Rubrik CDM v5.0 User Guide 755-0086-01 Reva6 PDF

Rubrik CDM User Guide
Version 5.0
755-0086-01 Rev A6
Rubrik Headquarters: Palo Alto, California 94304

1-844-4RUBRIK www.rubrik.com
Rubrik CDM Version 5.0 User Guide - Copyright © 2015-2019 Rubrik Inc.
All rights reserved. This document may be used free of charge. Selling without prior written consent is prohib-
ited. Obtain permission before redistributing. In all cases, this copyright notice and disclaimer must remain
intact.
Published February, 2019
THE CONTENTS OF THIS DOCUMENT ARE PROVIDED "AS IS," AND COPYRIGHT HOLDERS MAKE NO
REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, OR
TITLE; THAT THE CONTENTS OF THE DOCUMENT ARE SUITABLE FOR ANY PURPOSE; THAT THE
IMPLEMENTATION OF SUCH CONTENTS WILL NOT INFRINGE ANY THIRD PARTY PATENTS, COPYRIGHTS,
TRADEMARKS OR OTHER RIGHTS.
COPYRIGHT HOLDERS WILL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL OR CONSEQUENTIAL
DAMAGES ARISING OUT OF ANY USE OF THE DOCUMENT OR THE PERFORMANCE OR IMPLEMENTATION OF
THE CONTENTS THEREOF.
Registered in the U.S. Trademark Office

Rubrik, the Rubrik graphic, Rubrik Polaris, Polaris GPS, Polaris Radar, Rubrik Envision, Rubrik Edge, and Datos
IO are trademarks or registered trademarks of Rubrik, Inc. in the U.S. and/or other countries. All other
trademarks are the property of their respective owners.
Rubrik CDM Version 5.0 User Guide 2

Contents
Tables 33
Figures 38
Examples 39
Preface 40
Document purpose ............................................................................................ 40
Revision history ................................................................................................ 40
Support ............................................................................................................ 44
Related documentation ..................................................................................... 45
Comments and suggestions ............................................................................... 45
Product ............................................................................................................ 45
Product documentation ..................................................................................... 45
Chapter 1 Configuration 46
Logging in to the Rubrik CDM web UI ....................................................................... 47
Logging in with a local account .......................................................................... 47
Logging in with an LDAP account ....................................................................... 48
Settings menu ........................................................................................................ 48
Opening the Settings menu ............................................................................... 48
Settings and tasks available through the Settings menu ....................................... 49
Adaptive Backup ..................................................................................................... 51
On-demand snapshots ...................................................................................... 52
Limit types ....................................................................................................... 52
Enabling Adaptive Backup settings ..................................................................... 53
Configuring IPMI .................................................................................................... 53
Configuring iSCSI .................................................................................................... 54
Notification settings ................................................................................................ 56
Rubrik MIB file .................................................................................................. 57

Configuring outgoing email settings ................................................................... 58
Modifying the outgoing email settings ................................................................ 59
Deleting the outgoing email settings .................................................................. 59
Enabling polling via SNMP ................................................................................. 60
Adding trap receivers ........................................................................................ 61
Downloading the Rubrik MIB file ........................................................................ 61
Configuring email settings for notifications ......................................................... 62
Manage hosts ......................................................................................................... 63
Adding a physical host ...................................................................................... 63
Editing a physical host ...................................................................................... 64
Removing a physical host .................................................................................. 64
Manage storage arrays ........................................................................................... 65
Adding a storage array ...................................................................................... 65
Editing a storage array ...................................................................................... 66
Deleting a storage array .................................................................................... 66
Proxy settings ........................................................................................................ 67
Functions that use Internet access ..................................................................... 67
Proxy implementations ...................................................................................... 68
Configuring proxy server support ....................................................................... 68
Network settings .................................................................................................... 69
Providing network settings ................................................................................ 69
Editing network settings .................................................................................... 70
Network Throttling ................................................................................................. 70
Enabling and configuring replication throttling .................................................... 71
Scheduling replication throttling overrides .......................................................... 71
Enabling and configuring archival throttling ........................................................ 72
Scheduling archival throttling overrides .............................................................. 73
Guest OS settings ................................................................................................... 73
Guest OS credentials ......................................................................................... 74
Providing credentials for a Windows guest .......................................................... 75
Providing credentials for a Linux guest ............................................................... 76
Editing guest OS credentials .............................................................................. 76
Deleting guest OS credentials ............................................................................ 77

Secure SMB settings ............................................................................................... 78
Enabling Kerberos authentication for SMB shares ................................................ 79
Deleting an AD domain ..................................................................................... 79
Syslog settings ....................................................................................................... 80
Setting up syslog support .................................................................................. 80
Support bundle ...................................................................................................... 81
Creating and downloading a support bundle ....................................................... 81
Time zone setting ................................................................................................... 82
Default time zone ............................................................................................. 82
Time zone setting changes ................................................................................ 82
Setting the cluster time zone ............................................................................. 83
Security banner and classification settings ................................................................ 83
Setting the login banner text ............................................................................. 84
Setting the security classification color and text .................................................. 84
Data sources setting ............................................................................................... 85
Setting data sources ......................................................................................... 85
Opening and closing a Support tunnel ...................................................................... 85
Opening the Support tunnel .............................................................................. 86
Editing the Timeout window .............................................................................. 86
Closing the Support Tunnel ............................................................................... 87
Pause and resume protection activity ....................................................................... 87
Pausing protection activity ................................................................................. 88
Resuming protection activity .............................................................................. 88
Chapter 2 VLAN Tagging 89

Overview ............................................................................................................... 90
Trunk port requirement ..................................................................................... 90
Management Network and Data Network ........................................................... 90
Adding special network VLANs after system setup ..................................................... 92
Managing VLANs .................................................................................................... 93
Adding VLANs from the command line ............................................................... 93
Adding VLANs from the Rubrik CDM web UI ....................................................... 94
Viewing VLANs from the Rubrik CLI ................................................................... 95

Viewing VLANs through the Rubrik CDM web UI ................................................. 95
Removing a VLAN from the Rubrik CLI ............................................................... 95
Removing a VLAN from the Rubrik CDM web UI .................................................. 96
Chapter 3 User Accounts 98

Overview ............................................................................................................... 99
Authentication .................................................................................................. 99
Roles ..............................................................................................................101
Viewing the Users and Groups page ..................................................................101
Local Authentication ..............................................................................................102
Adding a local user account ..............................................................................102
Editing local user account information ...............................................................103
Changing the role of a local user account ..........................................................104
Removing a local user account .........................................................................104
LDAP authentication ..............................................................................................105
Credentials ......................................................................................................105
Servers ...........................................................................................................106
User and Group settings ...................................................................................107
Adding LDAP servers ........................................................................................108
Specifying credentials for an LDAP server ..........................................................108
Specifying servers, user settings, and group settings ..........................................109
Enabling multifactor authentication ...................................................................109
Viewing LDAP server information ......................................................................110
Deleting an LDAP server ..................................................................................110
User account and group account authorization ...................................................111
Activating a user account or group account .......................................................111
Changing the role of an LDAP account ..............................................................112
Deactivating a user account or group account ...................................................113
Privileges for End User accounts .............................................................................114
Inheritance of privileges ...................................................................................115
End User ability to overwrite original data during restores ..................................116
Assigning virtual machines, folders, and clusters to an End User account .............116
Assigning SQL Server databases to an End User account ....................................117

Assigning Linux and Unix hosts and host filesets to an End User account .............118
Assigning Windows hosts and host filesets to an End User account .....................119
Assigning NAS hosts to an End User account .....................................................120
Multifactor authentication .......................................................................................120
Multifactor authentication with RSA SecurID ......................................................121
Configuring an RSA Authentication Manager connection .....................................121
Configuring an RSA Cloud Authentication Service connection ..............................122
API tokens ............................................................................................................123
Generating an API token ..................................................................................123
Deleting an API token ......................................................................................124
Chapter 4 Multitenant Organizations 125

Overview ..............................................................................................................126
Tenant organizations and reports ......................................................................126
Tenant organizations and SLA Domains .............................................................127
Tenant organizations and Active Directory domains ............................................127
Tenant organizations and users ........................................................................127
Multitenancy and Rubrik Envoy .........................................................................127
Rubrik Envoy Configuration Workflow ...............................................................128
Create a new tenant organization ...........................................................................129
Naming the organization and adding users or AD groups ....................................129
Protecting objects in an organization .................................................................131
Assigning protection resources to a tenant organization .....................................131
Configuring Rubrik Envoy .................................................................................132
Connecting Rubrik Envoy .................................................................................134
Modifying an existing tenant organization ................................................................135
Deleting a tenant organization ................................................................................136
Effects of deleting a tenant organization ............................................................136
Chapter 5 Protection Policies 137

SLA Domain overview ............................................................................................138
Default SLA Domains .............................................................................................139
Custom SLA Domains .............................................................................................140

Service Level Agreement ..................................................................................140
Base Frequency ...............................................................................................142
Local retention period ......................................................................................142
SLA Domain name ...........................................................................................142
Creating a custom SLA Domain .........................................................................143
Snapshot window ..................................................................................................146
Configuring a snapshot window ........................................................................146
First full backup .....................................................................................................147
Configuring a first full time ...............................................................................148
SLA Domain changes .............................................................................................149
Editing an SLA Domain .....................................................................................149
Base Frequency changes ..................................................................................149
Base Frequency increased ................................................................................150
Base Frequency decreased ...............................................................................150
Retention Changes ..........................................................................................151
Snapshot retention period increased .................................................................151
Snapshot retention decreased ..........................................................................152
Impact of retention changes on archival policy and replication policy ...................152
Snapshot window changes ...............................................................................152
Take first full changes ......................................................................................153
Delete an SLA Domain ...........................................................................................153
Deleting an SLA Domain ...................................................................................153
Local SLA Domain management .............................................................................154
Viewing all local SLA Domains ..........................................................................154
Information on the Local SLA Domains page ......................................................154
Searching for a local SLA Domain .....................................................................155
Local SLA Domain page .........................................................................................155
Viewing a local SLA Domain page .....................................................................155
Information provided for a local SLA Domain .....................................................156
Chapter 6 Replication 158

Replication overview ..............................................................................................159
Replication policy workflow ..............................................................................159

Replication target setup .........................................................................................160
Replication using NAT ......................................................................................160
Address mapping .............................................................................................163
Setting up replication using NAT .......................................................................164
Replication using a private network ...................................................................165
Setting up replication using a private network ....................................................165
Removing a replication target ...........................................................................166
Replication policy ...................................................................................................166
Configuring replication policy for an SLA Domain ...............................................167
Replication policy changes ......................................................................................168
Replication policy disabled ................................................................................168
Replication policy re-enabled ............................................................................169
Replication retention period increased ...............................................................169
Replication retention period decreased ..............................................................169
Manage Replications page ......................................................................................170
Viewing the Manage Replication page ...............................................................170
For Replication section .....................................................................................170
Replication Clusters section ..............................................................................170
Replication monitoring and reporting ......................................................................171
Replication tasks in the Activity Log ..................................................................171
Replication tasks in the Protection Tasks Summary report ..................................172
Remote SLA Domains ............................................................................................172
Viewing all remote SLA Domains .......................................................................172
Information on the Remote SLA Domains page ..................................................172
Searching for a remote SLA Domain ..................................................................173
Individual remote SLA domain pages ................................................................173
Viewing the page of a remote SLA Domain ........................................................173
Information provided for a remote SLA Domain .................................................173
Remote data sources .............................................................................................175
Viewing a remote data source page ..................................................................175
Snapshots card or Recovery Points card ............................................................176
Working with a replica .....................................................................................177

Chapter 7 Archiving 179
Overview ..............................................................................................................180
Archival data security .......................................................................................180
Archival location encryption keys ......................................................................181
Archival workflow ............................................................................................181
Upload of a full archival snapshot .....................................................................182
Multiple archival locations ................................................................................183
Archival bucket exclusivity ................................................................................183
Archival policy .......................................................................................................183
Instant Archive ................................................................................................184
Configuring archival policy for an SLA Domain without Instant Archive ................184
Configuring archival policy for an SLA Domain with Instant Archive .....................186
Archival policy changes ..........................................................................................187
Archival policy disabled ....................................................................................188
Archival policy re-enabled ................................................................................188
Retention on Brik period increased ....................................................................188
Retention on Brik period decreased ...................................................................188
Maximum Retention Period increased ................................................................189
Maximum Retention Period decreased ...............................................................189
Archival Locations page .........................................................................................189
Viewing the Archival Locations page .................................................................189
For Active Archive section ...............................................................................189
Archival Locations section ................................................................................190
Archival location configuration ................................................................................190
Archival location display name ..........................................................................191
Amazon S3 ...........................................................................................................191
Adding an Amazon S3 archival location .............................................................192
Editing the Amazon S3 Archive Location Configuration or Settings .......................194
Amazon Glacier .....................................................................................................196
Amazon Glacier as an Archival Target ...............................................................197
Glacier upload operations .................................................................................197
Glacier retrieval/download operations ...............................................................198

Glacier Vault Lock operations ............................................................................198
Adding Amazon Glacier as an archival location ...................................................199
Google Cloud Platform ...........................................................................................201
Google Cloud Platform as an Archival Target .....................................................201
Adding Google Cloud Platform as an archival location .........................................202
Microsoft Azure .....................................................................................................204
Adding Microsoft Azure as an archival location ...................................................204
Editing the Microsoft Azure account name and account key ................................206
Object storage system ...........................................................................................209
Host Name value .............................................................................................209
Adding an object storage system as an archival location .....................................210
Editing the object storage system access key and secret key ..............................212
NFS share .............................................................................................................213
Adding an NFS archival location ........................................................................213
Editing an NFS archival location ........................................................................215
QStar tape archive .................................................................................................216
Shared Integral Volume set ..............................................................................216
QStar Host Name value ....................................................................................216
Adding a QStar tape archive as an archival location ...........................................217
Editing the tape archival location ......................................................................218
Reader-writer archival model ..................................................................................219
Creating a reader archival location ....................................................................220
Refreshing a reader archival location .................................................................220
Promoting a reader archival location to an owner archival location ......................221
Pausing an archive ..........................................................................................222
Resuming a paused archive ..............................................................................222
Disaster recovery using an archival location .............................................................223
Source vCenters available for recovery ..............................................................223
Source vCenters unavailable for recovery ..........................................................224
Connecting an Amazon S3 archival location for disaster recovery ........................224
Connecting an Amazon Glacier archival location for disaster recovery ..................225
Connecting a Google Cloud Platform archival location for disaster recovery ..........227
Connecting a Microsoft Azure archival location for disaster recovery ....................228

Connecting an object storage system archival location for disaster recovery ........230
Connecting an NFS archival location for disaster recovery ...................................231
Connecting a tape archival location for disaster recovery ....................................233
Tests for disaster recovery using an archival location ...............................................234
Cascading archival .................................................................................................235
Data retention settings .....................................................................................235
Potential retention issue ...................................................................................236
Using cascading archival ..................................................................................237
Archival consolidation ............................................................................................238
Archival consolidation for AWS S3 and Azure .....................................................239
Archival consolidation for NFS and S3 Compatible Object Stores .........................239
Enabling archival consolidation .........................................................................239
Archival location proxy ...........................................................................................240
Configuring an S3 archival location proxy ..........................................................240
Configuring an Azure archival location proxy ......................................................241
Archival lifecycle best practices ...............................................................................243
Archival location removal .......................................................................................243
Disconnecting an archival location ....................................................................244
Deleting an archival location .............................................................................245
Chapter 8 Hyper-V Virtual Machines 246

Overview ..............................................................................................................247
Virtual machine protection .....................................................................................247
Automatic protection .......................................................................................248
Rubrik Backup Service software for SCVMM .............................................................248
Prerequisites ...................................................................................................249
Obtaining the Rubrik Backup Service software through the Rubrik CDM web UI ...249
Obtaining the Rubrik Backup Service software by URL ........................................249
Installing the Rubrik Backup Service software on a SCVMM host .........................250
Removing the Rubrik Backup Service from a Windows host ................................251
Hyper-V host management ...............................................................................251
Adding a Windows host ....................................................................................252
Hyper-V host configuration ...............................................................................252

Rubrik Backup Service software for non SCVMM ......................................................253
Prerequisites ...................................................................................................253
Account used to run the Rubrik Backup Service on a Windows host .....................254
Installing the Rubrik Backup Service software on a Windows host .......................255
Hyper-V host management ...............................................................................256
Adding a Windows host ....................................................................................257
Hyper-V host configuration ...............................................................................257
SLA Domain assignment .........................................................................................258
Assigning an SLA Domain setting to a virtual machine ........................................258
Assigning an SLA Domain setting to a Hyper-V cluster or server ..........................259
Manage Protection options ...............................................................................260
Removing an SLA Domain setting .....................................................................261
Finding protection objects ......................................................................................262
Displaying all discovered virtual machines .........................................................262
Displaying unprotected virtual machines from the Dashboard .............................262
Displaying unprotected virtual machines from the Hyper-V VMs page ..................262
Sorting virtual machines by using the SLA filter ..................................................263
Finding virtual machines by using the Search field .............................................263
Finding entities by using the object tab .............................................................263
Selecting data sources .....................................................................................264
Protected warning ...........................................................................................264
Protection consequences ........................................................................................265
Protecting a new virtual machine ......................................................................265
Changing the assigned SLA Domain ..................................................................266
Removing protection from a virtual machine ......................................................266
Re-protecting a virtual machine ........................................................................266
Local host page .....................................................................................................267
Viewing a local host page .................................................................................267
Action bar .......................................................................................................268
Overview card .................................................................................................268

Snapshots card ................................................................................................269
Information available on the day view for a local virtual machine ........................270
Actions available on the day view for a local virtual machine ...............................270
Virtual machine snapshots ......................................................................................272
Performance and scalability ..............................................................................272
Back up processes ...........................................................................................273
Snapshot window ............................................................................................273
Protection exceptions .......................................................................................274
Backup consistency levels ................................................................................274
Application consistency ....................................................................................274
Linux guest OS ................................................................................................274
On-demand snapshots .....................................................................................274
Creating an on-demand snapshot .....................................................................275
Archival snapshots .................................................................................................275
Archival location storage ..................................................................................275
Retention ........................................................................................................275
Recovery and restore of virtual machine data ..........................................................276
Recovery of virtual machines ..................................................................................276
Selecting a snapshot or an archival snapshot .....................................................277
Selecting a replica ...........................................................................................278
Virtual machine recovery ..................................................................................279
Live migration .................................................................................................279
Performing an Instant Recovery ........................................................................279
Performing a Live Mount ..................................................................................280
Performing an Export .......................................................................................281
Powering off after Instant Recovery or Live Mount .............................................282
Unmounting after Instant Recovery or Live Mount .............................................282
Removing a virtual machine entry after live migration ........................................283
Recovery of folders and files ..................................................................................284
Searching for a file or folder .............................................................................284
Browsing for a file or folder ..............................................................................285
Restore files and folders directly to a guest file system .......................................285
Restoring files and folders directly to a guest file system ....................................286

Restore files and folders by download ...............................................................288
Restoring files or folders by download from notification message ........................288
Restoring files or folders by download from Activity Detail ..................................289
Configuring Chrome to ask for download location ..............................................289
Unmanaged data ...................................................................................................290
Chapter 9 AHV Virtual Machines 291

Overview ..............................................................................................................292
Nutanix cluster management ..................................................................................293
Prerequisites .........................................................................................................293
Nutanix limitations .................................................................................................294
Configuring Nutanix support ...................................................................................294
Installing the Rubrik Backup Service .......................................................................295
RBS on a Windows guest .................................................................................295
Obtaining the RBS software through the Rubrik CDM web UI ..............................295
Obtaining the RBS software by URL ..................................................................296
Account used to run the RBS on a Windows host ...............................................296
Installing the RBS software on a Windows guest ................................................297
Registering a guest ..........................................................................................298
Removing the RBS from a Windows host ...........................................................298
Automatic protection rules ...............................................................................299
Unprotected virtual machines ...........................................................................300
Assigning an SLA Domain setting to a Nutanix cluster ........................................301
Displaying unprotected virtual machines from the AHV VMs page ........................304

Protected warning ...........................................................................................306
Local host page .....................................................................................................309
Viewing a local virtual machine page .................................................................309
Action bar .......................................................................................................309
Overview card .................................................................................................310
Snapshots card ................................................................................................310
Virtual machine snapshots ......................................................................................313
Performance and scalability ..............................................................................313
Snapshot window ............................................................................................315
VSS Consistency ..............................................................................................316
Configuring snapshot consistency .....................................................................316
On-demand snapshots .....................................................................................317
Archival snapshots .................................................................................................318
Archival location storage ..................................................................................318
Retention ........................................................................................................318
Recovery and restore of virtual machine data ..........................................................318

Recovery of folders and files ..................................................................................321
Unmanaged data ...................................................................................................327
Chapter 10 vSphere Virtual Machines 328

Overview ..............................................................................................................329
Unprotected virtual machines ...........................................................................331
Virtual machine linking .....................................................................................331
Manage vCenters ...................................................................................................332
vCenter Server privilege requirements ...............................................................333
Adding vCenter Server connection information ...................................................333
Refreshing the metadata provided by a vCenter Server ......................................334
Editing vCenter Server connection information ...................................................334
Deleting vCenter Server connection information .................................................335
Assigning an SLA Domain setting to a vCenter Server folder ...............................337
Assigning an SLA Domain setting to a vCenter Server cluster or host ...................338
Resolving SLA conflicts .....................................................................................340

Virtual machine scripts ...........................................................................................341
Enabling scripts ...............................................................................................342
Storage array integration .......................................................................................343
Datastore requirements for storage array integration .........................................344
Enabling storage array integration for a virtual machine .....................................344
Disabling storage array integration ...................................................................345
Exclude VMDK files ................................................................................................345
Excluding VMDK files of a virtual machine .........................................................346
Displaying unprotected virtual machines from the VM Protection page .................347
Warning messages ..........................................................................................349
Assignment Conflicts ........................................................................................349
Protected VMs warning ....................................................................................350
VMware tools warning ......................................................................................350
Local host page .....................................................................................................353
Viewing a local host page .................................................................................353
Action bar .......................................................................................................353
Overview card .................................................................................................355
Snapshots card ................................................................................................356

Snapshots .............................................................................................................359
Snapshot window ............................................................................................360
Protection exceptions .......................................................................................360
VMware Tools version ......................................................................................362
Specifying crash consistent backups ..................................................................363
Linux guest ...........................................................................................................363
Windows guest ......................................................................................................364
RBS on a Windows guest .................................................................................364
Automatically deploying the RBS .......................................................................365
Obtaining the RBS software through the Rubrik CDM web UI ..............................366
Obtaining the RBS software by URL ..................................................................366
Account used to run the RBS on a Windows host ...............................................367
Installing the RBS software on a Windows guest ................................................367
Registering a guest ..........................................................................................368
Removing the RBS from a Windows host ...........................................................368
Preserving Windows access control list values ....................................................369
On-demand snapshots ...........................................................................................370
Recovering and restoring virtual machine data .........................................................371
Live migration .................................................................................................374
Virtual raw disk mappings ................................................................................374
Performing an Instant Recovery ........................................................................375
Creating a Live Mount of a virtual machine snapshot ..........................................376
Creating a Live Mount of a virtual disk snapshot ................................................377
IP address selection for Live Mounts .................................................................378

Exporting to a standalone host .........................................................................380
Powering off after Instant Recovery or Live Mount .............................................381
Unmounting after Instant Recovery or Live Mount .............................................382
Removing a virtual machine entry after live migration ........................................383
File and folder restore ............................................................................................383
Unmanaged data ...................................................................................................389
Chapter 11 vCloud Director vApps 390

Overview ..............................................................................................................391
Protection and management features ................................................................391
Metadata protection .........................................................................................393
Limitations ......................................................................................................393
Multitenancy and RBAC ....................................................................................393
Protection hierarchy ...............................................................................................394
Interaction with vSphere protection hierarchy ....................................................395
Migration from virtual machine level protection ..................................................395
vCloud Director instances .......................................................................................396
Adding a vCloud Director instance .....................................................................396
Refreshing vCloud Director instances ................................................................397
Editing a vCloud Director instance .....................................................................398
Deleting a vCloud Director instance ...................................................................398
vApp management ................................................................................................399
Finding a vApp through global search ...............................................................399
Finding a vApp through vApp search .................................................................400
Finding a vApp through the vCD Organizations view ...........................................400

Opening the local page for a vApp ....................................................................400
Enabling synchronization ..................................................................................401
Excluding a virtual machine ..............................................................................401
Including an excluded virtual machine ...............................................................402
Performing tasks with a vApp virtual machine ....................................................402
Protecting a vApp through the vCloud Director hierarchy ....................................403
Protecting a vApp through the vApps tab ..........................................................404
Protecting a vApp through the local page ..........................................................404
Taking an on-demand snapshot of a vApp .........................................................405
Recovery and restore of vApp data .........................................................................405
Recovery workflow ..........................................................................................406
Performing an Instant Recovery of a full vApp ...................................................407
Performing an Instant Recovery of a partial vApp ..............................................408
Exporting a full vApp .......................................................................................409
Exporting a partial vApp ...................................................................................410
Recovering folders and files for download ..........................................................411
Recovering folders and files to overwrite originals ..............................................413
Recovering folders and files to a new location ....................................................414
Chapter 12 CloudOn for AWS 416

Overview ..............................................................................................................417
Prerequisites ...................................................................................................417
AWS AMI tags .................................................................................................420
Configuration and setup workflow ...........................................................................422
Permissions ...........................................................................................................422
Creating an S3 bucket for archiving and cloud instantiation ................................423
Creating a security policy for AWS CloudOn .......................................................423
Creating a user account with access to the bucket .............................................428
VM Import service role ...........................................................................................429
Security group .......................................................................................................429
Security group requirements ............................................................................430
Creating a security group for AWS CloudOn .......................................................430
Configuring S3 Endpoints .................................................................................431

Cloud conversion settings .......................................................................................431
Incremental snapshot conversion ......................................................................432
Configuring cloud conversion ............................................................................433
Cloud instance management ..................................................................................435
Instantiating a virtual machine on the cloud ......................................................435
Powering off a cloud instance ...........................................................................436
Removing entry ...............................................................................................437
Launching AMIs ...............................................................................................437
Removing cloud instances ................................................................................437
Removing AMIs ...............................................................................................438
Chapter 13 CloudOn for Azure 439

Azure CloudOn overview ........................................................................................440
Prerequisites ...................................................................................................440
Azure CloudOn configuration and setup workflow ....................................................444
Downloading the Rubrik Cloud-On for Azure zip file ..................................................444
Setting up and configuring the PowerShell in Cloud Shell ..........................................445
Configuring Azure Objects ......................................................................................446
Configuring the subnet ..........................................................................................447
Setting up permissions on Azure .............................................................................448
Creating a custom role .....................................................................................450
Adding an Azure CloudOn configuration ..................................................................453
Editing a location to add Azure CloudOn ..................................................................453
Configuring cloud conversion ............................................................................455
Cloud instance management ..................................................................................457
Instantiating a virtual machine on the cloud using managed snapshots ...............457
Instantiating a virtual machine on the cloud using VHDs .....................................458
Powering off a cloud instance ...........................................................................460
Terminating cloud instances .............................................................................460
Removing entry ...............................................................................................460
Launching virtual machines images ...................................................................461
Removing VHDs ..............................................................................................461

Creating a resource group ................................................................................462
Removing a resource group ..............................................................................463
Chapter 14 Amazon EC2 Instance Backup 464

Overview ..............................................................................................................465
Amazon EC2 instance protection .............................................................................465
Configuring an AWS account and user .....................................................................467
Configuring the AWS account security policy ......................................................467
Configuring the Rubrik CDM user ......................................................................469
Adding an AWS account .........................................................................................470
Managing an existing AWS account .........................................................................472
Assigning an SLA to an Amazon EC2 instance ..........................................................473
Excluding EBS volumes ..........................................................................................473
Excluding EBS volumes from the protection assigned to an instance ....................473
Taking an on-demand snapshot ..............................................................................474
Restoring Amazon EC2 instance snapshots ..............................................................475
Downloading files or folders from snapshots ............................................................476
Chapter 15 File Systems 477

Overview ..............................................................................................................478
Hosts and shares combined with filesets ...........................................................479
Protection work flow for host filesets .................................................................479
Protection work flow for storage array filesets ...................................................479
Protection work flow for share filesets ...............................................................479
File system metadata .......................................................................................480
Symbolic links and junctions .............................................................................480
Open files .......................................................................................................481
Direct Archive ..................................................................................................481
Rubrik Backup Service software ..............................................................................481

Installing the Rubrik Backup Service software on a Linux or Unix host .................484
Account used to run the Rubrik Backup Service on a Windows host .....................485
Installing the Rubrik Backup Service software on a Windows host .......................485
Removing the Rubrik Backup Service from a Linux or Unix host ..........................486
Removing the Rubrik Backup Service from a Solaris host ....................................487
Host management .................................................................................................488
Adding a host ..................................................................................................489
Editing the stored information for a host ...........................................................489
Removing a host .............................................................................................490
NAS host management ..........................................................................................491
Required Isilon privileges .................................................................................491
Adding a NAS host ...........................................................................................492
Editing the stored information for a NAS host ....................................................493
Removing a NAS host ......................................................................................494
Filesets .................................................................................................................494
Fileset fields, rules, and value types ..................................................................494
Creating a fileset .............................................................................................499
Editing a fileset ...............................................................................................500
Deleting a fileset from a host or share ...............................................................501
Deleting a fileset globally .................................................................................502
Host filesets and share filesets ...............................................................................503
Protecting a host fileset or share fileset .............................................................503
Starting an on-demand backup of a host fileset or share fileset ...........................504
Removing protection for a host fileset or share fileset ........................................505
Storage array integration .......................................................................................506
Adding an array-enabled fileset ........................................................................506
Backup scripts for Linux, Unix, or Windows hosts .....................................................507
Configure backup script behavior ......................................................................507
Enabling host scripts ........................................................................................508
Local host pages and local share pages ...................................................................509
Viewing the local page .....................................................................................509
Viewing a fileset page ......................................................................................510

Overview card in the local view ........................................................................510
Filesets card ....................................................................................................511
Snapshots card ................................................................................................511
Overview card in a fileset view .........................................................................512
Data recovery from a host fileset or share fileset .....................................................513
Searching for a file, a folder, or a fileset ............................................................513
Browsing for a file, a folder, or a fileset .............................................................514
Restoring a file, a folder, or a fileset .................................................................515
Export path .....................................................................................................516
Showing hidden files on Windows hosts ............................................................518
Exporting a file, a folder, or a fileset .................................................................519
Downloading files or a folder from a fileset snapshot ..........................................519
Full Volume Protection for Windows ........................................................................520
Protecting Windows volumes ............................................................................521
Installing the Rubrik Volume Filter Driver on a Windows host ..............................522
Taking an on-demand backup of a volume group ...............................................522
Restoring a Windows volume ............................................................................523
Live mounting a volume group on a host with Windows and the RBS installed .....523
Downloading the Windows recovery tools ..........................................................524
Restoring the volume group on a host with Windows installed without RBS .........525
Restoring the volume group on a host without Windows ....................................526
Unmanaged data ...................................................................................................528
Chapter 16 Oracle Databases 529

Overview ..............................................................................................................530
Requirements ..................................................................................................531
Migrating from Managed Volumes .....................................................................532
Upgrading to Oracle 12c database ....................................................................532
Auto-discovery of Oracle databases ..................................................................532
SLA Domain managed protection ......................................................................534
Backups of databases and logs .........................................................................534
Database backup .............................................................................................535
Archived redo log backup .................................................................................535

Point-in-time recovery of Oracle databases ........................................................536
Replication and archival ...................................................................................536
Expiry of database and archived redo log backups .............................................537
Live mount of Oracle databases ........................................................................537
Export of Oracle databases ...............................................................................538
Tablespace recovery ........................................................................................539
Instant recovery of Oracle database ..................................................................540
RMAN channels ...............................................................................................541
Configuration workflow ..........................................................................................542
Adding Oracle hosts and discovering Oracle databases .......................................542
Assigning an SLA Domain to a host or database .................................................543
Assigning RMAN channels to nodes ...................................................................544
Backing up databases ......................................................................................545
Backing up logs ...............................................................................................546
Exporting databases ........................................................................................547
Exporting tablespaces ......................................................................................548
Live mounting an Oracle database ....................................................................549
Performing an instant recovery .........................................................................552
Chapter 17 SQL Server Databases 553

Overview ..............................................................................................................554
Point in time recovery ......................................................................................555
Live Mount ......................................................................................................556
Requirements ..................................................................................................556
Supported SQL Server cross version exports ......................................................557
Rubrik Backup Service software ..............................................................................557
Account used to run the Rubrik Backup Service .................................................557
SQL Server role and permissions requirements ..................................................558
Obtaining the Rubrik Backup Service software ...................................................560
Installing the Rubrik Backup Service software ....................................................561
Windows Server hosts ............................................................................................562

Adding a Windows Server host .........................................................................562
Removing a Windows Server host .....................................................................563
SQL Server databases ............................................................................................564
Setting the default log backup frequency ...........................................................564
Managing and protecting databases through a parent object ..............................565
Managing and protecting individual databases ...................................................566
Removing an SLA Domain assignment ...............................................................567
Creating a group on demand snapshot task .......................................................569
Creating a tail-log backup ................................................................................570
SQL Change Block Tracking ....................................................................................570
Configuring default CBT settings .......................................................................571
Enabling or disabling CBT on a Windows host ....................................................571
Recovery Points card page .....................................................................................572
Overview card .................................................................................................572
Recovery Points card .......................................................................................573
Database recovery .................................................................................................573
Recovering a database .....................................................................................574
Live mounting a SQL Server database ...............................................................575
Force Unmount ...............................................................................................577
Unmounting a Live Mount database ..................................................................577
Exporting a database .......................................................................................578
Windows Server Failover Clustering ........................................................................580
Automatic detection and display .......................................................................580
Failover events ................................................................................................580
Adding failover clusters ....................................................................................581
Viewing failover clusters and databases .............................................................582
Managing and protecting FCI databases through a parent object ........................582
Managing and protecting individual FCI databases .............................................584
Removing an SLA Domain assignment ...............................................................585
Recover or export from FCI database recovery points ........................................586
Always On Availability Groups .................................................................................587

Exporting or restoring an availability database recovery point .............................588
Workflow to restore a database into an Always On Availability Group ..................589
Unmanaged data ...................................................................................................589
Chapter 18 SAP HANA Databases 590

Overview ..............................................................................................................591
SAP HANA backup retention ...................................................................................591
Rubrik Backup Service ...........................................................................................592
Obtaining the Rubrik Backup Service software ...................................................592
Installing the Rubrik Backup Service software ....................................................593
Requirements for using sap_hana_bootstrap_main ..................................................594
Registering SAP HANA database .............................................................................595
Configuring Rubrik backup for SAP HANA databases ................................................596
Deleting the Rubrik Backup Service software ...........................................................597
Backing up a SAP HANA database ...........................................................................598
Viewing the backup catalog ..............................................................................598
Restoring a SAP HANA database .............................................................................599
Copying a database from an external host ...............................................................600
Restoring a database from a managed volume snapshot ..........................................601
Pausing Backint backups ........................................................................................603
Resuming Backint backups .....................................................................................603
Chapter 19 Managed Volumes 605

Overview ..............................................................................................................606
Configuration workflow ....................................................................................606
Floating IP addresses .............................................................................................606
Setting up floating IP addresses .......................................................................607
Creating a managed volume ...................................................................................608
Editing a managed volume .....................................................................................610
Deleting a managed volume ...................................................................................611
Managing protection with SLA Domains ...................................................................612
Assigning a managed volume to an SLA Domain ................................................612

Snapshot-level protection .......................................................................................613
Specifying managed volume snapshot assignment .............................................613
Live mounting a managed volume snapshot ......................................................614
Deleting an unmanaged on-demand snapshot ...................................................615
Creating user accounts for managed volumes ..........................................................615
The managed volume local page ............................................................................617
Viewing a managed volume local page ..............................................................617
Action bar .......................................................................................................618
Overview card .................................................................................................618
Snapshots card ................................................................................................619
Chapter 20 Retention Management 620

Overview ..............................................................................................................621
Snapshot Retention page .......................................................................................622
Opening the Snapshot Retention page ..............................................................622
Information available at the data source level of the Snapshot Retention page .....622
Filters available at the data source level of the Snapshot Retention page .............624
Viewing the object level of the Snapshot Retention page ....................................624
Information available at the object level of the Snapshot Retention page .............624
Filters available at the object level of the Snapshot Retention page .....................625
Relic data sources ...........................................................................................626
Working with a data source ....................................................................................627
Unprotecting a data source ....................................................................................628
Changing the retention policy on an on-demand snapshot ........................................628
Changing the retention policy on a scheduled snapshot ............................................629
Deleting snapshots for a data source ......................................................................629
Removing individual snapshots for a data source .....................................................630
Removing retrieved content for a database .............................................................630
Chapter 21 Reports 632

Overview ..............................................................................................................633
Default reports and the Summary view .............................................................633
Viewing summary information from a default report ...........................................634

Displaying a report ..........................................................................................634
Creating a custom report .................................................................................634
Report customization elements .........................................................................635
Editing an existing report .................................................................................646
Filtering and searching in a report data table .....................................................646
Exporting a report data table ............................................................................647
Scheduling a report .........................................................................................647
Changing ownership of a scheduled report email subscription .............................648
Changing a report schedule ..............................................................................649
Removing a report schedule .............................................................................649
SLA Compliance Summary report ............................................................................650
Viewing the SLA Compliance Summary report ....................................................650
Object Backup Task Summary report ......................................................................650
Viewing the Object Backup Task Summary report ..............................................650
Protection Tasks Summary report ...........................................................................651
Viewing the Protection Tasks Summary report ...................................................651
Protection Tasks Details report ...............................................................................651
Viewing the Protection Tasks Details report .......................................................651
Recovery Tasks Details report ................................................................................652
Viewing the Recovery Tasks Details report ........................................................652
Object Protection Summary report ..........................................................................652
Viewing the Object Protection Summary report ..................................................652
Capacity Over Time report .....................................................................................653
Viewing the Capacity Over Time report .............................................................653
System Capacity report ..........................................................................................653
Viewing the System Capacity report ..................................................................653
Chapter 22 System and Task Information 654

Overview ..............................................................................................................655
Data measurements .........................................................................................655
Dashboards ...........................................................................................................656
Viewing the main dashboard ............................................................................657
Information provided by the main dashboard ....................................................658

Viewing the System Overview dashboard ..........................................................659
Storage graphic ...............................................................................................660
Information provided by the System Overview dashboard ..................................660
Viewing the Nodes page and node dashboards ..................................................661
Viewing the Reports Overview dashboard ..........................................................661
Information provided by the Reports Overview dashboard ..................................661
Activity Log ...........................................................................................................663
Viewing Activity Log messages .........................................................................663
Filtering messages ...........................................................................................664
Viewing activity details .....................................................................................664
Information provided by Activity Log messages .................................................665
Activity Log filters ............................................................................................666
Specifying a custom date range ..............................................................................666
Appendix A Ports 668

All Rubrik port requirements ...................................................................................669
Additional network requirement ..............................................................................674
Rubrik cluster inbound ports ...................................................................................674
Rubrik cluster outbound ports ................................................................................676
Ports used for communication between nodes in a cluster ........................................678
Archiving ports ......................................................................................................678
Cloud ports ...........................................................................................................679
Replication port .....................................................................................................681
Appendix B Minimum vCenter Server Privileges 682

Minimum required privileges ...................................................................................683
Appendix C Archive Preparation 689

Generating an RSA key ..........................................................................................690
Preparing to use Amazon S3 as an archival location .................................................690
Creating an S3 bucket ......................................................................................690
Creating a security policy for the bucket ............................................................691
Creating a user account with access to the bucket .............................................693
Preparing to use Amazon Glacier as an archival location ...........................................694

Creating a Glacier vault ....................................................................................695
Creating a security policy for the vault ..............................................................696
Creating a user account with access to the vault ................................................697
Preparing to use GCP as an archival location ...........................................................698
Preparing Microsoft Azure as an archival location .....................................................699
Preparing Cleversafe as an archival location ............................................................700
Preparing Scality as an archival location ..................................................................703
Preparing to use an NFS share as an archival location ..............................................704
Preparing an Isilon NFS share as an archival location ...............................................705
Preparing a QStar Integral Volume as an archival location ........................................706
Determine the cache size .................................................................................706
Initial requirements .........................................................................................707
Setting up the QStar Integral Volume set ..........................................................707
Appendix D Active Directory Account 710

Overview ..............................................................................................................711
Permissions required for the initialization account ....................................................711
Delegating the permissions to the initialization account ............................................712
Confirming the delegation of permissions ................................................................713

Tables
Documentation revision history ................................................................................ 40

Settings and tasks .................................................................................................. 49
Limit types considered by Adaptive Backup settings .................................................. 52
Traps in the Rubrik MIB file ..................................................................................... 57
Required outgoing email settings ............................................................................. 58
Storage array integration requirements .................................................................... 65
Functions that require Internet access ...................................................................... 67
Network information ............................................................................................... 69
Impact of changes between two time zone settings ................................................... 83
Impact of using the pause feature ........................................................................... 87
Special network VLAN requirements ......................................................................... 91
Comparison of Local and LDAP authentication ........................................................... 99
LDAP credentials ................................................................................................... 105
User settings ........................................................................................................ 107
Group settings ...................................................................................................... 107
End User role privileges ......................................................................................... 115
Rubrik Envoy features ........................................................................................... 128
Data protection policies available through the SLA Domain feature ........................... 138
Data protection objects created by SLA Domain policies .......................................... 139
SLA rules for the default SLA Domains .................................................................... 139
Rule types in the Service Level Agreement section .................................................. 141
Rule types in the advanced Service Level Agreement section ................................... 141
Columns on the Local SLA Domains page ............................................................... 154
Information on the page for a local SLA Domain ..................................................... 156
Requirements for replication using NAT .................................................................. 163
Replication retention slider settings ........................................................................ 167
Information provided by the Replication Clusters information card ............................ 171
Columns on the Remote SLA Domains page ............................................................ 172
Information provided for a remote SLA Domain ...................................................... 173

Status colors used on the Snapshots card calendar views .........................................176
Calendar views on the Snapshots card ....................................................................177
Factors that require upload of a full archival snapshot ..............................................182
Information provided on an archival location card ....................................................190
Glacier archival parameters ....................................................................................197
Google Cloud Platform archival parameters .............................................................201
Object storage system vendor choices ....................................................................209
Archival location states ..........................................................................................219
Supported operations for archival states ..................................................................219
Data retention settings ..........................................................................................235
Archival Lifecycle Management ...............................................................................243
Options available through the Manage Protection dialog box .....................................260
Impact of SLA Domain properties on snapshots .......................................................265
Actions available from the action bar ......................................................................268
Information available on the Overview card .............................................................268
Status colors used on the calendar views ................................................................269
Additional snapshot information in the day view ......................................................270
Actions available for snapshots on the local Rubrik cluster ........................................271
Actions available for snapshots that reside on an archival location .............................272
Differences between recovery actions ....................................................................276
Recovery actions available for data protection objects ..............................................277
Nutanix limitations .................................................................................................294
Unprotected virtual machines in the Rubrik CDM web UI ..........................................300
Actions available for snapshots that reside on the local Rubrik cluster .......................313

