Standard
  Pool = Default
}
FileSet {
  Name = "WindowsOnSiteFileSet"
  Enable VSS = no
  Include {
    Options {
      signature=MD5
    }
    Plugin = "sharepoint: include=\"*Windows*\" tmp_dir=\"F:/backup\""
  }
}

Operations

Backup

The Sharepoint server backed up files will appear in a bconsole or prefixed with /@SHAREPOINT/ .

Typically, a Site Collection backup data is organized as follows:

/@SHAREPOINT/a4d05f41-e9e0-43f6-9478-d8adb337cf6c_sharepoint_backup.2022-01-26_07.14.22_14.bak /@SHAREPOINT/a4d05f41-e9e0-43f6-9478-d8adb337cf6c_sharepoint_backup.2022-01-26_07.14.22_14.xml

Incremental-Differential backups: the Site Collection backup doesn’t support incremental-differential backup.

Restore

Although it’s possible to cherry pick the backed up files, it’s recommended to select the Site Collection UID folder for a single Site Collection in order.

When restoring a Site Collection on a server that already hosts a VM with the same name, the restored Site Collection name is post-fixed with “Restore.<date>_<time>”.

Best practices

While it is technically possible to backup multiple Site Collections in one Bacula Sharepoint plugin backup job, this is not necessarily the best way to perform backup. It is strongly recommended that one backup Job is created for each Site Collection being backed up for the following reasons:

  • If one of your Site Collection fails to backup in a “multi-SiteCollections” backup job, the main Bacula job will terminate Backup OK – with warnings. The catalog’s “JobStatus” for jobs that terminate Backup OK and Backup OK – with warnings are not differentiated. They are both ’T’ so this means that you will have to carefully monitor your backup jobs logs in case some Site Collections backups fail and pay attention to the “JobErrors” field.

  • There is a Sharepoint plugin option abort_on_error but, if you use this option, and Site Collection number 11 in a list of 50 Site Collections fails, then the whole job will fail, and VMs 12-50 will not be backed up during that job’s run.

  • A 1:1 (one VM per job) configuration means that the abort_on_error option will make more sense to enable in each job, so you will immediately know when a VM fails to backup since the Bacula job will terminate with a “Backup failed” message and ’f’ in the catalog for the job.

  • In the case describing the 50 Site Collections, without a 1:1 configuration, there is no way to easily re-run a backup of just the 1 Site Collection that failed to backup.

  • With a 1:1 configuration, re-running a specific Site Collections backup job is simple to do after the cause of the failure is investigated.

  • With a 1:1 configuration, job metrics will have more meaning because each Site Collection will be one job, and you will know to expect a specific number of jobs each night with each one representing one machine, or Site Collection.

  • With a “multi-Site Collections” configuration, each Site Collection will be backed up “serially”, one at a time, disk by disk, Site Collection by Site Collection. A 1:1 configuration will allow several Site Collection backups to be run concurrently which will reduce the overall time to perform the Site Collections backups (paying close attention to SD and Sharepoint resources of course, and adjusting the number of concurrent jobs accordingly).

Limitations

  • Sharepoint site collection(s) backup doesn’t support incremental and differential.

  • Single item restore is not supported.

  • It’s recommended to restore full site collection(s).

  • The restart command has limitations with plugins, as it initiates the Job from scratch rather than continuing it. Bacula determines whether a Job is restarted or continued, but using the restart command will result in a new Job.