Veeam Backup and Replication Standards

Field | Details
Category | Server Migration / Networking / Backup & DR
Author | Zachary Boogher (revised by Scott Leister, April 2026)
Date | February 10, 2026 (revised April 23, 2026)
Version | 1.2
Audience | Tier 1/2 Engineers, Helpdesk Technicians
Platform | Veeam Backup & Replication 13.x (Enterprise Edition)

1. Overview

This SOP defines the standard configuration for all Veeam backup and replication jobs across DTC Inc. managed dental practice environments. It covers three areas:

  1. Server Backups — Hyper-V host-level backups to local BDR repository and S3
  2. Workstation Backups — Agent-based daily backups via protection groups
  3. Cross-Site Replication — Hourly VM replication between sites for DR failover

All backups target the local BDR appliance (DTCBSURE series) as the primary repository. Replication targets the opposing site's Hyper-V host for manual failover capability.

Standard Advanced Job Settings (Apply to All Backup and Replication Jobs)

All backup and replication jobs must be configured with these Advanced Job Settings, accessed via the Advanced button on the Storage / Job Settings step of the job wizard. These are DTC standards — deviation requires T3 approval.

Tab | Setting | Standard Value | Applies To
Backup | Create synthetic full backups | Disabled (unchecked) | Server backup, Workstation backup
Maintenance | Perform backup files health check | Enabled (checked) | Server backup, Workstation backup
Storage | Backup file encryption | Enabled — password stored in IT Glue as Veeam Backup Encryption – <Site Abbrev> | Server backup, Workstation backup
Traffic | Enable replica traffic encryption | Enabled | Replication only
Traffic | Use multiple upload streams per job | Enabled, 5 streams | Replication only

⚠️ Encryption password management is critical. If encryption is enabled without the password documented in IT Glue, restores from these backup files will be impossible if the BDR is lost. Always create the IT Glue password entry before completing the job wizard. One encryption password per client (shared across server and workstation jobs for that client) is acceptable.


2. Server Backup Standards

Architecture

Servers are backed up at the Hyper-V host level, not as individual VMs. This captures all VMs on the host in a single job and ensures consistency.

Job Configuration

Setting | Standard
Job Type | Hyper-V Backup
Source | Hyper-V host (e.g., HV01, hv0)
Target | Local BDR backup repository
Secondary Target | S3 bucket (object storage copy)
Schedule | Periodically every 1 hour
Retention | 14 restore points
Automatic Retry | Enabled — 3 retries, 10 minutes between attempts
Backup Window | Not enforced (no termination outside window)
Synthetic Full Backups | Disabled (unchecked in Advanced → Backup tab)
Backup Files Health Check | Enabled (Advanced → Maintenance tab)
Backup File Encryption | Enabled — password in IT Glue as Veeam Backup Encryption – <Site Abbrev>

Setup Steps

  1. Open Veeam Console → Home → Backup Job → Virtual machine → Microsoft Hyper-V
  2. Name: Use naming convention <Site Abbreviation> Hyper-V (e.g., "NB Hyper-V", "SS Hyper-V")
  3. Virtual Machines: Click Add → select the Hyper-V host (not individual VMs). This automatically includes all VMs on that host.
  4. Storage: Select the local BDR repository. Set restore points to 14.
  5. Secondary Target: Configure backup copy to S3 bucket per site requirements.
  6. Guest Processing: Enable application-aware processing if the host contains domain controllers (ensures AD/DNS consistency via VSS).
  7. Schedule:
    • Select Run the job automatically
    • Select Periodically every: 1 Hours
    • Enable Retry failed items processing: 3 times
    • Set Wait before each retry attempt for: 10 minutes
  8. Review summary and click Finish.

Advanced Job Settings (on the Storage step)

Before leaving the Storage step, click Advanced to open Advanced Job Settings and configure:

  • Backup tab → uncheck Create synthetic full backups (use forever-forward incremental chain).
  • Maintenance tab → check Perform backup files health check (periodic integrity verification of restore points).
  • Storage tab → enable Backup file encryption. Generate a strong password and store it in the client's IT Glue as a new password entry named Veeam Backup Encryption – <Site Abbrev>. Attach the password record to the BDR configuration in IT Glue.

⚠️ If encryption is enabled and the password is not stored in IT Glue, restores from these backup files will be impossible if the BDR is lost. Document the key in IT Glue before completing the wizard.

Key Notes

Cloud retention: S3 backup copy jobs must retain 30 days of daily restore points per the Backup & Data Protection Standards. Local BDR retains 14 restore points; cloud retains 30.

  • Always back up at the host level. Individual VM backups create unnecessary job sprawl and miss newly created VMs.
  • The hourly schedule ensures an RPO of approximately 1 hour for all server workloads.
  • S3 copy provides offsite protection beyond the local BDR.

3. Workstation Backup Standards

Architecture

Workstations are backed up using the Veeam Agent deployed through a protection group. All workstations at a site are added to a single protection group called "Workstations" and a single agent backup job applies the policy.

Job Configuration

Setting | Standard
Job Type | Windows Agent Policy
Protection Group | "Workstations"
Schedule | Daily at 1:00 AM, Everyday
Retention | 14 days
If powered off | Backup once powered on
After backup | Keep running
Event triggers | None (Lock, Log off, Backup target connected — all unchecked)
Synthetic Full Backups | Disabled (Advanced → Backup tab)
Backup Files Health Check | Enabled (Advanced → Maintenance tab)
Backup File Encryption | Enabled — shares encryption password with server backup for this client

Setup Steps

Creating the Protection Group

  1. Open Veeam Console → Inventory → Physical Infrastructure
  2. Right-click → Add Protection Group
  3. Name: "Workstations"
  4. Type: Individual computers (or Active Directory if domain-joined)
  5. Add all workstation hostnames or IPs
  6. Configure discovery schedule as needed
  7. Finish the wizard

Creating the Backup Job

  1. Open Veeam Console → Home → Backup Job → Windows computer
  2. Job Mode: Select managed by backup server
  3. Name: "Workstations"
  4. Computers: Select the "Workstations" protection group
  5. Backup Mode: Entire computer (recommended) or Volume-level as needed
  6. Destination: Local BDR backup repository
  7. Backup Server: Local BDR
  8. Storage: Set retention to 14 days
  9. Schedule:
    • Select Daily at: 1:00 AM, Everyday
    • If computer is powered off at this time: Backup once powered on
    • Once backup is taken, computer should: Keep running
    • Leave all event triggers (Lock, Log off, Backup target connected) unchecked
  10. Review summary and click Finish.

Advanced Job Settings (on the Storage step)

Before leaving the Storage step, click Advanced to open Advanced Job Settings and configure:

  • Backup tab → uncheck Create synthetic full backups (use forever-forward incremental chain).
  • Maintenance tab → check Perform backup files health check (periodic integrity verification of restore points).
  • Storage tab → enable Backup file encryption. Use the same encryption password documented in IT Glue as Veeam Backup Encryption – <Site Abbrev> (shared across all Veeam jobs for this client).

⚠️ If encryption is enabled and the password is not stored in IT Glue, restores from these backup files will be impossible if the BDR is lost.

Key Notes

  • Workstation backups run after hours (1:00 AM) to avoid impacting users during the workday.
  • "Backup once powered on" ensures machines that were off at 1:00 AM still get backed up when the user turns them on.
  • All new workstations at a site must be added to the "Workstations" protection group — the backup job will automatically pick them up.

4. Cross-Site Replication Standards

Architecture

Each site maintains a replica of the other site's server VM on its local Hyper-V host. This provides manual failover capability if either site goes down. This is a non-clustered configuration — failover requires manual intervention and network reconfiguration.

Direction | Source | Target Host | Purpose
Site A → Site B | Server VM on Site A host | Site B Hyper-V host | DR failover if Site A goes down
Site B → Site A | Server VM on Site B host | Site A Hyper-V host | DR failover if Site B goes down

Job Configuration

Setting | Standard
Job Type | Hyper-V Replication
Schedule | Periodically every 1 hour
Restore Points | 6
Replica Name Suffix | _replica
Replica Seeding | Enabled (seed from existing backup on BDR)
Data Transfer Mode | Direct
Network Throttling | Global rule — 20% of client WAN during business hours, 80% after hours
Replica Traffic Encryption | Enabled (Advanced → Traffic tab)
Multiple Upload Streams | Enabled, 5 streams (Advanced → Traffic tab)

Setup Steps

  1. Open Veeam Console → Home → Replication Job → Virtual machine → Microsoft Hyper-V
  2. Name: Use naming convention <Source Site> > <Target Site> Replication (e.g., "SS > NB Replication")
  3. Advanced Controls: Check Replica seeding (for low bandwidth DR sites) — this is best practice and seeds the initial replica from the local BDR backup instead of pushing the full VM over WAN.
  4. Virtual Machines: Click Add → select the source server VM
  5. Destination:
    • Host or cluster: Select the target Hyper-V host at the opposing site
    • Path: Set to the data drive on the target host (e.g., Z:\Replicas, D:\Replicas)
  6. Job Settings:
    • Repository for replica metadata: Local BDR repository
    • Replica name suffix: _replica
    • Restore points to keep: 6
  7. Data Transfer: Select Direct (WAN accelerators require Enterprise Plus)
  8. Seeding: Check Get seed from the following backup repository and select the BDR repository containing the source VM's backups. Leave replica mapping as "no mapping" for new replicas.
  9. Guest Processing: Enable application-aware processing for domain controllers.
  10. Schedule: Set to run Periodically every 1 hour.
  11. Review summary and click Finish.

Advanced Job Settings (on the Storage / Job Settings step)

Before leaving the Job Settings step, click Advanced to open Advanced Job Settings and configure:

  • Traffic tab → enable Enable replica traffic encryption (encrypt replication data over the WAN).
  • Traffic tab → enable Use multiple upload streams per job and set to 5 (improves WAN utilization — also mirrored in global network rules).
  • Notifications tab → configure email notifications to route to HALO's inbound address if per-job overrides are needed (otherwise the global setting applies).

ℹ️ Replication does not produce .vbk/.vib backup files, so the Create synthetic full backups and Perform backup files health check options do not apply here. Those belong to backup jobs only.

Network Throttling (Global Setting)

Throttling is configured globally, not per-job. Per the Backup & Data Protection Standards, backup traffic must be limited to 20% of client bandwidth during business hours and 80% of client bandwidth outside business hours.

  1. Click the hamburger menu (top-left of Veeam console) → Network Traffic Rules
  2. Configure rules:
Rule Name | Encryption | Throttling | Time Period
Internet (Business Hours) | Enabled | 20% of client WAN bandwidth | Periodic (business hours, typically 7 AM – 6 PM)
Internet (After Hours) | Enabled | 80% of client WAN bandwidth | Periodic (outside business hours)
Class C LAN | Disabled | 750 Mbps | Anytime

Calculating the values: Determine the client's ISP upload bandwidth. A 100 Mbps symmetric connection gets 20 Mbps during business hours and 80 Mbps after hours. A 50/10 asymmetric connection (10 Mbps upload) gets 2 Mbps during business hours and 8 Mbps after hours. Use the upload speed since backup/replication pushes data outbound.

  3. Use multiple upload streams per job: Enabled, set to 5 (improves WAN utilization)

Note: If Veeam's global throttling only supports a single Internet rule without time-of-day splitting, configure the business hours (20%) value as the default and rely on the backup schedule to handle after-hours jobs running at higher throughput by scheduling them outside the throttle window. Document the per-client bandwidth values in the client's IT Glue or BookStack documentation.

Post-Replication Validation

Once the initial replication completes for both directions:

  1. Boot test the replica VM on the opposing host — verify it powers on and is accessible
  2. Do not leave test VMs running — power down immediately after validation
  3. Document boot test results
  4. Note: Full production failover requires network reconfiguration (~10 min per VM) as no VXLAN is available

5. Prerequisites for New Sites / Server Rebuilds

Before Veeam can back up or replicate to a Hyper-V host, the following must be in place:

Managed Server Registration

Both Hyper-V hosts must be added to Veeam as managed servers:

  1. Open Veeam Console → Backup Infrastructure → Managed Servers
  2. Right-click → Add Server → Microsoft Hyper-V → Hyper-V host
  3. Enter hostname or IP and credentials (local admin)
  4. Complete the wizard

LocalAccountTokenFilterPolicy (Workgroup Hosts Only)

If the Hyper-V host is not domain-joined (workgroup machine), UAC remote filtering will block Veeam's admin share access. This must be set on the host:

Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'LocalAccountTokenFilterPolicy' -Value 1 -Type DWord -Force

What this does: Windows strips administrative privileges from network logins for local accounts by default. Setting this registry value to 1 disables that filtering, allowing Veeam to authenticate with full admin rights over the network.

Static DNS Records (Workgroup Hosts)

If the Hyper-V host is not domain-joined, it will not automatically register in DNS. You must manually create a static A record on the domain controller's DNS server so other devices on the network can resolve the host by name.

On the DC/DNS server (e.g., SERVERRV):

  1. Open DNS Manager → expand the server → Forward Lookup Zones → dental.local
  2. Right-click → New Host (A or AAAA)
  3. Name: HV01
  4. IP Address: 192.168.16.200
  5. Click Add Host

Or via PowerShell:

Add-DnsServerResourceRecordA -Name "HV01" -ZoneName "dental.local" -IPv4Address "192.168.16.200"

This is the preferred long-term solution over hosts file entries because it's centrally managed and works for every device on the network.

DNS Suffix for Workgroup Hosts

Since the Hyper-V host is statically assigned and not domain-joined, it will not know to append the domain suffix (e.g., dental.local) when resolving short hostnames. Without this, the host can resolve SERVERRV.dental.local but not SERVERRV.

On the workgroup Hyper-V host (e.g., HV01):

  1. Open Network adapter TCP/IP properties → Advanced → DNS tab
  2. Under DNS suffix for this connection, enter dental.local
  3. Check Register this connection's addresses in DNS
  4. Under Append these DNS suffixes, add dental.local

Or via PowerShell:

Set-DnsClient -InterfaceAlias "SET1" -ConnectionSpecificSuffix "dental.local"

⚠️ This must be done on every workgroup Hyper-V host. Without the DNS suffix, short name resolution will fail and Veeam jobs referencing hostnames without the FQDN will not connect.

Hosts File Entries (When DNS is Unavailable)

If the domain controller / DNS server is offline (e.g., during a server migration or restore), Veeam jobs referencing hostnames will fail. Add static entries to the hosts file on the BDR and any relevant machines:

File location: C:\Windows\System32\drivers\etc\hosts

# Example entries during DC restore
192.168.16.200    HV01
192.168.16.5      SERVERRV

Open Notepad as Administrator → File → Open → navigate to the path above → change filter to All Files (*.*) → add entries → save.

⚠️ Remove hosts file entries once DNS is restored. Stale entries will cause connectivity issues if IPs change.

See full SOP: SOP: Windows Hosts File Configuration in BookStack under Server Migration / Networking.
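
To find entries that are due for removal, the following added example (not part of the original SOP) compares each hosts file entry with what DNS itself returns. The function name Get-HostsFileDrift and its status labels are hypothetical.

```powershell
# Added example, not from the SOP: flag hosts-file entries that no longer match DNS.
function Get-HostsFileDrift {
    param(
        [string]$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
    )

    foreach ($line in Get-Content -Path $HostsPath) {
        # Strip comments and skip blank lines
        $text = ($line -split '#', 2)[0].Trim()
        if (-not $text) { continue }

        # Entry format: <IP> <name> [alias ...]
        $fields = @($text -split '\s+')
        if ($fields.Count -lt 2) { continue }
        $hostsIp = $fields[0]

        foreach ($name in $fields[1..($fields.Count - 1)]) {
            # -NoHostsFile makes the lookup bypass the file being audited
            $dnsIps = @(
                Resolve-DnsName -Name $name -Type A -NoHostsFile -DnsOnly -ErrorAction SilentlyContinue |
                    Where-Object { $_.Type -eq 'A' } |
                    ForEach-Object { $_.IPAddress }
            )

            # NoDnsAnswer: DNS still down or no record, so the entry is still needed
            # MatchesDns:  DNS is back and agrees, so the entry can be removed
            # Stale:       DNS returns a different address, so the entry is overriding it
            if ($dnsIps.Count -eq 0)            { $status = 'NoDnsAnswer' }
            elseif ($dnsIps -contains $hostsIp) { $status = 'MatchesDns' }
            else                                { $status = 'Stale' }

            [pscustomobject]@{
                Name    = $name
                HostsIP = $hostsIp
                DnsIP   = ($dnsIps -join ', ')
                Status  = $status
            }
        }
    }
}

Get-HostsFileDrift | Format-Table -AutoSize
```

Entries reported as MatchesDns or Stale are the ones to remove once the DC is back online.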

Firewall Rules

If Windows Firewall is enabled on the Hyper-V host, add exceptions for Veeam:

netsh advfirewall firewall add rule name="Veeam Data Mover" dir=in action=allow protocol=TCP localport=6162
netsh advfirewall firewall add rule name="Veeam Backup Service" dir=in action=allow protocol=TCP localport=9392
netsh advfirewall firewall add rule name="Veeam Data Transfer" dir=in action=allow protocol=TCP localport=2500-3300
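
The netsh rules above accept connections from any source address. As an added example (not part of the original SOP), the function below limits the same three rules to the addresses of the Veeam components that connect to this host. The function name Set-VeeamFirewallScope is hypothetical, and the peer list (BDR, opposing-site Hyper-V host) is an assumption to fill in per site.

```powershell
# Added example, not from the SOP. Run elevated on the Hyper-V host.
function Set-VeeamFirewallScope {
    param(
        # Addresses of every Veeam component that connects to this host
        [Parameter(Mandatory)]
        [string[]]$PeerAddress
    )

    # Same rule names and ports as the netsh commands in this section
    $rules = @(
        @{ Name = 'Veeam Data Mover';     Port = '6162' }
        @{ Name = 'Veeam Backup Service'; Port = '9392' }
        @{ Name = 'Veeam Data Transfer';  Port = '2500-3300' }
    )

    foreach ($r in $rules) {
        $existing = Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue
        if ($existing) {
            # Rule already created by netsh: narrow it rather than add a duplicate
            $existing | Set-NetFirewallRule -RemoteAddress $PeerAddress
        }
        else {
            New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow `
                -Protocol TCP -LocalPort $r.Port -RemoteAddress $PeerAddress | Out-Null
        }

        # Read the rule back so the output reflects what is actually configured
        $rule = Get-NetFirewallRule -DisplayName $r.Name
        [pscustomobject]@{
            Rule          = $r.Name
            Enabled       = ($rule.Enabled -join ',')
            LocalPort     = (($rule | Get-NetFirewallPortFilter).LocalPort -join ',')
            RemoteAddress = (($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
        }
    }
}

# Usage: the addresses are placeholders from the documentation range, replace before running
# Set-VeeamFirewallScope -PeerAddress '192.0.2.10', '192.0.2.20' | Format-Table -AutoSize
```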

6. Troubleshooting

"Failed to perform handshake"

Symptoms: Replication or backup job fails immediately with "Failed to perform handshake" or "Failed to connect to Installer service."

Common Causes and Fixes:

1. Stale certificates after server rebuild. If the target Hyper-V host was recently rebuilt or reimaged, Veeam's cached certificates no longer match.

  • Fix: Go to Backup Infrastructure → Managed Servers → right-click the host → Rescan. This forces Veeam to re-establish the deployer connection and refresh certificates.

2. Firewall blocking Veeam ports. Windows Firewall on the target host is blocking inbound connections on ports 6162, 9392, or 2500-3300.

Quick test — temporarily disable firewall on the target host:

Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False

If the job succeeds, re-enable firewall and add the Veeam exceptions listed in Section 5.

Verify port access from BDR:

Test-NetConnection -ComputerName <HostnameOrIP> -Port 6162

3. LocalAccountTokenFilterPolicy not set. On workgroup hosts, Veeam cannot authenticate with admin rights.

Verify:

Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'LocalAccountTokenFilterPolicy'

Value should be 1. If missing or 0, set it per Section 5.

4. Veeam services not running on target host.

Check:

Get-Service -Name "*veeam*"

All Veeam services (Installer, Transport, Guest Interaction, Hyper-V Integration) should be Running. Restart if needed:

Get-Service -Name "*veeam*" | Restart-Service -Force

DNS Resolution Failures

Symptoms: Job fails to connect to host by hostname. Error may reference inability to resolve the server name.

Fixes:

  1. Use IP address directly in the Veeam job as a temporary workaround.
  2. Add hosts file entries on the BDR for the target host (see Section 5).
  3. Verify DNS is running if the DC is online:
    Get-Service DNS
    nslookup <hostname>
  4. Flush DNS cache if entries were recently changed:
    ipconfig /flushdns

VM Shows "Unidentified Network" After Restore

Symptoms: A restored VM has no network connectivity despite being assigned to the correct virtual switch.

Fixes:

  1. Check virtual switch assignment: Hyper-V Manager → right-click VM → Settings → Network Adapter → verify it's connected to the correct external virtual switch.
  2. Check VLAN tagging: If the VM was restored from a physical server or different host, it may have a VLAN ID enabled that doesn't match the new environment.
    • In VM Settings → Network Adapter → if Enable virtual LAN identification is checked, try unchecking it.
    • Physical switch ports in most dental practice environments are access ports — they handle VLAN tagging at the port level. The VM should not have an explicit VLAN tag.

Replication Job Runs But No Data Transfers

Symptoms: Job shows as running but processed/read/transferred all show N/A or 0 bytes.

Fixes:

  1. Verify source VM is powered on and accessible from the BDR.
  2. Check Changed Block Tracking (CBT): Job log should show "Changed block tracking is enabled." If not, the VM may need a full resync.
  3. Check available disk space on the target host's data drive — insufficient space will prevent replica creation.

General Diagnostic Commands

Run these from the BDR or target host as needed:

# Verify Veeam services
Get-Service -Name "*veeam*"

# Check listening ports
netstat -an | findstr "6162 2500 9392"

# Test connectivity to remote host
Test-NetConnection -ComputerName <HostnameOrIP> -Port 6162

# Check LocalAccountTokenFilterPolicy
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'LocalAccountTokenFilterPolicy'

# View recent Veeam job logs
Get-ChildItem "C:\ProgramData\Veeam\Backup" -Recurse -Filter "*.log" | Where-Object { $_.LastWriteTime -gt (Get-Date).AddMinutes(-30) } | Sort-Object LastWriteTime -Descending | Select-Object -First 10 FullName, LastWriteTime

# Search logs for specific errors
Select-String -Path "<log file path>" -Pattern "handshake|error|fail" -CaseSensitive:$false | Select-Object -Last 20
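
The host-side checks from Sections 5 and 6 can be collected into one pass/fail report. This is an added example, not part of the original SOP; the function names New-CheckResult and Test-VeeamHostPrereq are hypothetical, and dental.local is the example zone used in this document.

```powershell
# Added example, not from the SOP. Run elevated on the Hyper-V host being prepared.
function New-CheckResult {
    param($Check, $Expected, $Actual)
    [pscustomobject]@{
        Check    = $Check
        Expected = $Expected
        Actual   = $Actual
        Pass     = ("$Actual" -eq "$Expected")
    }
}

function Test-VeeamHostPrereq {
    param(
        # Example zone name used in this SOP; pass the client's real zone
        [string]$DnsSuffix = 'dental.local',
        [string[]]$RuleName = @('Veeam Data Mover', 'Veeam Backup Service', 'Veeam Data Transfer')
    )

    # The registry and DNS-suffix prerequisites apply to workgroup hosts only
    if (-not (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {
        $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        $prop = Get-ItemProperty -Path $key -Name 'LocalAccountTokenFilterPolicy' -ErrorAction SilentlyContinue
        $actual = if ($prop) { $prop.LocalAccountTokenFilterPolicy } else { 'missing' }
        New-CheckResult 'LocalAccountTokenFilterPolicy' 1 $actual

        $suffixes = @(Get-DnsClient | ForEach-Object { $_.ConnectionSpecificSuffix } | Where-Object { $_ })
        $actual = if ($suffixes -contains $DnsSuffix) { $DnsSuffix } else { 'not set' }
        New-CheckResult 'Connection DNS suffix' $DnsSuffix $actual
    }

    # Firewall exceptions only matter when at least one firewall profile is enabled
    $activeProfiles = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'True' })
    if ($activeProfiles.Count -gt 0) {
        foreach ($name in $RuleName) {
            $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue |
                Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
            $actual = if ($rule) { 'present' } else { 'missing or disabled' }
            New-CheckResult "Firewall rule: $name" 'present' $actual
        }
    }

    # Veeam services installed on this host should all be running
    $services = @(Get-Service -Name '*veeam*' -ErrorAction SilentlyContinue)
    $stopped = @($services | Where-Object { $_.Status -ne 'Running' })
    if ($services.Count -eq 0)    { $actual = 'none installed' }
    elseif ($stopped.Count -gt 0) { $actual = 'not running: ' + ($stopped.Name -join ', ') }
    else                          { $actual = 'all running' }
    New-CheckResult 'Veeam services' 'all running' $actual
}

Test-VeeamHostPrereq | Format-Table -AutoSize
```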

7. Quick Reference

Item | Server Backup | Workstation Backup | Replication
Job Type | Hyper-V Backup | Windows Agent Policy | Hyper-V Replication
Source | Hyper-V host | Protection group "Workstations" | Individual server VM
Target | Local BDR repo + S3 | Local BDR repo | Opposing site Hyper-V host
Schedule | Every 1 hour | Daily at 1:00 AM | Every 1 hour
Retention | 14 restore points | 14 days | 6 restore points
Retry | 3x / 10 min intervals | N/A | N/A
Seeding | N/A | N/A | Enabled (from BDR backup)
Throttling | N/A | N/A | 20%/80% of client WAN (global rule)
Synthetic Fulls | Disabled | Disabled | N/A
Health Check | Enabled | Enabled | N/A
Encryption | Enabled (IT Glue password) | Enabled (shared with server) | Replica traffic encryption (Traffic tab)

8. Naming Conventions

Job Type | Format | Example
Server Backup | <Site Abbrev> Hyper-V | NB Hyper-V, SS Hyper-V
Workstation Backup | Workstations | Workstations
Replication | <Source> > <Target> Replication | SS > NB Replication, NB > SS Replication
Protection Group | Workstations | Workstations
IT Glue Encryption Password Entry | Veeam Backup Encryption – <Site Abbrev> | Veeam Backup Encryption – NB

9. Document Control

Version | Date | Author | Changes
1.0 | February 10, 2026 | Zachary Boogher | Initial release. Defines standards for server backups (Hyper-V host-level, hourly, 14 restore points), workstation backups (Windows Agent Policy, daily 1 AM, 14 days), and cross-site replication (hourly, 6 restore points, seeded from BDR). Covers job configuration, setup steps, network throttling (20%/80% global rule), prerequisites for new sites (LocalAccountTokenFilterPolicy, DNS suffix, static DNS records, firewall rules), and troubleshooting runbook.
1.1 | March 2026 | IT Support Engineering | Minor wording and reference cleanups.
1.2 | April 23, 2026 | Scott Leister (Security & Compliance Engineering) | Added Standard Advanced Job Settings applicable to all backup and replication jobs: synthetic full backups disabled, backup files health check enabled, backup file encryption enabled (password stored in IT Glue as Veeam Backup Encryption – <Site Abbrev>), replica traffic encryption enabled, and multiple upload streams enabled (5 streams) for replication. New standards are reflected in the centralized table (Section 1), the per-section Job Configuration tables (Sections 2, 3, 4), the Advanced Job Settings subsections in each Setup Steps, the Quick Reference (Section 7), and the Naming Conventions (Section 8). Full render cleanup: removed duplicate H1 headings, fixed markdown-escape artifacts in the Field Details header, Section 2 / 3 / 4 Job Configuration tables, Section 4 Network Throttling table, and Section 7 Quick Reference table; restructured Section 6 troubleshooting code blocks for proper rendering; fixed broken Section 8 naming conventions format strings. Aligns with Veeam BDR Deployment SOP (page 1096) v1.2.

Confidential — Internal Use Only