Backup consistency levels ......................................................................................315
Unprotected virtual machines in the Rubrik CDM web UI ..........................................331
Virtual machine Pre/Post Scripts .............................................................................341
Actions available for snapshots that reside on the local Rubrik cluster .......................358
Backup consistency levels ......................................................................................360
Requirements for acquiring Windows guest ACL values ............................................369
Differences between recovery actions ....................................................................371
Recovery actions available for data protection objects ..............................................372
Protection and management features provided for vApps .........................................391
Protected vApp metadata .......................................................................................393
Limitations with vApp support ................................................................................393
Actions for vCloud Director instances ......................................................................396
Tasks available for vApps page ...............................................................................399
Recovery operations ..............................................................................................405
Network options during Instant Recovery and Export ...............................................406
Source virtual machine pre-configuration .................................................................419
Supported and unsupported virtual machine configuration ........................................419
AMI tags ...............................................................................................................420
Transient compute instance tags ............................................................................421
Transient compute properties .................................................................................433
Source virtual machine pre-configuration .................................................................443
Supported and unsupported virtual machine configuration ........................................443
Data management and protection provided for Amazon EC2 instances ......................465

Amazon EC2 Instance summary information ............................................................471
Data management and protection provided for file systems ......................................478
Metadata preserved and include in restores and exports ...........................................480
Isilon OneFS privileges ...........................................................................................491
Fileset fields common to all host types ....................................................................495
Fileset fields specific to some host types .................................................................495
Fileset description rules common to all host types ....................................................496
Fileset description rules specific to host types ..........................................................496
Value types ...........................................................................................................497
Overview card in the local view ..............................................................................510
Filesets card in the local view .................................................................................511
Overview card in a fileset view ...............................................................................512
Windows volume group recovery tools ....................................................................525
Data management provided for Oracle databases ....................................................530
System requirements for Oracle databases ..............................................................531
Oracle data source page details ..............................................................................533
Recommendations for Oracle database protection ....................................................541
Data management provided for SQL Server databases .............................................554
System requirements for SQL Server databases .......................................................556
Role requirements for the Rubrik Backup Service account .........................................558
Overview card on the Recovery Points card page .....................................................572
SQL Server database settings affecting availability group protection ..........................587
SAP HANA backup retention example ......................................................................591
Floating IP address requirements ............................................................................607
Recommendations for managed volume settings ......................................................608
Fields at the data source level on Unmanaged Snapshots .........................................623
Fields at the object level on the Snapshot Retention page ........................................624
Filters at the object level on snapshots ....................................................................625
Rubrik cluster actions for relic events ......................................................................626

Chart availability in reports .....................................................................................635
Filter availability in reports .....................................................................................636
Measure availability in reports ................................................................................637
Attribute availability in reports ................................................................................641
Table customizations available in reports .................................................................642
Information delivery methods .................................................................................655
Comparison of data prefix definitions ......................................................................656
Dashboards available through the Rubrik CDM web UI .............................................656
Information provided by the main dashboard ..........................................................658
Information provided by the system donut graph .....................................................659
Information provided by the System Overview dashboard ........................................660
Information on the Reports Overview dashboard .....................................................661
Information in the System Usage column ................................................................662
Information in the Local Overview column ...............................................................662
Information provided by Activity Log messages .......................................................665
Activity Log filters ..................................................................................................666
All required ports ...................................................................................................669
All uses of secure port 443 TCP ..............................................................................673
Rubrik cluster inbound ports ...................................................................................674
Rubrik cluster outbound ports ................................................................................676
Rubrik cluster node to node ports ...........................................................................678
Archiving ports ......................................................................................................678
Azure port requirements ........................................................................................679
AWS port requirements ..........................................................................................680
Replication ports ...................................................................................................681
Minimum vCenter Server privileges required by Rubrik .............................................683
Recommended and required export settings ............................................................704
Cache size factors ..................................................................................................706
Rubrik requirements for a QStar tape archival location .............................................707
Actions on the New Integral Volume Parameters dialog ............................................708
Permissions for the single-use initialization account ..................................................711

Figures
Create Organization wizard - Protectable Objects section ......................................... 130

Replication using NAT ........................................................................................... 162
Example of settings for NAT .................................................................................. 162
Protection hierarchy .............................................................................................. 394
Local host page for a virtual machine ..................................................................... 434
Azure Cloud Shell icon ........................................................................................... 445
PowerShell prompt in Cloud Shell window ............................................................... 446
Local host page for a virtual machine ..................................................................... 456
Domain user account in local Administrators group .................................................. 558
Assigning server-level roles and database-level roles ............................................... 559
Assigning additional permissions ............................................................................ 560
Filter By Custom Range dialog box ......................................................................... 667

Examples
Rescheduling caused by Adaptive Backup settings ..................................................... 51

Increasing Base Frequency .................................................................................... 150
Decreasing Base Frequency ................................................................................... 151
Increasing snapshot retention ................................................................................ 151
Decreasing snapshot retention ............................................................................... 152
Archival policy without Instant Archive ................................................................... 185
Archival policy with Instant Archive ........................................................................ 187
Cascading archival with early expiration of data ...................................................... 236
Assigning a protected virtual machine to another SLA Domain .................................. 266
Automatic protection rules applied ......................................................................... 330
Assigning a protected virtual machine to another SLA Domain .................................. 351
Re-protecting a virtual machine ............................................................................. 352
Creating a static route for a Live Mount .................................................................. 378
Automatic protection rules applied ......................................................................... 466
Linux or Unix fileset with Include, Exclude, and Do Not Exclude ............................... 498
Windows fileset with Include, Exclude and Do Not Exclude ...................................... 498
Exporting a file from a fileset backup of a Linux or Unix host ................................... 517
Exporting a file from a fileset backup of a Windows host ......................................... 517
Exporting a file from a fileset backup of a NAS share (SMB) ..................................... 518

Preface
Welcome to Rubrik. We appreciate your interest in our products. Rubrik is continually working to
improve its products and regularly releases revisions and new versions. Some information
provided by this guide may not apply to a particular revision or version of a product. Review the
release notes for the product to see the most up-to-date information about that product.
Document purpose
The purpose of this guide is to provide information about configuring, administering, and using
Rubrik clusters.
Revision history
Table 1 provides the revision history of this guide.
Table 1 Documentation revision history (page 1 of 5)
Revision Date Description
Rev. A0 October, 2018 Early Access release of Rubrik CDM version 5.0.
Rev. A1 October, 2018 • Added QStar port requirement to Ports.
• Added the ports required for Rubrik CloudOut and CloudOn to Ports.
• Added an additional vCenter Server privilege requirement in the
Resource category to support vCloud Director vApps, in Minimum
vCenter Server Privileges.
Rev. A2 November, 2018 • Added details on ports used by the SMB protocol for Volume Group
backups in Full Volume Protection for Windows.
• Added vCenter Server requirement to enable a Rubrik cluster to
unmount a virtual disk that is mounted during a Live Mount operation, in
Minimum vCenter Server Privileges.
• Removed port 7780 and added port 8077 to Ports.
• Documented UI additions to the system-configuration cluster settings in
Configuration.
• Added support for AIX 6.1 to File Systems.
• Temporarily excluded the User Accounts chapter to work on the
transition from Active Directory authentication to LDAP authentication.

Rev. A3 December, 2018 • Included the User Accounts chapter, along with updated information on
LDAP authentication.
• Added a note that Backup Window settings for the SLA Domain of a
virtual machine do not apply to on-demand snapshots. The note is in AHV
Virtual Machines, Hyper-V Virtual Machines, and vSphere Virtual
Machines.
• Updated Live mounting a SQL Server database with limitations on live
mounting for SQL Server databases that use file-streams or in-memory
tables.
• Added a note that instantiating Windows virtual machines with
BitLocker-enabled volumes is not supported by CloudOn for either AWS
or Azure. The note is in CloudOn for AWS and CloudOn for Azure.
• Updated vSphere Virtual Machines with a section on exporting a
snapshot to a temporary, standalone ESXi host that is not protected
under vCenter.
• Added Oracle database data source feature to Oracle Databases.
• Added destination port for Pure Storage arrays in Ports.
• Updated SAP HANA Databases with feedback from EA2 reviews and
added new subsections.
• Updated ports used by SAP HANA databases in Ports.

Rev. A4 December, 2018 Directed Availability release of Rubrik CDM version 5.0.
• Added a note that network throttling is not supported for archiving to any
location that does not use port 443, such as NFS targets and QStar tape.
The note is in Configuration.
• Updated Managed Volumes with information that the maximum number
of managed volume channels is based on the resources available on the
node, ranging from 4 to 32.
• Port 12500 TCP is no longer used to allow an ESXi host to perform an
NFS Live Mount to acquire a virtual machine. It has been removed from
Ports.
• Added prerequisites for Windows Full Volume Protection in File Systems.
• Added steps to clarify IAM permissions in CloudOn for Azure.
• Added port 2074, which permits secure communication between the
Rubrik cluster and the Nutanix Guest Agent (NGA). The information is in
Ports.
• Added LDAP ports 389, 636, 3268 and 3269 to Ports.
• Updated description for Floating IPs in the Network information table in
Configuration.
• Updated AHV Virtual Machines to include command to determine the
Nutanix public key certificate.
• Explained where to generate CA Certificates for Isilon and NetApp hosts
in File Systems.
• Added information about trusted root certificates for vCenter Server
connections in vSphere Virtual Machines.
• Updated Configuration with changes to the section that describes using
the built-in tunnel utility. The utility permits Rubrik Support to connect
securely and remotely to the Rubrik cluster for troubleshooting.

Rev. A5 January, 2019 General Availability release of Rubrik CDM version 5.0.
• Added information about Solaris support to File Systems.
• In 5.0, the Notifications (bell) icon was removed and the information was
merged under the Activity Log (globe) icon. This was updated in System
and Task Information.
• Updated a local host page note regarding on-demand snapshot settings
for the SLA Domain of a virtual machine.This is in AHV Virtual Machines,
Hyper-V Virtual Machines, and vSphere Virtual Machines.
• Added a note describing how vCenter privileges also protect vCloud
Director accounts, but that vCloud Director accounts must be System
Administrator accounts. This update is in Minimum vCenter Server
Privileges.
• Updated Oracle database auto-discovery prerequisites with information
about what to do when no previous database exists on the Oracle
host.This is in Oracle Databases.
• Added information about the tablespace auxiliary destination directory to
Oracle Databases.
• Added ESXi host as a destination for TCP port 443 from Rubrik cluster in
Ports. This port assignment exists only in release 5.0.0.
• Added TCP ports for communication between Rubrik node and Isilon and
NetApp in Ports.
• Added the Bolt subnet as a destination for communication with Rubrik
cluster in Ports.
• Added a section on migrating from Managed Volumes in Oracle
Databases.
• Added ports required for communication between Rubrik Envoy
managed service provider and Rubrik cluster in Ports.
• Updated Cascading archival section in Archiving.
• Made general updates in Protection Policies.
• Added information on storage array integration using Pure Storage
FlashArray on an AIX host to the Filesets section of File Systems.
• Added note that Guest OS credentials are required in order to execute
pre-backup and post-backup scripts. The note appears in Configuration
and vSphere Virtual Machines.

Rev. A6 February, 2019 • Added sections for SAP HANA backup retention, Pausing Backint
backups, and Resuming Backint backups to SAP HANA Databases.
• Corrected information about how SLA settings are applied when creating
on-demand snapshots. Information is in AHV Virtual Machines, Hyper-V
Virtual Machines, and vSphere Virtual Machines.
• Updated security requirements in Hyper-V Virtual Machines.
• Updated Archival Consolidation in Archiving.
• Updated Solaris configuration information in File Systems.
• Added a note in Managed Volumes describing the behavior of a first
snapshot in a managed volume regarding data transfer values shown.
• Added a comment to the table on data management for SQL server
databases in SQL Server Databases explaining that snapshots in
snapshot groups are counted by group, rather than by individual
snapshot.
Support
Use one of the following methods to contact Rubrik Support:
Web https://support.rubrik.com
Phone 1-844-4RUBRIK, option 2

1-844-478-2745, option 2
Email support@rubrik.com

Related documentation
The following Rubrik publications provide additional information:
 Rubrik CDM Release Notes
 Rubrik CDM Install and Upgrade Guide
 Rubrik CDM Security Guide
 Rubrik CDM Cloud Cluster Setup Guide
 Rubrik CDM Rubrik Edge Setup Guide
 Rubrik CDM Hardware Guide
 Rubrik CDM CLI Reference Guide
 Rubrik CDM Compatibility Matrix
Comments and suggestions

We welcome your comments and suggestions about our products and our product documentation.
Product
To provide comments and suggestions about the product, contact Rubrik Support by using the
information provided in Support.
Product documentation
To provide comments and suggestions about the product documentation, please send your
message by email to:
techpubs@rubrik.com
To help us find the documentation content that is the subject of your comments, please include
the following information:
 Full title
 Part number
 Revision
 Relevant pages

Chapter 1
Configuration
This chapter describes how to configure a Rubrik cluster and perform other system tasks.
 Logging in to the Rubrik CDM web UI......................................................................... 47
 Settings menu .......................................................................................................... 48
 Adaptive Backup ....................................................................................................... 51
 Configuring IPMI ...................................................................................................... 53
 Configuring iSCSI...................................................................................................... 54
 Notification settings .................................................................................................. 56
 Enabling polling via SNMP ......................................................................................... 60
 Manage storage arrays.............................................................................................. 65
 Proxy settings........................................................................................................... 67
 Network settings....................................................................................................... 69
 Network Throttling.................................................................................................... 70
 Guest OS settings ..................................................................................................... 73
 Secure SMB settings ................................................................................................. 78
 Syslog settings ......................................................................................................... 80
 Support bundle......................................................................................................... 81
 Time zone setting ..................................................................................................... 82
 Security banner and classification settings .................................................................. 83
 Data sources setting ................................................................................................. 85
 Opening and closing a Support tunnel ........................................................................ 85
 Pause and resume protection activity ......................................................................... 87
Rubrik CDM Version 5.0 User Guide Configuration 46

Configuration
Logging in to the Rubrik CDM web UI

To log in to the Rubrik CDM web UI for the first time, use the default ‘admin’ account and
password.
1. On a computer with network access to the Rubrik cluster, start a web browser.
2. In the address field, type the following URL:
https://<RubrikCluster>
where <RubrikCluster> is the resolvable hostname or IP address of the Rubrik cluster.
The Welcome page appears.
3. In Username, type admin.
4. In Password, type the password for the admin account.
Use the password for the admin account that was created during system setup.
5. Click Sign In.
At the first login, the End User License Agreement appears.
6. Click I Agree to continue.
The Dashboard page for the web UI appears.
Note: When the Rubrik cluster has not been registered, a notification appears on each page of
the web UI. The Rubrik Install and Upgrade Guide provides detailed information about how to
register the Rubrik cluster.
Logging in with a local account

Users who have an account in the local directory on the Rubrik cluster can log in with their local
account credentials. During login, the Domain field is left blank, since local users are not part of an
LDAP domain.
1. Access the Rubrik CDM UI Welcome screen.
2. In Username, type the username assigned to the local account.
3. In Password, type the password for the account.
4. Click Sign In.
The Dashboard page for the web UI appears.
Rubrik CDM Version 5.0 User Guide Logging in to the Rubrik CDM web UI 47
Configuration
Logging in with an LDAP account

Authentication through an LDAP domain requires a user name and password associated with that
domain. If a user is a member of multiple LDAP domains, the user should indicate which domain
to use for authentication.
If no domain is specified during login, the Rubrik cluster searches all LDAP domains randomly until
it finds the first occurrence of the user name. The password entered by the user must match the
password stored in the LDAP directory that was found during the search, or login fails.
1. Access the Rubrik UI Welcome screen.
2. In Username, type the username associated with the LDAP account.
4. In Domain or Domain Display Name, type the name of the LDAP domain that contains the
login credentials to be used for authentication.
5. Click Sign In.
The Rubrik cluster authenticates the username through the specified LDAP domain, with one of
the following results:
• Authentication fails.
• Authentication succeeds, but access is denied because the user account has the No Access
role assigned.
• Authentication succeeds, and access is permitted. The Dashboard page for the web UI
appears.
Settings menu
The web UI provides access to Rubrik cluster settings and tasks through the Settings menu.
Opening the Settings menu

The Settings menu provides access to Rubrik cluster settings and tasks.
1. Log in to the Rubrik CDM web UI.
2. Click the gear icon on the top bar of the web UI.
The Settings menu appears.
Rubrik CDM Version 5.0 User Guide Settings menu 48

Configuration
Settings and tasks available through the Settings menu

Table 2 summarizes the settings and tasks that are available through the Settings menu and
provides links to sections that provide more information.
Table 2 Settings and tasks (page 1 of 3)
Menu item Description
Application Configuration
vCenter Add, view, edit, and delete vCenter Servers.
Servers See vSphere Virtual Machines for more information.
vCD Instances Add, refresh, edit, and delete vCloud Director instances. See vCloud Director instances
for more information.
SCVMM Add, view, edit, and delete Microsoft System Center Virtual Machine Managers
servers (SCVMMs).
See Hyper-V Virtual Machines for more information.
Nutanix Add, view, edit, and delete Nutanix Clusters.
Clusters See AHV Virtual Machines for more information.
Hosts Add, view, edit, and delete physical Windows, Linux, and Unix hosts.
See Enabling polling via SNMP for more information.
Cloud Sources Configure the accounts and regions on which instances need to be protected.
Guest OS Provide credentials to access the guest operating systems. Also, control deployment of
Settings the Rubrik Backup Service (RBS) to vSphere virtual machines that have a Windows guest
operating system.
See Guest OS settings for more information.
System Configuration
Replication Add and remove a Rubrik cluster as a replication target and view information about
Targets replication activity.
See Replication for more information.
Archival Provide the connection settings for an archival location, view information about archival
Locations activity, and initiate a recovery connection.
See Archiving for more information.
Storage Arrays Add, edit, and remove configuration information for storage arrays.
See Manage storage arrays for more information.
Adaptive Configure the Rubrik cluster to pause backup of a virtual machine when resource usage
Backup exceeds set values.
See Adaptive Backup for more information.
Pause Manual pause and resume of all backup jobs and archival jobs.
Protection See Pause and resume protection activity for more information.
Resume
Protection

Configuration

TLS Install or delete signed Transport Layer Security (TLS) certificates, and generate
Certificates Certificate Signing Requests (CSRs).
For more information, refer to the Rubrik CDM Security Guide.
IPMI Provide more security for the baseboard management controller on the Rubrik nodes by
Credentials setting an IPMI password.
See Configuring IPMI for more information.
iSCSI Sources Provide and view the connection settings for an iSCSI data connection.
See Configuring iSCSI for more information.
Cluster Set Rubrik cluster name and time zone and set visibility settings for Data Sources.
Settings See Time zone setting and Data sources setting for more information.
Syslog Provide connection information for a syslog server to permit transmission of Rubrik
Settings cluster notifications in syslog format to that server.
See Syslog settings for more information.
SMB Security Enable secure SMB connections. Add domain name and credentials for secure SMB
domains once enabled.
See Secure SMB settings for more information.
Network Configuration
Proxy Settings Provide the Rubrik cluster with proxy configuration information for external connections.
See Proxy settings for more information.
Network Provide connection information for NTP servers, DNS servers, and search domains. Also
Settings provides information on Interfaces.
See Network settings for more information.
Network Enable and configure replication throttling. Enable and configure archival throttling.
Throttling See Network Throttling for more information.
Notification Configure the SMTP server on the Rubrik cluster so it can send email. Configure an
Settings SNMP server to be able to poll the Rubrik cluster for information. Configure a list of email
recipients, and decide whether log messages should be sent to Syslog.
See Notification settings for more information.
Access Management
Users Manage local user accounts and manage authorization for authenticated users.
See User Accounts for more information.
Organizations Manage local tenant organizations.
See Multitenant Organizations for more information.
Support
Support Instruct the Rubrik cluster to provide a complete bundle of cluster and node logs for local
Bundle download.
See Support bundle for more information.

Configuration

Enable Tunnel Enable and disable the tunnel used by Rubrik Support.
Disable Tunnel See Opening and closing a Support tunnel for more information.
About Rubrik Click to display the Rubrik software version.
Adaptive Backup
Adaptive Backup settings instruct the Rubrik cluster to check the resource usage of a virtual
machine before starting a snapshot. When the resource usage is above configured limits, the
Rubrik cluster postpones the snapshot.
When Adaptive Backup settings are enabled, the Rubrik cluster checks the virtual machine I/O
latency, datastore I/O latency, and virtual machine CPU utilization before starting a snapshot.
When a value exceeds a configured limit, the Rubrik cluster reschedules the snapshot.
After approximately 15 minutes, the Rubrik cluster checks the values again. When the values are
below the limits, the Rubrik cluster initiates the snapshot. When the values are above the limits,
the Rubrik cluster reschedules the snapshot.
Each time an Adaptive Backup setting causes the rescheduling of a snapshot, the Rubrik cluster
moves the policy-based snapshot schedule for the virtual machine to accommodate the change.
Example 1 describes this.
Example 1 Rescheduling caused by Adaptive Backup settings

The Rubrik cluster has Adaptive Backup settings enabled. A virtual machine is protected by the
GOLD SLA Domain of the Rubrik cluster. This SLA Domain requires hourly snapshots. The next two
hourly snapshots for this virtual machine are scheduled for 1:00 PM and 2:00 PM.
At 1:00 PM the Rubrik cluster finds that the CPU utilization of the virtual machine is above the
configured limit. The 1:00 PM snapshot is rescheduled for 1:15 PM.
At 1:15 PM the snapshot is successfully initiated, and the next hourly snapshot is scheduled for
2:15 PM.
Rubrik CDM Version 5.0 User Guide Adaptive Backup 51

Configuration
On-demand snapshots
Adaptive Backup settings also apply to on-demand snapshots.
When the Adaptive Backup settings are enabled, the Rubrik cluster performs an Adaptive Backup
settings check before starting an on-demand snapshot. When a value exceeds a configured limit,
the Rubrik cluster reschedules the on-demand snapshot.
After approximately 15 minutes, the Rubrik cluster checks the values again. When the values are
below the limits, the Rubrik cluster initiates the on-demand snapshot.
The Rubrik cluster continues to reschedule the on-demand snapshot until the values for the virtual
machine are below the configured limits. When the values are below the limits, the Rubrik cluster
completes the on-demand snapshot.
Limit types
When applying Adaptive Backup settings the Rubrik cluster considers the virtual machine I/O
Latency, datastore I/O latency, and virtual machine CPU utilization before initiating a snapshot of
that virtual machine.
The Rubrik cluster postpones a snapshot when the actual value of a limit type exceeds the value
that is set for the limit.
Table 3 describes the limit types that the Rubrik cluster considers when applying Adaptive Backup
settings.
Table 3 Limit types considered by Adaptive Backup settings
Limit Description
Maximum VM IO Sets the maximum time in milliseconds to process a command from the
Latency guest OS to the virtual machine.
The actual value is determined from ‘vm.maxTotalLatency’.
Maximum Datastore IO Sets the highest latency for all datastores being used by a virtual machine,
Latency not including any excluded VMDKs.
The actual value is determined by finding the highest value for
‘disk.TotalLatency’ for all of the datastores assigned to the virtual machine.
Maximum VM CPU Sets the maximum percentage of the combined frequency of all processors
Utilization assigned to the virtual machine.
The actual value is computed by dividing the ‘vm.overallCpuUsage’ by
‘vm.maxCpuUsage’.
Rubrik CDM Version 5.0 User Guide Adaptive Backup 52

Configuration
Enabling Adaptive Backup settings

Configure Adaptive Backup settings to postpone snapshots when the resource usage of a
protected virtual machine is above configured limits.
The gear menu appears.
3. Click Adaptive Backup.
The Adaptive Backup page appears.
4. Select Enable Adaptive Backup.
5. In Maximum VM IO Latency, type an integer value representing the highest virtual machine
I/O latency allowed, in milliseconds.
6. In Maximum Datastore IO Latency, type an integer value representing the highest
datastore I/O latency allowed, in milliseconds.
7. In Maximum VM CPU Utilization, type an integer value representing the greatest
percentage of virtual machine CPU utilization allowed.
8. Click Update.
The Rubrik cluster saves the Adaptive Backup settings. The Rubrik cluster checks the measured
values at the time of every snapshot and postpones a snapshot when a measured value is higher
than a set value.
Configuring IPMI
The Rubrik node hardware includes a baseboard management controller (BMC) that can be used
to perform Intelligent Platform Management Interface (IPMI) tasks. Provide more security for the
Rubrik nodes by requiring a secure strong password for access to the IPMI interface.
Use the web UI to assign a strong password and control access to the IPMI interface on all nodes
in the Rubrik cluster.
3. Click IPMI Credentials.
The Configure IPMI page appears.
Rubrik CDM Version 5.0 User Guide Configuring IPMI 53

Configuration
4. Select which external services can access IPMI. Choices are:

• HTTPS
• IKVM (Java for .Net)
• Virtual Media (media in remote drives)
• SSH
5. Click Update.
6. Click IPMI Password.
The Update IPMI password page appears.
7. In Password, type a secure password.
The password can be from 5 to 19 extended ASCII printable characters. Keep the new
password secret, and store it in a safe location.
8. In Re-Enter Password, type the password again.
9. Click Update.
Configuring iSCSI
The Rubrik cluster supports the iSCSI protocol for direct data connection to a storage array that is
providing storage for virtual machines.
When iSCSI is enabled, the Rubrik cluster maintains a control channel with the hypervisor host
and uses the iSCSI protocol to establish a data channel with the storage array. This protocol
replaces the NBD transport protocol for transfers of data from the storage array.
The Rubrik cluster supports the following authentication modes:
 No authentication
 Unidirectional CHAP – Using the Challenge-Handshake Authentication Protocol (CHAP), the
Rubrik cluster authenticates with the storage array.
 Bidirectional CHAP – Using CHAP, the Rubrik cluster authenticates with the storage array and
the storage array authenticates with the Rubrik cluster.
Note: PPP Challenge Handshake Authentication Protocol (CHAP), RFC 1994 defines the username
and password requirements for unidirectional and bidirectional CHAP.
Rubrik CDM Version 5.0 User Guide Configuring iSCSI 54

Configuration
To enable iSCSI support, provide the Rubrik cluster with the iSCSI connection details.
3. Click iSCSI.
The iSCSI Sources page appears.
4. In Server Name, type the name of the iSCSI server.
5. In Port, type the connection port used by the iSCSI server for incoming iSCSI connections.
The default is port 3260.
6. In Target, type the IPv4 address of the iSCSI server.
Leave Target empty to instruct the Rubrik cluster to attempt to automatically discover the IP
address of the iSCSI server.
7. In Authentication Mode, select the authentication mode used by the iSCSI server.
Choose one of the following:
• No Authentication
• Unidirectional CHAP
• Bidirectional CHAP
When No Authentication is selected, click Update.
8. (Unidirectional CHAP and Bidirectional CHAP) In Outgoing Name, type a username that
enables the storage array to authenticate the Rubrik cluster.
The storage array must grant sufficient access rights to the account represented by the
username to allow the Rubrik cluster access to the stored data.
9. (Unidirectional CHAP and Bidirectional CHAP) In Outgoing Secret, type the associated
password.
When Unidirectional CHAP is selected, click Update.
10.(Bidirectional CHAP) In Incoming Name, type a username that enables the Rubrik cluster to
authenticate the storage array.
11.(Bidirectional CHAP) In Incoming Secret, type the associated password.
12.Click Update.
A success message appears.
Rubrik CDM Version 5.0 User Guide Configuring iSCSI 55

Configuration
The Rubrik cluster enables the iSCSI connection and uses the iSCSI protocol to directly access
data that is stored on the storage array.
To add additional iSCSI connections, repeat this task for each connection.
The web UI does not currently provide information about the iSCSI connection records that exist
on a Rubrik cluster.
Notification settings
To enable the Rubrik cluster to send email notifications, provide configuration information through
the Notifications page. Also use the Notifications page to enable the SNMPv2c protocol and allow
the Rubrik cluster to respond to queries from an SNMP manager. Provide a list of email recipients
organized by event type to specify who should receive different types of notifications from the
activity log.
The Rubrik cluster transfers notification email messages to an SMTP server for delivery to the
administrator accounts. Configuring outgoing email settings provides instructions for configuring
the Rubrik cluster for email delivery.
The Rubrik cluster stores information in its Management Information Base (MIB). In order for an
SNMP manager to query that information, both the Rubrik cluster and the SNMP manager must
use the SNMPv2c protocol. See Enabling polling via SNMP for more information.
Rubrik provides a private MIB file that defines all the measurements and traps available from the
Rubrik cluster. The Rubrik MIB file can be downloaded from the web UI. See Downloading the
Rubrik MIB file for instructions. See Rubrik MIB file for information on MIB file contents, including
the trap messages sent by the Rubrik cluster.
Trap receivers collect the traps sent by the Rubrik cluster. Adding trap receivers explains how to
configure one or more trap receivers.
Notification messages are collected from the activity log and organized by event type. All
messages associated with one or more event types can be sent to a list of email recipients, as
configured in the web UI. See Configuring email settings for notifications for more information.
Rubrik CDM Version 5.0 User Guide Notification settings 56

Configuration
Rubrik MIB file

The Rubrik MIB file defines what kinds of information can be obtained from the Rubrik cluster. The
information can be divided into two categories: parameters and traps.
An SNMP manager polls the Rubrik cluster for parameter information via the SNMP protocol.
Examples of parameters in the Rubrik MIB file include:
 Current storage available on the cluster
 Average physical ingest bandwidth for last hour
 Number of active nodes in the cluster
 Rubrik SLA Domain name
A trap is an alert message that is triggered by a predefined condition. The Rubrik cluster sends
traps to one or more trap receivers as soon as a trap condition occurs. The trap receiver decodes
the traps based on information found in the MIB file. The Rubrik MIB file specifies several
categories of traps, as shown in Table 4.
Table 4 Traps in the Rubrik MIB file (page 1 of 2)
Category Traps
Job Rubrik cluster job failure
Network • Network interface down on a port
• Network interface changed state to Recovered
Hardware • Clock on machine is out of sync
• Replace chassis
• Errors with DIMM
• Errors with BIOS
• Node replacement required because of hardware issues
• Replace power supply
• Chassis recovered
• DIMM recovered
• BIOS recovered
Power • Power supply recovered
• Check power supply

Configuration
Table 4 Traps in the Rubrik MIB file (page 2 of 2)

Category Traps
Disk • A disk on a node is unavailable
• A disk on a node was marked recovered
• A disk on a node could not be marked removed
• A disk on a node was successfully marked removed
• A disk on a node could not be set up
• A disk on a node was successfully set up
• Unformatted disk found on a node
• A disk on a node failed health checks
Configuring outgoing email settings

Provide the Rubrik cluster with account information for an SMTP server.
Before you begin — Obtain the information that is described in Table 5.
Table 5 Required outgoing email settings
Setting Description
Host Name Host Name of the SMTP server.
Port Incoming port on the SMTP server. Normally port 25, port 465, or port
587, depending upon the type of encryption used.
From Email Address The email address assigned to the account on the SMTP server.
Username The username assigned to the account on the SMTP server.
Password The password associated with the username.
Encryption The encryption protocol that the SMTP server requires for incoming
SMTP connections. The Rubrik cluster supports the following protocols:
• NONE
• SSL
• STARTTLS

3. Click Notification Settings.
The Notification Settings page appears.
4. In Host Name, type the IP address or the FQDN of the SMTP server.
5. In Port, enter the incoming connections port for the SMTP server.

Configuration
6. In From Email Address, type the email address assigned to the account on the SMTP server.
7. In Username, type the username assigned to the account on the SMTP server.
8. In Password, type the password associated with the username.
9. In Encryption, select the encryption protocol required by the SMTP server.
10.Click Update.
The Rubrik cluster validates and stores the email settings.
11.Click Send Test Email.
The Rubrik cluster sends a test email to the user accounts on the local Rubrik cluster that have
the Admin role.
Modifying the outgoing email settings

Use the Email Settings page to make changes to the outgoing email settings.
4. Make changes to the settings.
5. Click Update.
The Rubrik cluster validates and stores the email settings.
6. Click Send Test Email.
The Rubrik cluster uses the new settings to send a test email to the user accounts on the local
Rubrik cluster that have the Admin role.
Deleting the outgoing email settings

Use the Email Settings page to remove the outgoing email settings.

Configuration

4. Select the Email Settings tab.
5. Click Clear SMTP Settings.
The Rubrik cluster removes the settings.
Enabling polling via SNMP

SNMP managers can poll the SNMP agent on the Rubrik cluster and request information by using
the SNMPv2c protocol.
The SNMP agent on the Rubrik cluster collects information and compiles it into a Management
Information Base (MIB). The information collected corresponds to the Object Identifiers (OIDs)
defined in RFC 1213 “MIB-II” and RFC 2790 “Host Resources” and in the Rubrik MIB file.
The Rubrik cluster opens incoming UDP port 161 for polling by SNMP managers. A request for
information must include the community string (similar to a password) along with an SNMP
GET-REQUEST in order for the Rubrik cluster to respond with the requested information.
Enable SNMPv2c on the Rubrik cluster and provide a community string to allow an SNMP manager
to poll the Rubrik cluster.
4. Select the SNMP tab.
5. Click Edit SNMP.
The Edit SNMP dialog box appears.
6. Select Enable SNMPv2c to allow polling.
7. In Community String, enter the string to be used as a password when sending a request to
the SNMP agent.
8. Click Update.

Configuration
Adding trap receivers

Traps from the Rubrik MIB file can be sent to a trap receiver for further processing. Configure one
or more trap receivers by specifying the IP address or FQDN, along with the receiver port.
5. Click Add Traps Receiver.
The Add Traps Receiver dialog opens.
6. In Traps Receiver (IP or FQDN), enter the IP address or FQDN corresponding to the trap
receiver that will collect the traps sent from the Rubrik cluster.
7. In Receiver Port, enter the incoming connections port for the SNMP trap receiver.
8. Click Add.
9. Repeat step 5 through step 8 to configure additional trap receivers. Each trap receiver can use
a different port and different IP address.
Downloading the Rubrik MIB file

The Rubrik MIB file is available for downloading from the Enable SNMP dialog and from the Add
Traps Receiver dialog. Download the MIB file from the Rubrik cluster to view the types of
measurements and notification messages (traps) specified in the file.
5. Click either Edit SNMP or Add Traps Receiver.
6. Click Download MIB file at the top of the dialog box to download the file to your browser’s
default location.

Configuration
Configuring email settings for notifications

The activity log, which can be viewed by clicking the globe icon in the web UI, records all
notifications. Notifications are classified by event type, such as configuration, hardware,
replication, and so on. These notifications can be sent to specific email addresses by configuring
them in the Notifications dialog. Notifications can also be sent to the Syslog server.
Provide an email recipient list to the Rubrik cluster so it can send email notifications for specified
event types. Configure one email recipient list at a time, and select all event types that share the
same email recipient list. Also, choose whether to send notifications to the syslog server.
4. Select the Notifications tab.
5. Click the blue + icon.
The Add Notification Setting dialog appears.
6. Scroll through the menu of event types and select the ones that share the same email recipient
list. To select all event types, click Type.
7. Click Next to specify where to send the notifications for the specified event types.
8. (Optional) Click Emails in the left pane of the dialog box and specify a list of email addresses,
separated by commas. To send to all the Administrators instead, select Send to all
Administrators.
9. (Optional) Click Syslog in the left pane of the dialog box, then select Send to syslog server.
10.Click Finish.

Configuration
Manage hosts
The Hosts page provides a central location to add physical Windows, Linux, and Unix hosts to the
Rubrik cluster. The Hosts page also provides the ability to edit hosts and to remove hosts from the
Rubrik cluster.
Before you begin — Complete the tasks described in:
 Obtaining the Rubrik Backup Service software through the Rubrik CDM web UI or Obtaining the
Rubrik Backup Service software by URL
 Installing the Rubrik Backup Service software on a Linux or Unix host or Installing the Rubrik
Backup Service software on a Windows host
Adding a physical host

Add supported physical hosts to the Rubrik cluster.
3. Click Hosts.
The Hosts page appears.
4. Select the Windows Hosts tab or select the Linux & Unix Hosts tab.
The Add Hosts dialog box appears.
6. In IP or Hostname, type a comma-separated list of IPv4 addresses or resolvable hostnames
of physical hosts.
The list can contain a mix of IPv4 addresses and hostnames. The Rubrik cluster requires one
IPv4 address or one hostname for each physical host being added.
7. Click Add.
The Rubrik cluster check connectivity with the specified physical hosts and adds the physical
hosts.
Rubrik CDM Version 5.0 User Guide Manage hosts 63

Configuration
Editing a physical host

Change the IP address or hostname specified for a physical host.
3. Click Manage Hosts.
5. Open the ellipsis menu next a host entry and click Edit.
The Edit Host dialog box appears.
6. In IP or Hostname, type a replacement IPv4 address or resolvable hostname for the physical
host.
7. Click Update.
The Rubrik cluster check connectivity using the specified value and stores the information for the
host.
Removing a physical host

Remove a physical host from the Rubrik cluster when data management is no longer required.
3. Click Manage Hosts.
5. Open the ellipsis menu next to a host entry and click Delete.
A confirmation message appears.
6. Click Delete.
The Rubrik cluster removes the selected host.
Rubrik CDM Version 5.0 User Guide Manage hosts 64

Configuration
Manage storage arrays

To obtain optimal ingest performance when all data is stored on a storage array, the Rubrik cluster
can retrieve data through storage array level snapshots.
Storage array integration describes array integration for virtual machines.
Table 6 describes the requirements for storage array integration.
Table 6 Storage array integration requirements
Category Requirement
Storage array type Pure Storage FlashArray//m series
Storage array API Pure Storage REST API version 1.0 or newer
Storage array account Username and password for a storage array account with ‘storage
admin’ privileges.
Adding a storage array

Add a storage array to allow the Rubrik cluster to directly interact with the storage array.
3. Click Storage Arrays.
The Storage Arrays page appears.
The Add Storage Array dialog box appears.
5. In Array Type, select Pure Storage.
6. In Hostname, type the IPv4 address or resolvable hostname of the storage array.
7. In Username, type the username for an account with ‘storage admin’ privileges on the
storage array.
9. Click Add.
The Rubrik cluster tests access to the storage array and saves the configuration information.
Rubrik CDM Version 5.0 User Guide Manage storage arrays 65

Configuration
Editing a storage array

Edit the stored information for a storage array.
4. Open the ellipsis menu next to an array entry and click Edit.
The Edit Storage Array dialog box appears.
5. Edit the fields.
6. Click Update.
The Rubrik cluster tests access to the storage array using the new configuration information and
saves the configuration information.
Deleting a storage array

Delete the entry for a storage array to remove the configuration information that is stored by the
Rubrik cluster.
! IMPORTANT
Deleting a storage array removes storage array integration for all virtual machines that use
the array as a datastore. The Rubrik cluster switches the data ingestion path from the
storage array to the vCenter Server. This can potentially cause a performance impact for
snapshots of those virtual machines.

Rubrik CDM Version 5.0 User Guide Manage storage arrays 66

Configuration

4. Open the ellipsis menu next to an array entry and click Delete.
A warning appears.
5. Click Delete.
The Rubrik cluster removes the configuration information for the selected storage array.
Proxy settings
Some of the functionality of the Rubrik cluster relies on Internet access. The Rubrik cluster can be
configured to use a proxy server when accessing the Internet.
You can optionally configure the Rubrik cluster to use a proxy server in order to accommodate
your network and security requirements. The proxy server must be configured to permit the
Rubrik cluster to meet the network requirements listed in Ports.
Functions that use Internet access

Table 7 describes the Rubrik cluster functions that use Internet access.
Table 7 Functions that require Internet access
Function Description
Archiving to public cloud Communication between the Rubrik cluster and cloud-based archival locations.
Uploading log bundles Upload of log bundles to Amazon S3. Log bundles provide Rubrik Support with
a 30 day historical view of the Rubrik cluster. Rubrik Support can use the log
bundles when diagnosing issues.
Uploading real-time logs Real-time upload of error and failed job logs to an Amazon EC2 instance. The
Rubrik Support alert system uses these logs to provide quick responses to
issues.
Uploading statistics Upload of Rubrik cluster statistics to provide Rubrik Support with a dashboard
view of the health of a Rubrik cluster. The statistics are also integrated into the
Rubrik Support alert system.
Opening tunnel Create a tunnel from the Rubrik cluster to the Rubrik Support SSH server. The
Rubrik Support SSH server runs on an Amazon EC2 instance.
The tunnel can be opened to permit Rubrik Support to securely access the
Rubrik cluster. When the tunnel is opened, Rubrik Support can use the tunnel to
diagnose issues and perform maintenance operations. Enable and disable this
tunnel from the web UI.
Rubrik CDM Version 5.0 User Guide Proxy settings 67

Configuration
Proxy implementations
A Rubrik cluster supports the following proxy server implementations:
 HTTP
 HTTPS, using the HTTP CONNECT method and port 443
 SOCKS5
Configuring proxy server support

Configure a Rubrik cluster to route Internet communication through a proxy server.
3. Click Proxy Settings.
The Proxy Settings page appears.
4. In Protocol, select an Internet protocol that is supported by the proxy server:
• HTTP
• HTTPS
• SOCKS5
5. In Proxy Server IP or FQDN, type the IPv4 address or the FQDN of the proxy server.
6. In Port Number, type the port on the proxy server for requests from the Rubrik cluster.
The web UI automatically populates this field with the default port for the selected protocol.
When the proxy server uses a custom port, type that value instead.
7. (Optional) In User Name, type the proxy server username assigned to the Rubrik cluster.
8. (Optional) In Password, type the password associated with the assigned username.
9. Click Update.
The Rubrik cluster stores the proxy settings and routes all subsequent Internet traffic through the
proxy server.
Rubrik CDM Version 5.0 User Guide Proxy settings 68

Configuration
Network settings
The Rubrik cluster uses network address information for specific types of network entities to
perform system tasks. Table 8 describes the information that the Rubrik cluster uses.
Table 8 Network information
Network entity Description
NTP Comma-separated list of IP addresses or resolvable hostnames of network time protocol
(NTP) servers.
Requires bidirectional UDP access to the servers on port 123.
DNS Comma-separated list of IP addresses of domain name system (DNS) servers.
Requires bidirectional TCP and UDP access to the DNS servers on port 53.
Search domain Comma-separated list of domain names. Restricts DNS queries to the provided domains.
Floating IPs Comma-separated list of IP addresses used to maintain NFS mounts if a Rubrik node
fails.
The number of floating IP addresses is distributed evenly across the nodes in a cluster. If
the number of available nodes changes for any reason, floating IP addresses are
rebalanced as necessary to maintain an even distribution. Each floating IP must be in
one of the subnets of a Rubrik node’s network interfaces; otherwise, it cannot be
configured.
Note: Rubrik node IP address assignments cannot be changed through the web UI. To change the
IP address of a Rubrik node, refer to the Rubrik CLI Reference or contact Rubrik Support.
Providing network settings

The Rubrik cluster requires network settings information to perform system tasks.
3. Click Network Settings.
The Network Settings page appears.
4. In NTP Servers, type a comma-separated list of network time protocol servers.
For each server, type either the IPv4 address or the FQDN.
5. In DNS Servers, type a comma-separated list of domain name system servers.
For each server, type the IPv4 address.
Rubrik CDM Version 5.0 User Guide Network settings 69

Configuration
6. In Search Domains, type a comma-separated list of search domains.

