Veeam BDR Deployment SOP

| Field | Details |
|---|---|
| Category | Backup & Disaster Recovery |
| Author | IT Support Engineering |
| Date | March 2026 |
| Version | 1.0 |
| Audience | T2/T3 |
| Platform | Veeam Backup & Replication 13.x (Enterprise Edition) |


1. Purpose

This SOP covers the end-to-end deployment of a Veeam BDR appliance for new or onboarding DTC clients. It walks through hardware setup, Veeam installation, job configuration, S3 offsite setup, and VSPC registration — from unboxing the Equus to the first successful backup.

What this document is: The Day 1 deployment checklist for standing up a client's backup infrastructure. Follow this start to finish during onboarding.

What this document is NOT: This is not the job configuration reference (see Veeam B&R Standards, page 1004) or the VSPC portal setup guide (see VSPC Client Onboarding SOP, page 710). This SOP references both — it does not duplicate them.

| Document | When to Reference | Page |
|---|---|---|
| Veeam B&R Standards | Job configuration details (schedules, retention, traffic rules, naming) | 1004 |
| VSPC Client Onboarding SOP | VSPC company creation, user setup, service configuration | 710 |
| Daily Operations & Verification SOP | Handoff to monitoring after deployment | 1093 |
| DR Runbook | Disaster recovery procedures this BDR enables | 1034 |


2. Prerequisites Checklist

Complete all items before arriving on-site or beginning remote deployment.

| # | Item | Source | Status |
|---|---|---|---|
| 1 | Client confirmed for Veeam BDR (HALO recurring invoice has BDR-MSP line item) | Account Manager / HALO | |
| 2 | Equus hardware procured and received | Procurement | |
| 3 | Windows 11 Pro license (OEM pre-installed on Equus) | Hardware vendor | |
| 4 | Veeam B&R 13.x Enterprise license key obtained | Veeam license portal | |
| 5 | S3 bucket provisioned for this client | DTC cloud infrastructure team | |
| 6 | S3 access credentials (access key + secret key) documented | 1Password / IT Glue | |
| 7 | VSPC company created per VSPC Onboarding SOP (page 710) | VSPC admin | |
| 8 | Client network information gathered (IP scheme, VLAN, subnet, gateway, DNS) | Network Assessment / onboarding docs | |
| 9 | Static IP address reserved for BDR appliance | Network planning | |
| 10 | Hyper-V host credentials available (for managed server registration) | Client documentation / IT Glue | |
| 11 | HALO onboarding ticket open and assigned | Project management | |
| 12 | Physical access coordinated (server room/closet access, power, network drop) | Account Manager / client contact | |

⚠️ Do not begin deployment without items 1-6 confirmed. Missing a license key or S3 bucket mid-deployment wastes the maintenance window.


3. Hardware Setup — Equus BDR Appliance

3.1 Physical Installation

  1. Placement: Position the Equus box in the client's server room/closet near the primary switch. Ensure adequate ventilation — do not stack equipment on top of it.
  2. Power: Connect to a UPS-backed outlet if available. Connect power cable and verify POST.
  3. Network: Connect at minimum one Ethernet cable to the client's primary switch. Use the port designated for the BDR's static IP / VLAN.
  4. Labeling: Label the unit with the machine name (see naming convention below) and DTC asset tag.

3.2 Windows 11 Initial Configuration

Windows 11 Pro comes pre-installed on Equus hardware. Complete the OOBE (Out of Box Experience) and configure:

| Setting | Value | Notes |
|---|---|---|
| Computer Name | DTCBSURE-[SiteAbbrev] | Example: DTCBSURE-NB for North Bethesda. Match site abbreviation from HALO. |
| Domain/Workgroup | Workgroup (do NOT domain-join) | BDR stays in workgroup. See Section 5 for LocalAccountTokenFilterPolicy. |
| Local Admin Account | DTCADMIN | Password per DTC standard — store in IT Glue under client. |
| Static IP | Per client network plan | Set via Network adapter settings. Do NOT use DHCP. |
| DNS | Client's UDM gateway IP | Per DTC standard — UDM as sole DNS server. |
| Default Gateway | Client's UDM gateway IP | Standard network configuration. |
| Time Zone | Client's local time zone | Critical for backup scheduling accuracy. |
| Power Plan | High Performance | `powercfg /setactive 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c` |
| Sleep / Hibernation | Disabled | `powercfg /change standby-timeout-ac 0` and `powercfg /hibernate off` |
| Windows Update | Fully patched before Veeam install | Run Windows Update through all available updates. Reboot as needed. |
| Remote Desktop | Enabled | System Properties → Remote → Allow remote connections |

3.3 Architecture Decision — Why Windows 11

DTC deploys Veeam B&R directly on Windows 11. This is a deliberate architecture decision for the dental office workload — not an oversight.

Do not rebuild BDR appliances on Windows Server unless explicitly directed by T3 engineering. If someone questions this, the rationale is: Windows 11 Pro is pre-licensed on the Equus hardware, Veeam B&R 13.x fully supports client OS installation, and the BDR workload (local backup repository + S3 copy + optional replication) does not require Server-specific features like Hyper-V hosting or AD DS on the BDR itself.


4. Veeam B&R Installation

4.1 Pre-Installation

  1. Verify Windows 11 is fully patched and rebooted
  2. Verify .NET Framework 4.7.2+ is installed (Windows 11 ships with 4.8+, so this should already be satisfied)
  3. Download Veeam B&R 13.x ISO from the Veeam portal, or use the installer from DTC's standard deployment media
  4. Mount the ISO or extract the installer

4.2 Installation Walkthrough

Run the Veeam installer as Administrator. Key decisions at each step:

| Step | Selection | Notes |
|---|---|---|
| Install Type | Veeam Backup & Replication | Full B&R server install — not just console |
| License | Apply Enterprise license key | Browse to license file or enter key |
| SQL Instance | Install SQL Express (bundled) | Use the default local SQL Express instance. Do not point to an external SQL server. |
| Service Account | LOCAL SYSTEM | Default. No need for a domain service account since BDR is workgroup. |
| Catalog Folder | Default (C:\VBRCatalog) | Unless BDR has a dedicated data drive, use default |
| Ports | Accept defaults (9392, 9393, 9401) | Do not change unless there's a port conflict |
| Installation Path | Default (C:\Program Files\Veeam) | Use default path |

4.3 Post-Installation Configuration

After Veeam B&R console opens for the first time:

License verification:

  1. Open Veeam B&R console
  2. Go to Menu → License
  3. Verify: Edition shows "Enterprise", expiration date is valid, socket/instance count is sufficient

Backup repository setup:

  1. Navigate to Backup Infrastructure → Backup Repositories
  2. The default repository points to C:\Backup. If the Equus has a dedicated data drive (D:\ or similar):
    • Add a new repository: Add Backup Repository → Direct Attached Storage → Microsoft Windows
    • Name: Local-[SiteAbbrev] (e.g., Local-NB)
    • Path: Point to the data drive (e.g., D:\Backups)
    • Set as default repository
  3. If no dedicated data drive exists, use the default C:\Backup repository (verify sufficient space)

Network traffic rules:

Per Veeam B&R Standards (page 1004):

  1. Navigate to Menu → Network Traffic Rules
  2. Add rule for internet/WAN: throttle to 10-15 Mbps during business hours (7 AM - 6 PM)
  3. LAN traffic: 750 Mbps (effectively unlimited on GigE)
  4. These rules prevent backup traffic from saturating the client's internet during business hours

Notification settings:

  1. Navigate to Menu → General Options → Notifications
  2. Configure email notifications to route to HALO's inbound email address for automatic ticket creation
  3. Set notification level: On failure and warning
  4. This enables the alert → HALO ticket flow documented in the Daily Operations SOP (page 1093)

5. Managed Server Registration

The BDR needs to connect to the client's Hyper-V host(s) to perform backups. This is where most deployment issues occur.

5.1 Prerequisites for Server Registration

Before adding the Hyper-V host as a managed server, verify these items on the target Hyper-V server (not the BDR):

LocalAccountTokenFilterPolicy (workgroup hosts only):

If the Hyper-V host is in a workgroup (not domain-joined), this registry value MUST be set on the host. Without it, Veeam cannot authenticate remotely.

# Run on the HYPER-V HOST (not the BDR)
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
  -Name "LocalAccountTokenFilterPolicy" -Value 1 -Type DWord

Reference: Veeam B&R Standards (page 1004), Section 5.
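
The registry change above, wrapped in a guard so it is applied only to workgroup hosts and leaves a before/after record for the HALO ticket. This is an added example, not part of the original SOP; it uses only built-in cmdlets and assumes an elevated PowerShell session on the Hyper-V host.

```powershell
# Added example (not from the SOP). Run on the HYPER-V HOST, elevated.
# Sets LocalAccountTokenFilterPolicy only when the host is in a workgroup
# and reports the state before and after the change.

$path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$name = 'LocalAccountTokenFilterPolicy'

function Get-TokenFilterPolicy {
    # Returns the current DWORD value, or $null when the value does not exist.
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$name } else { $null }
}

$cs     = Get-CimInstance -ClassName Win32_ComputerSystem
$before = Get-TokenFilterPolicy

if ($cs.PartOfDomain) {
    # Domain-joined hosts are registered with domain credentials (Section 5.2),
    # so the value is not required and is left untouched.
    $action = 'Skipped (domain-joined)'
}
elseif ($before -eq 1) {
    $action = 'Already set'
}
else {
    # With the value at 1, remote logons by local administrator accounts get a
    # full (unfiltered) admin token. That is what lets Veeam authenticate, and
    # it is also why the ports in this section should be limited to the BDR.
    Set-ItemProperty -Path $path -Name $name -Value 1 -Type DWord
    $action = 'Set to 1'
}

[pscustomobject]@{
    Host         = $env:COMPUTERNAME
    PartOfDomain = $cs.PartOfDomain
    Domain       = $cs.Domain            # workgroup name when not domain-joined
    ValueBefore  = if ($null -eq $before) { '(not present)' } else { $before }
    ValueAfter   = Get-TokenFilterPolicy
    Action       = $action
}
```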

DNS resolution:

The BDR must be able to resolve the Hyper-V host by hostname. For workgroup environments:

  • Add a static DNS entry on the UDM for the Hyper-V host, OR
  • Add a hosts file entry on the BDR: C:\Windows\System32\drivers\etc\hosts
  • Also configure the DNS suffix on the BDR if the Hyper-V host uses FQDN

Firewall ports:

The following ports must be open between the BDR and the Hyper-V host:

| Port | Protocol | Service |
|---|---|---|
| 6162 | TCP | Veeam Data Mover |
| 9392 | TCP | Veeam Backup Service |
| 2500-3300 | TCP | Data transfer channels |
| 445 | TCP | SMB (for file-level operations) |
| 135, 137-139 | TCP/UDP | WMI/DCOM (initial discovery) |

Check Windows Firewall on both the BDR and the Hyper-V host. If using VLANs, verify UDM firewall rules allow inter-VLAN traffic on these ports.

5.2 Adding the Managed Server

  1. Open Veeam B&R console on the BDR
  2. Navigate to Backup Infrastructure → Managed Servers
  3. Click Add Server → Microsoft Windows
  4. Enter the Hyper-V host's hostname or IP address
  5. Credentials: Click Add to create a new credential entry
    • For workgroup hosts: HOSTNAME\Administrator or HOSTNAME\DTCADMIN
    • For domain-joined hosts: DOMAIN\DTCADMIN or domain admin credentials
    • Store these credentials in IT Glue
  6. Click Next — Veeam will attempt to connect and install/update the Veeam Data Mover service on the host
  7. If successful: the server appears in Managed Servers with a green status
  8. Click Rescan to refresh the host inventory (VMs, datastores)

5.3 Troubleshooting Registration Failures

If the managed server add fails, reference the Veeam Troubleshooting Runbook for detailed procedures. Common quick checks:

| Symptom | Quick Fix |
|---|---|
| "Failed to perform handshake" | Check firewall ports 6162/9392. Check Veeam services on host. Check for stale certificates. |
| "Access denied" | Verify LocalAccountTokenFilterPolicy. Check credentials. |
| "Cannot resolve hostname" | Add hosts file entry or DNS record. Check DNS suffix. |
| "RPC server is unavailable" | Check port 135, WMI service on host. Check Windows Firewall. |
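
The quick checks above can be run in one pass from the BDR. The script below is an added example, not part of the original SOP: it resolves the host name, probes the fixed TCP ports from Section 5.1, and maps each failure back to the matching symptom row. The host name default is a placeholder, and the function name `Test-BdrToHost` is made up for this example.

```powershell
# Added example (not from the SOP). Run on the BDR after a failed "Add Server".
# 'HYPERV-HOST-PLACEHOLDER' is a placeholder; pass the client's host name.
param([string]$HyperVHost = 'HYPERV-HOST-PLACEHOLDER')

# Fixed ports from the Section 5.1 table. The 2500-3300 data-channel range is
# dynamic and has no fixed listener to probe, so it is not tested here.
$checks = @(
    [pscustomobject]@{ Port = 135;  Hint = '"RPC server is unavailable": check WMI service and Windows Firewall on host' }
    [pscustomobject]@{ Port = 445;  Hint = 'SMB unreachable: check Windows Firewall and UDM inter-VLAN rules' }
    [pscustomobject]@{ Port = 6162; Hint = '"Failed to perform handshake": check firewall and Veeam services on host (closed is expected until the Data Mover is installed)' }
)

function Test-BdrToHost {
    param([string]$Name, [object[]]$PortChecks)

    # Step 1: resolve through the system resolver (DNS and the hosts file).
    try {
        $ip = [System.Net.Dns]::GetHostAddresses($Name) | Select-Object -First 1
        [pscustomobject]@{ Check = 'Resolve'; Passed = $true; Detail = $ip.IPAddressToString }
    }
    catch {
        [pscustomobject]@{
            Check  = 'Resolve'
            Passed = $false
            Detail = '"Cannot resolve hostname": add hosts file entry or DNS record, check DNS suffix'
        }
        return   # port probes are meaningless without an address
    }

    # Step 2: TCP connect per port; a failure means filtered or no listener.
    foreach ($c in $PortChecks) {
        $open = Test-NetConnection -ComputerName $Name -Port $c.Port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            Check  = "TCP $($c.Port)"
            Passed = $open
            Detail = if ($open) { 'reachable' } else { $c.Hint }
        }
    }
}

Test-BdrToHost -Name $HyperVHost -PortChecks $checks | Format-Table -AutoSize -Wrap
```

If every row passes and the add still fails with "Access denied", the remaining rows of the table apply: LocalAccountTokenFilterPolicy and the stored credentials.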


6. Backup Job Configuration

Do not configure jobs from memory. Reference the Veeam B&R Standards (page 1004) for all settings. This section provides a deployment checklist — not the configuration details.

6.1 Server Backup Job

| Setting | Standard Value | Configured | Verified |
|---|---|---|---|
| Job name | [Site Abbrev] Hyper-V | | |
| Source | Hyper-V host (all VMs) | | |
| Target | Local BDR repository | | |
| Schedule | Every 1 hour | | |
| Restore points | 14 | | |
| Retry on failure | 3 attempts, 10 min intervals | | |
| Application-aware processing | Enabled | | |
| Guest OS credentials | Configured for SQL, AD if applicable | | |
| First run initiated | Manual start after configuration | | |
| First run completed successfully | Verify green status | | |
| Advanced: Synthetic full backups | Disabled (unchecked) | | |
| Advanced: Backup files health check | Enabled | | |
| Advanced: Backup file encryption | Enabled — password in IT Glue as Veeam Backup Encryption – <Site Abbrev> | | |

6.2 Workstation Backup (Agent Policy)

| Setting | Standard Value | Configured | Verified |
|---|---|---|---|
| Protection group | "Workstations" | | |
| Discovery method | Per Standards page | | |
| Schedule | Daily at 1:00 AM | | |
| Retention | 14 days | | |
| Backup if powered on after window | Enabled ("backup once powered on") | | |
| Target | Local BDR repository | | |
| Test agent deployment | Deploy to 1 test workstation, verify backup | | |
| Advanced: Synthetic full backups | Disabled (unchecked) | | |
| Advanced: Backup files health check | Enabled | | |
| Advanced: Backup file encryption | Enabled — same password as server backup (per client) | | |

6.3 S3 Backup Copy Job

See Section 7 for S3 repository setup — complete that first, then configure the copy job.

| Setting | Standard Value | Configured | Verified |
|---|---|---|---|
| Job name | [Site Abbrev] S3 Copy | | |
| Source | Server backup job | | |
| Target | S3 object storage repository | | |
| Schedule | Per backup copy job defaults | | |
| First copy completed successfully | Data visible in S3 repository | | |

6.4 Cross-Site Replication (Multi-Site Clients Only)

Only configure if the client has multiple sites with BDR appliances at each.

| Setting | Standard Value | Configured | Verified |
|---|---|---|---|
| Job name | [Source] > [Target] Replication | | |
| Source | Individual server VM | | |
| Target | Opposing site Hyper-V host | | |
| Schedule | Every 1 hour | | |
| Restore points | 6 | | |
| WAN throttling | 10-15 Mbps during business hours | | |
| Seed from backup | If initial data > 100 GB, seed from local backup to avoid WAN transfer | | |
| Advanced: Replica traffic encryption | Enabled (Traffic tab) | | |
| Advanced: Multiple upload streams per job | Enabled, 5 streams (Traffic tab) | | |


7. S3 Offsite Configuration

7.1 Prerequisites

Before configuring S3 in Veeam:

  • S3 bucket must be provisioned (prerequisite #5)
  • Access key and secret key documented in 1Password / IT Glue (prerequisite #6)
  • Bucket region, name, and endpoint URL confirmed

7.2 Adding S3 Object Storage Repository

  1. Open Veeam B&R console
  2. Navigate to Backup Infrastructure → Backup Repositories
  3. Click Add Backup Repository → Object Storage → S3 Compatible
  4. Configuration:

| Setting | Value |
|---|---|
| Name | S3-[SiteAbbrev] (e.g., S3-NB) |
| Service endpoint | Per DTC cloud infrastructure |
| Region | Per S3 bucket configuration |
| Credentials | Add new → enter access key + secret key |
| Bucket | Select the client's provisioned bucket |
| Folder | Create: veeam-backups/ |

  5. Immutability: If the S3 bucket supports object lock, enable immutability with DTC's standard retention. Consult T3 if unsure about immutability settings.
  6. Click Finish and verify the repository appears healthy in the repository list

7.3 Configuring the Backup Copy Job

  1. Navigate to Home → Jobs → Backup Copy
  2. Create new backup copy job
  3. Source: select the server backup job created in Section 6.1
  4. Target: select the S3 object storage repository
  5. Schedule and retention: per Veeam B&R Standards
  6. Start the first copy and monitor — initial copy will be large and may take hours depending on data size and upload bandwidth

⚠️ Initial S3 copy can take a long time. A 500 GB server backup on a 50 Mbps upload link takes approximately 22 hours. Set expectations with the client and do not block on this completing during the deployment window. Monitor via VSPC.


8. Post-Deployment Validation Checklist

Do not close the deployment HALO ticket until every item is verified.

| # | Check | Expected Result | Status |
|---|---|---|---|
| 1 | Server backup job runs successfully | Green in Veeam console, restore points visible | |
| 2 | Workstation agent deploys to test workstation | Agent reporting in protection group, first backup completes | |
| 3 | S3 backup copy job initiates | Data transferring to S3 (may not complete during window — verify later) | |
| 4 | Cross-site replication running (if applicable) | Initial sync started, restore points building | |
| 5 | VSPC shows BDR and all jobs | Healthy status in VSPC dashboard | |
| 6 | Veeam alerts flowing to HALO | Test: trigger a manual failure or confirm notification settings route to HALO | |
| 7 | BDR remote access verified | Remote Desktop works from DTC's management network | |
| 8 | Veeam Recovery Media created | USB recovery media created and stored on-site or documented in IT Glue | |
| 9 | HALO ticket updated with deployment details | Job names, schedules, repo paths, BDR IP, credentials location documented | |
| 10 | IT Glue updated | BDR credentials, IP, configuration, S3 bucket info documented | |
| 11 | Microsoft Defender exclusions configured | Veeam processes and repository paths excluded (see Troubleshooting Runbook) | |
| 12 | NinjaRMM agent installed on BDR | BDR visible in NinjaRMM for monitoring | |
| 13 | Veeam backup encryption password stored in IT Glue | Password entry Veeam Backup Encryption – <Site Abbrev> exists and is attached to BDR configuration | |
| 14 | Test restore from encrypted backup completed | Restore a single file from the server backup job using the IT Glue password — confirms encryption + password are valid | |


9. Microsoft Defender Exclusions

Configure these exclusions on the BDR to prevent Defender from interfering with backup operations. This is a deployment task, not a troubleshooting afterthought.

Process exclusions:

  • C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe
  • C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Manager.exe
  • C:\Program Files\Veeam\Backup and Replication\Backup Catalog\Veeam.Backup.CatalogDataService.exe
  • VeeamAgent.exe
  • VeeamDeploymentSvc.exe

Folder exclusions:

  • C:\Program Files\Veeam\
  • BDR repository path (e.g., D:\Backups\)
  • C:\VBRCatalog\
  • C:\Windows\Veeam\

File type exclusions:

  • .vbk, .vib, .vrb, .vsb, .vlb

Deploy via PowerShell:

# Process exclusions
Add-MpPreference -ExclusionProcess "C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe"
Add-MpPreference -ExclusionProcess "C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Manager.exe"
Add-MpPreference -ExclusionProcess "C:\Program Files\Veeam\Backup and Replication\Backup Catalog\Veeam.Backup.CatalogDataService.exe"
Add-MpPreference -ExclusionProcess "VeeamAgent.exe"
Add-MpPreference -ExclusionProcess "VeeamDeploymentSvc.exe"

# Folder exclusions
Add-MpPreference -ExclusionPath "C:\Program Files\Veeam\"
Add-MpPreference -ExclusionPath "D:\Backups\"  # Adjust to actual repo path
Add-MpPreference -ExclusionPath "C:\VBRCatalog\"
Add-MpPreference -ExclusionPath "C:\Windows\Veeam\"

# File type exclusions
Add-MpPreference -ExclusionExtension ".vbk"
Add-MpPreference -ExclusionExtension ".vib"
Add-MpPreference -ExclusionExtension ".vrb"
Add-MpPreference -ExclusionExtension ".vsb"
Add-MpPreference -ExclusionExtension ".vlb"

Reference: Veeam Troubleshooting Runbook, Section 5 — Microsoft Defender Interference.
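
Validation item #11 can be checked by comparing the live Defender configuration against the lists in this section. The script below is an added example, not part of the original SOP; the function names and the `$RepoPath` parameter are made up for it. Besides missing entries it reports exclusions that are present but not in the standard, since every exclusion is a location Defender no longer scans and extras should be reviewed.

```powershell
# Added example (not from the SOP). Run on the BDR in an elevated session;
# non-elevated sessions cannot read the exclusion lists.
# $RepoPath defaults to the SOP's example path; pass the real repository path.
param([string]$RepoPath = 'D:\Backups\')

$veeamBin = 'C:\Program Files\Veeam\Backup and Replication'
$expected = [ordered]@{
    ExclusionProcess   = @(
        "$veeamBin\Backup\Veeam.Backup.Service.exe"
        "$veeamBin\Backup\Veeam.Backup.Manager.exe"
        "$veeamBin\Backup Catalog\Veeam.Backup.CatalogDataService.exe"
        'VeeamAgent.exe'
        'VeeamDeploymentSvc.exe'
    )
    ExclusionPath      = @('C:\Program Files\Veeam\', $RepoPath, 'C:\VBRCatalog\', 'C:\Windows\Veeam\')
    ExclusionExtension = @('.vbk', '.vib', '.vrb', '.vsb', '.vlb')
}

function ConvertTo-CompareKey {
    # Normalise case, trailing backslash and leading dot so that
    # "D:\Backups" matches "D:\Backups\" and "vbk" matches ".vbk".
    param([string]$Value)
    $Value.Trim().TrimEnd('\').TrimStart('.').ToLowerInvariant()
}

function Compare-DefenderExclusions {
    param($Expected, $Preference)
    foreach ($kind in $Expected.Keys) {
        $want     = @($Expected[$kind])
        $have     = @($Preference.$kind | Where-Object { $_ })   # $null when none set
        $wantKeys = @($want | ForEach-Object { ConvertTo-CompareKey $_ })
        $haveKeys = @($have | ForEach-Object { ConvertTo-CompareKey $_ })
        [pscustomobject]@{
            Kind       = $kind
            Missing    = @($want | Where-Object { (ConvertTo-CompareKey $_) -notin $haveKeys })
            Unexpected = @($have | Where-Object { (ConvertTo-CompareKey $_) -notin $wantKeys })
        }
    }
}

# Empty Missing and Unexpected lists for all three kinds means the BDR
# matches the standard in this section.
Compare-DefenderExclusions -Expected $expected -Preference (Get-MpPreference) |
    Format-List
```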

10. Handoff to Daily Operations

Deployment is not complete until the BDR is integrated into DTC's monitoring workflow.

| Handoff Task | Owner | Status |
|---|---|---|
| Confirm alerts are routing to HALO | T2/T3 (deployer) | |
| Add client to VSPC monitoring rotation | T2 (deployer) + T1 (daily ops) | |
| Brief T1 on new client's backup jobs (job names, schedule, any special considerations) | T2/T3 (deployer) | |
| Add to weekly backup review rotation | T2 | |
| Update the client's HALO recurring BDR-MSP invoice line item if not already present | Account Manager | |

Reference: Daily Operations & Verification SOP (page 1093) for the monitoring procedures this deployment feeds into.

11. Deployment Timeline — What to Expect

For field planning and maintenance window scheduling:

| Phase | Estimated Time | Notes |
|---|---|---|
| Physical hardware setup | 15-30 min | Unbox, rack/place, cable, power on |
| Windows 11 configuration | 30-45 min | OOBE, static IP, updates, reboots |
| Veeam installation | 20-30 min | Including SQL Express |
| Post-install configuration (repos, traffic rules, notifications) | 15-20 min | |
| Managed server registration | 10-30 min | Longer if troubleshooting firewall/credentials |
| Backup job configuration | 15-20 min | Per Standards page |
| S3 repository setup + copy job | 15-20 min | Initial copy runs in background |
| First server backup run | 30-120 min | Depends on data size — can run unattended |
| Validation and documentation | 20-30 min | |
| Total on-site time | 3-5 hours | Excludes initial backup completion |

Plan for a 4-hour maintenance window minimum. The first full backup will likely complete after you leave — monitor remotely via VSPC. The S3 initial copy may take 12-24+ hours depending on data volume and upload bandwidth.

12. Document Control

| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | March 2026 | IT Support Engineering | Initial release. Covers Equus BDR hardware setup, Windows 11 configuration, Veeam B&R 13.x installation, managed server registration, backup job configuration checklists, S3 offsite setup, Defender exclusions, and deployment validation. |
| 1.1 | March 2026 | IT Support Engineering | Removed Section 8 (VSPC Registration) — no longer required. Renumbered subsequent sections. |
| 1.2 | April 2026 | Scott Leister (Security & Compliance Engineering) | Added Advanced Job Settings standards to checklists in Sections 6.1, 6.2, and 6.4 (synthetic full backups disabled, backup files health check enabled, backup file encryption enabled with password stored in IT Glue; replica traffic encryption and multiple upload streams for replication). Added validation items #13 (encryption password in IT Glue) and #14 (test restore from encrypted backup) to Section 8. Aligns with Veeam B&R Standards page 1004 v1.2. |


Confidential — Internal Use Only