For each search domain, type the FQDN.
7. (Optional) In Floating IPs, type a comma-separated list of IPv4 addresses.
8. Click Update.
The Rubrik cluster stores the information.
Editing network settings

Edit the network settings to accommodate changed network requirements.
4. Change the network settings.
5. Click Update.
The Rubrik cluster stores the new information.
Network Throttling
Rubrik CDM allows configuration of how much bandwidth is used for replication and archiving for
outbound data.
Use the Network throttling feature to set bandwidth limits for replication and archiving. The
general throttling settings can also be modified by setting one or more scheduled overrides. The
general settings can be used alone or with scheduled throttle overrides. General rules for the
throttling settings are the following:
 The general setting applies unless overridden by a scheduled override.
 Scheduled throttle overrides apply only for the specified time window.
 Scheduled overrides override the general throttle setting.
 Multiple schedules can be set.
 No two schedules can have a common time window.
 The scheduled overrides are enforced according to the cluster time zone.
Rubrik CDM Version 5.0 User Guide Network Throttling 70

Configuration
The bandwidth limits for archiving and replication are configured separately and are independent
of each other. The bandwidth limits are at a cluster level and are distributed dynamically between
the nodes based on the load. This means that cluster size should also be taken into account when
configuring throttle limits, the same throttle limit may not work well across different cluster sizes.
Note: The bandwidth limit is enforced on each node by throttling traffic on port 443 for archiving
and port 7785 for replication. If an archival location proxy is enabled and uses a port other than
443, archival throttling will not work.
Enabling and configuring replication throttling

Configure replication throttling limits to specify how much bandwidth can be used for replication
network traffic. This can be configured only by a global admin.
3. Click Network Throttling.
The Network Throttling page appears.
4. Select Enable Replication Throttling.
5. Under Replication Network Usage Threshold (Mbps), type an integer value representing
the highest network usage allowed, in Mbps.
6. Click Update.
This setting can be used alone or with scheduled replication throttling overrides.
Note: Network throttling is not supported for archiving to any location that does not use Port 443,
such as NFS targets and QStar tape.
Scheduling replication throttling overrides

Replication throttling overrides can be scheduled to specify how much bandwidth can be used for
replication during specified days and times. Multiple throttle schedules can be set. For example,
bandwidth can be more limited during business hours and increased during non-business hours.

Configuration
Replication throttling must be enabled for scheduled overrides to work. The scheduled limit
overrides the general limit if the schedule is active.
4. Click Schedule Override.
The Schedule Network Throttle Override page appears.
5. Select Replication.
6. Under Replication Network Usage Threshold (Mbps), type an integer value representing
the highest network usage allowed, in Mbps.
7. Select specified Day(s) for the replication throttling policy.
8. Select specified times Between a given time and another given time for the replication
throttling policy.
9. Click Add.
10.Repeat the steps to schedule additional replication policies if needed.
After throttling is configured, click the ellipsis next to the scheduled override to edit or delete the
throttle policy.
Enabling and configuring archival throttling

Configure archival throttling limits to specify how much bandwidth can be used for archival
network traffic. This can be configured only by a global admin.
4. Select Enable Archival Throttling.
5. Under Archival Network Usage Threshold (Mbps), type an integer value representing the
highest network usage allowed, in Mbps.

Configuration
6. Click Update.
This setting can be used alone or with scheduled archival throttling overrides.
Scheduling archival throttling overrides

Archival throttling overrides can be scheduled to specify how much bandwidth can be used for
archiving during specified days and times. Multiple throttle schedules can be set. For example,
bandwidth can be more limited during business hours and increased during non-business hours.
Archival throttling must be enabled for the scheduled overrides to work. The scheduled limit
overrides the general limit if the schedule is active.
The Network throttling page appears.
4. Click Schedule Override.
The Schedule Network Throttle Override page appears.
5. Select Archival.
6. Under Archival Network Usage Threshold (Mbps), type an integer value representing the
highest network usage allowed, in Mbps.
7. Select specified Day(s) for the archival throttling policy.
8. Select specified times Between a given time and another given time for the archival throttling
policy.
9. Click Add.
10.Repeat the steps to schedule additional archive policies if needed.
After throttling is configured, click the ellipsis next to the scheduled override to edit or delete the
throttle policy.
Guest OS settings
The Guest OS Settings page enables the administration of guest OS credentials for virtual
machines and fileset hosts. The page also provides a setting to enable and disable automatic
deployment of the Rubrik Backup Service to vSphere virtual machines.
Rubrik CDM Version 5.0 User Guide Guest OS settings 73

Configuration
The Rubrik cluster uses guest OS credentials to provide application consistent snapshots of
vSphere virtual machines that are running a Windows guest operating system. The Rubrik cluster
also uses guest OS credentials to enable direct restore of files and folders to guest operating
systems that do not have the Rubrik Backup Service installed.
Backup consistency levels describes application consistent snapshots.
Restore files and folders directly to a guest file system describes direct restore to the file system of
a supported guest operating system. Guest OS credentials can also be added through the Restore
File dialog during a direct restore.
Guest OS credentials
Guest OS credentials provide access to guest operating systems for vSphere virtual machines.
To allow the Rubrik cluster to start scripts on a vSphere virtual machine, provide Guest OS
credentials with sufficient privileges. Without adequate credentials, the Rubrik cluster cannot start
the scripts.
To restore directly to a Linux guest, provide the credentials for an account that has Write
permission for the restore location.
To restore directly to a Windows guest or to create application-consistent snapshots from a
Windows guest, the Rubrik cluster requires the credentials of an account that has administrator
access to the guest. The account can be either a local administrator account or a domain
administrator account.
 Providing the credentials of a local administrator account on the guest meets this requirement.
However, when there are many guests, providing individual guest OS credentials for each guest
can be inconvenient.
 Providing the credentials of a domain administrator account meets this requirement, and
avoids the need to submit a separate guest OS credential for each guest, but does not satisfy
the security concerns of many networks.
Rubrik recommends providing the Rubrik cluster with a credential for a domain-level account that
has a small privilege set that includes administrator access to the relevant guests. Based on
organizational requirements, several credentials of this sort can be provided. The Rubrik cluster
tries each provided guest OS credential to gain access to a guest.

Configuration
Providing credentials for a Windows guest

Provide credentials with administrator privileges for a Windows guest to enable application
consistent snapshots and direct restores.
Before you begin — Select or create a credential for an account that provides administrator access
to the Windows guest.
3. Click Guest OS Settings.
The Guest OS Settings page appears.
The Add Guest OS Credentials dialog box appears.
5. In Domain, type the resolvable hostname or IP address of the authentication server for the
credential.
When the guest OS performs Workstation Authentication of credentials instead of Domain
Authentication, leave the Domain field empty.
With some ESXi hypervisors, the VMware API requires a single period character in the Domain
field to correctly pass the Workstation Authentication value to the Windows guest. When an
empty Domain field does not provide successful Workstation Authentication with the Windows
guest, add a period character in the Domain field.
6. In Username, type the username for the credential.
7. In Password, type the password for the credential.
8. (Optional) To add credentials for additional virtual machines, click the blue + icon on the Add
Guest OS Credentials dialog box.
9. Click Update.
The Rubrik cluster stores the credential.

Configuration
Providing credentials for a Linux guest

Provide credentials with the necessary Write privileges for a Linux guest to enable direct restores.
Before you begin. Select or create a credential for an account that provides the necessary Write
access for the Linux guest.
5. Leave the Domain field empty.
6. In Username, type the username for the credential.
7. In Password, type the password for the credential.
8. (Optional) To add credential for additional virtual machines, click the blue + icon on the Add
Guest OS Credentials dialog box.
9. Click Update.
The Rubrik cluster stores the credentials.
Editing guest OS credentials

Edit guest OS credentials to provide the Rubrik cluster with changes to the authentication server,
credential username, and credential password.
4. Open the ellipsis menu next to a guest OS credential entry, and click Edit.
The Edit Guest OS Credential dialog box appears.

Configuration
5. Make changes to the information.
! IMPORTANT
For a Linux credential, ensure that the Domain field is empty.
6. Click Update.
The Rubrik cluster saves the new information.
Deleting guest OS credentials

Delete guest OS credentials to remove them from the list of credentials that the Rubrik cluster
uses to access virtual machines.
4. Open the ellipsis menu next to a guest OS credential entry, and click Delete.
5. Click Delete.
The Rubrik cluster deletes the selected credential.
Rubrik Backup Service deployment

The Connector Settings tab of the Guest OS Setting page can be used to enable and disable
automatic deployment of the Rubrik Backup Service.
Automatic deployment of the Rubrik Backup Service provides a method for automatically installing
and registering the Rubrik Backup Service on multiple vSphere virtual machines that are running a
Windows guest OS.
Automatically deploying the RBS provides more information about this feature.

Configuration
Secure SMB settings

Enabling secure SMB connections provides end-to-end encryption for all data transmitted over
SMB. The encryption uses the AES-CCM algorithm. Enabling secure SMB connections enables SMB
support for live mounts of SQL Server, Hyper-V, and managed volume snapshots.
Note: Once enabled, all SMB connections are secured. This feature cannot be disabled.
Before you begin — Disconnect any existing live mounted SQL Server, Hyper-V or volume groups.
Wait for any currently running backup jobs to finish, or pause those jobs.
3. Click SMB Security.
The SMB Security page appears.
4. Click Enable SMB Security.
A list of Active Directory (AD) domains detected by Rubrik agents displays.
5. Click Authenticate next to a listed AD Domain.
The Authenticate dialog appears.
6. Enter the user credentials for a user on the AD Domain.
7. (Optional) Specify a domain controller.
8. Click Authenticate.
9. (Optional) To add an AD domain not listed, click +.
The Add SMB Domain dialog appears.
10.Enter the FQDN of the domain, the user credentials, and the domain controller, then click Add.
The new AD Domain displays on the list. The Authentication Status for the domain changes to
‘Configured’.
Note: When the Rubrik cluster cannot reach the controller for the AD Domain, or when
authentication to the AD Domain fails, the status changes to Failed. Re-configure any AD
Domains in the Failed status.
Rubrik CDM Version 5.0 User Guide Secure SMB settings 78

Configuration
Enabling Kerberos authentication for SMB shares

Clients that are part of an AD Domain can authenticate to SMB shares on a Rubrik CDM cluster
using the Kerberos protocol instead of the default NT LAN Manager (NTLM) protocol.
4. Note the name listed in the Service Account Name column.
This name is a randomly generated unique identifier known as the Service Principal Name
(SPN).
5. Log on to the controller for the AD Domain of the client.
Consult Microsoft Active Directory documentation for details on logging in to AD Domain
controllers.
6. Use the ‘setspn’ command to set the SPN noted in step 4 as an alias for the hostname of the
Rubrik node.
The client uses Kerberos authentication to access the SMB share.
Deleting an AD domain
Removing a configured AD Domain removes the ability to perform secure Live Mounts of data
sources that depend on that domain.
4. Click the ellipsis next to the domain.
5. Click Delete.
The AD Domain entry is removed from the list.
Rubrik CDM Version 5.0 User Guide Secure SMB settings 79

Configuration
Syslog settings
The Rubrik cluster supports transmission of system activities to an external syslog server.
The Rubrik cluster uses the standard syslog protocol for formatting and transmission of system
notifications. By default, at the transport layer the Rubrik cluster sets the syslog standard protocol
and port (UDP/514). The transport layer protocol and port can also be configured to use custom
settings.
At the application layer, the syslog transmissions use the HTTP protocol.
When syslog support is enabled, the Rubrik cluster sends to the syslog server messages that are
based on the events that also appear in the Activity Log. Viewing Activity Log messages describes
the messages that appear in the Activity Log.
Note: Syslog message format conforms to RFC 5424.
Setting up syslog support

Transmit Rubrik cluster notifications to a syslog server.
3. Click Syslog Settings.
The Syslog Settings page appears.
4. In IP or Hostname, type the IPv4 address or FQDN of the syslog server.
5. In Protocol, select either UDP or TCP.
6. In Port Number, enter the listening port for the syslog server.
7. Click Test Connection.
The Rubrik cluster sends a test message to the syslog server and displays the content of the
message in the web UI. Check the syslog server for the message. The test is successful when
the message text that appears in the web UI is received by the syslog server.
8. Click Update.
The Rubrik cluster saves the settings and begins transmitting system notifications to the syslog
server.
Rubrik CDM Version 5.0 User Guide Syslog settings 80

Configuration
Support bundle
When it is not feasible for Rubrik Support to use the Support Tunnel to troubleshoot an issue on a
Rubrik cluster, the Rubrik cluster can create a bundle of Rubrik cluster and Rubrik node logs for
download and transfer.
Once a support bundle is created, it can be downloaded from the web UI and transferred to Rubrik
Support. The support bundle provides an alternative method for providing Rubrik Support with
troubleshooting information that does not require a network connection between Rubrik Support
and the Rubrik cluster.
The Rubrik cluster organizes a support bundle into a single file using tar and compresses the tar
file using gzip. The size of a support bundle will vary significantly depending on many factors, such
as:
 Number of Rubrik nodes
 Data protection activity
 Number of logged alerts, warnings, and notifications
Creating and downloading a support bundle

Instruct the Rubrik cluster to create a support bundle file. Then download the support bundle file.
3. Click Support Bundle.
The Support Bundle dialog box appears.
4. Click Download.
The Rubrik cluster starts creating the support bundle and a message appears in the
Notifications area.
When the support bundle is ready, the ‘Prepared logs’ message appears in the web UI
Notifications area.
5. Click the ‘Prepared logs’ message.
The message can be clicked in the Notifications area, or on the Notifications page.
The Save As dialog box appears in the web browser.
Rubrik CDM Version 5.0 User Guide Support bundle 81

Configuration
6. Select a download location for the file, and click Save.

Configuring Chrome to ask for download location describes how to enable user-selectable
download locations in Chrome.
The web browser retrieves the file from the Rubrik cluster and saves it to the selected location.
7. Contact Rubrik Support to arrange the method to use when transferring the support bundle.
Support describes how to contact Rubrik Support.
Time zone setting

The web UI provides the ability to set the time zone that is used by the Rubrik cluster. The Rubrik
cluster uses the specified time zone for time values in the web UI, all reports, SLA Domain
settings, and all other time-related operations.
A Rubrik cluster can be configured to use the same time zone as its physical location, or any other
time zone. Once the time zone is set, the Rubrik cluster displays all time values using the
configured time zone.
Time values in the web UI appear the same in all web browsers, even when viewed from web
browser hosts running in different time zones.
The Rubrik cluster automatically handles any changes between standard time and daylight savings
time for the selected time zone.
Default time zone

The default time zone used by a Rubrik cluster is the Coordinated Universal Time (UTC) time zone.
Until a time zone is configured for a Rubrik cluster, the Rubrik cluster displays a banner message in
the web UI to alert the user that a cluster time zone is not set and that the Rubrik cluster is using
the UTC time zone.
Time zone setting changes

The time zone setting for a Rubrik cluster can be changed, either from the default UTC time zone
to another time zone, or between two configured time zone settings. How a change impacts a
displayed time value depends upon the whether the time value is an event time value or a report
time value.
An event time value stays the same relative to the UTC time zone. The offset from UTC changes to
match the configured time zone.
A report time value keeps the set value. After the cluster time zone setting is changed, the
displayed time value stays the same.
Rubrik CDM Version 5.0 User Guide Time zone setting 82

Configuration
Table 9 shows the impact of changing the time zone setting from PDT to EDT for an event and for
a report.
Table 9 Impact of changes between two time zone settings
Original time zone New time zone
Report at 1:00 PM (PDT) Report at 1:00 PM (EDT)
Snapshot window 1-3 PM (PDT; UTC -7) Snapshot window 4-6 PM (EDT; UTC -4)
The table shows:

• Report that was scheduled for 1:00 PM in the PDT time zone is scheduled for 1:00 PM in the
EDT time zone after the time zone setting is changed.
• Snapshot window of 1-3 PM in the PDT time zone keeps the same time relative to UTC (8-10
PM UTC) by changing to 4-6 PM in the EDT time zone. To use the original snapshot window
after the time zone setting is changed, edit the SLA Domain rule to specify a snapshot window
of 1:00 PM to 3:00 PM EDT.
Setting the cluster time zone

Use the web UI to set the cluster time zone.
3. Click Cluster Settings.
The Cluster Settings page appears.
4. In Cluster Time Zone, select a time zone for the Rubrik cluster.
5. Click Update.
The Rubrik cluster changes the cluster time zone to the specified time zone and handles
zone-specific daylight savings time changes automatically.
Security banner and classification settings

The Rubrik cluster provides the ability to display a custom advisement that must be acknowledged
before login is permitted. For example, this might be the text of an authorized-use agreement. The
Rubrik cluster also allows setting top and bottom banners on every page of the web UI.
The login-advisement text can be entered either as plain text or using HTML tags.
Rubrik CDM Version 5.0 User Guide Security banner and classification settings 83
Configuration
The Cluster Settings page of the UI has the following security-related settings:
 Login advisement
 Top and bottom banners in a selected color
 Top and bottom banner text
Setting the login banner text

Use the web UI to set the login banner text.
4. In Login Banner Text, enter the login-advisement text.
5. Click Update.
The Rubrik cluster saves the content and adds it to the modal dialog on the login screen for
subsequent logins.
Setting the security classification color and text

Use the web UI to set the security classification color and text.
4. In Security Classification Color, select the banner color.
The supported choices are yellow, orange, red, blue, green, and none.
5. In Security Classification Text, enter the classification text.
6. Click Update.
The Rubrik cluster saves the content and adds it to the banners in subsequent sessions.
Rubrik CDM Version 5.0 User Guide Security banner and classification settings 84
Configuration
Data sources setting

The web UI provides the ability to configure visibility preferences for virtual machines, servers,
and applications. This allows customization of the web UI to specify which data sources appear.
Setting data sources

Use the web UI to configure which data sources appear.
4. Click the Data Sources tab and clear any data sources that are not applicable. Data sources in
use cannot be cleared.
5. Click Update.
The Rubrik cluster saves the settings and displays only the selected data sources.
Opening and closing a Support tunnel

The Rubrik cluster provides a built-in tunnel utility to permit Rubrik Support to make a secure
remote connection to the Rubrik cluster. Rubrik Support uses the tunnel to examine the health of
the Rubrik cluster, and to troubleshoot and resolve issues.
The Support tunnel utility initiates a connection with proxy.rubrik.com to create a tunnel using
outbound port 443 TCP. Once open, the tunnel remains open until either inactivity on the Rubrik
Support side triggers a configurable timeout value, or the user manually closes the tunnel.
The Support Tunnel Page provides a table that includes:
 Nodes attached to the Rubrik cluster
 Tunnel Status of each node: Open or Closed
 Last Opened time for each node
 Timeout Window value configured for each node: the default is 96 hours
 Port number used by each node
Rubrik CDM Version 5.0 User Guide Data sources setting 85

Configuration
If the Support tunnel for a given node is closed, the Last Opened, Timeout Window, and Port
columns are empty.
Note: Opening and closing the Support tunnel, and editing the Timeout window in the Support
tunnel, apply only to the node marked as Current.
Opening the Support tunnel

To permit access by Rubrik Support, open the Support tunnel utility.
3. Click Support Tunnel.
The Support Tunnel page appears.
4. Click Open Support Tunnel.
The Open Support Tunnel dialog box appears.
5. Enter a value, in hours, for the Timeout Window.
If no value is entered, the default value is 96 hours.
6. Click Open Tunnel.
The Support Tunnel page re-appears, showing all of the values for the current node.
Editing the Timeout window

Timeout Window is the only editable value for the Support tunnel. An existing Timeout Window
value can be changed only for the node labeled as Current.
4. Open the ellipsis menu next to the Port column and click Edit Timeout Window.
The Edit Timeout Window dialog box appears.
5. Enter a new value, in hours.
Rubrik CDM Version 5.0 User Guide Opening and closing a Support tunnel 86
Configuration
6. Click Update.
The Support Tunnel page re-appears, showing the updated timeout value.
Closing the Support Tunnel

To prevent access by Rubrik Support, close the Support tunnel utility.
4. Click Close Support Tunnel.
5. Click Close Tunnel.
The Support Tunnel page re-appears, showing no values for the current node except for Node
and a Tunnel Status of Closed.
An alternate method for closing the tunnel is simply to allow the Timeout Window value to expire.
Pause and resume protection activity

The Rubrik cluster provides the ability to pause backup jobs and archival data uploads. Use the
pause feature to temporarily reduce the impact of Rubrik cluster activity on the associated
resources.
Table 10 describes the impact of the pause feature on various Rubrik cluster activities.
Table 10 Impact of using the pause feature (page 1 of 2)
Activity Impact Description
Pending policy Canceled The Rubrik cluster cancels all policy driven snapshots that are scheduled
driven snapshot during the pause period. The missed snapshots are not rescheduled.
Pending Canceled The Rubrik cluster cancels all archival snapshots that are scheduled to
archival occur during the pause period.
snapshot
Running policy Cancel The Rubrik cluster requests the cancellation of all policy driven snapshots
driven snapshot requested that are running. A snapshot is canceled when the state of the snapshot task
permits cancellation. Otherwise, the snapshot completes.
Rubrik CDM Version 5.0 User Guide Pause and resume protection activity 87
Configuration
Table 10 Impact of using the pause feature (page 2 of 2)

Activity Impact Description
Running Cancel The Rubrik cluster requests the cancellation of all archival snapshots that
archival requested are running. An archival snapshot is canceled when the state of the archival
snapshot snapshot task permits cancellation. Otherwise, the archival snapshot
completes.
Database log No impact The pause feature does not stop scheduled backups of database
backups transaction logs.
Replication Cancel The Rubrik cluster requests the cancellation of all replication tasks that are
tasks requested running. A replication task is canceled when the state of the replication task
permits cancellation. Otherwise, the replication task completes.
Manual tasks No impact The pause feature does not affect manually initiated tasks.
Pausing protection activity

Pause protection activity to temporarily reduce the impact of Rubrik cluster activity.
3. Click Pause Protection.
A confirmation dialog box appears.
4. Click Continue.
The Rubrik cluster pauses activity as described in Table 10.
Resuming protection activity

Resume protection activity to remove the restrictions of the pause feature.
3. Click Resume Protection.
4. Click Resume.
The Rubrik cluster resumes all activity.
Rubrik CDM Version 5.0 User Guide Pause and resume protection activity 88
Chapter 2
VLAN Tagging
This chapter describes how to implement the optional VLAN tagging feature, in the following
sections:
 Overview ................................................................................................................. 90
 Adding special network VLANs after system setup ....................................................... 92
 Managing VLANs....................................................................................................... 93
Rubrik CDM Version 5.0 User Guide VLAN Tagging 89

VLAN Tagging
Overview
VLAN tagging is an optional feature that allows a Rubrik cluster to efficiently switch network traffic
using Virtual Local Area Networks (VLANs).
Each VLAN is partitioned and isolated at the data link layer. By applying VLAN tags to network
packets the network traffic of some applications on a physical network can be separated from the
network traffic of other applications on the same physical network.
In enterprise data centers, VLANs are typically used to segregate network traffic according to
organizational group, application type, or security policy. Segregating network traffic using VLANs
can optimize network throughput and promote data security.
Trunk port requirement

To support VLAN tagging, a network switch must be configured with a trunk port.
A trunk port allows packets to pass through without changing the VLAN tag. This process provides
the ability to use multiple VLAN tags on a single port.
Refer to your network switch documentation for information about implementing a trunk port,
trunk link, and VLAN tagging.
Management Network and Data Network

Rubrik recognizes two networks that require special handling when VLANs are used. Those
networks are the Management Network and the Data Network.
The Management Network handles management communications that take the form of API calls
made from a web browser to the nodes of the Rubrik cluster and the responses to those calls. The
Management Network also handles API calls and responses in a Rubrik REST API session.
The Data Network handles data transfers between nodes of the Rubrik cluster.
The Management Network and the Data Network can share the same network, which can be
tagged as a VLAN. The Management Network settings define the configuration for this shared
management/data network VLAN.
Optionally, the Management Network and the Data Network can be separate networks. Each
network can optionally carry a VLAN. When using separate VLANs, the VLAN configuration for the
Management Network is defined by the Management Network settings and the VLAN configuration
for the Data Network is defined by the Data Network settings.
Rubrik CDM Version 5.0 User Guide Overview 90

VLAN Tagging
The Rubrik cluster uses the Management Network and the Data Network to carry data that is
integral to cluster operations and interactions. The importance of these networks imposes
requirements on the actions described in Table 11.
Table 11 Special network VLAN requirements
Action Description
Configuration Management Network and the Data Network VLAN configuration can only be accomplished
by using one of the following methods:
• Specifying the VLAN settings during Rubrik cluster system setup using the Rubrik CLI.
• Using the CLI tool re_ip to reconfigure the network settings for the Rubrik cluster.
Bonding Interface bonding requires:
• The VLAN that is used by the Data Network must use bond0, the active/passive 10GbE
interfaces.
• When a single VLAN is used by both the Management Network and the Data Network,
both networks use bond0.
• When separate VLANs are used for each special network, the Data Network VLAN still
uses bond0 but the Management Network VLAN uses bond1, the active/passive 1GbE
interfaces.
VLAN settings for the Management Network and the Data Network must be configured using the
Rubrik CLI. This can be done during system setup, as described in the Rubrik CDM Install and
Upgrade Guide, or by using the re_ip tool after system setup, as described in Adding special
network VLANs after system setup.
When configuring VLAN settings for the Management Network and the Data Network after system
setup, take into consideration the following:
 All nodes must have an OK status.
 Changing an IP address, or multiple IP addresses, will involve an automatic reboot of each
affected node.
 Configuring the Management Network and the Data Network on two separate networks means
that network access must be available to both the 10GbE and the 1GbE interfaces.

VLAN Tagging
Adding special network VLANs after system setup

Configure VLAN settings for the Management Network and the Data Network, after system setup,
by using the re_ip utility.
! IMPORTANT
Do not use the vlan_add utility to configure VLAN settings for the Management Network or
the Data Network.
The Rubrik CDM Install and Upgrade Guide describes how to use the Rubrik CLI to configure VLAN
settings for the Management Network and the Data Network.
1. Log in to the Rubrik cluster and check that all nodes have an OK status.
When any node in the Rubrik cluster does not have an OK status, make any corrections that
are required to return all nodes to an OK status before continuing this task.
2. On any node in the Rubrik cluster, open an SSH session:
ssh admin@<node_ip>
where <node_ip> is the IP address of a node.
3. At the password prompt, type the password for the admin account.
The Rubrik CLI prompt appears.
4. At the prompt, type:
re_ip
The re_ip utility starts.
5. At Management Gateway, type the IPv4 address of the network gateway for the
Management Network.
To use the existing gateway, press Enter.
6. At Management Subnet Mask, type the subnet mask for the Management Network.
To use the existing subnet mask, press Enter.
7. At Management VLAN, type a unique VLAN tag for the Management Network VLAN.
A valid VLAN tag is any integer from 2 to 4094. The tag must be unique within the network
trunk.
Many switches reserve VLAN 1 for the default native VLAN. To avoid conflicts with this setting,
select a VLAN tag other than VLAN 1.
Rubrik CDM Version 5.0 User Guide Adding special network VLANs after system setup 92
VLAN Tagging
! IMPORTANT
The following two optional steps create a separate network for the Data Network.
Creating a separate Data Network causes the Data Network to bond to the 10GbE
interfaces and the Management Network to bond to the 1GbE interfaces. To allow the
Management Network and the Data Network to share a network on the 10GbE
interfaces, skip these next two steps.
8. (Optional) At Data Subnet Mask, type the subnet mask for the Data Network.
Typing a subnet mask for the Data Network configures the Data Network to bond on the 10GbE
interfaces and the Management Network to bond on the 1GbE interfaces, and brings up the
Data VLAN prompt.
9. (Contingent) At Data VLAN, type a unique VLAN tag for the Data Network VLAN.
10.At Proceed with Re IP, Yes/No, type Yes.
The Rubrik cluster saves the new network configuration and reboots any nodes that have a
changed IP address.
Managing VLANs
Other than the special Management and Data networks, VLANs can be managed from the
command-line interface or from the Rubrik CDM web UI.
Adding VLANs from the command line

The Rubrik CLI provides tools to manage the creation of new VLANs for the cluster. Do not use the
tools in this section to create the special Management and Data VLANs.
ssh admin@<node_ip>
vlan_add
The vlan_add utility starts.
Rubrik CDM Version 5.0 User Guide Managing VLANs 93

VLAN Tagging
4. At VLAN ID, type a unique VLAN tag.

A valid VLAN tag is any integer from 2 to 4094. The tag must be unique within the network
trunk.
Many switches reserve VLAN 1 for the default native VLAN. To avoid conflicts with this setting,
select a VLAN tag other than VLAN 1.
5. At Netmask, type the subnet mask for the network identified by the VLAN tag.
6. At Starting IP address, type an IPv4 address.
This IP address becomes the first IP address in the range allowed by the subnet mask and
identified by the VLAN tag. IP addresses from the allowed range are assigned to the nodes
sequentially starting with this IP address.
The Rubrik cluster saves the new network configuration. The Rubrik cluster routes all packets that
are tagged with the specified VLAN tag through the associated IP addresses.
Adding VLANs from the Rubrik CDM web UI

The Rubrik Rubrik CDM web UI provides tools to manage the creation of new VLANs for the
cluster. Do not use the tools in this section to create the special Management and Data VLANs.
2. Click the gear icon on the top bar of the Rubrik CDM web UI.
3. Select Network Settings.
The Network Settings tab appears.
4. Click Interfaces.
The Interfaces tab appears.
5. Click Add VLAN.
The Add VLAN dialog box appears.
6. Enter the required information in the fields:
• VLAN ID
• VLAN Subnet Mask
• IP address of each node in the cluster
7. Click Add VLAN.
The Rubrik cluster saves the new network configuration. The Rubrik cluster routes all packets that
are tagged with the specified VLAN tag through the associated IP addresses.

VLAN Tagging
Viewing VLANs from the Rubrik CLI

Use the Rubrik CLI vlan_list utility to view the VLANs that have been configured on a Rubrik
cluster.
ssh admin@<node_ip>
vlan_list
The Rubrik CLI lists the VLAN tags that have been configured for the Rubrik cluster.
Viewing VLANs through the Rubrik CDM web UI

Use the Rubrik CDM web UI to view the VLANs that have been configured on a Rubrik cluster.
The lower pane of the Network Settings page lists the VLANs that have been configured on the
Rubrik cluster.
Removing a VLAN from the Rubrik CLI

Use the Rubrik CLI vlan_remove utility to remove a non-special VLAN that is no longer required.
Do not use this method to remove the VLAN assigned to the Management Network or to the Data
Network. Use the re_ip utility to make those changes.

VLAN Tagging
! IMPORTANT
Before removing a VLAN, verify that the Rubrik cluster can be accessed on a network other
than the one being removed. Failure to do ensure alternate connectivity can result in the
Rubrik cluster losing network access when the VLAN is removed.

ssh admin@<node_ip>
vlan_remove <VLAN-ID>
where <VLAN-ID> is the tag of the VLAN to remove.
The Rubrik cluster removes the specified VLAN. Network traffic with the specified VLAN tag is
routed through the native VLAN, if available. Otherwise, the traffic is not routed.
Removing a VLAN from the Rubrik CDM web UI

Use the Rubrik web to remove a non-special VLAN that is no longer required.
Do not use this method to remove the VLAN assigned to the Management Network or to the Data
Network. Use the re_ip utility to make those changes.
! IMPORTANT
Before removing a VLAN, verify that the Rubrik cluster can be accessed on a network other
than the one being removed. Failure to do ensure alternate connectivity can result in the
Rubrik cluster losing network access when the VLAN is removed.

The Network Settings tab appears.
4. Click Interfaces.
The Interfaces tab appears.

VLAN Tagging
5. Click Delete VLAN.

The Delete VLAN dialog box appears.
6. Select the VLAN to delete.
7. Click Delete VLAN.
The Rubrik cluster removes the specified VLAN. Network traffic with the specified VLAN tag is
routed through the native VLAN, if available. Otherwise, the traffic is not routed.

Chapter 3
User Accounts
This chapter describes how to add user accounts, assign privileges, set up multifactor
authentication, and generate API tokens for authentication.
 Overview ................................................................................................................. 99
 Local Authentication................................................................................................ 102
 LDAP authentication................................................................................................ 105
 Privileges for End User accounts .............................................................................. 114
 Multifactor authentication ........................................................................................ 120
 API tokens ............................................................................................................. 123
Rubrik CDM Version 5.0 User Guide User Accounts 98

User Accounts
Overview
The Rubrik cluster authenticates Rubrik cluster user accounts at login. Authentication verifies that
the user account is known to the Rubrik cluster and that the correct user account name and
password were provided. After authentication, the Rubrik cluster uses the role and privileges
assigned to the user account to determine what actions are permitted during the session.
Authentication
The Rubrik cluster provides two separate methods for authenticating Rubrik cluster user accounts:
local authentication and LDAP authentication.
For local authentication, the Rubrik cluster validates the username and password typed in the
login fields against values in a database on the Rubrik cluster. When the login information matches
a user account in the database, the Rubrik cluster creates a session and assigns the role and
privileges of the user account to the session.
For LDAP authentication, the Rubrik cluster determines whether to create a session by
authenticating the username and password typed in the login screen with an available LDAP
directory server.
 If a Domain or Domain Display Name is specified during login, the Rubrik cluster attempts to
authenticate the user account against the specified domain. If the Rubrik cluster does not
recognize the specified domain, or if the user’s credentials are not valid for that domain, the
login fails.
 If the Domain or Domain Display Name field on the login screen is left empty, the Rubrik
cluster searches the local directory until it finds the username. If no match is found in the local
directory, the Rubrik cluster searches all available LDAP domains. If a match is found, the
Rubrik cluster assigns the role and privileges of the user account to the session.
Table 12 describes the similarities and differences of the authentication methods.
Table 12 Comparison of Local and LDAP authentication (page 1 of 3)
Feature Local LDAP
Available roles • Administrator Same as for local user
• End User
• No Access

User Accounts

Feature Local LDAP
Local ‘admin’ account Yes No admin account is created for LDAP
created during The admin user account has the by the Rubrik cluster.
installation username ‘admin’ and the role of
Administrator. The admin user account
cannot be deleted or modified except to
change the password.
The password of the admin user
account in the Rubrik CDM web UI
matches the password of the admin
account in the Rubrik CLI.
Modified view for Rubrik cluster modifies the Rubrik CDM Same as for local user.
accounts with the web UI view to show only the resources
End User role applicable to the assigned privileges.
Show accounts with Yes No
the No Access role
Group authentication No Yes
Log in using credentials of a user
account that is a member of the group.
For the session, the Rubrik cluster
combines the privileges of the user
account with the privileges of all the
groups the user belongs to.
Delete account Yes No
Requires Administrator role. Once An Administrator can change the role of
deleted, the account is removed from an account to No Access to hide the
the list of users and groups account in the Rubrik CDM web UI, but
the account will not be deleted on the
LDAP server.
Create new account Yes No
Create new user account by adding: All group and user accounts must be
• username activated before they can be used to
• email address access the Rubrik cluster. From the UI,
search for a group account or user
• password account and change the role to activate
After creating a new user account, the the account.
account has the default role of No
Access.
Change account role Accounts with Administrator role can Same as for local user.
change the role of any other account,
except the local Admin User account.
If an account’s role is changed to End
User, at least one privilege must be
assigned.
Assign End User Requires Administrator role. Requires Administrator role.
privileges After creating an account, change the Change the group or user account role
account role to assign privileges. to assign privileges.

User Accounts

Feature Local LDAP
Modify End User Requires Administrator role. Same as for local user.
privileges
Modify account Requires Administrator role. No
information Permitted account changes: Account information is controlled through
• email address the LDAP directory.
• password
Roles
Each user account and group account has one of three roles associated with it: Administrator, End
User, or No Access. Each role corresponds to a set of privileges that are enabled for the duration of
a session on the Rubrik cluster.
The Rubrik cluster enables the following privileges for each role:
 Administrator role – Full access to all Rubrik operations on all objects.
 End User role – For assigned objects: browse snapshots, recover files and Live Mount.
 No Access role – Cannot log in to Rubrik UI and cannot make REST API calls.
Note: When a local user account is first created, it is automatically assigned the No Access role.
To activate an account and grant a set of privileges, an administrator must change the role to
either End User or Administrator. LDAP directory accounts must also be activated before they can
access the Rubrik cluster.
The resources in a Rubrik cluster can be partitioned into independently managed collections
known as Tenant Organizations. Users in tenant organizations have privilege levels that are
managed by users with the Organization admin role.
Multitenant Organizations describes how to configure tenant organizations.
Viewing the Users and Groups page

The Rubrik cluster provides authentication and authorization information for accounts on the Users
and Groups page.
1. Log in to the Rubrik CDM web UI as the admin user or a user with the Administrator role.
3. Click Users.

User Accounts
The Users and Groups page appears.

The Users and Groups tab lists the local user accounts and the LDAP user and group accounts
along with the following information:
 Directory (either local or the name of the LDAP directory) where user credentials are stored
 Username
 Email address
 Description
 Role assigned to each account
The Rubrik cluster displays local user accounts with the No Access role in the Rubrik CDM web UI.
However, the Rubrik cluster does not display LDAP user accounts with the No Access role.
Local Authentication
Local authentication uses information stored in a database on the Rubrik cluster to authenticate a
login.
Adding a local user account

Create a new local user account on the Rubrik cluster.
3. Click Users.
The Users page appears.
4. Click Users and Groups > Add Local User.
The Add Local User dialog box appears.
5. In Username, type a user name for the new user account.
6. In Email Address, type a valid email address for the new user account.
The Rubrik cluster will send notification email and alert email to the email address.
7. In Password, type a password for the new user account.
8. In Re-enter Password, type the same password.
Rubrik CDM Version 5.0 User Guide Local Authentication 102

User Accounts
9. (Optional) Click Enable RSA SecurID to enable multifactor authentication using an RSA
SecurID server.
Note: An RSA SecurID server must be configured before it can be enabled. See Multifactor
authentication.
10.(If RSA SecurID is enabled) Select an RSA SecurID from the dropdown menu.
11.Click Add.
The Rubrik cluster adds the new local user account.
By default, the Rubrik cluster sets all new local user accounts to the No Access role. To permit the
account to access the Rubrik CDM web UI, change the assigned role to either Administrator or End
User, as described in Changing the role of a local user account.
Editing local user account information

Edit the email address and password for a local user account.
Before you begin — Create a local user account.
3. Click Users.
4. Select the Users and Groups tab.
5. Scroll the page or use the search field to locate a user account entry.
6. Open the ellipsis menu next to the user account entry and select Edit.
The Edit Local User dialog box appears.
7. (Optional) In Email Address, change the email address.
8. (Optional) In Update Password, type a new password.
9. (When password is changed) In Re-Enter Password, type the new password again.
10.(Optional) Change the setting for Enable RSA SecurID.
11.Click Update.
The Rubrik cluster stores the updated information and applies any change to the authorization
level of the account.

User Accounts
Changing the role of a local user account

Change the role that is assigned to a local user account.
Before you begin. Create a user account.
3. Click Users.
5. Use the search field to locate a user.
6. Open the ellipsis menu next to the user account entry.
7. Select Manage Authorization.
The Manage Role dialog box appears.
8. In Roles, select a role for the user account.
When the End User role is selected, the Assigned Objects section appears. Privileges for End
User accounts describes how to use this section to assign object privileges to a user account
that has the End User role.
9. Click Update.
The Rubrik cluster applies the role change to the user account.
Removing a local user account

Remove Rubrik cluster authorization for a local user account and delete the account from the
Rubrik CDM web UI.
3. Click Users.
5. Scroll the page or use the search field to locate a local user.

User Accounts
6. Open the ellipsis menu next to the local user account entry.
7. Select Delete.
The Delete User confirmation appears.
8. Click Delete.
The Rubrik cluster removes Rubrik cluster authorization for the selected user account and deletes
the account.
LDAP authentication
The Rubrik cluster uses LDAP to authenticate users who log in through the Rubrik CDM web UI
welcome screen. After a user is successfully authenticated, the Rubrik cluster controls
authorization through the user management system.
The Rubrik cluster connects to one or more LDAP servers through a service or bind account with
read access. This account permits the Rubrik cluster to search information about the user, such as
email address and group membership. To narrow the search to a specific location within the LDAP
directory tree, a Base DN can be provided. Search filters narrow the search even further by
identifying a specific group or users.
The Rubrik CDM web UI requests LDAP server information in three stages:
 Credentials - see Credentials for details.
 Servers, User & Group Settings - see Servers and User and Group settings for details.
 Multifactor Authentication - see Multifactor authentication for details on configuring an MFA
server before enabling a user for multifactor authentication.
Credentials
LDAP Credentials establish the starting point of an LDAP directory search for a user who is trying
to log in to the Rubrik cluster.
The Rubrik cluster uses the information shown in Table 13 in order to search for information about
an authenticated user in the LDAP directory structure and authenticate a user. Contact your LDAP
or Active Directory administrator for the actual values to use.
Table 13 LDAP credentials
Parameter Description
Domain or Name used by the Rubrik cluster when referring to this LDAP integration. Users can enter
Domain this name for the Domain when logging in on the welcome screen. Domain Display Name
Display can be an alias for the domain that is easier to remember than the full domain name.
Name This information is case insensitive.
Rubrik CDM Version 5.0 User Guide LDAP authentication 105

User Accounts
Table 13 LDAP credentials

Parameter Description
Base DN Indicates where to begin searching within the LDAP tree. If not specified, the Rubrik cluster
will begin searching at the root (defaultNamingContext).
Bind DN or User with read privileges that can be used to search the LDAP directory to obtain
Username information such as group membership.
Password Password for the account entered as the Bind DN or Username.
CA Certificate from the Certificate Authority (CA) that is used to validate the TLS certificate.
Certificates TLS validation is used when a TLS-capable LDAP server is explicitly chosen, or if the LDAP
server offers support for StartTLS.
The Rubrik cluster supports multiple LDAP domains; however, when a user provides a Domain or
Domain Display Name in the login screen, only that domain is searched for the user’s credentials.
The Rubrik cluster uses the LDAP information for authentication on the local Rubrik cluster only. To
enable LDAP authentication on another Rubrik cluster, log in to that Rubrik cluster and provide the
required information.
Logging in with an LDAP account describes how to log in to the Rubrik CDM web UI using an LDAP
account.
When an LDAP server cannot be reached, the Rubrik cluster rejects logins that authenticate
against that server. Until an LDAP server becomes available, the Users and Groups page will not
show authorization for any LDAP users or groups associated with that server.
Servers
The Rubrik cluster requires a list of one or more LDAP servers that it can search.
LDAP servers can be specified in two ways:
 Dynamic DNS name
 IP or hostname along with the associated port for each LDAP server
The Rubrik cluster first tries to connect to an LDAP server. If LDAP servers are not specified, or if
they are not responsive, the Rubrik cluster next tries to discover Global Catalog servers that
correspond to the dynamic DNS name by resolving DNS SRV records for _gc._tcp.<dynamic DNS
name>. If no Global Catalog servers are found, the Rubrik cluster tries to resolve DNS SRV records
for _ldap._tcp.<dynamic DNS name>.
If the discovered servers were active in port 686 (for LDAP) or port 3269 (for Global Catalog),
secure LDAP using TLS is automatically chosen. If the LDAP servers support StartTLS, then
StartTLS is automatically chosen.

User Accounts
Note: To force the Rubrik cluster to connect using only the dynamic DNS name, leave the server
field empty.
User and Group settings

User settings specify how Rubrik determines who is a user, and what attributes to use when
mapping users to the respective LDAP directory.
Table 14 shows the user settings that define the scope of the search for users in a particular LDAP
directory.
Table 14 User settings
Field Description Default
Search Filter Query that specifies which users to (&(objectCategory=person)(objectClass=user)(
retrieve from the LDAP directory. !(useraccountcontrol:1.2.840.113556.1.4.803:=
2)))
Username Attribute that identifies the user. This sAMAccountName
Attribute attribute is compared to the username
entered in the login screen. For example,
in Active Directory the attribute is
sAMAccountName. Specify anr to enable
Microsoft’s Ambiguous Name Resolution.
Group Indicates groups that the user belongs to. memberOf
Membership
Attribute
Group seettings specify how groups are queried and identified.

Table 15 shows the group settings that focus the search on a group within a particular LDAP
directory.
Table 15 Group settings
Field Description Default
Search Filter Query that specifies which groups to (&(objectCategory=group))
retrieve from the LDAP directory.
Group Determines which members belong to a member
Member given group. For example, in Active
Attribute Directory, the attribute is member.

User Accounts
Adding LDAP servers

Provide information about LDAP directory servers to a local Rubrik cluster so it can access the
LDAP directories in order to authenticate accounts.
Information is provided through the Rubrik CDM web UI in three stages:
 Credentials
 Servers, User and Group Settings
 Multifactor Authentication
Specifying credentials for an LDAP server

Before you begin. For each LDAP server domain, obtain the domain name along with the user
name and password of an account with read privileges for that domain.
3. Click Users.
4. Select the LDAP Servers tab.
The LDAP server page appears.
5. Click Add LDAP Server.
The Add LDAP Server dialog appears, with the Credentials step highlighted.
6. In Domain or Domain Display Name, type the domain name associated with the set of
LDAP users.
7. (Optional) In Base DN, specify a DN where the Rubrik cluster should begin searching from
within the LDAP directory tree structure.
If this field is left blank, the Rubrik cluster begins searching at the root of the directory tree.
8. In Bind DN or Username, enter the credentials for a user with read privileges.
9. In Password, type the password for the account entered in the previous step.
10.(If the LDAP server requires a certificate for secure connections) In CA Certificates, provide
the Certificate Authority certificate for TLS certificate validation.
11.Click Next.
The Servers, Users & Group Settings step is highlighted.

User Accounts
Specifying servers, user settings, and group settings

Once the Credentials page is filled in, specify one or more LDAP servers, and optionally, specify
user and group settings.
1. Click the Servers tab.
The Servers dialog opens.
2. (If using Dynamic DNS) In Dynamic DNS Name, enter the dynamic DNS name that publishes
the server.
3. (Optional) Add servers by providing the IP address or hostname and the port number for each
server.
4. (Optional) Select Use SSL connection if secure LDAP is used.
5. (Optional) Click the User Settings tab.
The User Settings dialog appears.
6. In the Search Filter field, enter a query that specifies which users to retrieve from the LDAP
directory.
7. In the Username Attribute field, enter the attribute that will be used when comparing to the
username entered in the login screen.
8. In the Group Membership Attribute field, enter the attribute that determines which groups
the user belongs to.
9. (Optional) Click the Group Settings tab.
10.In the Search Filter field, enter a query that specifies which groups to retrieve from the LDAP
directory.
11.In the Group Member Attribute field, enter the attribute used to determine which members
belong to a given group.
12.Click Next.
The Multifactor Authentication step is highlighted.
Enabling multifactor authentication

In the third step for adding an LDAP server, indicate whether multifactor authentication will be
used for the users in an LDAP directory.
1. (If at least one RSA SecurID server has been configured) Select the RSA SecurID server to use
for multifactor authentication.
See Configuring an RSA Authentication Manager connection and Configuring an RSA Cloud
Authentication Service connection for information on configuring an RSA SecurID server.

User Accounts
2. Click Add.
The LDAP server is added to the list of servers.
Viewing LDAP server information

Review the list of LDAP servers associated with a Rubrik cluster.
3. Click Users.
The LDAP Servers page appears and lists the domain display name of each authentication domain
and whether multifactor authentication is enabled or disabled for that domain.
Deleting an LDAP server

Delete an LDAP server from the list of servers the Rubrik cluster can use to authenticate users.
Once the LDAP server is deleted, users authenticated from that server will not be able to log in.
3. Click Users.
5. Open the ellipsis menu for a listed LDAP display name.
6. Select Delete.
A warning dialog box appears.
7. Click Delete.

User Accounts
User account and group account authorization

The Rubrik cluster uses LDAP server information to authenticate user account credentials at login.
After authentication, the Rubrik cluster uses the settings assigned to a user account or group
account and stored on the Rubrik cluster to determine which operations the user is authorized to
perform.
Note: When a user is added to a Rubrik cluster, the Rubrik cluster assigns the No Access role to
the account. Users with the No Access role cannot log in to the Rubrik cluster.
The Rubrik cluster does not display the accounts of LDAP users with the No Access role. Accounts
appear in the Rubrik CDM web UI when the account is activated on the Rubrik cluster by changing
the role to Administrator or End User. Activating a user account or group account describes how to
activate a user account or group account and assign a specific set of privileges.
Activating a user account or group account

Activate a user account or a group account on the local Rubrik cluster.
Activating a group account activates the individual accounts of all the group members and assigns
the group privileges to all members of a group.
Before you begin — Set up a local user account or add an LDAP user account as described in
Adding LDAP servers.
3. Click Users.
The Rubrik cluster hides user accounts that are not activated.
4. Click Grant Authorization.
The Grant Authorization dialog box appears.
5. In Directory, select a directory from the list.
6. In Search by Name, type the user name for a user account or the group name of a group
account.
The search field uses predictive search that begins displaying accounts when the first character
is typed. The search field matches the characters entered in the search field with all user
names and group names that contain the same sequence of characters.

User Accounts
Continue to type characters to narrow down the results until the user name or group name
appears.
7. Select the user account or group account entry.
8. Click Continue.
9. In Role, select a role.
Selecting the End User role displays the Assigned Objects section.
10.(End User role only) In the Assigned Objects field, assign access to at least one object.
The objects that are assigned to an End User account can be edited after the user is added,
but at least one object must be selected for the account to appear on the Manage Users page.
For information about assigning objects to an account with the End User role refer to:
• Assigning virtual machines, folders, and clusters to an End User account
• Assigning SQL Server databases to an End User account
• Assigning Linux and Unix hosts and host filesets to an End User account
11.(End User role only) (Optional) Click Allow overwrite of original.
This option allows the user account or group account to restore data to the original source
location for all assigned objects.
12.Click Assign.
The Rubrik cluster enables the user account or group account and displays the account on the
Manage Users page.
Changing the role of an LDAP account

Change the role that is assigned to an LDAP user account or group account.
The Rubrik CDM web UI only displays LDAP accounts that have the Administrator role or the End
User role. To change the role of an LDAP account that has the No Access role, use the procedure
described in Activating a user account or group account.
Before you begin — Create a user account.
3. Click Users.

User Accounts

4. Scroll the page or use the search field to locate a user.
5. Open the ellipsis menu next to the user account entry.
7. In Roles, select a role for the user account.
When the End User role is selected, the Assigned Objects section appears.
8. (End User role only) In the Assigned Objects field, assign access to at least one object.
The objects assigned to an End User account can be edited after the user is added, but at least
one object must be selected for the account to appear on the Manage Users page.
For information about assigning objects to an account with the End User role refer to:
• Assigning virtual machines, folders, and clusters to an End User account
• Assigning SQL Server databases to an End User account
• Assigning Linux and Unix hosts and host filesets to an End User account
9. (End User role only) (Optional) Click Allow overwrite of original.
10.Click Update.
The Rubrik cluster applies the role change to the user account.
Deactivating a user account or group account

Remove Rubrik cluster authorization for a user account or group account.
Removing a group account removes the group-level access of the users in the group but does not
change existing user account level access, if any.
3. Click Users.
4. Scroll the page or use the search field to locate a user account or group account

User Accounts
5. Open the ellipsis menu next to the user account or group account entry.
7. Select No Access.
8. Click Assign.
The Rubrik cluster removes Rubrik cluster authorization for the selected user account or group
account and hides the account.
Privileges for End User accounts

Accounts with the End User role can search and browse the backed up data from objects that are
assigned to them.
Any of the following types of objects in a Rubrik cluster can be assigned to an End User role:
 Virtual environment clusters
 Virtual environment folders
 Virtual machines
 SQL Server databases
 Linux and Unix hosts
 Linux and Unix filesets
 Windows hosts
 Windows filesets
 NAS hosts
 Managed volumes
Rubrik CDM Version 5.0 User Guide Privileges for End User accounts 114
User Accounts
Table 16 describes the privileges that can be granted to a user account with the End User role.
Table 16 End User role privileges
Privilege type Description
Download data from Data download only from assigned object types:
backups • vSphere virtual machines
• Hyper-V virtual machines
• AHV virtual machines
• Linux & Unix hosts
• Windows hosts
• NAS hosts
• SQL Server databases
• Managed volumes
Live Mount or Export Live Mount or Export a snapshot only from specified virtual machines and only
virtual machine snapshot to specified target locations.
Export data from backups Export data only from specified source objects.
Restore data over source Write data from backups to the source location, overwriting existing data, only
for assigned objects, and only when ‘Allow overwrite of original’ is enabled for
the user account or group account.
Select a user with the End User role by using one of the methods in this section, then assign
objects to that user.
Inheritance of privileges
Privileges for an object can be inherited from the privilege assigned for a parent object. Privileges
for an object can also be inherited through membership in an LDAP group.
A privileged object can contain other objects. For example, a virtual environment cluster contains
virtual machines. Assigning the privilege for an object also assigns privileges for all objects
contained within the assigned object.
A user that is a member of an LDAP group adds the group’s privileges to the privileges held by the
user individually. A user that does not have a particular object specifically assigned to that user
gains privileges on that object if the user is a member of an LDAP group to which that object is
assigned.
User Accounts
End User ability to overwrite original data during restores

User accounts and group accounts that have the End User role cannot restore data back to the
original source location. This default setting can be changed.
To allow an account with the End User role to restore data to the source location, enable the Allow
overwrite of original option for the user account or group account through the Manage Role dialog
box.
When enabled, the Allow overwrite of original option applies to all objects assigned to the account.
Assigning virtual machines, folders, and clusters to an End User account

Assign an End User account privileges for virtual machines, virtual environment folders, and virtual
environment clusters.
1. (Local account) Select a user account or group account.
Browse the account entries or use search to find and select an account entry.
2. (Local account) Open the ellipsis menu and click Manage Authorization.
3. (LDAP account) Click Grant Authorization and select the account.
4. In Roles, select End User.
The Assigned Objects section appears.
5. (Optional) Click Allow overwrite of original.
6. In the Assigned Objects section, click the pencil icon in the Virtual Machines field.
The Select Virtual Machines dialog box appears, with the All VMs tab selected.
7. (Optional) To view folders, click the Folders tab.
To move down the hierarchy of a folder, click the value in the Name column.
8. (Optional) To view clusters and hosts, click the Clusters/Hosts tab.
To move down the hierarchy of a cluster or host, click the value in the Name column.
9. Select an entry.
Select multiple entries to assign privileges for all selected entries to the account.
10.Click Continue.
The Select Live Mount and Export Locations dialog box appears.
11.In All vCenters, select a vCenter Server.
User Accounts
Select multiple vCenters to permit Live Mount and Export to all selected entries.
12.Click Continue.
The Manage Role dialog box displays.
13.Click Assign.
The Rubrik cluster stores the privileges for the selected account.
Assigning SQL Server databases to an End User account

Assign an End User account privileges for SQL Server hosts, SQL Server clusters, and SQL Server
databases.
1. (Local account) Select an user account or group account.
Browse the account entries. Or, use search to find and select an account entry.
6. In the Assigned Objects section, click the pencil icon in the SQL Server Databases field.
The Select SQL Databases pane displays, with the Hosts/Clusters tab selected.
To move down the hierarchy of a host or cluster, click the value in the Name column.
7. (Optional) To view all databases, select the All DBs tab.
8. Select an entry.
9. Click Continue.
The Select Export Locations dialog box appears.
10.(Optional) Select a Windows host or Windows cluster.
Select multiple hosts or clusters to permit the account to export to each selected location.
To prevent the account from exporting the selected SQL Server databases, do not select a host
or cluster.
User Accounts
To move down the hierarchy of a host or cluster, click the value in the Name column.
11.Click Continue.
12.Click Assign.
Assigning Linux and Unix hosts and host filesets to an End User account
Assign an End User account privileges for a Linux or Unix host and host filesets.
1. (Local account) Select a user account or group account.
Browse the account entries. Or, use search to find and select an account entry.
6. In the Assigned Objects section, click the pencil icon in the Linux & Unix Hosts field.
The Select Linux & Unix Hosts dialog box appears.
7. (Optional) To view the filesets assigned to a host, click the value in the Name column.
8. Select an entry.
9. Click Continue.
The Select Export Locations pane appears.
10.Select a host.
Select multiple hosts to permit the account to export to each selected host.
11.Click Continue.
12.Click Assign.
User Accounts
Assigning Windows hosts and host filesets to an End User account

Assign an End User account privileges for Windows hosts and for Windows host filesets.
6. In the Assigned Objects section, click the pencil icon in the Windows Hosts field.
The Select Windows Hosts dialog box appears.
7. (Optional) To view the filesets assigned to a Windows host, click the value in the Name
column.
8. Select an entry.
9. Click Continue.
10.Select a Windows host.
Select multiple Windows hosts to permit the account to export to each selected host.
11.Click Continue.
12.Click Assign.
User Accounts
Assigning NAS hosts to an End User account

Assign an End User account privileges for NAS hosts.
6. In the Assigned Objects section, click the pencil icon in the NAS Hosts field.
The Select NAS Hosts dialog box appears.
7. In the All NAS Hosts section, select a NAS host.
8. Click Continue.
9. Select a NAS host.
Select multiple hosts to permit the account to export to each selected host.
10.Click Continue.
11.Click Assign.
Multifactor authentication
Multifactor authentication (MFA) adds one or more factors to the basic authentication process,
which prevents unauthorized users from accessing the Rubrik cluster.
Note: When multifactor authentication is required for a user, the Rubrik user’s username must
match the username stored in the MFA server.
Rubrik CDM Version 5.0 User Guide Multifactor authentication 120

User Accounts
If a user account is associated with an MFA server, that user will see an additional login screen
after signing in with username and password. Another authentication factor will be required, such
as a passcode, a PIN, or biometric data. The type of authentication factor, and the number of
factors required to authenticate to the Rubrik cluster, are determined by the configuration of the
MFA server.
If a user is enabled for multifactor authentication, and that user accesses Rubrik REST APIs from a
script, an API token must be generated from the Rubrik CDM web UI and inserted in the script.
See Generating an API token for instructions.
Multifactor authentication with RSA SecurID

The Rubrik cluster can integrate with two types of RSA SecurID integration servers by using REST
API calls: RSA Authentication Manager (on-premise) and RSA Authentication Server (cloud).
When the RSA Authentication Manager is enabled, it generates an Access Key and an Access ID.
The Rubrik cluster acts as an Authentication Agent, and requires the Access Key in order to
securely pass authentication requests to and from the RSA Authentication Manager. If the
Hash-based Message Authentication Code (HMAC) mode is used, the Rubrik cluster also requires
the Access ID.
Note: The Access Key is confidential. Copy this value to a secure location, and use it to configure
the RSA SecurID server from the Rubrik CDM web UI.
Configuring an RSA Authentication Manager connection

Set up an RSA Authentication Manager connection to provide an additional authentication
requirement when users log in to a Rubrik cluster.
3. Click Users.
4. Click the RSA SecurID tab.
The list of RSA SecurID servers appears.
5. Click Add RSA SecurID.
The Add RSA SecurID dialog appears.
6. In the Name field, enter a name to identify your RSA Authentication Manager.

User Accounts
7. In the Base URL field, enter your RSA Authentication Manager server’s REST API base URL.
8. In the RSA SecurID API Key field, enter the API Access Key that was generated when you
enabled RSA SecurID.
9. In the Client ID field, enter the host name or IP address of the Rubrik cluster, which acts as
the Authentication Agent.
10.(Optional) Enter the name of the assurance policy in the Assurance Policy Name field.
11.(If using HMAC mode) In the REST API Access ID field, enter the RSA Authentication
Manager server’s access ID that was generated when you enabled RSA SecurID.
12.(Optional) Download the RSA Authentication Manager server’s certificate and save it as a PEM
file. Copy its contents and paste into the CA Certificates window.
13.Click Add.
Once the RSA server is configured, verify that authentication is working by adding a test account.
Configuring an RSA Cloud Authentication Service connection

Set up an RSA Cloud Authentication service connection to provide an additional authentication
requirement when users log in to a Rubrik cluster.
3. Click Users.
4. Click the RSA SecurID tab.
The list of RSA SecurID servers appears.
5. Click Add RSA SecurID.
The Add RSA SecurID dialog appears.
6. In the Name field, enter a name to identify your RSA Cloud Authentication Service settings.
7. In the Base URL field, enter your RSA Cloud Authentication Service’s REST API base URL.
8. In the RSA SecurID API Key field, enter the API Access Key that was generated when you
enabled RSA SecurID.
9. In the Client ID field, enter the host name or IP address of the Rubrik cluster, which acts as
the Authentication Agent.

User Accounts
10.(If you have an assurance policy) Enter the name of the assurance policy in the Assurance
Policy Name field.
11.(Optional) Download the RSA Authentication Manager server’s certificate and save it as a PEM
file. Copy its contents and paste into the CA Certificates window.
12.Click Add.
Once the RSA server is configured, verify that authentication is working by adding a test account.
API tokens
API tokens are used in scripts to provide secure authentication, rather than hard-coding
credentials directly in the script and exposing them as clear text.
Tokens are generated directly from the Rubrik CDM web UI. When a token is generated, the user
can specify how long the token is valid, and supply a tag that can be used to identify its purpose.
For example, if a different token is generated for each script a user plans to run, the tag can
indicate the name of the script associated with that token.
If a token is accidentally exposed, the user who generated it can delete it from the Rubrik CDM
web UI, then generate a new token.
Note: Users cannot delete tokens generated by other users.
API Tokens have the same privileges as the user who generates them. For example, if a user with
the Administrator role generates an API token, that token has Administrator privileges.
Note that API tokens may not be used for the following purposes:
 Updating or deleting any MFA servers
 Creating new sessions or generating additional API tokens
 Creating new user accounts or updating user account information
 Updating user preferences
 Creating, updating, or deleting LDAP services
Generating an API token

Generate an API token for use in REST API scripts that run on the Rubrik cluster.
2. Click the user icon on the top bar of the Rubrik CDM web UI and select API Token Manager.
The API Token Manager dialog appears.
Rubrik CDM Version 5.0 User Guide API tokens 123

User Accounts
3. Click the plus icon at the top right of the dialog.

The Generate API Token dialog appears.
4. In the Duration field, enter the number of days the token will be valid.
The default is 30 days.
5. In the Tag field, enter a name to distinguish this token from other tokens.
If no tag name is entered, the tag name will appear as API Token in the list of tokens.
6. Click Generate.
The Copy API Token dialog appears.
7. Click Copy and store the API token for future use.
The display shows a list of API token IDs (not the tokens themselves) along with their tag
names, expiration dates, and last activity.
Deleting an API token

Sometimes an API token must be deleted before it expires; for example, if the token is accidentally
exposed or shared with non-authorized users. In this situation, the compromised token can be
deleted and a new token can be generated.
! IMPORTANT
Use caution when deleting an API token. Once the token is deleted, all REST API calls that
use that token will fail.
Delete an API token so that it cannot be used in REST API calls to the Rubrik cluster.
2. Click the user icon on the top bar of the Rubrik CDM web UI and select API Token Manager.
The API Token Manager dialog appears.
3. Open the ellipsis menu next to the API token to be deleted and select Delete.
The Delete API Token dialog appears with a warning message about the consequences of
deleting the token.
4. Click Delete.
The API token is removed from the list of API tokens
Rubrik CDM Version 5.0 User Guide API tokens 124

Chapter 4
Multitenant Organizations
This chapter discusses the management of tenant organizations in the following sections:
 Overview ............................................................................................................... 126
 Create a new tenant organization ............................................................................ 129
 Modifying an existing tenant organization ................................................................. 135
 Deleting a tenant organization ................................................................................. 136
Rubrik CDM Version 5.0 User Guide Multitenant Organizations 125

Overview
The multitenancy extension of the RBAC scheme enables a central organization to delegate
administrative capabilities to multiple tenant organizations.
Each tenant organization in a multitenant RBAC cluster has a subset of administrative privileges
defined by the global organization. The subset of administrative privileges also specifies the
cluster resources available to the tenant organization. The administrators of the tenant
organization can exercise these administrative privileges independently of each other and of the
cluster administrators.
Organizations must be set up by users with the Rubrik Administrator role. However, no additional
external privileges, such as specific Active Directory or Windows Domain permissions, are
required. See User Accounts for full details on RBAC administration and privilege levels.
A Rubrik cluster can have one central organization and any number of tenant organizations. An
organization is a collection of the following elements:
 Protected objects
 Replication and archival targets
 SLA Domains
 Local users
 Active Directory users and groups
 Service credentials
 Reports
A central organization is administered by a user with the Administrator role. The Administrator role
has access to all cluster resources and grants privileges to other users, including tenant
organization administrators.
Tenant organization administrators can create new local users in the tenant organization and
assign the End-user or No Access roles to those users.
Tenant organizations and reports

Tenant organizations have access to the default reports provided by the Rubrik Envision feature.
The report information is restricted to the resources assigned to the tenant organization.
When the user of a tenant organization creates a new custom report, that custom report is only
visible to other users or Active Directory (AD) groups in the tenant organization.
Reports provides detailed information about Rubrik Envision.

Tenant organizations and SLA Domains

SLA Domains that are created outside of a tenant organization and assigned to that organization
cannot be altered by the users or AD groups of the tenant organization. SLA Domains that are
created by the users or AD groups in a tenant organization can be used outside the tenant
organization, but cannot be modified by users that are not members of the organization. Tenant
organization administrators can delete SLA Domains that were created by the users or AD groups
that belong to the organization. An SLA Domain that is assigned to any protectable object on the
cluster cannot be deleted.
Tenant organizations and Active Directory domains

A user with Administrator privileges over the Rubrik cluster can add users or AD groups to a tenant
organization. A tenant administrator can view the list of AD domains of the users or groups in the
tenant organization and manage privileges for those users.
Tenant organizations and users

A tenant administrator can manage privileges for existing cluster users that are assigned to the
organization by the cluster administrator, but cannot otherwise modify those users. A tenant
administrator with the privileges to manage users can create new local users within the tenant
organization and manage them. Tenant administrators cannot add existing cluster users, AD users,
or AD groups to tenant organizations.
Users with the end user role in an organization receive notifications about system activity on
objects assigned to those users. Tenant administrators receive notifications about system activity
that affects all of the objects in the tenant organization.
Multitenancy and Rubrik Envoy

Rubrik provides Rubrik Envoy to protect and maintain tenant virtual machines in secure and
isolated networks. Rubrik Envoy acts as a trusted managed service provider representing Rubrik
cluster in the tenant network.
Deploy Rubrik Envoy as a virtual appliance in a tenant network. Rubrik Envoy acts as a proxy
between the tenant network and the service provider network. After deployment, Rubrik Envoy
provides secure managed access between the tenant network and the network used by the Rubrik
cluster.
Rubrik Envoy allows service providers to offer backup-as-a-service (BaaS) in a multitenant
environment.
Rubrik Envoy supports protection of VMware virtual machines and filesets.

Table 17 describes the features offered by Rubrik Envoy.

Table 17 Rubrik Envoy features
Feature Description
Proxy service • Rubrik Envoy acts as a proxy between the tenant network and the service
provider network.
• Rubrik Envoy works with the tenant virtual machines for application
quiescence.
• Rubrik Envoy orchestrates file restores between the tenant network and the
managed service provider network.
Secure managed access • Tenants can only access Rubrik CDM web UI via Rubrik Envoy.
• Tenants can only see and access objects that belongs to their organization
only.
Self-service recovery • Tenant admistrators can manage recovery through the self-service Rubrik
CDM web UI.
Rubrik Envoy Configuration Workflow

The following summarizes the deployment process of Rubrik Envoy:
 The global administrator downloads the Rubrik Envoy virtual machine OVA package and
creates a Rubrik Envoy virtual machine.
 Rubrik pre-installs the Rubrik Envoy agent on the Rubrik Envoy virtual machine.
 Rubrik cluster generates the certificate for Rubrik Envoy.
The Envoy agents for each organization within the Rubrik cluster share the same public-private
key pair.
 Rubrik administrator adds the Rubrik Envoy virtual machines to the Rubrik cluster.
Rubrik cluster identifies the Rubrik Envoy agents by the installed certificate on the agent.
 Rubrik cluster generates a separate public certificate of the Envoy virtual machine for Linux and
Windows agents.
 Tenants access Rubrik CDM web UI via Rubrik Envoy virtual machine.
 Tenants download the agent from the Rubrik CDM web UI.
 Rubrik acts as the agent server and sends request to the Rubrik Envoy agent.
The request contains details of the actual virtual machine.

Create a new tenant organization

Create a new tenant organization by providing the Rubrik cluster with a name for the organization,
adding users, and assigning objects to be protected.
Only users with the Administrator role can create tenant organizations. For details on managing
user roles, see User Accounts.
Note: Users that are part of tenant organizations can have different levels of cluster and
organization privileges. Users with the “No Access” role at both cluster and organization levels are
unable to log in to the Rubrik cluster. A user with the “No Access” cluster role that is part of a
tenant organization must have the “End User” role or higher within that organization to
successfully log in to the Rubrik cluster.
Naming the organization and adding users or AD groups

The first steps in defining a tenant organization are assigning a name and adding users or AD
groups.
1. Log in to the Rubrik CDM web UI as a user with Administrator privileges.
3. Click Organizations.
The Organizations page appears.
4. Click Create Organization.
The Create Organization wizard appears.
5. Enter the name for the organization in the Organization Name field.
6. Click Next.
7. Select a domain from the Domain drop-down.
Valid domains are ‘local,’ for user accounts on the cluster, or any AD domains connected to the
cluster. An organization can contain users or AD groups from any number of separate domains.
8. Enter a search string in the Search by Name field to display a list of users and AD groups that
match the string.
9. Click Add for a user or AD group in the list to add that user or AD group to the organization.
10.(Optional) Select Organization Admin to grant a user or AD group the Organization Admin
privilege level.
Rubrik CDM Version 5.0 User Guide Create a new tenant organization 129
11.(Optional) Clear Create/Edit SLA to prevent a user or AD group with the Organization Admin
privilege level from creating or modifying an SLA Domain.
12.(Optional) Clear Manage Hosts to prevent a user or AD group with the Organization Admin
privilege level from managing hosts in the tenant organization.
13.(Optional) Clear Manage Users to prevent a user or AD group with the Organization Admin
privilege level from managing users and AD groups in the tenant organization.
14.Click Next.
The Protectable Objects section of the wizard appears, as shown in Figure 1.
Figure 1 Create Organization wizard - Protectable Objects section
Next task — Use the procedure in Protecting objects in an organization to continue creating the
organization.
Protecting objects in an organization

Specify the organization objects to protect.
Before you begin. Complete the steps in Naming the organization and adding users or AD groups.
5. On the Create Organization wizard, in the Protectable Objects section an object tab and select
the appropriate tab to add an object to the tenant organization.
To filter the lists on the tabs, enter a string in the “Search by Name” field.
6. Select the objects to include in the tenant organization from the list.
The number of selected objects next to the listed object type updates automatically.
7. Click Next.
The Other Resources section of the wizard displays.
Next task — Use the procedure in Assigning protection resources to a tenant organization to
continue creating the organization.
Assigning protection resources to a tenant organization

Finalize the creation of a tenant organization by assigning resources that can be used to provide
data management and protection.
Before you begin — Complete the procedures in Naming the organization and adding users or AD
groups and Protecting objects in an organization.

5. Open the Create Organization wizard at the Other Resources section.
6. (Optional) Click SLA Domains.
A list of available SLA Domains appears.
7. (Optional) Select the SLA Domains to assign to the tenant organization.
8. (Optional) Click Archival Locations.
A list of available archival locations appears.
9. (Optional) Select the archival locations to assign to the tenant organization.
10.(Optional) Click Replication Targets.
A list of available replication targets appears.
11.(Optional) Select the replication targets to assign to the tenant organization.
12.Click Next.
The Envoy section of the wizard displays.
Next task — Use the procedure in Configuring Rubrik Envoy to continue creating the organization.
Configuring Rubrik Envoy

Install, deploy, and configure the network of the Rubrik Envoy virtual appliance before connecting
it to the Rubrik cluster.
5. Open the Create Organization wizard at the Envoy section.
6. Click on OVA package for Rubrik Envoy.
7. Download the file to your computer.
The browser downloads the OVA package to the selected location.
8. On the vSphere Web Client, right-click on the host and click Deploy OVF Template to install
the OVA disk image.
9. Select the downloaded OVA file as the template, and click Continue.
The virtual machine configuration page appears.
10.Type a name for the virtual machine and click Save.
Rubrik cluster saves the settings of the virtual machine.
Refer to VMware documentation for information on how to configure a virtual appliance.
11.On the Rubrik Envoy virtual appliance, connect one network interface card (NIC) to the service
provider network and the other to the tenant network.
12.Click Finish.
The virtual appliance is deployed to the vSphere environment.
13.Log in to the Rubrik Envoy virtual machine with the username and password generated when
the OVA is being deployed to the specific Rubrik cluster.
You can find the username and password by clicking the information icon on the Rubrik CDM
web UI Envoy configuration page.
14.Open a terminal session on the host.
15.Use the sudoedit command to change the network configuration.
sudoedit /etc/network/interfaces
There can be different ways to set up the network interfaces, such as using static network
settings for both interfaces or using static network settings on one interface and dynamic
settings on the other interface. Sample configuration settings can be found in the text file
included with the OVA package. Such samples are for reference only and are not exhaustive.
16.Use the ifdown and ifup commands to restart the eth0 and eth1 interfaces.
sudo ifdown eth0
sudo ifdown eth1
sudo ifup eth0
sudo ifup eth1
17.Use the ifconfig command to check the network configuration.
ifconfig
18.Make note of the IP addresses of the eth0 and eth1 interfaces.
The Rubrik Envoy agents run on the Rubrik Envoy virtual appliance.
Next task — Use the procedure in Connecting Rubrik Envoy to finish creating the organization.
Connecting Rubrik Envoy

Connect the Rubrik Envoy virtual appliance to the Rubrik cluster.
Before you begin — Complete the procedures in Naming the organization and adding users or AD
groups, Protecting objects in an organization, Assigning protection resources to a tenant
organization, and Configuring Rubrik Envoy.
5. Open the Create Organization wizard at the Envoy section.
6. Select Connect to Rubrik Envoy.
The IP Address or Hostname and Port Number becomes available.
7. Type the IP address or hostname of the Envoy agent on the Rubrik cluster network.
This IP address is the IP address of the interface connected to the service provider network.
A list of available archival locations appears.
8. Type the port number of the port of which Rubrik Envoy accepts connections from the Rubrik
agents that can access the Rubrik CDM web UI.
9. Click Finish.
Rubrik cluster sends a request to the Rubrik Envoy virtual machine to create a NAT rule on the
virtual machine to forward requests from the tenant virtual machines to the Rubrik CDM web
UI. The NAT rule stores the Envoy IP address and port that are used for tenant virtual
machines to access the Rubrik CDM web UI.
Rubrik cluster connects the organization to Rubrik Envoy.
Modifying an existing tenant organization

Modify the properties of a tenant organization.
1. Log in to the Rubrik CDM web UI as a user with the Administrator privilege level.
4. Select the ellipsis menu next to the organization to edit.
The ellipsis menu opens.
5. Select Edit from the ellipsis menu.
The Edit Organization page appears with the Organization Name section selected.
6. (Optional) Change the organization name by typing a new name in the Organization Name
field.
7. (Optional) Click Users at the top of the Edit Organization page to manage users or AD groups
in the organization.
Users or AD groups with the Organization Admin role and the Manage Users permission can
create local users and change privilege levels for users and AD groups.
8. (Optional) Edit users or AD groups.
Naming the organization and adding users or AD groups describes user and AD group
information.
9. (Optional) Click Protectable Objects at the top of the “Edit Organization” page to manage
the protectable objects assigned to the tenant organization.
Users or AD groups with the Organization Admin role can change which objects are assigned to
a tenant organization.
10.(Optional) Edit the protectable objects.
Protecting objects in an organization provides information about the protectable objects that
are assigned to a tenant organization.
11.(Optional) Click Other Resources at the top of the “Edit Organization” page to manage SLA
Domains, archival locations, or replication targets assigned to the tenant organization.
Users with the Organization Admin role and the Create/Edit SLA permission cannot modify SLA
Domains that are assigned to a tenant organization by users with the Global Admin role.
Rubrik CDM Version 5.0 User Guide Modifying an existing tenant organization 135
12.(Optional) Follow the steps in Assigning protection resources to a tenant organization to edit
the resources that are assigned to a tenant organization.
13.(Optional) Click Envoy at the top of the “Edit Organization” page to edit the IP address and
port assigned to the tenant organization.
This IP address is the IP address of the interface connected to the service provider network.
14.Click Finish.
The Rubrik cluster modifies the tenant organization.
Deleting a tenant organization

Remove a tenant organization from the Rubrik cluster.
4. Select the ellipsis menu next to the organization to delete.
The ellipsis menu opens.
5. Select Delete from the ellipsis menu.
A confirmation dialog appears.
6. Click Delete.
The Rubrik cluster deletes the organization definition.
Effects of deleting a tenant organization

Deleting a tenant organization from a Rubrik cluster has the following effects on the data objects
that comprise the organization:
 Users and AD groups in the organization have their privilege level set to “No Access”.
 SLA Domains created within the tenant organization persist.
 All other protectable elements remain unmodified.
 When Rubrik Envoy is configured, the Envoy virtual machine persists and stores the metadata
for the deleted tenant organization.
Rubrik CDM Version 5.0 User Guide Deleting a tenant organization 136
Chapter 5
Protection Policies
This chapter describes the SLA Domain feature and the available protection policies.
 SLA Domain overview ............................................................................................. 138
 Default SLA Domains .............................................................................................. 139
 Custom SLA Domains .............................................................................................. 140
 Snapshot window ................................................................................................... 146
 First full backup ...................................................................................................... 147
 SLA Domain changes .............................................................................................. 149
 Delete an SLA Domain ............................................................................................ 153
 Local SLA Domain management............................................................................... 154
 Local SLA Domain page........................................................................................... 155
Rubrik CDM Version 5.0 User Guide Protection Policies 137

Protection Policies
SLA Domain overview

Protecting data that exists in production environments is an ongoing challenge for most
organizations. The ease of deploying new virtual machines, applications, and hosts increases the
burden of correctly configuring and applying enterprise policies for back up, replication, and
archiving of data. Legacy tools that are not optimized for virtual environments further increase the
cost, complexity, and risk associated with these policies.
Service Level Agreements (SLAs) through the Rubrik SLA Domain feature addresses these
challenges by unifying data protection policies under a single policy engine. The SLA Domain
feature provides a configurable set of policies that can be applied to groups of virtual machines,
applications, and hosts to achieve specific data protection objectives.
The SLA Domains feature represents an easy-to-configure container for data protection policies.
Table 18 provides an overview of those policies.
Table 18 Data protection policies available through the SLA Domain feature
Policy Description
Snapshot and backup Directs the Rubrik cluster when to create point-in-time snapshots and backups
frequency and retention of data sources and how long to keep the data.
Replication Directs the Rubrik cluster to send replicas of source snapshots and backups to
a target Rubrik cluster and defines the maximum time to keep the replica.
Archiving Directs the Rubrik cluster to move snapshot and backup data to a separate
data storage system for long-term retention.
The SLA Domains feature simplifies data protection. Rubrik provides Gold, Silver, and Bronze
default SLA Domains that are ready for immediate use.
For example, an enterprise can choose to protect mission-critical databases with the data backup,
retention, replication, and archival policies specified in the Gold SLA Domain and protect web
servers through the policies defined in the Bronze SLA Domain.
Custom SLA Domains can be quickly and easily created. Create custom SLA Domains to apply to
groups of data sources. Use the custom SLA Domains to meet the data protection and retention
requirements of different groups of virtual machines, applications, and file system hosts.
Rubrik CDM Version 5.0 User Guide SLA Domain overview 138
Protection Policies
For each protected data source, SLA Domain policies generally result in the protection objects that
are described in Table 19.
Table 19 Data protection objects created by SLA Domain policies
Object Description
Snapshot An application consistent, point-in-time backup of a data source.
Replica Copy of a snapshot that resides on a remote Rubrik cluster that is designated as the
replication target.
Archival snapshot Copy of a snapshot that resides on a secondary storage host.
Default SLA Domains

Rubrik CDM has three default local SLA Domains.
 Gold
 Silver
 Bronze
These policies have the archival policy and the replication policy disabled, do not have a Snapshot
Window, and do not set a Take First Full Snapshot time.
The additional default SLA rules assigned to these SLA Domains are described in Table 20.
Table 20 SLA rules for the default SLA Domains
Name Hourly Daily Monthly Yearly
Gold Create snapshot Pick the last Pick last successful Pick last successful
every 4 hours successful snapshot snapshot every month snapshot every year
Retain for 3 days every day and retain it and retain it for 1 year and retain it for 2
for 32 days years
Silver Create snapshot Pick the last Pick last successful Pick last successful
every 12 hours successful snapshot snapshot every month snapshot every year
Retain for 3 days every day and retain it and retain it for 1 year and retain it for 2
for 32 days years
Bronze None Create snapshot Pick last successful Pick last successful
every day and retain it snapshot every month snapshot every year
for 32 days and retain it for 1 year and retain it for 2
years
Rubrik CDM Version 5.0 User Guide Default SLA Domains 139
Protection Policies
Custom SLA Domains

Custom SLA Domains provide the ability to create sets of data protection policies that meet the
requirements of various groups of data sources in an enterprise.
The SLA rules shown in this example specify the following policies:
• Hourly Rule – Create a snapshot every 4 hours and retain it for 3 days.
Based on this rule, the Rubrik cluster creates and retains at least 18 snapshots in the system.
Up to 24 snapshots may be retained in the system to account for daily expiration boundaries.
• Daily Rule – Pick the last successful snapshot created during a day and retain it for seven
days.
For this rule, the Rubrik cluster creates six snapshots every day and retains the last successful
snapshot created during a day for seven days.
• Monthly Rule – Pick the last successful snapshot created during a month and retain it for a
year.
For this rule, the Rubrik cluster retains the last successful snapshot created during the month
for a year.
• Yearly Rule – Pick the last successful snapshot created during a year and retain it for 2 years.
For this rule, the Rubrik cluster retains the last successful snapshot created during the year for
two years.
Service Level Agreement

The Service Level Agreement section defines the frequency with which snapshots are created and
how long snapshots are retained.
The Rubrik cluster creates snapshots to satisfy the smallest frequency that is specified by the SLA
rules of the SLA Domain.
For example, when the Hourly rule specifies the smallest frequency, the Rubrik cluster creates
snapshots based on the settings of the Hourly rule. However, when the Daily rule specifies the
smallest frequency, the Rubrik cluster creates snapshots based on the settings of the Daily rule.
The Rubrik cluster uses each rule that specifies a frequency that is larger than the smallest to
determine snapshot expiration.
Rubrik CDM Version 5.0 User Guide Custom SLA Domains 140
Protection Policies
Table 21 describes the frequency and retention rule types available in the Service Level Agreement
section.
Table 21 Rule types in the Service Level Agreement sectiona
Rule type Frequency Retention
Hourly Every n0 hours For n1 days
Daily Every n2 days For n3 days
Monthly Every n4 months For n5 years
Yearly Every n6 years For n7 years
a. The variables n0-n7 represent a user assigned number that defines a period in the associated units.
Table 22 describes the frequency and retention rule types available in the advanced Service Level
Agreement section.
Table 22 Rule types in the advanced Service Level Agreement sectiona
Rule type Frequency Retention
Hourly Every n0 hours For n1 days or n2 weeks
Daily Every n3 days For n4 days or n5 weeks
Weekly Every n6 weeks For n7 weeks
(On specified day of week)
Monthly Every n8 months For n9 months, n10 quarters, or n11 years
(On the first, 15th. or last day of the month)
Quarterly Every n12 quarters For n13 quarters or n14 years
Begin Quarter in (specify month)
(On the first or last day of the quarter)
Yearly Every n15 years For n16 years
Begin Year (specify month)
(On the first or last day of the year)
a. The variables n0-n16 represent a user assigned number that defines a period in the associated units.
For each rule type, the rule that initiates the creation of the retained snapshot is the rule type that
specifies the smallest frequency, such as the hourly rule. This occurs when a snapshot that is
initiated by another rule is the last successful snapshot for the defined period.
Each of the rule types described in Table 21 is referred to as an SLA Rule. Any snapshot created
based on an SLA Rule is referred to as a policy driven snapshot.
Protection Policies
Base Frequency
The Base Frequency of an SLA Domain is the frequency at which snapshots must be created to
comply with all of the rules specified for the SLA Domain.
In general:
 The Base Frequency normally corresponds to the frequency specified by the Hourly Rule.
 When there is no Hourly Rule, the Base Frequency normally corresponds to the frequency
specified in the Daily Rule.
 When both the Hourly Rule and the Daily Rule are not defined, the Base Frequency
corresponds to the frequency specified in the Monthly Rule.
 When the Yearly Rule is the only rule defined, the base frequency corresponds to the frequency
specified in that rule.
Local retention period

The Rubrik cluster retains a snapshot or backup locally for the period specified by the SLA Domain.
By default, the period is the time specified by each rule.
For an SLA Domain, the maximum retention period is the longest period that is specified by any of
the rules. By default, a Rubrik CDM device retains data locally, on the device, up to the maximum
retention period. For a Rubrik CDM device with reduced storage capacity, such as a Rubrik Edge,
retaining data up to the maximum retention period can result in rapidly filling up storage capacity.
After setting an archival policy, a replication policy, or both, the local retention period can be
shortened from the default maximum retention period. Shortening the local retention period can
be used to reduce the storage requirements of the Rubrik CDM device.
On Rubrik Edge, for example, snapshots and backups could be retained for only a few days locally
and retained for a much longer period on a physical Rubrik cluster that is configured as the
replication target.
SLA Domain name

An SLA Domain name must meet the following requirements:
 Is unique in the local Rubrik cluster namespace
 Consists of any combination of the following characters: alphanumeric, blank space, hyphen,
and underscore
 Contains at least one character
Protection Policies
Creating a custom SLA Domain

Create a custom SLA Domain with policies that meet specific SLA requirements.
2. On the left-side menu, select SLA Domains > Local Domains.
The Local SLA Domains page appears.
The first page of the Create SLA Domain dialog box appears.
4. In SLA Domain Name, type a name for the new SLA Domain.
The name must comply with the requirements described in SLA Domain name.
5. (Optional) Create an Hourly Rule by completing both of the following:
Simplified method:
• In Take Snapshots: Every (Hours), type an interval, in hours, for creating Hourly Rule
snapshots
• In Keep Snapshots: For (Days), type an interval, in days, to retain Hourly Rule
snapshots
Advanced method:
• In Take Snapshots: Every (Hours), type an interval, in hours, for creating Hourly Rule
snapshots
• In Keep Snapshots: For (Days) or (Weeks), type an interval, in days or weeks, to
retain Hourly Rule snapshots
6. (Optional) Create a Daily Rule by completing both of the following:
Simplified method:
• In Take Snapshots: Every (Days), type an interval, in days, for creating Daily Rule
snapshots
• In Keep Snapshots: For (Days), type an interval, in days, to retain Daily Rule snapshots
Advanced method:
• In Take Snapshots: Every (Days), type an interval, in days, for creating Daily Rule
snapshots
• In Keep Snapshots: For (Days) or (Weeks), type an interval, in days or weeks, to
retain Daily Rule snapshots
Protection Policies
7. (Optional) Create a Weekly Rule by completing both of the following:

Advanced method:
• In Take Snapshots: Every (Weeks), type an interval, in months, for creating Weekly
Rule snapshots
• In On: (Day of Week), specify the day of the week to create the snapshot
• In the upper Keep Snapshots: For (Weeks) field, type an interval, in years, to retain
Weekly Rule snapshots
8. (Optional) Create a Monthly Rule by completing both of the following:
Simplified method:
• In Take Snapshots: Every (Months), type an interval, in months, for creating Monthly
Rule snapshots
• In the upper Keep Snapshots: For (Years) field, type an interval, in years, to retain
Monthly Rule snapshots
Advanced method:
• In Take Snapshots: Every (Months), type an interval, in months, for creating Monthly
Rule snapshots
• In On: (Day of Month), specify the first, 15th or last day of the month to create the
Monthly Rule snapshot
• In Begin Quarter in: (Month) specify the month that indicates the start of the first
quarter for the Monthly Rule snapshot
• In the upper Keep Snapshots: For (Months) (Quarters) or (Years) field, type an
interval, in months, quarters, years, to retain Monthly Rule snapshots
9. (Optional) Create a Quarterly Rule by completing both of the following:
Advanced method:
• In Take Snapshots: Every (Quarters), type an interval, in quarters, for creating
Quarterly Rule snapshots
• In On:(Day of Week), specify the day of the week to create the Quarterly Rule snapshot
• In the upper Keep Snapshots: For (Weeks) field, type an interval, in years, to retain
Quarterly Rule snapshots
Protection Policies
10.(Optional) Create a Yearly Rule by completing both of the following:

Simplified method:
• In Take Snapshots: Every (Years), type an interval, in years, for creating Yearly Rule
snapshots
• In the lower Keep Snapshots: For (Years) field, type an interval, in days, to retain Yearly
Rule snapshots
Advanced method:
• In Take Snapshots: Every (Years), type an interval, in years, for creating Yearly Rule
snapshots
• In On: (First or Last Day of Year), specify the first or last day of the year to create the
Yearly Rule snapshot
• In Begin Year in: (Month) specify the month that indicates the start of the year
• In the upper Keep Snapshots: For (Years) field, type an interval, in years, to retain
Yearly Rule snapshots
Note: The maximum local retention period changes to the maximum retention period specified
in the SLA rules.
11.(Optional) Create a snapshot window for the SLA Domain.

Configuring a snapshot window describes how to configure a snapshot window that creates
snapshots for the data sources that are assigned to the SLA Domain.
12.(Optional) Specify a first full snapshot and backup time for the SLA Domain.
Configuring a first full time describes how to specify a first full snapshot and backup time for an
SLA Domain.
13.Click Configure Remote Settings.
The second page of the Create SLA Domain dialog box appears.
Specify at least one SLA rule to enable Configure Remote Settings.
14.(Optional) Create an archival policy for the SLA Domain.
Archival policy describes how to create an archival policy for an SLA Domain.
15.(Optional) Create a Replication Retention policy for the SLA Domain.
Replication policy describes how to create a replication retention policy for an SLA Domain.
16.(Optional) In Retention On Brik, specify a local retention period for the SLA Domain.
Protection Policies
Move the slider to set the local retention period for the SLA Domain. The setting can be from 0
day up to the maximum local retention period defined in the SLA rules.
Note: An archival policy, a replication policy, or both must be specified before the local
retention period can be adjusted.
Local retention period provides information about the local retention period.
17.Click Create.
The Rubrik cluster creates the new SLA Domain and adds it to the Local SLA Domains page.
Next task — Assign data sources to the SLA Domain.
Snapshot window
A custom SLA Domain can optionally provide a snapshot window. A snapshot window defines a
period during each day when the Rubrik cluster is permitted to create snapshots for the data
sources that are assigned to the SLA Domain.
! IMPORTANT
When a backup is running and the current Snapshot Window closes, any currently running
backup will be allowed to complete, but no new backup job will be allowed to start.
Configuring a snapshot window

Configure a snapshot window for an SLA Domain when creating a custom SLA Domain or when
editing an SLA Domain.
3. Complete one of the following to add or modify the snapshot window for an SLA Domain:
• For a new custom SLA Domain, click the blue + icon and configure the SLA rules, as
described in Creating a custom SLA Domain.
• For an existing SLA Domain, on the Local SLA Domains page, select the SLA Domain. The
properties page for the selected SLA Domain appears. Open the ellipsis menu, and select
Edit.
The Snapshot Window section appears near the bottom of the dialog box.
Rubrik CDM Version 5.0 User Guide Snapshot window 146

Protection Policies
4. In Take Snapshots From, click the left box and select the beginning time for the snapshot
window.
The Rubrik cluster waits until the specified time to initiate policy-based snapshots for this SLA
Domain.
5. In Take Snapshots From, click the right box and select the ending time for the snapshot
window.
The Rubrik cluster will not initiate policy-based snapshots for this SLA Domain after this time.
6. Complete any other changes and click Create (new SLA Domains) or Update (existing SLA
Domains).
The Rubrik cluster adds the snapshot window to the SLA Domain. The Rubrik cluster creates
snapshots for the SLA Domain only during the specified period each day.
First full backup

A custom SLA Domain can optionally provide a first full window. The Rubrik cluster waits until the
first full window before initiating the first full snapshots or backups of data sources that are
assigned to the SLA Domain.
For data sources that are added outside of the period that allows first fulls, the Rubrik cluster
initiates the first full at the next occurrence of the first full window.
The Rubrik cluster ignores a snapshot window for a first full, and instead uses the first full window
to determine whether to initiate a first full.
The default value for this field is First Opportunity. When an SLA Domain is configured to take the
first full at the first opportunity, the Rubrik cluster initiates the first full when a data source is
added. For the First Opportunity setting only, when a snapshot window is specified, the Rubrik
cluster waits until the next available snapshot window.
After a first full is created for a data source, subsequent snapshots or backups of that data source
are created based on the SLA Domain rules, including any snapshot window setting.
Rubrik CDM Version 5.0 User Guide First full backup 147
Protection Policies
Configuring a first full time

Configure a first full time for an SLA Domain when creating a custom SLA Domain or when editing
an SLA Domain.
3. Complete one of the following to add or modify the first full time for an SLA Domain:
• For a new custom SLA Domain, click the blue + icon and configure the SLA rules, as
described in Creating a custom SLA Domain.
Edit.
The Snapshot Window section appears near the bottom of the dialog box.
On the Take first full between line, the default value First Opportunity appears in the left box.
4. On the Take first full between line, click the left box and select a day of the week.
The selection specifies the first day of each week when the Rubrik cluster can initiate first full
snapshots and backups.
After entering a value, fields for specifying the end of the time range appear.
5. On the Take first full between line, click the right box and select a time of the day.
The selection specifies the time of day when the Rubrik cluster can initiate first full snapshots
and backups.
6. On the second line, click the left box and select a day of the week.
The selection specifies the last day of each week when the Rubrik cluster can initiate first full
7. On the second line, click the right box and select a time of the day.
The selection specifies the time of day when the Rubrik cluster stops initiating first full
8. Complete any other changes and click Create (new SLA Domains) or Update (existing SLA
Domains).
The Rubrik cluster adds the first full policy to the SLA Domain, and initiates first full snapshots and
backups, for data sources that are awaiting a first full, at the next occurrence of the selected day
and hour.
Rubrik CDM Version 5.0 User Guide First full backup 148
Protection Policies
SLA Domain changes

To make changes to the policies of a local SLA Domain, open that SLA Domain for editing. Only
local SLA Domains can be edited.
Remote SLA Domains provide information in a read-only format. To edit an SLA Domain that
appears as a remote SLA Domain, log in to the Rubrik cluster on which the SLA Domain is local.
Changing the settings of an existing SLA Domain will cause changes to the data protection
provided by the SLA Domain.
Editing an SLA Domain

Edit an existing local SLA Domain to change the data protection that is provided. Consider the
consequences of planned changes before applying the changes.
3. On the Local SLA Domains page, select the SLA Domain.
The properties page for the selected SLA Domain appears.
4. Open the ellipsis menu, and select Edit.
The Edit SLA Domain dialog box appears.
5. Make changes to the SLA rules, the archival policy, and the replication policy.
6. Click Update.
The Rubrik cluster stores the new policies and rules for the SLA Domain. The following sections
describe the potential consequences of various SLA Domain changes.
Base Frequency changes

Editing the SLA rules can change the frequency with which snapshots are created. When changes
to the frequency impact the Base Frequency of the SLA Domain, all future snapshots are created
using the new Base Frequency.
Rubrik CDM Version 5.0 User Guide SLA Domain changes 149
Protection Policies
Base Frequency increased

Increasing the Base Frequency causes the SLA Domain to create new snapshots based on the
higher frequency. When the retention periods are unchanged, there are no changes to existing
snapshots.
Since the system cannot increase the frequency with which snapshots were taken in the past,
increasing the snapshot creation frequency for an SLA Domain can cause all the virtual machines
being protected by the SLA Domain to be out of compliance. The frequency of the existing
snapshots may not be sufficient to meet the requirements of the new policy.
Example 2 describes the results of increasing the base frequency of an SLA Domain.
Example 2 Increasing Base Frequency

Edits are made to an SLA Domain to increase the Base Frequency by making the following SLA
rules changes:
• Old Hourly Rule – Create one snapshot every six hours and retain it for three days.
• New Hourly Rule – Create one snapshot every three hours and retain it for three days.
These edits result in the following impact to snapshots:
• Existing snapshots – No change.
• New snapshots – Snapshots are created based on the higher frequency specified in the new
Hourly Rule, once every three hours instead of every six hours.
Base Frequency decreased

Decreasing the snapshot creation frequency causes all new policy driven snapshots associated
with the SLA Domain to be created based on the lower frequency.
The Rubrik cluster also applies a decreased Base Frequency to existing snapshots. Applying the
decreased Base Frequency causes some of the existing snapshots to expire automatically.
Automatic expiration occurs when an existing snapshot is not required for compliance with the
new policy.
Automatic expiration applies to existing snapshots on the local Rubrik cluster, archival snapshots
on the archival location, and replicas on the target replication cluster.
Protection Policies
Example 3 describes the results of decreasing the base frequency of an SLA Domain.
Example 3 Decreasing Base Frequency

Edits are made to an SLA Domain to decrease the Base Frequency by making the following SLA
rules changes:
• Old Hourly Rule – Create one snapshot every three hours and retain it for three days.
• New Hourly Rule – Create one snapshot every six hours and retain it for three days.
• Existing snapshots – Some existing snapshots expire automatically because retention of these
snapshots is not required for compliance with the new lower frequency.
• New snapshots – Snapshots are created based on the lower frequency specified in the new
Hourly Rule (for instance, once every 6 hours instead of every 3 hours).
Retention Changes
Editing the SLA rules can change the retention period associated with snapshots. The new
retention period is applied to existing snapshots and to new snapshots. Edits can increase or
decrease retention period. In both cases, existing snapshots are impacted by the edits.
Snapshot retention period increased

Increasing the retention period causes the Rubrik cluster to retain all new snapshots and all
existing snapshots for the new longer retention period.
Example 4 provides an example of an SLA Domain that is edited to increase the snapshot retention
period.
Example 4 Increasing snapshot retention

Edits are made to an SLA Domain to increase the snapshot retention period by making the
following SLA rules changes:
• Old Hourly Rule – Create one snapshot every four hours and retain it for three days.
• New Hourly Rule – Create one snapshot every four hours and retain it for five days.
• Existing Snapshots – Retained for five days instead of three days.
• New Snapshots – Retained for five days.
Protection Policies
Snapshot retention decreased

Decreasing the retention period causes the Rubrik cluster to retain new snapshots for the shorter
retention period. The Rubrik cluster also applies the new retention period to existing snapshots.
Some existing snapshots expire automatically because they are not required for compliance with
the new policy.
Example 5 provides an example of an SLA Domain that is edited to decrease the snapshot
retention period.
Example 5 Decreasing snapshot retention

Edits are made to an SLA Domain to decrease the snapshot retention period by making the
following SLA rules changes:
• Old Hourly Rule – Create one snapshot every four hours and retain it for seven days.
• New Hourly Rule – Create snapshot every four hours and retain it for four days.
• Existing snapshots – Some existing snapshots expire automatically as they are not required for
compliance with the shorter retention period.
• New snapshots – Retained for 4 days.
Impact of retention changes on archival policy and replication policy

When the retention period associated with any SLA Rule is changed, it can potentially trigger an
automatic change of an SLA Domain’s existing Archival and Replication policies.
These changes are described in the following sections:
 Archival policy changes
 Replication policy changes
Before changing the retention period of an SLA Rule, consider the automatic changes to archival
policy and replication policy that result from the change.
Snapshot window changes

Changing the snapshot window causes the Rubrik cluster to use the new snapshot window when
creating new snapshots.
Protection Policies
Take first full changes

Changing the time specified by the Take first full field causes the Rubrik cluster to wait until the
specified time before creating the first full snapshot or backup of newly added data sources. When
a snapshot window is specified, the Rubrik cluster creates the first full during the next available
snapshot window after the specified Take first full time.
Delete an SLA Domain

Deleting an SLA Domain deletes the SLA rules, archival policy, and replication policy specified for
the SLA Domain and removes the SLA Domain from the list of local SLA Domains.
The Rubrik CDM web UI only permits the deletion of a local SLA Domain that has no assigned data
sources.
Remote SLA Domains provide information in a read-only format. To delete an SLA Domain that
appears as a remote SLA Domain, log in to the Rubrik cluster on which the SLA Domain is local.
Information about a remote SLA Domain is removed from the Rubrik CDM web UI of the target
Rubrik cluster when either of the following is true:
 The remote SLA Domain does not protect any virtual machines.
 The remote SLA Domain’s replication policy is disabled.
Deleting an SLA Domain

Delete an SLA Domain to remove all of its SLA rules and policies.
Before you begin — Remove all data sources that are assigned to the SLA Domain. An SLA
Domain cannot be deleted when data sources are assigned to it.
3. On the Local SLA Domains page, select the SLA Domain.
The properties page for the selected SLA Domain appears.
Rubrik CDM Version 5.0 User Guide Delete an SLA Domain 153
Protection Policies
4. Open the ellipsis menu, and select Delete.

The Delete SLA Domain confirmation message appears.
Note: When data sources are assigned to the SLA Domain, a warning message appears. Click
OK to acknowledge the message. To delete the SLA Domain, first remove the data sources that
are assigned to the SLA Domain.
5. Click Delete.
Local SLA Domain management

The Rubrik cluster provides management information and tasks for local SLA Domains. A local SLA
Domain is an SLA Domain that is created on the local Rubrik cluster.
The Local SLA Domains page provides general information about all the local SLA Domains.
Viewing all local SLA Domains

Access the Local SLA Domains page to view general information about all local SLA Domains.
1. Log in to the Rubrik CDM web UI of a selected Rubrik cluster.
A local Rubrik cluster session starts on the selected Rubrik cluster.
Information on the Local SLA Domains page

The Local SLA Domains page provides information on a local SLA Domain.
Table 23 describes the information available on the Local SLA Domains page.
Sort the information in ascending or descending order by clicking on one of the columns headings.
Table 23 Columns on the Local SLA Domains page (page 1 of 2)
Column heading Description
Name Name assigned to the local SLA Domain.
Base Frequency The rate at which snapshots are created as a result of all of the SLA rules of the SLA
Domain.
Object Count Combined total number of source objects that are protected by the SLA Domain.
Archival Location Name of the archival location that is assigned to the SLA Domain.
Rubrik CDM Version 5.0 User Guide Local SLA Domain management 154
Protection Policies
Table 23 Columns on the Local SLA Domains page (page 2 of 2)

Replication Target Name of the replication target that is assigned to the SLA Domain, or None.
Searching for a local SLA Domain

Use the search field on the Local SLA Domains page to find a specific local SLA Domain or group of
local SLA Domains.
3. In the search box of the Local SLA Domains page, type a text string.
The Rubrik cluster provides a list of the local SLA Domains that have a name that contains the
search string.
Local SLA Domain page

The Rubrik cluster provides a specific page for each local SLA Domain. The page provides details
about a local SLA Domain in a set of information cards.
The page also provides the ability to edit the local SLA Domain and to delete the local SLA Domain,
as described in Editing an SLA Domain and Deleting an SLA Domain.
Viewing a local SLA Domain page

To see details about a local SLA Domain, view the page for that local SLA Domain.
2. On left-side menu, select SLA Domains > Local Domains.
The page for the local SLA Domain appears
3. On the page, click a local SLA Domain entry.
The page of the selected local SLA Domain appears.
Rubrik CDM Version 5.0 User Guide Local SLA Domain page 155
Protection Policies
Information provided for a local SLA Domain

Table 24 describes information that the Rubrik cluster provides through the cards on the page for
a local SLA Domain.
Table 24 Information on the page for a local SLA Domain (page 1 of 2)
Information card Element or field Description
SLA Domain Policy Quick view of the SLA rules specified by the local SLA domain.
Take Column listing of the Hourly, Daily, Monthly, and Yearly rules of
snapshot frequency.
Keep Column listing of the Hourly, Daily, Monthly, and Yearly rules of
snapshot retention.
Snapshot Window The Snapshot Window for the SLA Domain.
Replication Replication retention policy of the SLA Domain.
Retention Policy
Archival Policy Archival policy of the SLA Domain.
Storage Donut graph Quick view of the occupied and free space on the local Rubrik
cluster. Click legend entries to include or exclude them from the
graphic. The graphic always starts at the top and runs clockwise
with the segments displayed in order by size from largest to
smallest.
This domain Color-highlighted graphical indication of the portion of the total
storage space on the local Rubrik cluster that is occupied by
data associated with the selected local SLA Domain. Hover
over This domain to highlight that section in the graphic.
Other domains Color-highlighted graphical indication of the portion of the total
data from other local SLA Domains. Hover over Other
domains to highlight that section in the graphic.
Unprotected Color-highlighted graphical indication of the portion of the total
data from unprotected virtual machines. Hover over
Unprotected to highlight that section in the graphic.
Available Color-highlighted graphical indication of the portion of the total
storage space on the local Rubrik cluster that is free. Hover
over Available to highlight that section in the graphic.
Line graph Shows the storage ramp up over time, from 30 days to the
present.
Protection Policies
Table 24 Information on the page for a local SLA Domain (page 2 of 2)

Information card Element or field Description
Source list Drop down list Selection list to choose a type of data source. Open the list to
select a data source type:
• vSphere VMs
• Hyper-V VMs
• AHV VMs
• Linux & Unix Hosts
• Windows Hosts
• NAS Shares
• SQL Server DBs
• Managed Volumes
Search field Search field that permits a text string search of the names of all
data sources that are protected by the selected local SLA
Domain. Search is confined to the currently selected data
source.
Name Name of a protected data source.
Location Location or host of the protected data source.
Chapter 6
Replication
This chapter provides information about replication policy, setting up replication, and using the
replication feature.
 Replication overview ............................................................................................... 159
 Replication target setup .......................................................................................... 160
 Replication policy.................................................................................................... 166
 Replication policy changes....................................................................................... 168
 Manage Replications page ....................................................................................... 170
 Replication monitoring and reporting........................................................................ 171
 Remote SLA Domains.............................................................................................. 172
 Remote data sources .............................................................................................. 175
Rubrik CDM Version 5.0 User Guide Replication 158

Replication
Replication overview
When a replication policy is enabled for a local SLA Domain, the local Rubrik cluster (source Rubrik
cluster) rapidly copies snapshot and backup data for that SLA Domain to a remote Rubrik cluster
(target Rubrik cluster).
A source Rubrik cluster and a target Rubrik cluster use the Transport Layer Security (TLS) protocol
to encrypt all replication data-in-flight.
A Rubrik cluster can have multiple target Rubrik clusters. Each SLA Domain on the source can
direct replication to the target that best accomplishes business goals.
Also, a Rubrik cluster can be the target for many source Rubrik clusters.
When issues interfere with the network connection between the source Rubrik cluster and a target
Rubrik cluster, the replication task is retried. The Rubrik cluster retries the task every 30 seconds,
with up to 20 retries. This provides the ability to handle up to 10 minutes of network downtime
before the task fails.
! IMPORTANT
When constraints, such as limited bandwidth, interfere with the completion of all of the
replication tasks that are specified for an SLA Domain, the Rubrik cluster may skip
replication of older snapshots and backups to ensure that the newest data is successfully
replicated.
Replication policy workflow

Adding a replication policy to an SLA Domain follows a set workflow.
The replication workflow is:
1. Set up a target Rubrik cluster.
2. Enable replication for the SLA Domain.
3. Select a target Rubrik cluster.
4. Select the retention period for the data on the target.
5. Optionally, modify the retention period for the data that is retained locally on the source Rubrik
cluster.
Rubrik CDM Version 5.0 User Guide Replication overview 159

Replication
Replication target setup

A Rubrik cluster can replicate data to target Rubrik clusters. To use a Rubrik cluster as a replication
target, the source Rubrik cluster must be provided with information about the target.
A Rubrik cluster can have multiple target Rubrik clusters. An SLA Domain on the Rubrik cluster can
be set up to use any one of the available targets.
After at least one target Rubrik cluster is successfully set up, the source Rubrik cluster makes
replication policy settings available for local SLA Domains.
Communication between the source Rubrik cluster and the target Rubrik cluster can use either of
the following addressing methods:
 Network address translation (NAT)
 Private network
Note: IP addresses for the source and target clusters must be static in order for replication to
work properly. Floating IP addresses cannot be used.
Replication using NAT

To perform replication, a source Rubrik cluster can optionally communicate with a target Rubrik
cluster by using NAT.
When using replication over NAT, the source Rubrik cluster sends data packets destined for the
target Rubrik cluster using the following method:
 The source Rubrik cluster sends the data packet to a specified port on the gateway for the
target Rubrik cluster.
The specified port is a port reserved for routing for replication requests and acknowledgments.
 The gateway device forwards the data packet to one of the private IP addresses that is
assigned to a node on the target Rubrik cluster.
 The target Rubrik cluster provides the data packet to the appropriate service and node on the
target Rubrik cluster.
Rubrik CDM Version 5.0 User Guide Replication target setup 160
Replication
The process is reversed for data packets sent from the target Rubrik cluster to the source Rubrik
cluster:
 The target Rubrik cluster sends the data packet to a specified port on the gateway for the
source Rubrik cluster.
 The gateway device forwards the data packet to one of the private IP addresses that is
assigned to a node on the source Rubrik cluster.
 The source Rubrik cluster provides the data packet to the appropriate service and node on the
source Rubrik cluster.
Replication
Figure 2 shows an example replication using NAT configuration.

Figure 2 Replication using NAT
Figure 3 Example of settings for NAT
Replication
To use replication with NAT, follow the requirements described in Table 25.
Table 25 Requirements for replication using NAT
Requirement Description
Assigned ports on the target Assign incoming ports on the target gateway specifically for the
gateway replication processes. Each dedicated “replication” port on the target
gateway receives data packets from the source Rubrik cluster. A
minimum of one “replication” port on the target gateway is required, up to
a maximum of the number of Rubrik nodes on the target Rubrik cluster.
To provide redundancy, Rubrik recommends at least two “replication”
ports on the target gateway.
Port forwarding rules on the The target gateway uses port forwarding rules to forward the data
target gateway packets received on a target gateway “replication” port. The target
gateway forwards the data packets to port 7785 of the associated private
IP address that is assigned to a Rubrik node on the target Rubrik cluster.
Assigned ports on the source Assign incoming ports on the source gateway specifically for the
gateway replication processes. Each dedicated “replication” port on the source
gateway receives data packets from the target Rubrik cluster. A minimum
of one “replication” port on the source gateway is required, up to a
maximum of the number of Rubrik nodes on the source Rubrik cluster. To
provide redundancy, Rubrik recommends at least two “replication” ports
on the source gateway.
Port forwarding rules on the The source gateway uses port forwarding rules to forward the data
source gateway packets received on a source gateway “replication” port. The source
gateway forwards the data packets to port 7785 of the associated private
IP address that is assigned to a Rubrik node on the source Rubrik
cluster.
Address mapping
When setting up replication using NAT, communication between the source Rubrik cluster and the
target Rubrik cluster can use either of the following addressing methods:
 One-to-one Network Address Translation (NAT)
Rubrik cluster utilizes a pool of public addresses that are mapped one-to-one to the private
addresses.
 One-to-multiple Port Address Translation (PAT)
PAT is an extension to NAT that permits multiple private addresses and ports to be mapped to
a single public address.
Rubrik cluster utilizes a single public address and multiple ports that are mapped to multiple
private addresses. Each private address is associated with a “replication” port.
Replication
Setting up replication using NAT

Provide the source Rubrik cluster with the required information to enable replication using NAT.
Before you begin — For source and target, make available the gateway ports and port forwarding
rules that are described in Table 25.
1. Log in to the Rubrik CDM web UI on the source Rubrik cluster.
3. Click Replication Targets.
The Manage Replication page appears.
The Add Remote Cluster dialog box appears.
5. Select NAT.
The NAT view of the Add Remote Cluster dialog box appears.
Figure 2 shows an example replication using NAT configuration.
6. In Source Gateway IP, type the local IPv4 address of the source gateway device.
Use the public IPv4 address of the source gateway device that sends replicated data to the
target gateway device.
7. In Target Gateway IP, type the local IPv4 address of the target gateway device.
Use the public IPv4 address of the target gateway device that receives replicated data from the
source gateway device.
8. In Source Gateway Ports, type a comma-separated list of the ports on the source gateway
that are specified for Rubrik cluster replication.
There must be at least one port, and no more ports than the number of Rubrik nodes on the
source Rubrik cluster. For each port, the gateway must have a port forwarding rule that directs
data packets to the IP address of a Rubrik node on the source Rubrik cluster.
9. In Target Gateway Ports, type a comma-separated list of the ports on the target gateway
that are specified for Rubrik cluster replication.
There must be at least one port, and no more ports than the number of Rubrik nodes on the
target Rubrik cluster. For each port, the gateway must have a port forwarding rule that directs
data packets to the IP address of a Rubrik node on the target Rubrik cluster.
10.In Target Cluster Username, type the username for an account on the target Rubrik cluster
that has the Admin role.
Replication
11.In Target Cluster Password, type the password for the account.
The source Rubrik cluster tests the replication information.
After a successful test, the source Rubrik cluster adds the replication relationship to the
Replication Clusters section of the Manage Replication page. The target Rubrik cluster also adds
the replication relationship to its Manage Replication page.
Replication using a private network

To perform replication, a source Rubrik cluster can optionally communicate with a target Rubrik
cluster through a private network.
To replicate to a target Rubrik cluster through a private network, the source Rubrik cluster sends
data packets to the static IPv4 address of the target Rubrik cluster, and the target Rubrik cluster
sends data packets to the static IPv4 address of the source Rubrik cluster.
Note: When private IPv4 addressing is used, this method carries the potential for IP address
conflicts between the source Rubrik cluster and the target Rubrik cluster. To avoid this problem, be
sure each cluster uses different static IPv4 addresses.
Setting up replication using a private network

Provide the source Rubrik cluster with the required information about the target Rubrik cluster to
enable replication over a private network.
Before you begin. For the source and the target, ensure that the network meets the port
requirements described in Ports.
The static address view of the Add Remote Cluster dialog appears.
5. In Target Cluster IP, type one of the IPv4 addresses of the target Rubrik cluster.
Do not use a floating IP address for the target cluster IP.
6. In Target Cluster Username, type the username for an account on the target Rubrik cluster
that has the Admin role.
Replication
7. In Target Cluster Password, type the password for the account.

8. Click Add.
The source Rubrik cluster tests the replication information.
After a successful test, the source Rubrik cluster adds the replication relationship to the
Replication Clusters section of the Manage Replication page. The target Rubrik cluster also adds
the replication relationship to its Manage Replication page.
Removing a replication target

Remove a replication target to prevent replication to that target.
4. In the Replication Clusters section, open the ellipsis menu next to the name of the target
Rubrik cluster.
5. Click Delete.
6. Click OK.
The local Rubrik cluster removes the replication target.
7. Manually remove or change the replication policies of the SLA Domains that used that target.
After removing a target, the replicas on that target become unmanaged objects. The replicas must
be manually managed through the Snapshot Retention page of the target Rubrik cluster.
Replication policy
Enable a replication policy for an SLA Domain to replicate the snapshot and backup data of the
source objects that are protected by the SLA Domain.
A replication policy specifies a replication target and determines how long replicas are kept on the
target. Replication policy is optional for an SLA Domain.
Rubrik CDM Version 5.0 User Guide Replication policy 166

Replication
After enabling a replication policy, a slider provides two alternative settings that determine how
long replicas are kept. The first alternative specifies that only the most recent replica is kept. The
second alternative specifies that replicas are kept for the retention period that is specified by the
slider’s position, up to the Maximum Retention Period of the SLA Domain.
Table 26 describes the alternative slider position settings.
Table 26 Replication retention slider settings
Slider setting Replica retention
Far left, null position Retained until another replica is created.
Any position except the far left The period defined by the position of the slider, up to the Maximum
Retention Period of the SLA Domain
When a replication policy is set, the Rubrik cluster immediately begins creating replicas of
unexpired snapshots and backups. Snapshots or backups that existed before the replication target
was added to the Rubrik cluster are not replicated.
Configuring replication policy for an SLA Domain

Configure the replication policy for an SLA Domain when creating a custom SLA Domain or when
editing any SLA Domain.
Before you begin — Configure at least one replication target for the Rubrik cluster, as described in
Replication target setup.
3. Complete one of the following to add or modify a replication policy for an SLA Domain:
• For a new custom SLA Domain, click the blue + icon and configure the other fields on the
Create New SLA Domain dialog box, as described in Creating a custom SLA Domain.
Edit.
4. Complete the Service Level Agreement for the SLA Domain.
Creating a custom SLA Domain describes this task.
5. Click Remote Settings.
6. In Replication, click the toggle.
Rubrik CDM Version 5.0 User Guide Replication policy 167

Replication
The replication slider becomes available.

7. Open the drop down list and select a replication target.
8. Do one of the following with the replication slider:
• Leave the slider in the leftmost position.
This position specifies that only the most recent replica is kept on the target Rubrik cluster.
• Move the slider to the right to define a replication retention period.
The selected position defines the maximum time that a replica is kept on the target Rubrik
cluster.
9. Complete any other changes.
For example, change the Retention On Brik setting, as described in Creating a custom SLA
Domain.
10.Click Create or Edit.
The Rubrik cluster adds the replication policy to the SLA Domain and applies it to the existing
snapshots or backups and the new snapshots or backups for data sources that are assigned to the
SLA Domain.
Replication policy changes

Editing an SLA Domain can result in a variety of changes that impact the replication policy. These
changes can determine how long the Rubrik cluster retains replication snapshots or backups on a
target cluster and which replication snapshots or backups are automatically expired by the Rubrik
cluster.
Possible changes that can impact an replication policy include:
 Replication policy disabled
 Replication policy re-enabled
 Replication retention period increased
 Replication retention period decreased
Replication policy disabled

When the replication policy is disabled, the Rubrik cluster does not create additional replicas on
the target Rubrik cluster.
Replicas on the target Rubrik cluster that existed before the replication policy was disabled remain
on the target. Manage these replicas through the Snapshot Retention page of the target Rubrik
cluster. Retention Management describes how to use the Snapshot Retention page.
Rubrik CDM Version 5.0 User Guide Replication policy changes 168
Replication
Replication policy re-enabled

When a replication policy is disabled and then re-enabled, the Rubrik cluster does not create
replicas for existing snapshots and backups.
When the replication policy for an SLA Domain is re-enabled, the Rubrik cluster immediately
initiates replication tasks to push replicas for the newest snapshots and backups to the target
Rubrik cluster.
Replicas that exist from before the replication policy was disabled are managed again when the
policy is re-enabled. The Rubrik cluster manages these existing replicas based on the current SLA
rules and replication retention period.
Replication retention period increased

Changes to the SLA rules can cause an automatic increase in the replication retention period.
When this happens, the Rubrik cluster applies the new higher replication retention period to all
replicas on the target Rubrik cluster and the Rubrik cluster continues to manage the replicas based
on the SLA rules.
Replication retention period decreased

Changes to the SLA rules can cause an automatic decrease in the replication retention period.
When the replication retention period is decreased, the Rubrik cluster applies the new lower
replication retention period to all replicas on the target Rubrik cluster and the Rubrik cluster
continues to manage the replicas based on the SLA rules.
Rubrik CDM Version 5.0 User Guide Replication policy changes 169
Replication
Manage Replications page

The Manage Replication page provides summary information about the replication associations of
the local Rubrik cluster.
Viewing the Manage Replication page

Use the Manage Replication page to view summary information about the replication associations
of the local Rubrik cluster.
Before you begin. Configure a replication target Rubrik cluster, as described in Manage
Replications page.
2. On the top action bar, click the gear icon.
3. On the menu, select Replication Targets.
The Manage Replication page appears and provides two sections of information:
 for Replication
 Replication Clusters
For Replication section

The for Replication section of the Manage Replication page provides historical information about
network bandwidth consumption due to replication activities.
Two line charts display the network bandwidth consumption, for the previous 24 hours, in a
multiple of bits per second.
The Incoming chart displays the incoming network bandwidth consumption caused by replication
to the local Rubrik cluster from all source Rubrik clusters.
The Outgoing chart displays the outgoing network bandwidth consumption caused by replication
activity from the local Rubrik cluster to all target Rubrik clusters.
Replication Clusters section

The Replication Clusters section of the Manage Replication page provides information cards for
each of the replication associations of the local Rubrik cluster.
Each card displays the local Rubrik cluster on the left-side and a remote Rubrik cluster on the
right-side. The card provides information about the replication association between the two Rubrik
clusters.
Rubrik CDM Version 5.0 User Guide Manage Replications page 170
Replication
The information cards in the Replication Clusters section use symbols to indicate the replication
configuration between the two Rubrik clusters, either unidirectional or bidirectional.
In addition to the replication configuration symbol, the information card provides the information
described in Table 27.
The information on the card is presented from the perspective of the local Rubrik cluster. The card
does not provide all replication information or the remote Rubrik cluster, only the information from
the association between the two clusters.
Table 27 Information provided by the Replication Clusters information card
Field Local section Remote section
Data Total amount of data replicated by the Total amount of data replicated by
remote Rubrik cluster to the local the local Rubrik cluster to the remote
Rubrik cluster. Rubrik cluster.
When the remote Rubrik cluster is the When the local Rubrik cluster is the
target of a unidirectional replication target of a unidirectional replication
association this section is empty. association this section is empty.
SLA Domains The number of remote SLA Domains The number of local SLA Domains
that replicate data to the local Rubrik that replicate data to the remote
cluster. Rubrik cluster.
Objects The number of remote objects that are The number of local objects that are
replicated to the local Rubrik cluster. replicated to the remote Rubrik
cluster.
Replication monitoring and reporting

The Rubrik cluster provides information about replication tasks on the target Rubrik cluster in the
following locations:
 Activity Log
 Operational Tasks report
Replication tasks in the Activity Log

The target Rubrik cluster provides real-time monitoring of replication activity. Activity Log
describes the Activity log.
After a source Rubrik cluster generates a snapshot for a virtual machine, the source Rubrik cluster
begins replicating that snapshot to the target Rubrik cluster. The Activity Log on the target Rubrik
cluster lists an entry for the replication task.
View only replication tasks in the Activity Log by setting Replication in the Type filter.
Rubrik CDM Version 5.0 User Guide Replication monitoring and reporting 171
Replication
Replication tasks in the Protection Tasks Summary report

The target Rubrik cluster provides a virtual machine-oriented view of the success and failure of
completed replication tasks in the Protection Tasks Summary report.
On the Protection Tasks Summary report, in Filter Type, choose Replication to see all replication
task results for the selected period. Protection Tasks Summary report describes the Protection
Tasks Summary report.
Remote SLA Domains

A remote SLA Domain is an SLA Domain that was created on a Rubrik cluster other than the local
Rubrik cluster. Remote SLA Domains appear on a local Rubrik cluster when the local Rubrik cluster
is a replication target.
Viewing all remote SLA Domains

Access the Remote SLA Domains page to view general information about all remote SLA Domains.
2. On the left-side menu, select SLA Domains > Remote Domains.
The Remote SLA Domains page appears.
Information on the Remote SLA Domains page

The Remote SLA Domains page provides read-only information that is described in the following
table. Sort the information in an ascending or descending order by clicking on one of the columns
headings.
Table 28 describes the information that is provided by the Remote SLA Domains page.
Table 28 Columns on the Remote SLA Domains page
Name Name of the remote SLA Domain.
Remote Cluster Name of the remote Rubrik cluster.
Base Frequency The rate at which snapshots and backups are created as a result of all of the SLA
rules of the remote SLA Domain.
Object Count Total number of objects that are protected through the remote SLA Domain.
Replication Retention Replication retention period specified by the remote SLA Domain.
Rubrik CDM Version 5.0 User Guide Remote SLA Domains 172
Replication
Searching for a remote SLA Domain

Use the search field on the Remote SLA Domains page to find a specific remote SLA Domain or a
group of remote SLA Domains.
3. In the search box at the top of the Remote SLA Domains page, type a text string.
The Rubrik cluster provides a list of every remote SLA Domain name that contains the search
string.
Individual remote SLA domain pages

The Rubrik cluster provides a specific page for each remote SLA Domain. A remote SLA domain is
an SLA Domain on another Rubrik cluster that uses the local Rubrik cluster as a replication target.
The remote SLA Domain page provides details about a remote SLA Domain in a set of information
cards. The remote SLA Domain page provides read-only information. To edit the properties of a
remote SLA Domain, log in to the Rubrik cluster that is the source for that SLA Domain.
Viewing the page of a remote SLA Domain

3. On the Remote SLA Domains page, click a remote SLA Domain entry.
The page of the selected remote SLA Domain appears.
Information provided for a remote SLA Domain

Table 29 describes the information that the Rubrik cluster provides through the cards on the page
for a remote SLA Domain.
Table 29 Information provided for a remote SLA Domain (page 1 of 3)
Information card Field Description
SLA Domain Policy Quick view of the SLA rules specified by the remote SLA domain.
Replication

Take Column listing of the Hourly, Daily, Monthly, and Yearly rules of
snapshot frequency.
Keep Column listing of the Hourly, Daily, Monthly, and Yearly rules of
snapshot retention.
Backup Window (Optional) Displays the Snapshot Window setting, when the
remote SLA Domain has a Snapshot Window.
Storage Donut graph Quick view of the occupied and free space on the local Rubrik
cluster that is occupied by data associated with the selected
remote SLA Domain. Click legend entries to include or exclude
them from the graphic. The graphic always starts at the top and
runs clockwise with the segments displayed in order by size from
largest to smallest.
This domain Color-highlighted graphical indication of the portion of the total
storage space on the local Rubrik cluster that is occupied by data
associated with the selected remote SLA Domain. Hover over
This domain to highlight that section in the graphic.
Other domains Color-highlighted graphical indication of the portion of the total
from other SLA Domains. Hover over Other domains to highlight
that section in the graphic.
Unprotected Color-highlighted graphical indication of the portion of the total
from unprotected virtual machines. Hover over Unprotected to
highlight that section in the graphic.
Available Color-highlighted graphical indication of the portion of the total
storage space on the local Rubrik cluster that free. Hover over
Available to highlight that section in the graphic.
Line graph Shows the storage ramp up over time for data associated with the
selected remote SLA Domain, from 30 days to the present.
Data source Selection list to choose a type of data source. Open the list to
selection select a data source type:
• vSphere VMs
• Hyper-V VMs
• AHV VMs
• Windows Hosts
• NAS Shares
• SQL Server DBs
• Managed Volumes
Search field Search field that permits a text string search of the names of the
selected type of data source objects that are protected by the
remote SLA Domain.
Replication

Name Names of the data source objects of the selected type.
Location Location information for the selected type of data source objects.
Remote data sources

Remote data sources are the virtual machines, databases, hosts, and NAS shares that provide the
data that is replicated to a local Rubrik cluster.
A target Rubrik cluster provides access to the replicas of remote data sources though Rubrik CDM
web UI pages that are similar to the pages provided for local data sources. The difference is that
the pages for remote data sources are read-only. Use these pages to find and work with the
replicas of the remote data sources.
Viewing a remote data source page

Access the page for a remote data source to view and work with the replicas from the remote data
source.
Note: To go directly to the page for a remote data source, type the name of the data source in the
search box on the top bar of the Rubrik CDM web UI and select the remote data source from the
results list.

3. In the Name column, select the name of a remote SLA Domain.
The page for the selected remote SLA Domain appears.
Rubrik CDM Version 5.0 User Guide Remote data sources 175
Replication
4. On the data source card, select a data source type.

Select from one of the following types:
• vSphere VMs
• Hyper-V VMs
• AHV VMs
• Windows Hosts
• NAS Shares
• SQL Server DBs
• Managed Volumes
5. On the data source card, in the Name column, click the name of a data source.
For a virtual machine or a database, the remote data source page appears.
For a file system based data source, the Filesets card appears.
6. (File system data sources only) On the Filesets card, in the Name column, select the name of a
fileset.
The remote data source page appears.
Snapshots card or Recovery Points card

For a selected remote data source, the Snapshots card or Recovery Points card provides the ability
to browse and work with the replicas that reside on the local Rubrik cluster.
The card provides information through a series of calendar views. Each view uses color spots to
indicate the presence of replicas on a date. The color indicates one of the following:
 Status of compliance with the replication policy of the remote SLA Domain for the selected
remote virtual machine on the selected date.
 Consistency state of the snapshot.
 Indexing status.
Table 30 lists the colors that the card uses and describes the status that each color represents.
Table 30 Status colors used on the Snapshots card calendar views
Color Status
Green All replicas required by SLA Domain policy were successfully created.
Replication
Table 30 Status colors used on the Snapshots card calendar views

Color Status
Orange All replicas required by SLA Domain policy were successfully created but at least one replica
caused a warning.
Red At least one replica required by SLA Domain replication policy was not successfully created.
Table 31 describes the calendar views available on the Snapshots card.

Table 31 Calendar views on the Snapshots card
View Description
Year The Year view displays replica creation information for an entire year. A color spot indicator on a
specific date indicates replication activity, and displays the compliance status for the replication
policy for that day.
Month The Month view displays replica creation information for an entire month. A color spot indicator on
a specific date indicates replication activity, and displays the compliance status for the replication
policy for that day.
Day On a Snapshot card, the Day view displays the individual replicas that were created on the
selected day.
On a Recovery Points card, the Day view provides access the replicas of the available snapshots
and log backups for the database.
Working with a replica

Access a replica and perform one of the actions available for data source type.
3. In the Name column, select the name of a remote SLA Domain.
The page for the selected remote SLA Domain appears.
Replication
4. On the data source card, select a data source type.

Select from one of the following types:
• vSphere VMs
• Hyper-V VMs
• AHV VMs
• Windows Hosts
• NAS Shares
• SQL Server DBs
• Managed Volumes
5. On the data source card, in the Name column, click the name of a data source.
For a virtual machine or a database, the remote data source page appears.
For a file system based data source, the Filesets card appears.
6. (File system data sources only) On the Filesets card, in the Name column, select the name of a
fileset.
The remote data source page appears.
7. Select a date.
The Day view appears.
8. Based on the type of data source perform an available action.
Chapter 7
Archiving
This chapter provides information about archival policy, setting up archival locations, and using the
archival feature.
 Overview ............................................................................................................... 180
 Archival policy ........................................................................................................ 183
 Archival policy changes ........................................................................................... 187
 Archival location configuration ................................................................................. 190
 Amazon S3............................................................................................................. 191
 Amazon Glacier ...................................................................................................... 196
 Google Cloud Platform ............................................................................................ 201
 Microsoft Azure....................................................................................................... 204
 Object storage system ............................................................................................ 209
 NFS share .............................................................................................................. 213
 QStar tape archive .................................................................................................. 216
 Reader-writer archival model ................................................................................... 219
 Disaster recovery using an archival location .............................................................. 223
 Tests for disaster recovery using an archival location................................................. 234
 Cascading archival .................................................................................................. 235
 Archival consolidation.............................................................................................. 238
 Archival location proxy ............................................................................................ 240
 Archival lifecycle best practices ................................................................................ 243
 Archival location removal......................................................................................... 243
Rubrik CDM Version 5.0 User Guide Archiving 179

Archiving
Overview
An SLA Domain can include an archival policy that instructs the Rubrik cluster to copy protected
data to an archival location. The archival policy specifies the archival location to use, how soon
after a backup the data is copied, and how long the data is retained.
The Rubrik cluster supports the following archival location types:
 Amazon S3
 Amazon Glacier
 Google Cloud Platform
 Azure
 Object Store
 NFS
 Tape
Multiple archival locations and types can be added to a Rubrik cluster. The archival policy of an SLA
Domain can only specify one archival location but each SLA Domain can specify a different archival
location.
Archival data security

The Rubrik cluster encrypts archival data before transmitting the data to any of the supported
archival location types.
As part of the process of preparing a file for archiving, a Rubrik cluster uses an encrypted
multi-part upload to create AES-256 encrypted chunks of data.
The Rubrik cluster then encrypts (wraps) the random AES-256 key. Depending on the type of
archival location, this wrapping can use an 2048-bit RSA key that is provided when an archival
location is set up, a KMS key, or an encryption password.
The Rubrik cluster stores the wrapped AES-256 key at the archival location with the associated
encrypted data chunks.
The protocol that is used to transfer data between the Rubrik cluster and an archival location
depends upon the archive type:
 Cloud-based archival locations use the HTTPS protocol.
 Object storage systems use either HTTPS or HTTP, depending on the capabilities and
configuration of the system.
 NFS shares use UDP or TCP, depending on the configuration of the NFS host.
 QStar Archive Manager tape archives use the SMB protocol.

Archiving
Archival location encryption keys

The Rubrik cluster requires a 2048-bit RSA key as part of the set up of an archival location on
Amazon S3, Microsoft Azure, or an object storage system. For Amazon S3, a KMS master key ID
can be used instead.
The Rubrik cluster encrypts the keys that are provided during archival set up and stores the keys
in Cassandra, a distributed database that is part of each Rubrik cluster. The Cassandra nodes for a
Rubrik cluster can only be accessed by using the RSA private key of that Rubrik cluster.
Archival workflow
Archiving data to an archival location follows a standard workflow. As one of the steps in that
workflow, the Rubrik cluster determines whether to upload an incremental or full copy of the
archival snapshot.
The following steps describe the typical sequence of tasks that a Rubrik cluster performs to satisfy
the archival policy of an SLA Domain.
1. Based on the archival policy initiate an archival task.
2. Determine the most recent existing archival snapshot from the data source.
3. Use the factors described in Table 32 to determine whether to run an Incremental upload or a
Full upload of the snapshot.
4. Check that the required space is available.
5. Prepare the metadata for the new archival snapshot.
6. Create a local copy of the archival snapshot data.
7. Upload archival snapshot data to the archival location.
8. Verify the integrity of the uploaded data.
9. When the local copy of the index file for the snapshot is ready, upload a copy of the index file
to the archival location.
10.Upload the metadata for the new archival snapshot to the archival location.
Table 32 describes the factors used by a Rubrik cluster to determine when a full upload of an
archival snapshot is required.

Archiving
Upload of a full archival snapshot

When any one of the factors listed in Table 32 is true then the Rubrik cluster performs a full
upload.
Table 32 Factors that require upload of a full archival snapshot
Factor Description
Status Upload a full when the status of the most recent archival snapshot is corrupt or
expired.
Requirement Rubrik Support can manually trigger the upload of a full snapshot to resolve an
issue.
Archival time With Instant Archive enabled, the Rubrik cluster uploads a full snapshot when the
time between the most recent archival snapshot and the current snapshot is greater
than the default time-based threshold for uploading a full snapshot.
With Instant Archive disabled, the Rubrik cluster uploads a full snapshot when the
time between the most recent archival snapshot and the current snapshot is greater
than six times the Archival Threshold value.
The Rubrik cluster uses 30 days as the default time-based threshold for uploading a
full snapshot. This value can be modified by Rubrik Support.
Percent change rate The Rubrik cluster uploads a full snapshot when both:
• Percent change rate exceeds 100%.
• Time between the most recent full archival snapshot and the current snapshot
exceeds 15 days.
The percent change rate exceeds 100% when the following formula resolves to true:
total_bytes x 100 / last_full_bytes > 100
where:
• total_bytes is the total number of bytes stored at the archival location for all
increments of the snapshot.
• last_full_bytes is the total number of bytes in the last full archival snapshot.
The minimum time to upload value of 15 days can be configured by Rubrik Support.
Tape or Glacier A tape or Glacier archival location requires the transfer of a full snapshot each time.
archival
The percent change rate factor means that the more changes that occur in a data source the more
frequent the Rubrik cluster will upload full snapshots of that data source.
The minimum time to upload check on the percent change rate factor ensures that at least a
minimum amount of time exists between most recent archival snapshot and the current snapshot.
When a full upload is not required, the Rubrik cluster uploads an incremental with only the data
that has changed since the last snapshot.

Archiving
Multiple archival locations

Multiple active archival locations can be configured for a Rubrik cluster. When an SLA Domain is
created or edited, any one of the available archival locations can be selected for the archiving
policy of that SLA Domain.
After configuring at least one archival location, archival policy for every existing and new SLA
Domain can be enabled and configured.
The Rubrik cluster supports a mix of multiple active archival locations of any of the supported
types.
! IMPORTANT
Even though a Rubrik cluster can upload data to multiple archival locations, each archival
location can only be associated with one Rubrik cluster. In other words, archival locations
cannot be shared by multiple Rubrik clusters for any reason.
Archival bucket exclusivity

An archival bucket can be used by only one Rubrik cluster.
Cloud-based archival locations use the following terms to identify a logical unit of storage
(bucket):
 ‘bucket’ – Amazon S3 and Google Cloud Platform
 ‘container’ – Microsoft Azure
 ‘vault’ – Amazon Glacier
A specific bucket can be used by only one Rubrik cluster. When a bucket is assigned to a Rubrik
cluster, the Rubrik cluster places restrictive permissions on the bucket that prevent other Rubrik
clusters from using the bucket. This action protects the data that is written to the bucket.
Archival policy
An archival policy defines how long to retain data within the local Rubrik cluster before moving the
data to an archival account for long term storage. Archival policy is optional for an SLA Domain.
When available, the Rubrik cluster uses an encrypted connection to transfer data to an archival
location. The Rubrik cluster deduplicates, compresses, and, when supported by the archival
location, encrypts all data that is stored at the archival location.
Rubrik CDM Version 5.0 User Guide Archival policy 183

Archiving
Instant Archive
The Instant Archive feature can be enabled to instruct the Rubrik cluster to immediately queue a
task to copy a new snapshot to a specified archival location.
When an SLA Domain has the Instant Archive feature enabled, the Rubrik cluster queues a task to
copy a snapshot to the associated archival location as soon as the snapshot is processed.
The Instant Archive feature does not change the amount of time that a snapshot is retained locally
on the Rubrik cluster. The Retention On Brik setting determines how long a snapshot is kept on the
Rubrik cluster.
Note: Instant Archive is not supported for tape archival locations or Amazon Glacier.
Configuring archival policy for an SLA Domain without Instant Archive

Configure the archival policy for an SLA Domain when creating a custom SLA Domain or when
editing an SLA domain, and do not enable Instant Archive.
Before you begin — Configure at least one archival location for the local Rubrik cluster, as
described in Archival location configuration.
3. Complete one of the following to add or modify an archival policy for an SLA Domain:
Edit.
5. Click Configure Remote Settings.
6. In Archival, click the toggle.
The archival location field and the archival policy slider become available.
7. Clear Enable Instant Archive.

Archiving
8. In the archival location field, select one of the configured archival locations.
Domain.
The Rubrik cluster adds the archival policy to the SLA Domain and applies it to the existing
snapshots and the new snapshots for data sources assigned to the SLA Domain.
Example 6 describes the results of an archival policy without Instant Archive.
Example 6 Archival policy without Instant Archive

Assume the following rules are specified for an SLA Domain:
• Hourly Rule – Take one snapshot every 12 hours and retain the snapshot for five days.
• Daily Rule – Retain the most recent daily snapshot for 32 days.
• Monthly Rule – Retain the most recent monthly snapshot for one year.
• Annual Rule – None specified.
• Archival policy – Retention on Brik is set to 60 days. Instant Archive is not enabled.
The Rubrik cluster transfers snapshots that are 61 days old (or older) to the archive location and
retains the archival snapshots at that location for one year from the date of the snapshot. The one
year value is the Maximum Retention Period which, in this example, is specified by the Monthly
Rule.
The local Rubrik cluster stores all relevant snapshots, as determined by the Hourly Rule and the
Daily Rule, for 60 days. After 60 days, the Rubrik cluster creates archival snapshots, stores them in
the archival account, and expires the source snapshots on the local Rubrik cluster. The Rubrik
cluster expires the archival snapshots based on the retention settings of the Daily Rule and the
Monthly Rule for the SLA Domain.

Archiving
Configuring archival policy for an SLA Domain with Instant Archive

Configure the archival policy for an SLA Domain when creating a custom SLA Domain or when
editing an SLA Domain, and enable Instant Archive.
Before you begin. Configure an archival location for the local Rubrik cluster, as described in
Archival location configuration.
3. Complete one of the following to add or modify an archival policy for an SLA Domain:
Edit.
5. Click Configure Remote Settings.
6. In Archival, click the toggle.
7. In the archival policy section, select Enable Instant Archive.
With the Instant Archive feature enabled, the Rubrik cluster creates a snapshot and
immediately queues a task to transfer the associated archival snapshot to the archival location.
8. In the archival location field, select one of the configured archival locations.
Domain.
The Rubrik cluster adds the archival policy to the SLA Domain and applies it to the existing
snapshots and the new snapshots for data sources assigned to the SLA Domain.

Archiving
Example 7 describes the results of an archival policy with Instant Archive.
Example 7 Archival policy with Instant Archive

Assume the following rules are specified for an SLA Domain:
• Hourly Rule – Take one snapshot every 12 hours and retain the snapshot for five days.
• Daily Rule – Retain the most recent daily snapshot for 32 days.
• Monthly Rule – Retain the most recent monthly snapshot for one year.
• Annual Rule – None specified.
• Archival policy – Retention on Brik is set to 60 days. Instant Archive is enabled.
When snapshots are created, the Rubrik cluster immediately queues tasks to transfer the
associated archival snapshots to the archive location and retains the archival snapshots at that
location for one year. The one year value is the Maximum Retention Period which, in this example,
is specified by the Monthly Rule.
The local Rubrik cluster stores all relevant snapshots, as determined by the Hourly Rule, the Daily
Rule, and the Monthly Rule (day 33 through day 60), for 60 days. After 60 days, the Rubrik cluster
expires the source snapshots on the local Rubrik cluster. The Daily Rule and Monthly Rule govern
the expiration of the archival snapshots.
Archival policy changes

Editing an SLA Domain can result in a variety of changes that impact the archival policy. These
changes can impact where the Rubrik cluster stores existing snapshots and new snapshots, which
snapshots the Rubrik cluster retains for long term storage, and which snapshots the Rubrik cluster
automatically expires.
Possible changes that can impact an archival policy include:
 Archival policy disabled
 Archival policy re-enabled
 Local cluster retention period increased
 Local cluster retention period decreased
 Maximum retention period increased
 Maximum retention period decreased
Rubrik CDM Version 5.0 User Guide Archival policy changes 187
Archiving
Archival policy disabled

After the archival policy is disabled, the Rubrik cluster does not create new archival snapshots at
the archival location. Existing archival snapshots remain at the archival location and the Rubrik
cluster continues to manage the archival snapshots based on the SLA rules.
After the archival policy is disabled, the Rubrik cluster maintains the Retention on Brik setting,
when one is enabled. Otherwise, the Rubrik cluster sets the Local Cluster Retention Period to the
Maximum Retention Period. Existing local snapshots remain on the local Rubrik cluster until the
Rubrik cluster expires them based on the Maximum Retention Period.
! IMPORTANT
Disabling archival policy for an extended period, then re-enabling archival policy, can result
in a backlog that will temporarily delay the expiration of snapshots.
Archival policy re-enabled

When an archival policy is disabled and then re-enabled, all policy driven snapshots on the local
Rubrik cluster that are older than the Local Cluster Retention Period are automatically moved into
the archival account. The Rubrik cluster manages existing archival snapshots at the archival
location based on the SLA rules.
Retention on Brik period increased

When the Retention on Brik period is increased, the Rubrik cluster continues to manage existing
archival snapshots at the archival location based on the SLA rules. Existing archival snapshots are
not moved back to the local Rubrik cluster.
The Rubrik cluster keeps existing local snapshots and new policy driven snapshots on the local
Rubrik cluster for the time set by the new Retention on Brik period. When a policy driven snapshot
on the local Rubrik cluster is older than the Retention on Brik period, the Rubrik cluster moves it to
the archival location.
Retention on Brik period decreased

When the Retention on Brik period is decreased, the Rubrik cluster moves existing local snapshots
that are older than the new Retention on Brik period to the archival location. The Rubrik cluster
also applies the decreased Retention on Brik period to all new policy driven snapshots.
Archival snapshots remain at the archival location and the Rubrik cluster manages those archival
snapshots based on the SLA rules.
Rubrik CDM Version 5.0 User Guide Archival policy changes 188
Archiving
Maximum Retention Period increased

Changes to the SLA rules can cause an automatic increase in the Maximum Retention Period.
When this happens, the Rubrik cluster applies the new higher Maximum Retention Period to all
archival snapshots at the archival location and the Rubrik cluster continues to manage the archival
snapshots based on the SLA rules.
Maximum Retention Period decreased

Changes to the SLA rules can cause an automatic decrease in the Maximum Retention Period.
When this happens, the Rubrik cluster applies the new lower Maximum Retention Period to all
existing policy driven snapshots. The Rubrik cluster automatically expires local snapshots when
the snapshots are not required in order to remain in compliance with the new policy.
The Rubrik cluster automatically expires snapshots from the local Rubrik cluster, replicas at the
target Rubrik cluster, and archival snapshots at the archival location as needed to comply with the
new Maximum Retention Period.
Archival Locations page

Use the Archival Locations page to add, edit, disconnect, and deleted archival locations. The
Archival Locations page provides summary information about the archival locations that are
configured for the local Rubrik cluster.
Viewing the Archival Locations page

Use the Archival Locations page to work with the archival locations of the local Rubrik cluster.
1. In the Rubrik CDM web UI, on the top action bar, click the gear icon.
2. On the menu, select Archival Locations.
The Archival Locations page appears and provides two sections of information:
• Active Archive
• Archival Locations
For Active Archive section

The for Active Archive section of the Archival Locations page provides historical information about
network bandwidth consumption due to archiving activity.
A line chart displays the network bandwidth consumption, for the previous 24 hours, in a multiple
of bits per second. The chart combines all bandwidth consumption for active archival locations.
Rubrik CDM Version 5.0 User Guide Archival Locations page 189
Archiving
Archival Locations section

The Archival Locations section of the Archival Locations page provides information cards for each
of the archival locations that is configured for the local Rubrik cluster.
Table 33 describes the information that is provided by an archival location card. The archival
location card does not have a field label for the name field and the status field. The name field is
at the top of the card and the status field is the first field beneath the name.
Table 33 Information provided on an archival location card
Field Description
Name Reference name for the archival location. The Rubrik cluster uses a default
generated name unless a custom name is configured.
Status Current status of the archival location. The status is either:
• Read/Write – Available for archival write and archival read operations.
• Read Only – Available for archival read operations only.
Data Archived Total amount of data transmitted to the archival location.
Data Downloaded Total amount of data received from the archival location.
Objects Archived Total number of protection objects that have at least one archival snapshot
stored at the archival location.
Archival location configuration

Configure the Rubrik cluster to support a specific archival location by providing the requested
archive-specific information.
The following sections address set up of specific types of archives:
 Amazon S3
 Amazon Glacier
 Microsoft Azure
 Object storage system
 NFS share
 QStar tape archive
Rubrik CDM Version 5.0 User Guide Archival location configuration 190
Archiving
Archival location display name

When creating or editing an archival location, assign a display name or allow the Rubrik cluster to
generate a name. The archival location display name appears when adding or editing an SLA
Domain and on the Archival Locations page.
After a bucket or container name is added to an archival location, the Rubrik cluster automatically
generates a display name for the archival location. The generated name combines the short form
for the archive type and the bucket or container name. For example, for an Amazon S3 archive
with a bucket named ‘region-6’ the Rubrik cluster generates the display name ‘S3:region-6’ and
adds that name to the Archival Location Name field.
The generated display name can be accepted or a new display name can be typed into the
Archival Location Name field. The value in this field appears when adding or editing an SLA
Domain and in the heading portion of the card for the archival location on the Archival Locations
page. The generated name always appears on the second line of the card for the archival location.
Amazon S3
The Rubrik cluster supports Amazon S3 as an archival location with data encryption provided by an
RSA key.
An Amazon S3 archival location can be configured to use one of the following storage classes:
 Standard
 Standard Infrequent Access
 Reduced Redundancy
The storage class can be edited after the archival location is added. The Rubrik cluster applies the
new storage class to data that is archived after a change.
Refer to Amazon's S3 documentation for more information about storage classes and the Amazon
pricing structure.
Rubrik CDM Version 5.0 User Guide Amazon S3 191

Archiving
Adding an Amazon S3 archival location

Prepare to use an Amazon S3 archival location by providing the Rubrik cluster with Amazon S3
keys and connection information.
Before you begin — Complete the tasks described in Generating an RSA key and Preparing to use
Amazon S3 as an archival location.
! IMPORTANT
After successfully completing the following task, only the access key ID, the secret key, and
the storage class can be changed. Confirm all information before starting the task, and
check the provided information before finalizing the task.

3. Click Archival Locations.
The Archival Locations page appears.
The Add Archival Location dialog box appears.
5. In Archival Type, select Amazon S3.
The Amazon S3 archival location fields appear.
6. In Region, select an Amazon S3 region for the bucket.
7. In Storage Class, select one of the following:
• One Zone - Infrequent Access
• Reduced Redundancy
• Standard
• Standard - Infrequent Access
8. In AWS Access Key, paste an access key ID.
9. In AWS Secret Key, paste the associated secret key.
10.In AWS Bucket Name, type the name for the Amazon S3 bucket to use with the Rubrik
cluster.
The bucket name must comply with the guidelines provided by Amazon for DNS-compliant
bucket names. For information refer to:

Archiving
http://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html
11.In Archival Location Name, type a display name for the archival location.
Alternatively, accept the generated name that is displayed in the field.
12.In Encryption Type, select RSA Key.
13.In RSA Key, paste the RSA key for encrypting data for the selected region.
! IMPORTANT
This password must be stored safely as disaster recovery cannot be performed without
this password.
14.(Optional) In KMS Master Key, paste the KMS master key.
! IMPORTANT
this password.
15.Click Advanced Settings.

The Advanced Settings page appears with the Cloud Compute Settings menu selected.
Configuring cloud compute settings is required in order for Rubrik cluster to launch a
temporary Rubrik instance on the cloud.
16.In Virtual Network ID, copy and paste the resource ID of the virtual network.
17.In Subnet ID, copy and paste the name of the virtual network.
18.In Security Group ID, copy and paste the name of the network security group.
19.(Optional) Check Enable Archive Consolidation to use archival consolidation.
20.Click Save.
21.To configure archival proxy settings, click Archival Proxy Settings.
If configured, all backup or restore data and metadata pertaining to an archival location is
transferred via the archival proxy.
22.In Protocol, select a protocol.
23.In Proxy Server (IP or FQDN), type the archival proxy server IP address or FQDN.
24.In Port Number, type the port number of the archival proxy server.
25.In Username, type the username for the archival proxy server.
26.In Password, type the password of the archival proxy server.

Archiving
27.Click Save.
28.To configure compute proxy settings, click Compute Proxy Settings.
If configured, all API calls for instantiating a virtual machine on the archival location is routed
over the compute proxy.
29.In Protocol, select a protocol.
30.In Proxy Server (IP or FQDN), type the compute proxy server IP address or FQDN. network.
31.In Port Number, type the port number of the compute proxy server.
32.In Username, type the username for the compute proxy server.
33.In Password, type the password of the compute proxy server.
34.Click Save.
The Rubrik cluster tests the keys and connection information and, after a successful test, stores
the keys and connection information.
Editing the Amazon S3 Archive Location Configuration or Settings

Provide more security for the archived data by regularly changing the Amazon S3 access key ID
and secret key. Also, when necessary, change the storage class that the Rubrik cluster uses for
data that is archived after the change and change the display name. When necessary, change the
cloud compute settings for the Rubrik cluster.
Before you begin — When changing the access key ID and the secret key, first use the IAM
console to change the access key ID and secret key assigned to the Rubrik cluster by Amazon S3.
4. On the Archival Locations page, on the archival location card, open the ellipsis menu.
5. Select Edit.
The Edit Archival Location dialog box appears.
6. (Optional) In AWS Access Key and AWS Secret Key, add the new access key ID and secret
key.
7. (Optional) In Archival Location Name, type a new display name for the archival location.
8. (Optional for CloudOn) Click Advanced Settings.

Archiving
9. (Optional for CloudOn) In Virtual Network ID, copy and paste the resource ID of the virtual
network.
10.(Optional for CloudOn) In Subnet ID, copy and paste the name of the virtual network.
11.(Optional for CloudOn) In Security Group, copy and paste the name of the network security
group.
12.Click Save.
13.(For CloudOn) To configure archival proxy settings, click Archival Proxy Settings.
14.(For CloudOn) In Protocol, select a protocol.
15.(For CloudOn) In Proxy Server (IP or FQDN), type the archival proxy server IP address or
FQDN.
16.(For CloudOn) In Port Number, type the port number of the archival proxy server.
17.(For CloudOn) In Username, type the username for the archival proxy server.
18.(For CloudOn) In Password, type the password of the archival proxy server.
19.Click Save.
20.(For CloudOn) To configure compute proxy settings, click Compute Proxy Settings.
22.(For CloudOn) In Proxy Server (IP or FQDN), type the compute proxy server IP address or
FQDN. network.
23.(For CloudOn) In Port Number, type the port number of the compute proxy server.
24.(For CloudOn) In Username, type the username for the compute proxy server.
25.(For CloudOn) In Password, type the password of the compute proxy server.
26.Click Save.
The Rubrik cluster tests the updated information and, after a successful test, stores the updated
information.

Archiving
Amazon Glacier
The Rubrik cluster supports Amazon Glacier as an archival location.
Amazon Glacier is an extremely low-cost cold storage service intended for long-term (months and
years) storage of large amount of very infrequently-accessed data. The following are major
characteristics and differences compared to the Amazon S3 storage service.
 Glacier works with vaults similar to buckets in Amazon S3.
 Glacier manages archives whereas Amazon S3 manages objects.
 Users upload objects to Amazon S3 (and other object stores) and specify the names (which can
be full path names) for these objects, which can later be used to query and download these
objects. Users upload archives to Glacier and cannot specify names for these archives. On a
successful upload, Glacier assigns a unique archiveId to an archive and returns it to the user. It
is user's responsibility to track this archiveId for each archive uploaded.
 Glacier allows adding description to each archive which is used to track additional information
(like the archive's name on the cluster).
 Glacier archives are immutable. Once uploaded, they cannot be modified.
 Glacier does not support synchronous instantaneous downloads of archives. Glacier supports
only asynchronous retrieval of archives, where user first submits a job to retrieve an archive
and then downloads the archive when it's ready for retrieval.
 Glacier supports three levels of retrieval tiers, which determine how long it can potentially take
for archives to be ready for download. This wait can be from minutes to hours depending on
the retrieval tier chosen.
 Glacier supports Vault Lock Policy for vaults. Once applied, the archives in the vault are
protected and cannot be deleted based on the policy.
 Glacier does not support synchronous query to list all archives (similar to listObjects in Amazon
S3). User first submits a job to retrieve vault inventory and then downloads the inventory
information when ready.
 Glacier vault cannot be deleted unless it is empty.
Note: Refer to Amazon's Glacier documentation for more information about storage classes and
the Amazon pricing structure.
Rubrik CDM Version 5.0 User Guide Amazon Glacier 196

Archiving
Amazon Glacier as an Archival Target

Adding a Glacier archival location is similar to adding other types of archival locations.
Table 34 describes the parameters needed to be specified when adding a new Glacier location.
Table 34 Glacier archival parameters
Field Description Additional Information
Name Glacier location name. Can be edited after initial configuration.
AccessKey Glacier user account access key. Can be edited after initial configuration.
SecretKey Glacier user account secret key. Can be edited after initial configuration.
VaultName Glacier Vault to use for this Cannot be edited after initial configuration.
archival location.
Region AWS Region for the Glacier Vault. Cannot be edited after initial configuration.
EncryptionPassword Password to use for encrypting Cannot be edited after initial configuration.
data before sending to Glacier.
This password must be stored
safely as disaster recovery cannot
be performed without this
password.
EnableVaultLock Enable this flag to enable vault You can enable a Vault Lock after the initial
lock on this Glacier vault. configuration. You cannot disable a Vault
Lock once it has been configured.
FileLockDuration Lock duration in days if Vault Lock Can be specified only at the time of
is being enabled. enabling the Vault Lock. Once applied, this
value cannot be changed.
RetrievalTier Retrieval Tier to use when Can be edited after initial configuration.
downloading data from Glacier.
Glacier upload operations

Glacier upload operations have the following characteristics:
 Glacier uploads are synchronous similar to Amazon S3 and other archival targets.
 Glacier refers to uploaded objects as archives.
 Glacier supports native multi-part upload. Large archives are uploaded in parts using
multi-threaded approach.
 After the upload of an archive is successfully completed, Glacier returns an Archive ID for that
archive. The Archive ID is a random unique number generated by Glacier.
 Only full snapshot uploads are supported because of the retrieval mechanism. Incremental
snapshots are not supported.

Archiving
Glacier retrieval/download operations

The Glacier archive download is a multi-step activity.
1. Initiate a download request specifying the archive ID to download. This will return a job id of
the submitted request.
2. Poll using the job ID to check when the job is ready for download. This can take from a few
minutes to several hours depending on the retrieval tier specified when initiating the request.
3. Download the archive. Once an archive is available, it can be downloaded all at once, or in
chunks.
Rubrik only supports retrieval of the entire archive snapshot.
Glacier supports three types of retrieval tiers, providing users with trade off choices between cost
and time to download.
Glacier Vault Lock operations

Glacier supports Vault Lock Policy to deploy and enforce compliance controls for data retention on
a per-vault basis. This policy controls the time duration when an archive cannot be deleted.
The following is supported for managing vault lock policy on Glacier archival locations:
• Support only age-based vault lock policy. User can specify the duration for which all archives
on the vault must be locked. All archives older than this age can be deleted.
• Support enabling vault lock policy at time of adding a Glacier archival location.
• Support enabling vault lock policy for an existing Glacier archival location.
• Once vault lock policy is enabled (initiated) in either ADD or EDIT path mentioned above,
the location card in the UI will show a running top bar to indicate something is in progress.
• A new option "Verify Vault Lock Policy" is added in the drop down menu of the card. When
selected, it will ask user to either ABORT or CONFIRM vault lock.
• Disconnect a Glacier location with vault lock policy enabled.
Setting up a vault lock policy is a multi-step operation:
1. Initiate Vault Lock Policy: Initiate a request to set up a lock policy on an existing vault. If
successful, Glacier activates the specified policy for a duration of 24 hours and returns a Lock
ID.
2. Validate and/or Abort Lock Policy: Validate that the policy is set up as expected, and is what
you really need. If not, Abort the in-progress temporary lock policy using the Lock ID.
3. Complete Vault Lock Policy: Complete and confirm the setting up of the vault lock policy within
24 hour window. Once completed successfully, the vault lock policy cannot be changed or
deleted from the vault.

Archiving
4. Assign a Glacier location with vault lock policy to an SLA Domain.
! IMPORTANT
Deletion of a Glacier location with vault lock policy enabled is not supported if there are any
snapshots protected by the vault lock policy.
Do not manage the vault lock policy directly from the Amazon Glacier management console for
vaults used as an archival target from Rubrik cluster. It can create inconsistency and unexpected
results.
Adding Amazon Glacier as an archival location

Configure a Rubrik cluster to use Amazon Glacier as the archival location.
5. In Archival Type, select Glacier.
The Add Archival Location dialog box changes to show the Glacier fields.
Note: See Table 34 for additional information on Glacier Archival fields.
6. In Region, select an Amazon Glacier region for the archive.

7. In Access Key, type the access key for the Amazon Glacier account.
8. In Secret Key, type the secret key for the Amazon Glacier account.
9. In Glacier Vault Name, type the name of the Glacier Vault to use for the archive. If the vault
does not exist, it will be created.
10.In Archival Location Name, accept the default name or type a new name for the archival
location.
11.In Encryption Password, type the encryption password to recover the Glacier archive.

Archiving
12.In Re-Enter Encryption Password, type the encryption password to recover the Glacier
archive.
! IMPORTANT
this password.
13.In Retrieval Tier, select the Amazon Glacier retrieval tier.

You can select from:
• Standard
• Expedited
• Bulk
14.In Enable Vault Lock Policy select whether Vault Lock Policy is enabled or disabled.
Note: See Glacier Vault Lock operations for additional information on using Vault Lock Policy.
15.If Enable Vault Lock Policy is configured, set File Lock Period (days).
16.Click Add.
If Vault Lock Policy is not enabled, the archival location card will appear with a solid bar across
the top of the card.
If Vault Lock Policy is enabled, the archival location card will appear with moving bar across the
top of the card.
17.(optional) If Vault Lock Policy is enabled, open the ellipsis menu on the archival location card
and select Verify Vault Lock Policy.
Note: If you do not verify Vault Lock Policy within 24 hours, it will be automatically canceled.
A Confirm Vault Lock dialog box appears.

18.(optional) Click Confirm.

Archiving
Google Cloud Platform

The Rubrik cluster supports Google Cloud Platform as an archival location.
Google Cloud Storage is a unified object storage solution offering four storage classes. Each
storage class fits a particular use case with different price points and SLA. The four storage classes
are:
 Multi-regional storage
 Regional storage
 Nearline storage
 Coldline storage
Rubrik supports all Google Cloud Platform Regional and Multi-Regional locations. A regional
location is a specific geographic place somewhere in the world.
Note: Refer to Google's Cloud Platform documentation for more information about storage classes
and the Google pricing structure.
Google Cloud Platform as an Archival Target

Adding a Google Cloud Platform archival location is similar to adding other types of archival
locations.
Table 35 describes the parameters needed to be specified when adding a new Google Cloud
Platform location.
Table 35 Google Cloud Platform archival parameters
Region Region for Google Cloud Platform Cannot be edited after initial configuration.
bucket,
Storage Class The storage class specified for the Cannot be edited after initial configuration.
Google Cloud Platform. The
options include:
• Standard
• Durable Reduced Availability
• Nearline
• Coldline
Bucket Bucket created for use as Rubrik Cannot be edited after initial configuration.
archival target.
Rubrik CDM Version 5.0 User Guide Google Cloud Platform 201
Archiving
Table 35 Google Cloud Platform archival parameters

EncryptionPassword and Password to use for encrypting Cannot be edited after initial configuration.
Re-Enter Encryption data before sending to Google
Password Cloud Platform. This password
must be stored safely as disaster
recovery cannot be performed
without this password.
Archival Location Name Descriptive name for the archival Can be edited after initial configuration.
location. By default this is
configured
as"GCP:<BucketName>".
This field can be edited to any
name.
Service Account JSON Private JSON key for the service Copy and past the contents of this file. It is
Key account. required for the Rubrik archival
configuration.
Adding Google Cloud Platform as an archival location

Configure a Rubrik cluster to use Google Cloud Platform as the archival location.
5. In Archival Type, select Google Cloud Platform.
The Add Archival Location dialog box changes to show the Google Cloud Platform fields.
Note: See Table 35 for additional information on Google Cloud Platform fields.
6. In Region, select a Regional or Multi-regional location which will host the archival data.
• Regional locations - Data is stored in one bucket in a single geographic location within the
specified region.
• Multi-regional locations - Data is geo-redundant and data is stored in multiple geographic
locations.
Archiving
7. In Storage Class, Rubrik will create a bucket with the appropriate Storage Class.
• Standard uses Regional or Multi-regional storage class based on the selection in the
previous field.
• Durable Reduced Availability is a legacy Storage class that is now superseded by Regional
class.
8. In Bucket, enter the bucket name.
• The bucket name needs to be unique across Google Cloud Platform.
• The bucket name can correspond to an existing bucket can be created through the Rubrik
CDM (recommended).
9. In Encryption Password, type the encryption password to recover the Google Cloud Platform
archive.
10.In Re-Enter Encryption Password, type the encryption password to recover the Google
Cloud Platform archive.
! IMPORTANT
this password.
11.In Archival Location Name, accept the default archival location name or specify a custom
name.
12.In Service Account JSON Key, paste the contents of the JSON file obtained from Google
Cloud Platform.
13.Click Add.
The Archival Location can now be assigned to SLA Domains.
Archiving
Microsoft Azure
The Rubrik cluster supports Microsoft Azure as an archival location.
Before you begin. Complete the tasks described in Preparing Microsoft Azure as an archival
location.
! IMPORTANT
Microsoft Azure has a 500 TB data storage limit for each container and for each storage
account. Plan archival usage to ensure that the data storage requirements for any single
container and storage account do not exceed this limit.
Adding Microsoft Azure as an archival location

Configure a Rubrik cluster to use Microsoft Azure as the archival location.
5. In Archival Type, select Azure.
The Add Archival Location dialog box changes to show the Azure fields.
6. In Storage Account Name, type the name of a Microsoft Azure account.
7. In Access Key, type the access key for the Microsoft Azure account.
8. In Container, type the name to be assigned to the container.
Azure restricts the name based on the following rules:
• The name must be from 3 to 63 characters long.
• The name must start with a lowercase letter or a number.
• All letters must be lowercase.
• The name can only contain lowercase letters, numbers, and the hyphen character.
• Each hyphen must be immediately proceeded by and immediately followed by a lowercase
letter or a number. Consecutive hyphens are not allowed.
Rubrik CDM Version 5.0 User Guide Microsoft Azure 204

Archiving
9. In Archival Location Name, type a display name for the archival location.
10.In Instance Type, select the Cloud Platform type of this archival location.
Select one of the following:
• Azure Default – All regions except: China, India, and Azure Government.
• Azure Government – Regions: US Gov Iowa and US Gov Virginia.
• Azure China – Regions: China North and China East.
• Azure Germany – Germany.
11.In RSA Key, paste the RSA key.
The Rubrik cluster uses the RSA key to encrypt the archived data.
! IMPORTANT
this password.
12.(For CloudOn) Click Advanced Settings.

13.(For CloudOn) In Import JSON, paste the text generated in the JSON output file.
When the user runs the rkazurecli_cloud_on.ps1 script, the script generates a JSON output file
with the App Id, App Secret Key, Tenant Id, Subscription, Region, General Purpose Storage
name, General Purpose Storage Container Name, Resource Group name, Virtual Network ID,
Subnet ID, and Security Group name, as described in Configuring Azure Objects.
The Rubrik cluster imports these values from the JSON output file and auto-fills these values on
the Rubrik Rubrik CDM web UI page.
14.(For CloudOn) Click Save.
FQDN.

Archiving
21.Click Save.
FQDN. network.
28.Click Save.
The Rubrik cluster stores the information.
To configure additional Microsoft Azure settings, use the Azure portal.
Editing the Microsoft Azure account name and account key

Provide more security for the archived data by regularly changing the account key for the
Microsoft Azure account. Also, when necessary, edit the account name or display name.
Before you begin — Change the account key assigned to the Microsoft Azure account being used
by the Rubrik cluster.
5. Select Edit.
6. (Optional) In Storage Account Name, type a new account name.

Archiving
7. In Access Key, type the new access key.

8. In Archival Location Name, type a new display name for the archival location.
9. (Optional for CloudOn) Click Advanced Settings.
10.(Optional for CloudOn) In App ID, type a new application ID.
11.(Optional for CloudOn) In App Secret Key, copy and paste the application secret key.
12.(Optional for CloudOn) In Tenant ID, type a new tenant ID.
13.(Optional for CloudOn) In Subscription, select a new subscription.
14.(Optional for CloudOn) In Region, select a new region.
15.(Optional for CloudOn) In General Purpose Storage, select a new general purpose storage.
16.(Optional for CloudOn) In General Purpose Storage Container Name, select a new
general purpose storage container name.
17.(Optional for CloudOn) In Resource Group, type a new resource group name.
18.(Optional for CloudOn) In Virtual Network ID, type a new virtual network ID.
19.(Optional for CloudOn) In Subnet ID, type a new subnet ID.
20.(Optional for CloudOn) In Security Group, type a new security group name.
FQDN.

Archiving
FQDN. network.
35.Click Save.
information.
The Rubrik cluster stores the updated information.
To configure additional Microsoft Azure settings, use the Azure portal.

Archiving
Object storage system

The Rubrik cluster supports using an object storage system as an archival location.
The Rubrik cluster supports the object storage system types described in Table 36.
Table 36 Object storage system vendor choices
Object Store Vendor Description
Amazon S3 API Compatible Object storage systems that are compatible with the Amazon S3 API.
This vendor type includes:
• Cleversafe object storage system
• Cloudian HyperStore
• Basho Riak S2
• Internet Initiative Japan (IIJ) GIO Drive
HDS Hitachi Data Systems (HDS) systems:
• Hitachi Content Platform (HCP) Access Storage Node
• Economy Storage Node
• HCP VM Access Storage Node
Note: Rubrik does not support HDS systems with the HDS server-side
encryption enabled.
HDS systems have a 2 TB limit on file size and do not support multi-part
uploads.
Scality Scality object storage system.
Scality has some limitations on file listing capabilities that prevent full
Amazon S3 API compatibility.
Host Name value

The Rubrik cluster contacts the object storage system by using the information provided in the
Host Name field.
The value provided in the Host Name field of the Add Archival Location dialog box must be a URL
that includes:
 Protocol, either HTTPS or HTTP
 Resolvable hostname or IPv4 address
Optionally, the URL can include a port designation to indicate the port that the objects storage
system listens on.
Rubrik CDM Version 5.0 User Guide Object storage system 209
Archiving
Adding an object storage system as an archival location

Configure a Rubrik cluster to use an object storage system as the archival location.
Before you begin. Do the following:
 For a Cleversafe object storage system, complete the tasks described in Preparing Cleversafe
as an archival location.
 For Scality object storage, complete the tasks described in Preparing Scality as an archival
location.
 For all object storage systems, generate an RSA key for the Rubrik cluster to use when
encrypting the archival data, as described in Generating an RSA key.
5. In Archival Type, select Object Store.
The Add Archival Location dialog box changes to show the object storage system fields.
6. In Object Store Vendor, select one of the following:
• S3 API Compatible Object Store
• HDS
• Scality
7. In Access Key, type the access key for the object storage system account.
8. In Secret Key, type the secret key for the object storage system account.
Archiving
9. In Host Name, type the URL of the object store endpoint.

The URL must include a protocol, either HTTP or HTTPS, and optionally can include a port
designation:
http://<hostname>:<port>
https://<hostname>:<port>
where:
• <hostname> is the resolvable hostname of the object storage system or IPv4 address.
• <port> is the incoming port that the object storage system listens on to receive an archival
connection.
10.In Bucket Prefix, type a prefix to use for naming the buckets.
The Bucket Prefix value cannot contain uppercase letters.
The Rubrik cluster uses the Bucket Prefix value as the common first part of the names for the
buckets assigned to the Rubrik cluster.
For example, when the value of Bucket Prefix is datacenter-1 and the value of Number of
Buckets is 3, the Rubrik cluster creates and uses the following three buckets at the archival
location:
• datacenter-1-rubrik-0
Note: When the provided credentials do not have bucket creation permissions, use the object
storage system management console to manually create the required buckets before
completing this task.
11.In Number of Buckets, type the number of buckets assigned to the Rubrik cluster.
Type an integer value that is greater than or equal to one.
12.In Archival Location Name, type a display name for the archival location.
Archiving
13.In RSA Key, paste the RSA key.

The Rubrik cluster uses the RSA key to encrypt the archived data.
Store the RSA key in a safe location.
! IMPORTANT
this password.
14.Click Add.
The Rubrik cluster tests the keys and connection information and, after a successful test, stores
the keys and connection information.
Editing the object storage system access key and secret key
Provide more security for the archived data by regularly changing the access key and secret key
for the object storage system. Also, when necessary, edit the display name.
Before you begin. On the object storage system, change the access key and secret key assigned to
the Rubrik cluster.
5. Select Edit.
6. (Optional) In Access Key, type the new access key.
7. (Optional) In Secret Key, type the new secret key.
8. (Optional) In Archival Location Name, type a new display name.
9. Click Edit.
information.
Archiving
NFS share
The Rubrik cluster supports using an NFS share, or an EMC Isilon NFS share, as an archival
location.
Adding an NFS archival location

Configure a Rubrik cluster to use an NFS share as the archival location.
Before you begin — Complete the following preparation tasks:
 For an NFS share other than an EMC Isilon NFS share, complete the tasks described in
Preparing to use an NFS share as an archival location.
 For an NFS share from an EMC Isilon, complete the tasks described in Preparing an Isilon NFS
share as an archival location.
5. In Archival Type, select NFS.
The Add Archival Location dialog box changes to show the NFS fields
6. In Host Name, type the resolvable hostname or IP address of the NFS share host.
7. In Export Directory, type the absolute path of the export directory configured in /etc/exports
on the NFS share host, or in the Isilon OneFS UI.
For example, type: /export/RubrikArchive.
! IMPORTANT
The folder specified in the next step must be empty, or only contain files that were
written by the Rubrik cluster. Any other data in the folder will be overwritten by archival
data.
Rubrik CDM Version 5.0 User Guide NFS share 213

Archiving
8. In Destination Folder Name, type the name of the target folder beneath the NFS mount
point.
Use the folder name, not the full path. For example, type Cluster1 when the full path is
/export/RubrikArchive/Cluster1.
! IMPORTANT
The value provided in the next step, for Encryption Password, must be safely stored and
kept secure. If the source Rubrik cluster becomes unavailable for any reason, decryption
of the archival data by a second Rubrik cluster requires the password. Without the
password, the archival data cannot be recovered.
10.In Encryption Password, type a complex password.

The Rubrik CDM web UI rejects a password that is too easy to guess.
The Rubrik cluster uses the password to encrypt the archival data, as explained in Archival data
security.
11.In Re-Enter Encryption Password, type the same password.
12.In Authentication Type, select either: None or Kerberos.
For an NFS share from an EMC Isilon, select Kerberos.
13.In File Lock Period in Days, type a positive integer, or 0.
This value sets the Write Once Read Many (WORM) lock on every file that the Rubrik cluster
writes to the archival location. The default value is 0 (no WORM lock).
14.Click Add.
The Rubrik cluster tests the connection information and, after a successful test, stores the
connection information.

Archiving
Editing an NFS archival location

When changes to the NFS archival location occur, edit the configuration information to update the
settings.
Use the edit task to modify the settings of an existing NFS archival location. Do not use the task to
add a new NFS share as an archival location.
To add a new NFS share as an archival location, complete the tasks described in Adding an NFS
archival location. Adding a new archival location causes the Rubrik cluster to move the existing
archival location to READ-ONLY status and retain read access to the data.
! IMPORTANT
Do not edit the connection information for an NFS archival location to point to a new export.
This will cause data corruption and data unavailability.

5. Select Edit.
6. (Optional) In Host Name, type the new resolvable hostname or IP address of the NFS share
host.
The hostname or IP address must point to the existing NFS share. Only modify this when the
hostname or IP address of the existing NFS share is changed.
7. (Optional) In Export Directory, type the new absolute path of the export directory configured
in /etc/exports, or in the Isilon OneFS UI.
The new absolute path must point to the original destination folder. Only modify this when the
path to the destination folder is changed.
9. (Optional) In Authentication Type, select either: None or Kerberos.
10.(Optional) In File Lock Period in Days, type a positive integer, or 0.
A change to the WORM lock setting only applies to data written after the change is made.

Archiving
11.Click Edit.
information.
QStar tape archive

The Rubrik cluster supports archiving to tape through a QStar Integral Volume set.
The Rubrik cluster features the ability to mount a QStar Integral Volume set as an archival
location. This provides the ability to store archival data in a tape library that is managed by the
QStar Archive Manager software.
The Rubrik cluster uses the SMB/CIFS protocol to mount an exported Integral Volume set. To
archive to a tape location, the Rubrik cluster writes the archival data to the cache of the specified
Integral Volume set. This provides performance similar to writing to a disk.
After the data is written to the Integral Volume set cache, the QStar Archive Manager handles the
cache data and manages the transfer of the data to and from the tape library.
Shared Integral Volume set

Several archival locations can be configured to share a single Integral Volume set and tape library.
When a Rubrik cluster mounts the Integral Volume set that is specified when a tape archival
location is added, it creates a folder beneath the mount point. The folder represents the bucket for
the associated archival location. A single Integral Volume set can have several archival locations
associated with it. Each with a uniquely named folder beneath the mount point.
This method permits several archival locations to share the tape media of the library.
QStar Host Name value

The Rubrik cluster connects with the QStar Archive Manager by using the information provided in
the QStar Host Name field.
The value provided in the QStar Host Name field of the Add Archival Location dialog box must be a
URL that includes the resolvable hostname or IPv4 address of the host of the QStar Archive
Manager instance
Optionally, the URL can include a port designation to indicate the port that the QStar Archive
Manager listens on.
Rubrik CDM Version 5.0 User Guide QStar tape archive 216
Archiving
Adding a QStar tape archive as an archival location

Configure a Rubrik cluster to use an QStar tape archive as the archival location.
Before you begin. Complete the tasks described in Preparing a QStar Integral Volume as an
archival location.
5. In Archival Type, select Tape.
The Add Archival Location dialog box changes to show the tape fields.
6. In QStar Host Name, type the hostname of the host of the QStar Archive Manager instance.
The value can optionally include a port designation:
<hostname>:<port>
where:
• <hostname> is the resolvable hostname or IPv4 address of the host.
• <port> is the incoming port that the QStar Archive Manager instance listens on.
7. In QStar Integral Volume Name, type the name of the Integral Volume set.
8. In Destination Folder Name, type a name for the folder that will be used for the archival
location.
The combination of the three fields: QStar Host Name, QStar Integral Volume Name, and
Destination Folder Name must be unique. After clicking Add, the Rubrik cluster checks the
location to ensure that it is not in use as an archival location.
If the location is in use, the add archival location task fails and a message appears in the
Activity Log.
Archiving
10.In QStar User Name, type the name for a user account.
The specified user account must have permission to mount an Integral Volume set from an
external system and to perform read and write operations on the mounted Integral Volume set.
11.In QStar Password, type the password for the user account.
! IMPORTANT
this password.
12.In Encryption Password, type a complex password.

The Rubrik CDM web UI rejects a password that is too easy to guess.
The Rubrik cluster uses the password to encrypt the archival data.
13.In Re-Enter Encryption Password, type the same password.
14.Click Add.
The Rubrik cluster attempts to mount the Integral Volume set and examines the path specified by
the Destination Folder Name.
If the mount fails or the path is unavailable the job to add the archival location fails and the Rubrik
cluster adds a message to the Activity Log. If both tasks are successful the Rubrik cluster stores
the information and makes the archival location available for use.
Editing the tape archival location

Modify the connection information for the tape archival location. Also, when necessary, edit the
display name.
5. Select Edit.
6. (Optional) In QStar Host Name, type the new hostname value of the QStar Archive Manage
instance.
Archiving
8. (Optional) In QStar User Name, type the name for a new user account.
9. (Required when password changes) In QStar Password, type the new password.
10.Click Edit.
information.
Reader-writer archival model

This model allows for one owner cluster and multiple reader clusters. This model facilities disaster
recovery.
Note: A pair of clusters can be setup as reader and writer for archival or can be setup for
replication. Reader-writer archival and replication is not supported on the same Rubrik cluster pair.
The four possible states for an archival location are described in Table 37.
Table 37 Archival location states
Archival location states Description
Owner The archival location is owned by the cluster and is active for archiving. The
owner cluster has full read-write access to the archival location. There can
be only one owner for each archival target at an archival location.
Paused An archival location on the owner cluster which is currently paused for
archiving.
Reader The archival location created on a cluster for read-only purposes. The
reader cluster can recover snapshots from the archival target but cannot
archive new snapshots or expire any existing snapshots. There can be more
than one reader cluster to the same archival target concurrently. The owner
cluster has no knowledge of any reader cluster accessing the archival target.
Deleted Once an archival location is no longer needed, it can be deleted from a
cluster. Deleting an archival location from a reader cluster has no effect on
the archival target or the owner cluster.
The supported operations for each archival state are described in Table 38.
Table 38 Supported operations for archival states (page 1 of 2)
Archival states Upload Download Expire and delete SLA mapping
Owner Yes Yes Yes Yes
Paused No Yes No No
Reader No Yes Yes Yes
Rubrik CDM Version 5.0 User Guide Reader-writer archival model 219
Archiving
Table 38 Supported operations for archival states (page 2 of 2)

Archival states Upload Download Expire and delete SLA mapping
Deleted No No No No
Creating a reader archival location

Use the Rubrik CDM web UI to create a reader archival location.
When a reader archival location is added, the Rubrik cluster performs metadata recovery from the
archival target. It identifies all protected objects and their snapshots, and populates the local
metadata with this information. A user can access or download any of the recovered snapshots
going forward as long as the snapshot has not expired or been deleted by the owner cluster.
4. Open the ellipsis menu on the page bar, and select Connect as Reader.
The Connect as Reader dialog box appears.
5. In Archival Type, select an archival type.
Each archival type has unique setup parameters. See the related sections earlier in this chapter.
6. Click Connect.
The Rubrik cluster creates a reader archival location. The time that is required to complete
metadata recovery depends on how many objects and snapshots are present at the target archival
location.
Refreshing a reader archival location

Use the Rubrik CDM web UI to refresh a reader archival location.
Since the contents of the archival target can be changed by the owner cluster, the recovery view
of the reader cluster can be inconsistent with the actual contents of the archival location. The
refresh operation takes a point in time view of the contents of the archival target and populates
the reader cluster with that information. Use this operation to synchronize the reader cluster with
the latest content.
Archiving

4. Select a reader archival location.
5. Open the ellipsis menu on the page bar, and select Refresh.
The Rubrik cluster starts the refresh process.
Promoting a reader archival location to an owner archival location

Use the Rubrik CDM web UI to promote a reader archival location to an owner archival location.
The promote operation should be performed on the reader cluster only after ensuring that the
owner cluster is no longer accessing the archival target. This could be because the owner cluster is
no longer available or the archival location was deleted from the owner cluster. Promoting a reader
cluster to owner while the original owner cluster is still accessing the archival location can result in
inconsistent data and potential data integrity issues.
4. Select a reader archival location.
5. Open the ellipsis menu on the page bar, and select Promote to Owner.
The Promote to Owner dialog box appears.
6. If the cluster is synchronized and a refresh is not required, check the The owner cluster has not
modified the archival location since the last refresh. If this box is not checked, then a refresh is
processed before the promotion process.
7. Click Promote.
The new cluster is assigned the owner cluster role.
Archiving
Pausing an archive
Use the Rubrik CDM web UI of the owner cluster to pause an archival location. Pausing suspends
archival activity but does not change the status of the owner cluster.
4. Select an archival location.
5. Click the ellipsis and select Pause Archival.
The Pause Archival Location dialog box appears.
6. Click Pause.
If there are currently jobs running, the current jobs will complete before the archive is paused.
When the archival location is paused the border of the dialog box changes from teal to orange.
Resuming a paused archive

Use the Rubrik CDM web UI to resume a paused archival location.
4. Select an archival location.
5. Click the ellipsis and select Resume Archival.
The Resume Archival Location dialog box appears.
6. Click Resume.
The Rubrik cluster resumes archival activity for the archival location and the border of the archival
location card changes from orange to teal.
Archiving
Disaster recovery using an archival location

A Rubrik cluster establishes a connection with an archival location by using unique credentials. In
the event the original Rubrik cluster becomes unavailable, use the same credentials with another
Rubrik cluster to recover the archived data.
The recovery cluster only obtains exclusive (write) access if it is promoted. This requires using the
credentials of the original Rubrik cluster to authenticate with the archival location. The recovery
Rubrik cluster obtains Read-Only access to the archived data.
The recovery cluster can still connect as a reader while the owner cluster is still active, as long as
the user does not intend to promote the reader cluster.
A cluster for recovery should be connected to an existing archival target only when the original
cluster is lost or has deleted the location and no longer wants to access the archival target.
Disaster recovery from an archival location is available for any of the following archive types:
 Amazon S3
 Amazon Glacier
 Microsoft Azure
 Object storage system
 NFS share
QStar tape archive
Source vCenters available for recovery

When the source vCenters of the original Rubrik cluster are added to the recovery Rubrik cluster
before the recovery, the recovery Rubrik cluster resumes management of the protection objects on
the source vCenters. The recovery Rubrik cluster manages the protection objects based on the
SLA Domain assignments and rules from the original Rubrik cluster.
After recovery, the SLA Domains of the original Rubrik cluster appear in the Rubrik CDM web UI of
the recovery Rubrik cluster. The recovery Rubrik cluster uses the SLA Domain rules from the
original Rubrik cluster to manage the protection objects on those vCenters.
! IMPORTANT
To re-enable the existing archival policies of the original SLA Domains, the archival location
must also be added to the recovery Rubrik cluster as described in Archival location
configuration.
Rubrik CDM Version 5.0 User Guide Disaster recovery using an archival location 223
Archiving
Source vCenters unavailable for recovery

When the source vCenters cannot be added to the recovery Rubrik cluster before the recovery, the
original source virtual machines are unavailable to the recovery Rubrik cluster. The recovery Rubrik
cluster provides management access to this recovered archival data through the Snapshot
Retention page.
Retention Management provides information about the Snapshot Retention page.
Connecting an Amazon S3 archival location for disaster recovery

To connect another Rubrik cluster to an S3 archival location, for disaster recovery, provide the
recovery Rubrik cluster with the connection details that were used by the original Rubrik cluster.
Before you begin — Do the following:
 Select a Rubrik cluster as the recovery Rubrik cluster.
 Obtain the access key ID and the secret key used by the original Rubrik cluster.
 Obtain the KMS master key ID, or the RSA key used by the original Rubrik cluster.
5. In Archival Type, select Amazon S3.
6. In Storage Class, select the Amazon S3 Storage Class.
7. In AWS Access Key, paste the access key ID.
8. In AWS Secret Key, paste the associated secret key.
9. In AWS Bucket Name, type the name of the Amazon S3 bucket of the original Rubrik cluster.
10.In Archival Location Name, select Amazon S3 location name.
11.In Encryption Type, select KMS Master Key ID or RSA Key.
12.(KMS master key only) In KMS Master Key ID, paste the KMS master key ID that was used
to encrypt the archival data on the original Rubrik cluster.
Archiving
13.(RSA key only) In RSA Key, paste the RSA key that was used to encrypt the archival data on
the original Rubrik cluster.
14.Click Connect.
The recovery Rubrik cluster tests the keys and connection information and, after a successful
test, stores the keys and connection information.
The recovery Rubrik cluster connects the archival location for read-only access. A gray border
on the dialog box indicates the cluster is in read-only mode. A rolling bar indicates the cluster is
recovering metadata from the archival location.
15.Open the ellipsis menu on the page bar, and select Promote to Owner.
16.(Refresh not required) Select The owner cluster has not modified the archival location
since the last refresh.
When this field is cleared, the Rubrik cluster performs a metadata refresh before the promotion
process.
17.Click Promote.
The selected Rubrik cluster assumes the owner cluster role and recovery from the archival location
can be started.
Connecting an Amazon Glacier archival location for disaster recovery

Archiving
5. In Archival Type, select Glacier.

6. In Region, select an Amazon Glacier region for the archive.
7. In Access Key, type the access key for the Amazon Glacier account.
8. In Secret Key, type the secret key for the Amazon Glacier account.
9. In Glacier Vault Name, type the name of the Glacier Vault to use for the archive. If the vault
does not exist, it will be created.
10.In Archival Location Name, accept the default name or type a new name for the archival
location.
11.In Encryption Password, type the encryption password to recover the Glacier archive. This
password must match the encryption password from the original owner cluster.
12.In Retrieval Tier, select the Amazon Glacier retrieval tier.
You can select from:
• Standard
• Expedited
• Bulk
13.Click Connect.
process.
16.Click Promote.
can be started.
Archiving
Connecting a Google Cloud Platform archival location for disaster recovery

5. In Archival Type, select Google Cloud Platform.
6. In Region, select a Regional or Multi-regional location which will host the archival data.
7. In Storage Class, select the specified storage class.
8. In Bucket, enter the bucket name.
Use a bucket name that is unique within your Google Cloud Platform account. Rubrik
recommends that you create a new bucket name by typing a new name in this field. However,
an existing Google Cloud Platform name can be used.
9. In Encryption Password, type the encryption password to recover the Google Cloud Platform
archive. This password must match the encryption password from the original owner cluster.
10.In Re-Enter Encryption Password, type the encryption password to recover the Google
Cloud Platform archive.
11.In Archival Location Name, accept the default archival location name or specify a custom
name.
12.In Service Account JSON Key, paste the contents of the JSON file obtained from Google
Cloud Platform.
13.Click Connect.
Archiving
When this field is cleared a refresh is processed before the promotion process.
16.Click Promote.
can be started.
Connecting a Microsoft Azure archival location for disaster recovery

To connect another Rubrik cluster to a Microsoft Azure archival location, for disaster recovery,
provide the recovery Rubrik cluster with the connection details that were used by the original
Rubrik cluster.
 Obtain the account name and the account key used by the original Rubrik cluster.
 Obtain the container name used by the original Rubrik cluster
 Obtain the RSA key used by the original Rubrik cluster.
5. In Archival Type, select Azure.
6. In Storage Account Name, type the name of the Microsoft Azure account.
7. In Access Key, type the access key for the Microsoft Azure account.
Archiving
8. In Container, type the name of the container.

9. In Archival Location name, type the archival location name.
10.In Instance Type, type the instance type.
11.(Optional for CloudOn) Click Advanced Settings.
12.(Optional for CloudOn) In App ID, type a new application ID.
13.(Optional for CloudOn) In App Secret Key, copy and paste the application secret key.
14.(Optional for CloudOn) In Tenant ID, type a new tenant ID.
15.(Optional for CloudOn) In Subscription, select a new subscription.
16.(Optional for CloudOn) In Region, select a new region.
17.(Optional for CloudOn) In General Purpose Storage, select a new general purpose storage.
18.(Optional for CloudOn) In General Purpose Storage Container Name, select a new
general purpose storage container name.
19.(Optional for CloudOn) In Resource Group, type a new resource group name.
20.(Optional for CloudOn) In Virtual Network ID, type a new virtual network ID.
21.(Optional for CloudOn) In Subnet ID, type a new subnet ID.
22.(Optional for CloudOn) In Security Group, type a new security group name.
23.Click Save.
24.Click Connect.
process.
Archiving
27.Click Promote.
can be started.
Connecting an object storage system archival location for disaster recovery

To connect another Rubrik cluster to an object storage system archival location, for disaster
recovery, provide the recovery Rubrik cluster with the connection details that were used by the
original Rubrik cluster.
 Determine the type of object storage system used by the original Rubrik cluster.
 Obtain the access key/username and the secret key/password used by the original Rubrik
cluster.
 Obtain the hostname or IP address of the object storage system endpoint.
 Obtain the bucket prefix used by the original Rubrik cluster.
 Obtain the RSA key that was used to encrypt the archival data on the original Rubrik cluster.
5. In Archival Type, select Object Store.
6. In Object Store Vendor, select the object store vendor.
7. In Access Key, type the access key for the object store account.
8. In Secret Key, type the secret key for the object store account.
9. In Host Name, type the resolvable hostname or IP address of the object store endpoint.
10.In Bucket Prefix, type the prefix that was used for naming the buckets.
Archiving
11.In RSA Key, paste the RSA key that was used to encrypt the archival data on the original
Rubrik cluster. This password must match the encryption password from the original owner
cluster.
12.Click Connect.
process.
15.Click Promote.
can be started.
Connecting an NFS archival location for disaster recovery

To connect another Rubrik cluster to an NFS archival location, for disaster recovery, provide the
 Obtain the hostname of the NFS share host.
 Obtain the export directory configured in /etc/exports on the NFS share host, or in the
Isilon OneFS UI.
 Obtain the name of the target folder beneath the NFS mount point.
 Determine whether Kerberos authentication is required by the export host.
Archiving

5. In Archival Type, select NFS.
6. In Host Name, type the resolvable hostname or IP address of the NFS share host.
7. In Export Directory, type the absolute path of the export directory configured in
/etc/exports on the NFS share host, or in the Isilon OneFS UI.
8. In Destination Folder Name, type the name of the target folder beneath the NFS mount
point.
Use the folder name, not the full path.
9. In Archival Location Name, type the archival location name.
10.In Encryption Password, type the encryption password. This password must match the
encryption password from the original owner cluster.
11.In Authentication Type, select either: None or Kerberos.
12.Click Connect.
process.
15.Click Promote.
can be started.
Archiving
Connecting a tape archival location for disaster recovery

To connect another Rubrik cluster to a QStar tape archival location, for disaster recovery, provide
the recovery Rubrik cluster with the connection details that were used by the original Rubrik
cluster.
 Obtain the values used on the source Rubrik cluster for QStar Host Name, QStar Integral
Volume Name, Destination Folder Name, and Encryption Password.
 Obtain the username and password for an account that has permission to mount the specified
Integral Volume set from an external system and to perform read and write operations on the
mounted Integral Volume set.
5. In Archival Type, select Tape.
6. In QStar Host Name, type the value that was provided on the source Rubrik cluster.
7. In QStar Integral Volume Name, type the name of the Integral Volume set that was
provided on the source Rubrik cluster.
8. In Destination Folder Name, type a name for the folder that was provided on the source
Rubrik cluster.
9. In Archival Location Name, type a name for the archival location.
10.In QStar User Name, type the name for the user account that was provided on the source
Rubrik cluster.
11.In QStar Password, type the password for the user account.
12.In Encryption Password, type the password that was provided on the source Rubrik cluster.
This password must match the encryption password from the original owner cluster.
Archiving
13.Click Connect.
process.
16.Click Promote.
can be started.
Tests for disaster recovery using an archival location

Tests for disaster recovery using an archival location can be performed without impacting the
production environment by following the recommended workflow.
The following steps provide the recommended workflow for performing an archival disaster
recovery test.
1. While an owner cluster is archiving, connect another Rubrik cluster as a reader cluster of the
archival location
2. Recover the archived metadata from the archive target to the reader cluster.
3. Once the metadata recovery is complete, use the reader cluster to download snapshots from
the archival target, without interfering with the owner cluster archival activities.
Note: Do not promote the reader cluster.
4. After the initial metadata recovery by the reader cluster, use the owner cluster to upload new
snapshots.
The reader cluster will not see the new snaps shots until a metadata refresh occurs.
Rubrik CDM Version 5.0 User Guide Tests for disaster recovery using an archival location 234
Archiving
5. From the reader cluster, perform a metadata refresh to get the most recent view of the
location’s archived metadata.
This captures any snapshots that were created while the metadata was originally synchronized.
Refresh can be a time consuming operation. The entire archival location must be scanned for
metadata files.
Cascading archival
Use the cascading archival feature to replicate data from a source Rubrik cluster to a target Rubrik
cluster and then archive the data from the target Rubrik cluster.
Cascading archival combines the ability to rapidly replicate data from a remote site to a central site
with the cost-saving benefit of moving the replicated data to an archival location.
Data retention settings

Several settings impact the retention of data for the cascading archival feature.
Table 39 describes the retention settings that apply when using cascading archival.
Table 39 Data retention settings
Setting Setting location Description
Source Rubrik cluster On the source Rubrik cluster Specifies how long is data is kept locally
SLA Domain > Remote Settings on the source Rubrik cluster.
>Retention on Brik
Target Rubrik cluster On the source Rubrik cluster Specifies how long the data is kept locally
SLA Domain > Remote Settings on the target Rubrik cluster.
>Replication
Archival location On the target Rubrik cluster Specifies how long the data is kept at the
SLA Domain > Remote Settings cascading archival location.
>Archival
! IMPORTANT
The maximum retention setting on the source Rubrik cluster also determines the maximum
retention of replicated data on the target Rubrik cluster and on the cascading archival
location. Shortening the maximum retention of the source SLA Domain will expire data
sooner on the source Rubrik cluster, the target Rubrik cluster, and on the archival location.
For an extreme example, setting the maximum retention on the source Rubrik cluster to 0
will expire the data immediately on the source Rubrik cluster, the target Rubrik cluster, and
Rubrik CDM Version 5.0 User Guide Cascading archival 235

Archiving
Potential retention issue

This is a cautionary example that shows how a properly configured SLA Domain that uses
cascading archival can be modified on the source Rubrik cluster in a way that results in data being
expired on the archival location.
Example 8 provides an example of an SLA Domain that is configured properly for cascading
archival.
Example 8 Cascading archival with early expiration of data

The initial configuration in this example shows an acceptable configuration for cascading archival.
SLA on source Rubrik cluster
 Take snapshots every 1 day for 100 days
 Local retention (on Retention on Brik setting) for 48 days
 Replication retention for 100 days
SLA on target (after enabling cascaded archival)
Archive to cloud location after 48 days
The data would be stored as follows:
 0 to 48 days - old data resides on source Rubrik cluster
 0 to 48 days - old data resides on target Rubrik cluster
 48 days to 100 days - data resides on the archival location
Changes to the configuration on the source Rubrik cluster, as shown in the following example
could lead to data being expired on the target Rubrik cluster and on the archival location.

Archiving
SLA is modified on the source Rubrik cluster

On the source Rubrik cluster, a user modifies the retention setting on the target Rubrik cluster for
the assigned SLA Domain to reduce it to 48 days.
The new settings become:
• Take snapshots every 1 day and retain for 100 days
• Local retention (on Retention on Brik setting) for 48 days
However, on the target Rubrik cluster the settings remain the same:
• Local retention for 48 days
• Archive to cloud location after 48 days
When the change is propagated to the target Rubrik cluster, archival to the cloud is disabled.
Importantly, all the data on the archival location that is older than 48 days is immediately expired
and deleted.
Using cascading archival

Use the Rubrik CDM web UI to configure cascading archival.
From the source Rubrik cluster, complete the following steps.
1. From the Rubrik CDM web UI, select SLA Domains > Local Domains.
2. Click the blue + icon to create an SLA Domain.
The Create SLA Domain dialog box appears.
3. Specify the SLA Domain Name.
4. Specify the SLA settings for the Rubrik cluster.
5. Click Remote Settings.
The Remote Storage Configuration dialog box appears.
6. Enable the Replication toggle.
7. Specify the target Rubrik cluster from the drop-down list.
8. Use the slider bar to specify how long data is kept locally on the target Rubrik cluster.

Archiving
9. Click Create.
It can take several minutes for the replication changes to propagate to other clusters.
From the target Rubrik cluster, complete the following steps.
1. From the Rubrik CDM web UI, select SLA Domains > Remote Domains.
The Remote SLA Domains dialog box appears.
2. Select the source Rubrik cluster SLA Domain.
3. Click Edit Archival Policy.
The Edit Archival Policy dialog box appears.
4. Configure the archival policy for the target Rubrik cluster.
5. Click Update.
The archival policy is configured.
Archival consolidation
Enabling Archival consolidation frees storage on the archival storage as snapshots are expired.
When archival consolidation is enabled, Rubrik merges the expired set of snapshots with the next
live snapshot. This helps free up some storage and reduce the snapshot chain length. With
reduced snapshot chain length, there is no need for Rubrik to upload another full snapshot after
the first one. This usually triggers incremental-forever archival.
With archival consolidation enabled, Rubrik might occasionally upload a full snapshot when the
following conditions are met simultaneously:
 More than 15 days have lapsed since the last full snapshot was uploaded.
Of the current incremental snapshots that are dependent on the most recently uploaded full
snapshot, more than 60 incremental snapshots are unexpired in the coming 30 days.With archival
consolidation enabled, Rubrik will consolidate on a snapshot chain if one of following conditions is
met:
 There are at least five expired snapshots in the snapshot chain and the sum of their physical
sizes is at least 15% of the logical full
 There are at least 40 expired snapshots in the snapshot chain
If the archival consolidation is on Amazon S3 or Microsoft Azure, one of the following conditions
must also be met for consolidation on a snapshot chain:
 The cost of storage saved (after consolidation has run) is at least 1.5 times greater than the
cost of consolidating it
 It has been at least 30 days since we last run consolidation for the snapshot chain
Rubrik CDM Version 5.0 User Guide Archival consolidation 238

Archiving
Archival consolidation has the following characteristics:

 NFS, AWS S3, S3 Compatible Object Stores, and Azure archives support archival consolidation.
 Azure archives support archival consolidation. Archival consolidation is enabled or disabled on a
per archival location basis.
 Upgrading Rubrik CDM to a release version that supports archival consolidation will not
automatically enable archival consolidation for existing archival locations. When archival
consolidation is enabled on an existing archival location, the expired snapshots on the archive
will be merged with the next live snapshot. However, the full snapshots that were uploaded
previously will not be converted to incrementals.
 Archival consolidation can be enabled only on owner cluster archival locations. It cannot be
enabled for reader archival locations. Archival consolidation does not run when an archival to a
location is paused.
Archival consolidation for AWS S3 and Azure

When the storage consumed by expired snapshots exceeds a certain threshold, the Rubrik cluster
launches a temporary Rubrik instance and initiates consolidation jobs on the temporary Rubrik
instance. The temporary Rubrik instance reads archived data from AWS S3 and Azure. Then, the
temporary Rubrik instance identifies the expired snapshots and performs archival consolidation.
Once archival consolidation is complete, the temporary Rubrik instance uploads the consolidated
archival data back to the cloud storage. The Rubrik cluster t hen shuts down and terminates the
temporary Rubrik instance in order to avoid running costs.
Archival consolidation for NFS and S3 Compatible Object Stores

The Rubrik cluster performs archival consolidation for NFS and S3 Compatible Object Store
archival locations by reading the contents of the affected snapshots to the cluster to generate new
consolidated content and then upload it back to the archival location. This increases the
bandwidth consumption between the Rubrik cluster and the archival location. Therefore, provision
additional bandwidth, as required.
Enabling archival consolidation

Archival consolidation is enabled through the Rubrik CDM web UI.
To configure archival consolidation for Azure and Amazon S3 archival locations, cloud compute
settings must be configured.
Rubrik CDM Version 5.0 User Guide Archival consolidation 239

Archiving
Before you begin — Ensure that the connectivity between the Brik and the customer VPC is
established. Contact your Rubrik account team to enable this connectivity.
When creating a new archival location, depending on the archival location type, click Enable
Archive Consolidation, then click Save.
• For NFS and Object Store, the Enable Archive Consolidation is on the Add Archival Location
page.
• For Amazon S3 and Azure, the option is under Advanced Settings > Cloud Compute
Settings.
Alternatively, select an existing archival location, click the ellipsis, select Edit. When the Edit
Archival Location dialog box appears, check Enable Archival Consolidation, then click Edit.
Archival consolidation is enabled.
Archival location proxy

By default archival location proxy is set through global proxy settings. Archival location proxy
allows S3 and Azure archival locations to override the global proxy settings and use specified proxy
settings.
Note: Archival location proxy facilitates archival over a private VPN connection.
Each archival location supports two different kinds of proxies:

 The Archival proxy is used to route traffic for archival requests.
 The Compute proxy is used for API calls that instantiate virtual machines.
Configuring an S3 archival location proxy

S3 archival location proxy is enabled through the Rubrik CDM web UI.
Rubrik CDM Version 5.0 User Guide Archival location proxy 240
Archiving

4. Select an S3 archival location.
5. Click the ellipsis and select Edit.
6. Scroll to the bottom of the dialog box and click Advanced Settings.
7. From Archival Proxy Settings, configure:
• Protocol
• Proxy Server (IP or FQDN)
• Port Number
• Username
• Password
8. Click Save.
9. From Compute Proxy Settings, configure:
• Protocol
• Port Number
• Username
• Password
10.Click Save.
The archive location proxy settings are saved.
Configuring an Azure archival location proxy

Azure archival location proxy is enabled through the Rubrik CDM web UI.
Archiving
4. Select an Azure archival location.

5. Click the ellipsis and select Edit.
6. Click Advanced Settings.
7. From Archival Proxy Settings, configure:
• Protocol
• Port Number
• Username
• Password
8. Click Save.
9. From Compute Proxy Settings, configure:
• Protocol
• Port Number
• Username
• Password
10.Click Save.
The archive location proxy settings are saved.
Archiving
Archival lifecycle best practices

There are best practices for Archival Lifecycle Management. Configure these best practices
through the archival platforms.
Table 40 lists the best practices.
Table 40 Archival Lifecycle Management
Vendor Notes
Amazon Web • In the AWS Console, move older objects in the S3-Standard Storage Class to
Services S3-Infrequent Access Storage Class.
• Rubrik cluster does not support Lifecycle management to Glacier.
• When a snapshot is transitioned from S3-Standard Storage Class to S3-Infrequent
Access Storage Class, keep the snapshot in the S3-Infrequent Access Storage Class
for a minimum of 30 days to avoid early deletion charges as defined in your SLA
Domain retention policy.
Microsoft Azure • Through Azure, move older objects from the Hot storage tier to the Cool storage tier.
Blob Storage • Rubrik cluster does not support Lifecycle management to the Archival storage tier.
• When a snapshot is transitioned from Hot storage tier to Cool storage tier, keep the
snapshot in the Cool storage tier for a minimum of 30 days to avoid early deletion
charges as defined in your SLA Domain retention policy.
Google Cloud • Through GCP, move older objects to Nearline or Coldline storage.
Storage • When a snapshot is transitioned to Nearline or Coldline storage, keep the snapshot in
the Nearline storage for a minimum of 30 days or Coldline storage for a minimum of 90
days to avoid early deletion charges as defined in your SLA Domain retention policy.
Archival location removal

Archival locations store data to meet the policies specified by the SLA Domains of the Rubrik
cluster. Retiring an archival location is a two stage process.
The two stages for retiring an archival location are:
 Disconnect the archival location to prevent further uploads of data to the archival location.
 Wait until the archival retention period of every snapshot and backup is exceeded, then delete
When retention of the archival data is not required, the waiting period can be skipped and the
disconnect and deletion can be done at the same time.
Rubrik CDM Version 5.0 User Guide Archival lifecycle best practices 243
Archiving
Disconnecting an archival location

Disconnect an archival location to discontinue write access to that archival location. The data on
the disconnected archival location remains available for read access and the Rubrik cluster retains
the data for the periods specified by the source archival policies.
! IMPORTANT
An SLA Domain cannot use a disconnected archival location for archiving. When an archival
location is disconnected, all SLA Domains that use that archival location are set to Not
Archiving. To provide an archival policy for an SLA Domain that had the archival location
disconnected, edit the SLA Domain to add a new archival location.

5. Select Disconnect.
A warning appears.
6. Click Disconnect.
The Rubrik cluster sets the archival location to READ-ONLY state.
Rubrik CDM Version 5.0 User Guide Archival location removal 244
Archiving
Deleting an archival location

Delete a disconnected archival location to remove it from the Rubrik cluster. Deleting an archival
location immediately expires all unexpired data that is stored through that disconnected archival
location.
! IMPORTANT
Expired data stored at a deleted archival location cannot be retrieved by the Rubrik cluster.
To meet SLA requirements, wait until all data that is stored through a disconnected archival
location has exceeded the retention periods that are specified by the associated SLA
Domains.

4. On the Archival Locations page, on the archival location card of a disconnected archival
location, open the ellipsis menu.
For disconnected archival locations, the web UI displays ‘Read-only’ in the status section of the
archival location card.
5. Select Delete.
A warning appears.
6. Click Delete.
The Rubrik cluster expires all associated data at the archival location and removes the archival
location from the Rubrik CDM web UI.
Rubrik CDM Version 5.0 User Guide Archival location removal 245
Chapter 8
Hyper-V Virtual Machines
This chapter describes how to protect and manage data from Microsoft Hyper-V virtual machines.
 Overview ............................................................................................................... 247
 Virtual machine protection....................................................................................... 247
 Rubrik Backup Service software for SCVMM .............................................................. 248
 Rubrik Backup Service software for non SCVMM........................................................ 253
 SLA Domain assignment.......................................................................................... 258
 Finding protection objects ....................................................................................... 262
 Protection consequences ......................................................................................... 265
 Local host page ...................................................................................................... 267
 Virtual machine snapshots....................................................................................... 272
 Archival snapshots .................................................................................................. 275
 Recovery and restore of virtual machine data ........................................................... 276
 Recovery of virtual machines ................................................................................... 276
 Recovery of folders and files.................................................................................... 284
 Unmanaged data .................................................................................................... 290
Rubrik CDM Version 5.0 User Guide Hyper-V Virtual Machines 246
Overview
A Rubrik cluster provides data management and protection for virtual machines that are deployed
in a Microsoft Hyper-V environment. The Rubrik cluster can manage and protect virtual machines
in an environment with multiple Hyper-V servers and virtual machines.
Rubrik invokes the Windows Management Instrumentation (WMI) APIs to communicate with the
hypervisor directly for a first full and forever incremental set of backups via Resilient Change
Tracking (RCT). Data is ingested over the SMB protocol to the Rubrik cluster in a secure manner.
There is no requirement to have SCVMM installed in your environment.
SLA policies can be applied anywhere in the hierarchy stack: the SCVMM host, the cluster, host, or
virtual machine levels. The Rubrik cluster provides a variety of methods to recover virtual
machines and to restore protected data. Recover virtual machines and restore data by using
snapshots, replicas, and archival snapshots.
Rubrik supports any Hyper-V based Windows or Linux virtual machines using the Rubrik Backup
Service. The Rubrik Backup Service is a connector that self manages after initial deployment.
Hyper-V host refers to a Windows Server with the Hyper-V role installed.
Virtual machine protection

A Rubrik cluster provides protection for virtual machines through either individual assignment of
the virtual machine to an SLA Domain or through automatic protection. Automatic protection
occurs when the virtual machine derives the SLA Domain assignment of a containing folder,
cluster, or host.
The Rubrik cluster provides flexibility in the protection assignments made for virtual machines.
Virtual machines that are protected by individual assignment can be set to Do Not Protect or can
be set to inherit a protection setting.
An individual virtual machine, that is part of a group of virtual machines being automatically
protected, can be set to Do Not Protect, without moving the virtual machine out of the group.

Automatic protection
A Rubrik cluster provides automatic protection of virtual machines through inheritance of the SLA
Domain assigned to a parent object.
Objects from which a virtual machine can inherit are the following virtualization system entities:
Rubrik clusters support three Hyper-V hierarchies for protection:
 Hyper-V SCVMM > Hyper-V Cluster > Hyper-V Clustered Hosts > Hyper-V VMs on Clustered
Hosts
 Hyper-V Cluster > Hyper-V Clustered Hosts > Hyper-V VMs on Clustered Hosts
 Hyper-V Standalone Host > Hyper-V VMs on Standalone Host
The automatic protection mechanism simplifies assigning protection to large numbers of virtual
machines and provides an easy method to uniformly assign specific SLA Domains to groups of
functionally similar virtual machines.
The Rubrik cluster uses a specific set of automatic protection rules in the application of automatic
protection.
During SLA Domain assignment, the Rubrik cluster displays the objects that have individual
assignments which conflict with the new assignment. For each conflicting object, the Rubrik
cluster permits an administrator to choose to retain the individual setting or apply the new setting.
Rubrik Backup Service software for SCVMM

Microsoft provides System Center Virtual Machine Manager (SCVMM) to manage virtual machines
across multiple hosts. The Rubrik Backup Service should be installed on all hosts running SCVMM.
If SCVMM is highly available then the Rubrik Backup Service should be installed on all hosts within
the cluster to which SCVMM may fail over. The Rubrik Backup Service is then pushed automatically
from SCVMM to each Hyper-V host in order to take snapshots.
! IMPORTANT
The Rubrik Backup Service software can only be used with the Rubrik cluster from which
the software is obtained. Each Rubrik cluster generates a copy of the Rubrik Backup Service
software that includes authentication information specific to that Rubrik cluster. This
method ensures that the Rubrik cluster and a hosted deployment of the Rubrik Backup
Service can reliably authenticate each other.
Rubrik provides automatic upgrade of the Rubrik Backup Service software as part of a general
upgrade of the Rubrik cluster software. After upgrading the Rubrik cluster software, the Rubrik
cluster automatically upgrades the Rubrik Backup Service software on all protected hosts.
Rubrik CDM Version 5.0 User Guide Rubrik Backup Service software for SCVMM 248
Prerequisites
The following prerequisites are required for SCVMM hosts supported by Rubrik:
 Rubrik version 4.1 or later
 Hyper-V Server 2016 or later
 Hyper-V host must be joined to one of the Active Directory domains that the Rubrik cluster is a
member of
 Create a Run As Account that is a member of the local Administrators group on the Hyper-V
servers being managed
 Virtual machines must be Configuration 8 or later
For versions of Hyper-V that are older than Hyper-V 2016, use volume snapshots, or install the
Rubrik Backup Service on each virtual machine.
Obtaining the Rubrik Backup Service software through the Rubrik CDM web UI
Obtain the Rubrik Backup Service software from the Rubrik CDM web UI of the Rubrik cluster.
2. On the left-side menu, select Virtual Machines > Hyper-V VMs.
The VMs tab of the Hyper-V VMs page appears.
3. Click Add SCVMMs.
The Add SCVMM dialog box appears.
4. In the IP or Hostname field, type the IP address or Hostname of the SCVMM.
5. In the Run As Account field, specify the Run As account.
6. (optional) Click the Add Rubrik Backup Service to other hosts if you want the Rubrik Backup
Service to automatically install on hosts within SCVMM.
Next task — Install the connector software on SCVMM.
Obtaining the Rubrik Backup Service software by URL

Obtain the Rubrik Backup Service software from the Add SCVMM dialog box.
The Rubrik Backup Service software can only be used with the Rubrik cluster from which it is
obtained.
1. From the Add SCVMM dialog box, click Rubrik Backup Service.
A browser-specific dialog box appears to enable saving the package file.
2. Save the file to a temporary location.

Next task — Install the Rubrik Backup Service on SCVMM.
Installing the Rubrik Backup Service software on a SCVMM host

Install the Rubrik Backup Service software the SCVMM host.
1. Copy RubrikBackupServiceForScvmm.zip to a temporary directory on the Windows host.
2. Extract the files from the ZIP file.
The ZIP file contains four files:
• RubrikBackupService.msi, a Windows Installer Package.
• backup-agent.crt, a security certificate for the Rubrik Backup Service.
• scvmm_deploy_agent,crt, the Rubrik service that installs the Rubrik backup software agent
on hosts associated with SCVMM.
• ScvmmReadMe.txt, a read me file for installation of the Rubrik backup software agent on
the SCVMM host.
! IMPORTANT
When installing the Rubrik Backup Service software, the security certificate file must be
in the same folder as the Windows Installer Package.
3. Using an account that is a member of the local Administrators group, run the Windows Installer
Package, RubrikBackupService.msi.
The Windows Installer Package installs the Rubrik Backup Service software and incorporates
the security certificate into the installation.
4. Create a directory, RubrikBackupService.cr on a host that can access the virtual machine
manager console.
5. Copy the .msi, .crt, and ,cmd files to the RubrikBackup.cr folder.
6. Open the SCVMM console. Navigate to Library > Library Servers > MSSCVMMLibrary >
ApplicationFrameworks.
7. Right-click on ApplicationFrameworks and select Explore.
8. Copy the RubrikBackupService.cr folder and paste it into ApplicationFrameworks.
9. Right-click on ApplicationFrameworks and select Refresh. Confirm RubrikBackupService.cr
is listed as a custom resource.
Removing the Rubrik Backup Service from a Windows host

When the Rubrik Backup Service is no longer required on a Windows host it can be removed by
using Windows commands.
Note: Removing the Rubrik Backup Service from a Windows host also removes the connection
between the Windows host and the Rubrik cluster. The Rubrik cluster designates any retained
snapshots as relics. Use the Snapshot Retention page to manually manage the relics, as described
in Retention Management.
1. Log in to the Windows host using an account with local administrator privileges.
2. Right-click the Windows logo key and select Run.
The Run dialog appears.
3. Type appwiz.cpl, and press OK.
The Uninstall or change a program window appears.
4. Right-click Rubrik Backup Service, and click Uninstall/Change.
5. Follow the prompts to remove the application.
The uninstaller removes the Rubrik Backup Service software. The Rubrik cluster designates any
retained snapshots as relics.
Hyper-V host management

After installing the Rubrik Backup Service software on a SCVMM host or a Hyper-V host, add the
host to the Rubrik cluster.
Adding a host to the Rubrik cluster establishes a secure connection between the Rubrik cluster
and the Rubrik Backup Service that is running on the host. After the host is added, an entry for the
host appears in the Rubrik CDM web UI.
The Rubrik cluster identifies the host by an IPv4 address or a resolvable hostname. When the
value that is used to identify a host changes, edit the host information on the Rubrik cluster to
reflect the new value.
To stop managing the data on a host, delete the host from the Rubrik cluster. Deleting a host
removes that host from the Windows Hosts tab. A removed host cannot be paired with a fileset
and cannot be the target of an export. The Rubrik cluster moves the existing host filesets of the
removed host and all associated backups to the Snapshot Retention page.
Adding a Windows host

To begin managing a Hyper-V host, add the host to the Rubrik cluster.
Before you begin. Obtain and install the Rubrik Backup Service software on each host being
added.
3. Click Add Windows Hosts.
The Add Windows Hosts dialog box appears.
4. In IPs or Hostnames, type a comma-separated list of IPv4 addresses or resolvable
hostnames for the hosts being added.
IPv4 address or one hostname for each host being added.
5. Click Add.
The Rubrik cluster checks connectivity with the specified hosts and adds the host(s).
Hyper-V host configuration

In order to protect Hyper-V with a Rubrik cluster, the Failover Clustering feature must be enabled
on the Hyper-V host even if the Hyper-V host is not part of a Failover cluster.
Note: Hyper-V only supports RCT only if Failover Clustering is enabled.
To enable Failover Clustering, use the Windows Server Manager, then select the Add Roles and
Features Wizard to add the Failover Clustering feature.
The Failover Clustering Tools include the Failover Cluster Manager snap-in, the Failover Clustering
Windows PowerShell cmdlets, the Cluster-Aware Updating (CAU) user interface and Windows
PowerShell cmdlets, and related tools.
Rubrik Backup Service software for non SCVMM

For Hyper-V without SCVMM, the Rubrik cluster uses the same Rubrik Windows Backup Service
software that is used for Windows file system protection.
For Failover Clusters, the connector should be installed on all hosts and each host should be added
to Rubrik individually.
The Rubrik Backup Service software can be downloaded directly from the Rubrik cluster when it is
needed, or the software can be downloaded once and pushed to hosts as needed.
! IMPORTANT
Prerequisites
The following prerequisites are required for Hyper-V hosts (in a non SCVMM configuration)
supported by Rubrik:
 Hyper-V Server 2016 or later
member of
member of
 Create a Run As Account that is a member of the Domain Admins group
 Virtual machines must be Configuration 8 or later
For versions of Hyper-V that are older than Hyper-V 2016, use volume snapshots, or install the
Rubrik Backup Service on each virtual machine.
Rubrik CDM Version 5.0 User Guide Rubrik Backup Service software for non SCVMM 253
2. On the left-side menu, select Servers & Apps > Windows Hosts.
The Windows Hosts tab of the Windows Hosts page appears.
4. In the text of the dialog box, click Rubrik Backup Service.
Next task — Install the connector software on hosts.

Obtain the Rubrik Backup Service software directly by URL. The Rubrik cluster provides direct URL
links for the software package for Linux hosts and the software package for Windows hosts.
obtained.
1. Open a web browser.
2. Access the URL for Windows:
https://<RubrikCluster>/connector/RubrikBackupService.zip
Next task — Install the Rubrik Backup Service on Windows Server hosts.
Account used to run the Rubrik Backup Service on a Windows host

The Rubrik Backup Service must run as an account that is a member of the Administrators group
of the Windows Server host.
When first installed, the Rubrik Backup Service runs as a LocalSystem account. A LocalSystem
account includes the permissions that are provided by the local Administrators group.
Instead of running the Rubrik Backup Service as a LocalSystem account, the Rubrik Backup
Service can be configured to run as a member of the local Administrators group.
To run as a member of the local Administrators group, run the Rubrik Backup Service as a user
account that is one of the following:
 Local user account that is a member of the local Administrators group
 Domain user account that is a member of the local Administrators group
Installing the Rubrik Backup Service software on a Windows host

Install the Rubrik Backup Service software the Hyper-V host to provide the Rubrik cluster with the
ability to manage data on the Hyper-V host.
 Check that the most up-to-date Windows version of the Rubrik Backup Service software for the
correct Rubrik cluster is available in a temporary location that the Windows host can access.
 Choose or create an account to run the Rubrik Backup Service software, as described in
1. Copy RubrikBackupService.zip to a temporary directory on the Windows host.
The ZIP file contains two files:
! IMPORTANT
Package.
The Rubrik Backup Service software can also be push installed on multiple Windows hosts
using automation software, such as Puppet or Chef.
4. (Optional) Change the account used to run the Rubrik Backup Service.
Account used to run the Rubrik Backup Service on a Windows host describes the account
requirements.
Note: The default LocalService account does not provide sufficient privileges to permit the
Rubrik Backup Service to access data on network shares.
Next task — Add the Windows hosts that are running the Rubrik Backup Software to the Rubrik
cluster.

between the Windows host and the Rubrik cluster. The Rubrik cluster designates any retained
snapshots as relics. Use the Snapshot Retention page to manually manage the relics, as described
in Retention Management.
retained snapshots as relics.
Hyper-V host management

After installing the Rubrik Backup Service software on a Hyper-V host, add the host to the Rubrik
cluster.
removes that host from the Windows Hosts tab. A removed host cannot be paired with a fileset
and cannot be a target of an export. The Rubrik cluster moves the existing host filesets of the
removed host and all associated backups to the Retention Management page.
Adding a Windows host

To begin managing a Hyper-V host, add the host to the Rubrik cluster.
Before you begin — Obtain and install the Rubrik Backup Service software on each host being
added.
3. Click Add Hyper-V Hosts.
5. Click Add.
The Rubrik cluster checks connectivity with the specified hosts and adds the host(s).
Hyper-V host configuration

In order to protect Hyper-V with a Rubrik cluster, the client must enable Failover Clustering feature
on the Hyper-V host even if the Hyper-V host is not part of a Failover cluster.
Note: Hyper-V only supports RCT only if Failover Clustering is enabled.
To enable Failover Clustering, use the Windows Server Manager, then select the Add Roles and
Features Wizard to add the Failover Clustering feature.
The Failover Clustering Tools include the Failover Cluster Manager snap-in, the Failover Clustering
Windows PowerShell cmdlets, the Cluster-Aware Updating (CAU) user interface and Windows
PowerShell cmdlets, and related tools.
SLA Domain assignment

Provide protection for a virtual machine through an SLA Domain.
A virtual machine can be protected by assigning an SLA Domain setting individually to the virtual
machine. A virtual machine can also be protected by deriving an SLA Domain setting through
automatic protection.
Automatic protection occurs in one of the following ways:
 An administrator assigns an object that contains the virtual machine to an SLA Domain.
 An administrator moves the virtual machine into the hierarchy of an object that is assigned to
an SLA Domain.
Automatic protection uses the automatic protection rules to determine whether a setting applies to
an object. Rubrik Backup Service software for SCVMM describes these rules.
Assigning an SLA Domain setting to a virtual machine

Specify an SLA Domain for a virtual machine, set the virtual machine to inherit from a parent, or
specify Do Not Protect for the virtual machine.
Protect a set of virtual machines by assigning the selected set to an SLA Domain. Assigning virtual
machines to an SLA Domain protects the virtual machines by applying the data protection policies
of the SLA Domain.
1. Log in to the Rubrik CMDM web UI.
2. On the left-side menu, click Virtual Machines > Hyper-V VMs.
The Hyper-V VMs page appears, with the VMs tab selected.
Note: To go directly to the page for a single virtual machine, type the name of the virtual
machine in the search box on the top bar of the Rubrik CDM web UI and select the virtual
machine from the results list.
3. Select a virtual machine.

Select multiple virtual machines to assign the same setting to all of the selected virtual
machines.
To help find virtual machines, use the filters, sort the entries by column heading, or use the
search field. Finding protection objects describes these tools.
4. Click Manage Protection.
A dialog box with one or more warnings may appear.
The Manage Protection dialog box appears.
Rubrik CDM Version 5.0 User Guide SLA Domain assignment 258
5. Select an SLA Domain.

Manage Protection options describes the choices.
6. Click Submit.
The Rubrik cluster assigns the selection group to the SLA Domain.
Assigning an SLA Domain setting to a Hyper-V cluster or server

Specify an SLA Domain setting for Hyper-V host to have the setting applied to the objects and
virtual machines contained by the clusters and host.
2. On the left-side menu, click Virtual Machines > Hyper V-VMs.
The Hyper-V VMs page appears, with the VMs tab selected.
3. Select Hosts and Clusters.
The Hosts and Cluster tab appears.
4. Select a Hyper-V host or cluster.
Select multiple objects to apply the setting to more than one object in the hosts hierarchy.
7. Click Submit.
The Rubrik cluster applies the selected setting to the selected objects.
The automatic protection rules determine the application of the selected setting to virtual
machines contained by the selected objects. Rubrik Backup Service software for SCVMM
describes the automatic protection rules.
8. Click Done.
The Rubrik cluster applies the selected setting to the selected objects and resolves conflicts as
specified.
The automatic protection rules determine the application of the setting to the virtual machines
that are contained by the selected objects.
Manage Protection options

Select virtualization hierarchy entities and click Manage Protection to view the Manage Protection
dialog box for the selected entities. The Manage Protection dialog box provides several options for
the selected entities.
Table 41 describes the options available through the Manage Protection dialog box.
Table 41 Options available through the Manage Protection dialog box
Field Action Description
Search Search SLA Domains Predictive search for SLA Domains by using the
characters entered in the search field to match the
same sequence of characters anywhere in the SLA
Domain name.
Blue + icon Click to open the Create New Opens the Create New SLA Domain dialog box.
SLA Domain dialog box Create a new SLA Domain and assign that SLA
Domain to the selected group of objects.
SLA Domain list Select an SLA Domain Select an SLA Domain to assign to the selected group
of objects. The Rubrik cluster assigns the selected
SLA Domain individually to each of the selected
objects. The automatic protection rules determine
whether the Rubrik cluster assigns the selected SLA
Domain to objects contained by a selected object.
Do Not Protect Select to assign Individually assigns the Do Not Protect setting to each
of the selected objects.The automatic protection rules
determine whether objects that are contained by a
selected object inherit the Do Not Protect setting.
The Rubrik cluster does not create policy driven
snapshots for a virtual machine that is individually set
to Do Not Protect or that inherits the Do Not Protect
setting.
Removing an SLA Domain setting

Remove an individual SLA Domain setting from a virtual machine. After the task completes, the
virtual machine derives a setting based on the automatic protection rules.
The Virtual Machines page appears, with the VMs tab selected.

Select multiple virtual machines to remove the individual setting of every virtual machine in the
selection group.
5. Select Clear Existing Assignment.
6. Click Clear.
The Rubrik cluster removes the individual assignments for the selected group. Each virtual
machine in the selection group derives a protection setting based on the automatic protection
rules.
Finding protection objects

The Rubrik CDM web UI provides several tools for finding protection objects.
Displaying all discovered virtual machines

The Rubrik CDM web UI lists all of the virtual machines that have been discovered on the Hyper-V
VMs page. Access this page using one of several methods.
The following methods open the Hyper-V VMs page and display all discovered virtual machines:
 On the left-side menu, click Virtual Machines > Hyper-V VMs.
 On the Dashboard page, on the Hyper-V VMs card, click See All.
Displaying unprotected virtual machines from the Dashboard

From the Dashboard, display all unprotected virtual machines.
1. Open the web UI to the main Dashboard.
2. On the Hyper-V VMs card, in the Unprotected field, click Protect Now.
The Hyper-V VMs page opens, with the VMs tab selected, and filters the view to show All
Unprotected virtual machines
Displaying unprotected virtual machines from the Hyper-V VMs page

Use a filter to display all unprotected virtual machines.
2. In the left-side menu, click Virtual Machines > Hyper-V VMs.
The Hyper-V VMs page appears, with the VMs tab selected, and displays all the virtual
machines present in the system.
3. Click the Filter SLA drop-down menu.
4. On the Filter SLA drop-down menu, select one of the following filters:
• All Unprotected – Displays all unprotected virtual machines, both No SLA and Do Not
Protect.
• No SLA – Displays virtual machines that have not inherited an SLA Domain setting.
• Do Not Protect – Displays virtual machines that have inherited the Do Not Protect setting,
or have Do Not Protect individually assigned.
• All Protected– Displays virtual machines that have been associated with defined SLAs.
Rubrik CDM Version 5.0 User Guide Finding protection objects 262
The Rubrik CDM web UI displays the virtual machines that belong to the selected protection state.
Sorting virtual machines by using the SLA filter

Use the SLA filter to find specific virtual machines.
4. On the Filter SLA drop-down menu, select one of the named SLA Domains, or select a
protection state, either: No SLA or Do Not Protect.
The web UI displays the virtual machines that belong to the selected SLA Domain or to the
selected protection state.
Finding virtual machines by using the Search field

Use the Search field to find a specific virtual machine.
1. Log in to the Rubrik web UI.
2. In the Search field, at the top of all Rubrik CDM web UI pages, type the name of the virtual
machine.
The Rubrik cluster begins a predictive search and updates the results as letters are typed.
The search matches the characters entered in the search field with the same sequence of
characters anywhere in a name. Continue to type characters to narrow down the results until
the virtual machine appears.
3. When the name of the virtual machine appears in the displayed list, select the name.
The Rubrik CDM web UI displays the local host page for the virtual machine.
Finding entities by using the object tab

Use object tabs on the Virtual Machines page to define a hierarchical view to search and to
browse. Then, use the search field to find entities within the defined view, or to browse to entities
within the defined view.
3. In the tab bar, select a tab.
• VMs – Provides a virtual machines only view, with the hierarchical location of each virtual
machine displayed in the location column.
• Hosts and Clusters – Provides a list of Hyper-V hosts and Hyper-V clusters.
4. (Search Only) In the tab search field, begin typing an entity name.
the entity appears in the results.
5. (Search Only) Stop typing when the name of the entity appears on the page.
6. (Browse Only) Click the name of a top-level entity.
The Rubrik CDM web UI displays the entities within the selected entity.
7. (Browse Only) Continue clicking entity names to browse down the hierarchy to a specific entity.
Selecting data sources

Use the objects filter and tab search field to find and select data protection entities.
3. Use one of the search or sort methods to display the entities to be selected.
4. Select the entities.
A check mark appears next to each selected entity.
5. Select Manage Protection.
SLA Domain assignment describes how to assign an SLA Domain.
Protected warning
The Rubrik CDM web UI displays the protected warning when the Rubrik cluster detects that an
SLA Domain setting is already associated with a selected virtual machine.
The protected warning is “These VM(s) are already protected”.

When the protected warning appears, do one of the following:
 Continue the operation to assign the selected SLA Domain to the protected virtual machines.
 Cancel the operation and remove the virtual machines from the selection set.
Changing the SLA Domain of a virtual machine may result in immediate expiration of some
snapshots, as described in Changing the assigned SLA Domain.
Protection consequences
The SLA rules defined by an SLA Domain impact the protection of virtual machines in several
ways. SLA rules specify when snapshots are created, when snapshots expire, and where snapshot
data is stored.
A policy driven snapshot is a snapshot that is created automatically based on the SLA rules of an
SLA Domain. In most cases, the SLA Domain that manages a policy driven snapshot is the same
SLA Domain that created the snapshot.
Sometimes, the source virtual machine for a snapshot is assigned to another SLA Domain after the
snapshot is created. When this occurs the new SLA Domain becomes the managing SLA Domain
for the policy driven snapshot.
A policy driven snapshot can require manual management when it loses an association with the
SLA Domain.
Protecting a new virtual machine

A new virtual machine is one for which no policy driven snapshots exist. After a new virtual
machine is assigned to an SLA Domain, all of its snapshots, replicas and archival snapshots are
created and managed based on the SLA rules of the SLA Domain.
The following table provides a quick overview of the impact of assigning a new virtual machine to
an SLA Domain.
Table 42 Impact of SLA Domain properties on snapshots (page 1 of 2)
SLA Domain property Virtual machine snapshot impact
SLA rules Determines when policy driven snapshots are created and when they are
automatically expired.
Local Cluster Retention Period Determines how long snapshots are retained on the local Rubrik cluster.
When an archival account exists for the SLA Domain, policy driven
snapshots older than the Local Cluster Retention Period are automatically
copied to archival snapshots on an archival location.
Replication Retention Period Determines how long replicas are retained on a replication target cluster.
Rubrik CDM Version 5.0 User Guide Protection consequences 265


Maximum Retention Period Determines how long snapshots are retained by the system. The Rubrik
cluster automatically expires policy driven snapshots that are older than
the Maximum Retention Period.
Changing the assigned SLA Domain

A protected virtual machine may be assigned to another SLA Domain in order to satisfy specific
business requirements (for example, data governance policy changes or space management
requirements). Example 9 describes this situation.
Example 9 Assigning a protected virtual machine to another SLA Domain

Assume that a virtual machine was assigned to the SLA Domain D1 and later was assigned to the
SLA Domain D2. At the time of the reassignment, the virtual machine had existing policy driven
snapshots. After the reassignment, those existing policy driven snapshots are managed based on
the policies set in SLA Domain D2.
If D1 has a higher base frequency of snapshots than D2 (e.g. D1 was Gold and D2 was Bronze),
then existing policy-driven snapshots that are not required by the policies of D2 are deleted from
the system.
By doing this, the Rubrik cluster brings the snapshot history for the virtual machine into
compliance with the frequency and retention periods defined by D2.
Alternatively, if D2 specifies a higher base frequency of snapshots, (e.g. D2 was Gold and D1 was
Bronze) then the virtual machine will initially appear in the SLA Compliance reports as out of
compliance with D2’s SLA because the existing snapshots were insufficient to meet the new SLA
rules.
Removing protection from a virtual machine

For business reasons, a user might choose to remove protection from a virtual machine by
removing it from the assigned SLA Domain.
When a virtual machine is removed from an SLA Domain, no further policy driven snapshots for
virtual machine are created and no replication or archival activity occurs for the virtual machine.
All existing snapshots for the virtual machine must be managed manually.
Re-protecting a virtual machine

At times, a virtual machine that is protected by one SLA Domain may be temporarily set to Do Not
Protect, and then reassigned to another SLA Domain for protection.

When a reassignment occurs, the existing snapshots of the virtual machine are subject to the
retention policies of the currently assigned SLA Domain, including:
 Local cluster retention period
 Replication retention period
 Maximum retention period
Local host page

The local host page provides detailed information about the protection of a virtual machine, and
tasks related to the virtual machine. The local host page provides the following sections:
 Action bar
 Overview card
 Snapshots card
Viewing a local host page

Access a local host page to view information about a local virtual machine.
1. Virtual Machines > Hyper-V VMs.
2. In Name, click the name of a virtual machine.

The local host page for the selected virtual machine appears.
Rubrik CDM Version 5.0 User Guide Local host page 267
Action bar
For the selected local virtual machine, the action bar provides the actions described in Table 43.
Table 43 Actions available from the action bar
Action Description
Take On Demand Snapshot Adds an on-demand snapshot of the virtual machine to the task queue.
Note: Backup Window settings defined for the SLA Domain of the virtual
machine do not apply to on-demand snapshots. Only the maximum
retention and remote configuration settings of the associated SLA Domain
apply to on-demand snapshots.
Manage Protection Opens the Manage Protection page where the virtual machine can be
assigned to an SLA Domain for protection.
When the virtual machine is already assigned to an SLA Domain, a warning
appears. Click Continue to open the Manage Protection page. Click Cancel
to return to the local host page.
Overview card
The Overview card provides the information that is described in Table 44.
Table 44 Information available on the Overview card (page 1 of 2)
Field Description
SCVMM If SCVMM is part of the cluster, the IP address of the SCVMM Server.
Cluster If the Hyper-V Server is part of a cluster, the IP address of the Hyper-V Server that
manages the virtual machine.
Host IP address of the hypervisor that hosts the virtual machine.
SLA Domain Name of the SLA Domain that manages the protection of the selected virtual
machine.
Live Mounts Number of live mounts for snapshots associated with the selected virtual machine.
Oldest Snapshot Timestamp for the oldest snapshot associated with the selected virtual machine.
When the SLA Domain has an active archival policy, the oldest snapshot resides at
Latest Snapshot Timestamp for the most recent successful snapshot of the selected virtual machine.
Total Snapshots Total number of retained snapshots for the selected virtual machine, including both
the local Rubrik cluster and any archival location.
Table 44 Information available on the Overview card (page 2 of 2)

Field Description
Missed Snapshots Number of policy-driven snapshots that did not complete successfully. A missed
snapshot is included in the count until the period since the SLA Domain policy
required the snapshot exceeds the retention period of the SLA Domain.
Snapshots card
For the selected local virtual machine, the Snapshots card provides the ability to browse the
snapshots that reside on the local Rubrik cluster and on the archival location.
The Snapshots card provides access to snapshot information through a series of calendar views.
Each view uses color spots to indicate the presence of snapshots on a date and to indicate the
status of SLA Domain compliance for the virtual machine on that date.
The Snapshots card also provides the ability to search for files across all of the snapshots of the
virtual machine.
Table 45 lists the colors that the Snapshots card uses and describes the status that each color
represents.
Table 45 Status colors used on the calendar views
Color Status
Green All snapshots required by SLA Domain policy were successfully created.
Orange All snapshots required by SLA Domain policy were successfully created but at least one
snapshot caused a warning.
Red At least one snapshot required by SLA Domain policy was not successfully created.

View Description
Year The Year view displays snapshot creation information for an entire year. A color spot
indicator on a specific date indicates snapshot activity, and displays the SLA Domain
compliance status for that day.
Month The Month view displays snapshot creation information for an entire month. A color spot
Day The Day view displays the individual snapshots that were created on the selected day. The
Day view also provides the additional information and actions described in the following
section.
Information available on the day view for a local virtual machine

For a local virtual machine, the day view provides information about snapshots.
The day view provides the information that is described in Table 47 for each listed snapshot.
Table 47 Additional snapshot information in the day view

Category Description
Time Creation time of the snapshot.
Location For a snapshot that resides only on local storage the indicator field is empty.
The following icon indicates a snapshot that resides at an archival location.
The following icon indicates a snapshot that resides locally and at an archival location.
The following icon indicates a replica of the snapshot was sent to the target Rubrik cluster.
Status The following icon indicates a warning for the snapshot entry. Hover over the icon to see
additional information.
The following icon indicates the policy driven snapshot represented by the entry was not
completed successfully.
Source action The following icon indicates a policy driven snapshot.
The following icon indicates an on-demand snapshot.
Actions available on the day view for a local virtual machine

For a local virtual machine, the day view provides the ability to initiate various actions with
snapshots. Access the actions by clicking the ellipsis menu.
The ellipsis menu provides the actions described in Table 48 for snapshots that reside on the local
Rubrik cluster.
Table 48 Actions available for snapshots on the local Rubrik cluster
Command Description
Search by File Use the predictive search field to find file by typing the name.
Name
Mount Use the snapshot to create and mount a new virtual machine on a hypervisor host.
The new virtual machine is uniquely named within the virtualization management
system. The name of the recovered virtual machine is constructed as follows: name of
source virtual machine + timestamp of snapshot + incremented integer.
The new virtual machine is powered on but is disconnected from the network.
The local Rubrik cluster is the datastore for the new virtual machine.
Instantly Recover Restore a virtual machine into the production environment by using the selected
snapshot.
The new virtual machine is given the same name as the source virtual machine and is
powered on and connected to the network. The source virtual machine is powered off
and renamed.
The local Rubrik cluster serves as the datastore for the new virtual machine.
Export Use the snapshot to create and mount on an hypervisor host a new virtual machine,
that is a copy of the local virtual machine.
The hypervisor host is the datastore for the new virtual machine.
Browse Files Open a file browser view on the selected snapshot.
Use this view to find, select, and download a file or folder from the snapshot.
Restoring files or folders by download from notification message describes how to
download a file or folder.
Delete Delete the selected snapshot.
This command only appears for snapshots that are not created based on an SLA
Domain policy, such as:
• On-demand snapshots
• Retrieved snapshots
• Snapshots for an unprotected virtual machine
For snapshots that reside on an archival location, the ellipsis menu provides the actions described
in Table 49.
Table 49 Actions available for snapshots that reside on an archival location
Command Description
Download Transfer a copy of the selected snapshot to the local Rubrik cluster so that it is available
for additional local actions. The local Rubrik cluster provides a notification when the
download is completed.
Virtual machine snapshots

The Rubrik cluster provides protection for virtual machines by combining native snapshot
technology with the fast and scalable cloud data management platform of the Rubrik cluster.
Performance and scalability

The Rubrik cluster provides a high performance, highly scalable, integration with the Hyper-V
Windows Management Instrumentation (WMI) and Microsoft Volume Shadow Copy Service (VSS)
to back up virtual machines hosted on Hyper-V hypervisors.
By efficient use of VSS calls and by providing very fast data ingestion, the Rubrik cluster minimizes
the time that a virtual machine is quiescent during a backup. This reduces and, in most cases,
eliminates the application time-outs caused by many other backup products.
The time that a virtual machine is quiescent, sometimes referred to as virtual machine stun or
application stun, is the time between the following:
 The point where execution of the virtual machine is paused, at an instruction boundary, and all
in-flight disk input/output operations are completed.
 The point where execution resumes.
The period a virtual machine is quiescent, is very brief, just long enough to create a snapshot. The
virtual machine does not remain quiescent during the processing and ingestion of the snapshot
data.
! IMPORTANT
For best performance, use a 10 Gigabit Ethernet connection between the Rubrik cluster and
the Hyper-V environment. Also, for replication, provide a 10 Gigabit Ethernet connection
between the source Rubrik cluster and the target Rubrik cluster.
Rubrik CDM Version 5.0 User Guide Virtual machine snapshots 272
The Rubrik cluster uses a distributed job scheduler. The distributed job scheduler permits the
Rubrik cluster to schedule jobs to run on any node and on multiple nodes, as needed.
Since the distributed job scheduler can seamlessly schedule jobs on all available nodes and across
multiple nodes, adding nodes to a Rubrik cluster further increases ingestion and processing
efficiency.
Back up processes
A Rubrik cluster backs up a virtual machine by using VSS to create a snapshot of the virtual
machine.
When a Rubrik cluster begins protecting a virtual machine, the Rubrik cluster starts by creating a
first full snapshot of the virtual machine. This first full snapshot is a complete backup of the virtual
machine.
After the first full snapshot, the Rubrik cluster continues protection of the virtual machine by
creating incremental snapshots based on the change information provided by Resilient Change
Tracking (RCT). The Rubrik cluster creates each incremental snapshot very quickly because the
snapshot only includes the data blocks that have changed since the last snapshot.
The Hyper-V environment transmits the snapshot data to the Rubrik cluster using the SMB
protocol.
Snapshot window
An SLA Domain can be configured to include a snapshot window. A snapshot window determines
the period in a day when the Rubrik cluster can initiate policy-driven snapshots of the virtual
machines that the SLA Domain protects.
When using the snapshot window policy, the specified window must be long enough to
accommodate the number of virtual machines that are assigned to the SLA Domain. Monitor the
snapshot activity of the SLA Domain to ensure that all policy-driven snapshots are successfully
completed. When necessary, lengthen the period to permit all snapshots to be completed
successfully.
Protection exceptions
The Rubrik cluster cannot protect data that exists on any of the following:
 Failover clustering feature should always be installed on the host, even if it is a standalone
host. This is required because the WMI API for taking backups with RCT is tightly coupled with
this feature. The snapshots will fail if this feature is not enabled.
 Live mounted VMs will be discovered by Rubrik, but they cannot be backed up.
 For security reasons, the SMB share exposed for Live Mounts is only accessible to one host, the
host where the snapshot is being mounted. For live migration, the mounted virtual machine
can only reside on the storage which is accessible to that Host.
Backup consistency levels

By default, the Rubrik cluster provides the highest level of backup consistency that is available for
a virtual machine. The Rubrik cluster creates Application Consistent snapshots. If an Application
Consistent snapshot cannot be created, a Crash Consistent snapshot is used.
Application consistency
The Rubrik cluster supports application consistent snapshots for a variety of guest OS types and
application types.
The Rubrik cluster supports application consistent snapshot for applications such as Microsoft
Exchange Server, Microsoft SQL Server, Microsoft Active Directory, Microsoft SharePoint, and
Oracle Database (RDBMS) running on certain versions of Windows Sever guest OS.
! IMPORTANT
The Rubrik cluster does not support restore of an application consistent snapshot into an
availability group. Cluster consistency for the availability group cannot be ensured in this
situation and problems may occur.
Linux guest OS
A Rubrik cluster provides file system consistent snapshots on supported Linux guest OS types.
On-demand snapshots
In addition to policy-based snapshots, create virtual machine snapshots by using the on-demand
snapshot process.
A Rubrik cluster creates policy-based snapshots of protected virtual machines automatically,
according to the SLA rules of the associated SLA Domain.
Additional snapshots of protected virtual machines, and snapshots of unprotected virtual machines
can be created by using the on-demand snapshot process.
Creating an on-demand snapshot

Access the local host page for a virtual machine to create an on-demand snapshot.
1. In the web UI, on the left-side menu, click Virtual Machines > Hyper-V VMs.
2. Click the name of a virtual machine.
3. On the local host page, click Take On Demand Snapshot.
The Take On Demand Snapshot dialog box appears.
The Rubrik cluster uses only the maximum retention and remote configuration settings of the
associated SLA Domain to manage the on-demand snapshot. The selected SLA Domain can be
different from the SLA Domain that protects the virtual machine.
All on-demand snapshots can be manually managed through the Snapshot Retention page.
5. Click Take On Demand Snapshot.
The Rubrik cluster adds the specified on-demand backup to the task queue. The Activity Log
tracks the status of the on-demand backup task.
Archival snapshots
Archival snapshots provide long term storage of snapshot data outside of the local Rubrik cluster.
Archival location storage

The Rubrik cluster deduplicates and compresses the data in archival snapshots. The Rubrik cluster
uses client-side encryption to encrypt the archival snapshot data stored on all archival locations
except NFS exports.
Retention
The retention period assigned to the archival snapshot by the associated SLA Domain determines
the expiration of an archival snapshot. After the expiration of the retention period, the Rubrik
cluster marks the archival snapshot as expired and moves the snapshot data to garbage collection.
Rubrik CDM Version 5.0 User Guide Archival snapshots 275

To ensure that existing snapshots are always fully functional, the Rubrik cluster combines any
required data from expired incremental snapshots into the chain of existing incremental
snapshots. This permits each retained archival snapshot to be mounted as a fully functional virtual
machine.
Recovery and restore of virtual machine data

The Rubrik cluster provides a variety of methods to recover virtual machines and to restore
protected data.
Recover virtual machines and restore data by using snapshots, replicas, and archival snapshots.
When snapshot data exists in a local snapshot and in an archival snapshot, the Rubrik cluster
always uses the local snapshot to recover a virtual machine or to restore data. By using the local
snapshot, the Rubrik cluster reduces network impact and eliminates any archival data recovery
charges associated with a recovery operation or a restore operation.
Recovery of virtual machines

For a Rubrik cluster, recovery of a source virtual machine means to mount a point-in-time copy of
the source virtual machine.
A virtual machine can be recovered by using any of the Rubrik data protection objects: snapshots,
replicas, and archival snapshots. Recover a virtual machine by using one of the available recovery
actions. The Rubrik cluster provides the following recovery actions for virtual machines:
 Instant Recovery
 Live Mount
 Export
Table 50 provides a description of the differences between the available recovery actions.
Table 50 Differences between recovery actions
Source
Name of recovered Power virtual
Action virtual machine Datastore state Network machine
Instant Recovery Assigned the name of the Local Rubrik On Connected Powered off
source virtual machine cluster (Optional) and renamed
Live Mount Compositea Local Rubrik On Disconnected No impact
cluster
Export Composite Datastore of On Disconnected No impact
hypervisor
Rubrik CDM Version 5.0 User Guide Recovery and restore of virtual machine data 276
a. The name of the recovered virtual machine is constructed as follows: name of source virtual machine + time-
stamp of snapshot + incremented integer. For example, the first mount of the snapshot of the virtual machine
“NitroN1” that was created at “08-04 06:48” is named “NitroN1 08-04 06:48 1”.
The recovery actions that the Rubrik cluster provides depend on the data protection object being
used. Table 51 lists the available recovery actions for each type of data protection object.
Table 51 Recovery actions available for data protection objects
Object Available recovery actions
Local snapshot Initiated from the local Rubrik cluster:
• Instant Recovery
• Live Mount
• Export
Replica Initiated from the target Rubrik cluster:
• Live Mount
• Export
Archival snapshot Initiated from the local Rubrik cluster, after the archival snapshot is downloaded to
the local Rubrik cluster:
• Live Mount
• Export
Selecting a snapshot or an archival snapshot

Use the local web UI to select a snapshot before applying a recovery action.
Alternatively, use the search box on the top bar of the Rubrik CDM web UI to directly access the
local host page when the name of the source virtual machine is known.
The Hyper-V VMs page appears with the VMs tab selected, and displays all the virtual machines
in the system.
To work with data from an unmanaged virtual machine on the Snapshot Retention page, click
Snapshot Retention from the left pane. Then, continue with the following steps from the
Snapshot Retention page instead of the Virtual Machines page.
4. Use the Snapshots card to navigate to a snapshot or an archival snapshot.
Local host page provides information about the Snapshots card and navigating to a snapshot.
Rubrik CDM Version 5.0 User Guide Recovery of virtual machines 277
Skip step 5 and step 6, except when recovering a virtual machine from an archival snapshot.
5. (Recovering archival snapshot only) Open the ellipsis menu for the snapshot.
6. (Recovering archival snapshot only) On the ellipsis menu, click Download.
The Rubrik cluster retrieves the archival snapshot. Status of the retrieval appears on the
Activity Log. Activity Log describes activity notifications.
The Rubrik cluster does not apply a retention setting to a downloaded archival snapshot.
Manually delete a downloaded archival snapshot that is no longer required on local storage.
7. Perform one of the available recovery actions on the selected snapshot or restore files and
folders from the selected snapshot.
Selecting a replica
Use the Rubrik CDM web UI of the replication target Rubrik cluster to select a replica before
applying a recovery action.
1. Log in to the Rubrik CDM web UI on the replication target Rubrik cluster.
Note: Use the search box on the top bar of the Rubrik CDM web UI to directly access the
Remote VM Details page when the name of the source virtual machine is known.
2. On the left-side menu, click SLA Domains > Remote Domains.

3. Select a remote SLA Domain.
The page for the selected SLA Domain appears.
4. In the Virtual Machines section of the remote SLA Domain’s page, click the name of a virtual
machine.
The Remote VM Details page for the selected virtual machine appears.
5. Use the Snapshots card to navigate to a replica.
Snapshots card or Recovery Points card provides information about the Snapshots card and
navigating to a replica.
6. Perform one of the available recovery actions on the selected replica or restore files and folders
from the selected replica.
Virtual machine recovery

Recovery consists of selecting a data protection object (snapshot, replica, or archival snapshot)
and selecting an available recovery action (Instant Recovery, Live Mount, or Export). Recovery
using a replica cannot use the Instant Recovery action.
After performing a recovery action, the Rubrik cluster powers on the recovered virtual machine.
The recovered virtual machine can be powered off by using the Rubrik CDM web UI. It can also be
deleted through the Rubrik CDM web UI.
Live migration
After a recovery, the recovered virtual machine can be live migrated.
After live migration of a virtual machine that was recovered by the Instant Recovery or Live Mount
actions, the Rubrik cluster maintains metadata for the recovered virtual machine that should be
removed.
Delete the metadata for the recovered virtual machine through the Live Mounts page of the Rubrik
CDM web UI by using the Force Delete option, as described in Removing a virtual machine entry
after live migration.
Performing an Instant Recovery

An Instant Recovery replaces the source virtual machine with a fully functional point-in-time copy.
The Rubrik cluster powers off and renames the source virtual machine and assigns the name of
the source virtual machine to the recovered virtual machine. The Rubrik cluster powers on the
recovered virtual machine and connects the recovered virtual machine to the source network. The
Rubrik cluster is the datastore for the recovered virtual machine.
1. Select a snapshot or an archival snapshot.
Selecting a snapshot or an archival snapshot describes the selection task. For archival
snapshots, complete the download steps.
2. Open the ellipsis menu for the snapshot.
3. Click Instantly Recover.
The Instantly Recover Snapshot dialog box appears.
4. Select an Hyper-V host for the virtual machine.
5. (Optional) Click Remove virtual network device.
Select this option when networking changes or issues prevent the virtual machine from
starting.
The Rubrik cluster powers down the source virtual machine and renames it. Then the Rubrik
cluster mounts the snapshot on the selected Hyper-V host with the name of source virtual
machine, connects the recovered virtual machine to the network, and powers up the virtual
machine.
During the process, messages about the status appear in the Activity Log. The Rubrik cluster also
records the final result of the task in the Activity Log. The Rubrik cluster lists the recovered virtual
machine on the Live Mounts page of the Rubrik CDM web UI.
Optionally, move the recovered virtual machine back to the cluster. Use Hyper-V Manager to move
the instantly recovered virtual machine to any host in the cluster except the host of the source
virtual machine. Once moved, re-add the virtual machine to the cluster, using the Failover Cluster
Manager, which returns the virtual machine to its original state. The instantly recovered virtual
machine derives protection from parent objects. When the recovered virtual machine does not
obtain protection from any parent objects, add it to an SLA Domain. To protect it using the same
SLA rules and policies as the source virtual machine, add the recovered virtual machine to the
original SLA Domain. Alternatively, add the recovered virtual machine to another SLA Domain.By
default Instant Recover uses dynamic virtual disks, even if the original disk was a fixed virtual disk.
During storage migration, the disk can be reconfigured as a fixed virtual disk if this is preferred.
Performing a Live Mount

A Live Mount creates a new virtual machine from a point-in-time copy of the source virtual
machine. The recovered virtual machine uses the Rubrik cluster as its datastore.
The Rubrik cluster assigns a new name to the recovered virtual machine and powers it up. The
Rubrik cluster does not connect the recovered virtual machine to a network. The Rubrik cluster
sets the protection state of the new virtual machine to Do Not Protect.
1. Select a snapshot, an archival snapshot, or a replica.
Selecting a snapshot or an archival snapshot describes the selection task for snapshots and
archival snapshots. For archival snapshots, complete the download steps.
Selecting a replica describes the selection task for replicas.
2. Open the ellipsis menu for the snapshot or replica.
3. Click Mount.
The Mount Snapshot dialog box appears.
4. Select an Hyper-V host for the virtual machine.
starting.
6. Click Mount.
The Rubrik cluster mounts the snapshot on the selected Hyper-V host with a new name and
powers up the virtual machine. During the process, messages about the status appear in the
Activity Log. The Rubrik cluster records the final result of the task in the Activity Log.
Note: The Rubrik cluster sets the protection state of the Live Mount recovered virtual machine to
Do Not Protect. To protect the new virtual machine, add it to an SLA Domain, or remove the
individual assignment of Do Not Protect to permit it to inherit protection.
Performing an Export
An Export creates a new virtual machine from a point-in-time copy of the source virtual machine.
The datastore of the selected Hyper-V host is the datastore for the recovered virtual machine.
3. Click Export.
The Export Snapshot dialog box appears.
4. In Choose an Hyper-V Host, select an Hyper-V host for the virtual machine.
A list of the datastores that are associated with the select Hyper-V host appears.
5. In Choose a Datastore, select a datastore.
6. (Optional) Select Remove virtual network devices.
starting.
7. Click Export.
The Rubrik cluster creates a new virtual machine from the snapshot on the selected Hyper-V host,
transfers the virtual machine files to the datastore, and powers up the recovered virtual machine.
records the final result of the task in the Activity Log.
The Rubrik cluster initially sets the protection state of the exported virtual machine to Do Not
Protect. To protect the new virtual machine, add it to an SLA Domain, or remove the individual
assignment of Do Not Protect to permit it to inherit protection.
Powering off after Instant Recovery or Live Mount

Power off a recovered virtual machine from the Live Mounts page of the Rubrik CDM web UI. The
Live Mounts page lists all recovered virtual machines that were recovered by using Instant
Recovery or Live Mount from the local Rubrik cluster.
2. On the left-side menu, click Live Mounts.
The Live Mounts page appears.
3. Select a recovered virtual machine with the Powered On status.
4. Open the ellipsis menu for the recovered virtual machine.
5. Click Power Off.
6. Click Power Off.
The Rubrik cluster gracefully powers down the selected virtual machine.
Unmounting after Instant Recovery or Live Mount

Unmount a recovered virtual machine from the Live Mounts page of the Rubrik CDM web UI. The
1. Log in to the Rubrik CDM web UI on the local Rubrik cluster.
3. Select a recovered virtual machine.
5. Click Unmount.
The confirmation message includes the option Remove local entry even if Rubrik cannot
confirm Hyper-V configuration. Enable this option to remove a stale entry for a recovered
virtual machine that was live migrated, as described in Removing a virtual machine entry after
live migration. Otherwise, the option is not required.
6. Click Unmount.
The Rubrik cluster removes the selected virtual machine from the Hyper-v host (or cluster) and
deletes the recovered virtual machine files from the Rubrik cluster datastore. This action does
not remove data protection objects.
During the process, messages about the status appear in the Activity Log. The Rubrik cluster
also records the final result of the task in the Activity Log.
7. (After all live mounts are removed) Detach the Rubrik cluster datastore devices from the
associated Hyper-V host (or cluster).
The Rubrik cluster names the datastore devices using the following format:
<IP_NODE>_sdmount
where <IP_NODE> is the IPv4 address of one of the nodes of the Rubrik cluster.
Removing a virtual machine entry after live migration

After live migration of a recovered virtual machine the Rubrik cluster maintains an entry for the
recovered and migrated virtual machine on the Live Mounts page. Perform this task to remove the
entry from the Live Mounts page.
3. Select a recovered virtual machine that was live migrated.
5. Click Unmount.
6. Select Remove local entry after Storage vMotion.
7. Click Unmount.
The Rubrik cluster removes the metadata associated with the selected virtual machine and
removes the entry for the virtual machine from the Live Mounts page. This action does not remove
data protection objects and does not unmount the recovered and migrated virtual machine.
Recovery of folders and files

The Rubrik cluster provides file level restore (FLR) of files and folders from any local snapshot,
replica, or archival snapshot that was successfully indexed.
To restore a file or folder, search for the file or folder by name across all local snapshots. or browse
for the file or folder on a selected snapshot.
Searching for a file or folder

Use the Rubrik CDM web UI to search for a file or folder across all local snapshots of a virtual
machine.
1. Open the local host page for the virtual machine.
Viewing a local host page describes how to open a local host page for a virtual machine.
2. On the Snapshots card, type the name of the file or folder in the search field.
As characters are typed, the Rubrik CDM web UI immediately begins to display matching file
and folder pathnames.
Search matches the string of characters entered in the search field with the same string in any
portion of the pathname of a folder or file. Continue to type characters until the file or folder
appears in the results.
3. Select the file or folder.
The Download File Version dialog box appears. A cloud icon appears next to files or folders that
are on archival snapshots.
4. Select a version of the file or folder.
For supported Windows and Linux guest operating systems, the selection can be restored to the
original file system, or downloaded from a generated link. For other guest operating systems, the
selection can be downloaded from a generated link.
Rubrik CDM Version 5.0 User Guide Recovery of folders and files 284
Browsing for a file or folder

Use the Rubrik CDM web UI to browse for a file or folder in a data protection object (snapshot,
replica, or archival snapshot).
Note: The Rubrik cluster must download an archival snapshot before it can be browsed.
Searching by name for a file or folder on an archival snapshot does not require that the archival
snapshot be downloaded first.

2. Open the actions menu for the snapshot or replica by clicking the ellipsis icon.
3. Click Browse Files.
The browse dialog box appears.
4. Select a file or folder.
Restore files and folders directly to a guest file system

For supported Windows and Linux guest operating systems, the Rubrik cluster can restore files
and folders directly to the source file system.
The Rubrik CDM Compatibility Matrix provide the most up-to-date information about the guest
operating systems supported by this feature.
When restoring from a snapshot of a supported guest operating system, the Rubrik CDM web UI
provides the option to restore a file or folder directly to the source file system. When this option is
selected, the Rubrik CDM web UI provides a choice to overwrite the source file or folder, or to
restore the file or folder to another location.
A restored file or folder inherits the ACL of the parent folder and the same owner as the parent
folder. The restored file or folder retains the modification time (mtime) of the source file or folder
at the time of the snapshot.
To successfully restore directly to the source file system the Rubrik cluster must be provided the
following information:
 Resolvable hostname or IP address of the authentication server
 Username of an account with Administrator privileges for the target
 Password for the account
When the Rubrik cluster has previously accepted the service credentials of a guest operating
system, the restore job does not require additional credential information. This feature requires
that the Rubrik cluster has successfully used the service credentials for at least one backup prior to
the restore task. Otherwise, the credentials can be provided through the Restore File dialog during
the restore task.
Guest OS settings describes how to provide service credentials for a guest operating system.
Restoring files and folders directly to a guest file system

Search or browse for a file or folder and restore that file or folder to the source file system of a
supported Windows or Linux guest operating system.
Restore files and folders directly to a guest file system provides an overview of this feature.
1. Search or browse for a file or folder.
Searching for a file or folder and Browsing for a file or folder describe how to do this.
3. Click Restore.
The Restore button only appears for supported hosts.
The Restore Files dialog box appears.
Note: When the Rubrik cluster has previously accepted the service credentials of the host, the
credential fields do not appear.
4. (If available) (Windows only) In Domain, type the resolvable hostname or IP address of the
authentication server for the credential.
When the Windows guest OS performs Workstation Authentication of credentials instead of
Domain Authentication, leave the Domain field For a Linux guest, leave the Domain field
empty.
5. (If available) In Username, type a guest OS username for an account with sufficient privileges
on the host.
For a Windows guest, the account must have administrator privileges on the guest.
For a Linux guest, the account must have Write permission for the restore location.
6. (If available) In Password, type the password for the account.
7. Select one of the restore methods.
• Select Overwrite original to restore the selected file or folder to the original path. This
choice overwrites the existing file or folder.
• Select Restore to separate folder to restore the file or folder to another location.
8. (Restore to separate folder only) In Folder Path, type the full path of the restore location.
Note: Do not type the original path of the source file or folder. When Restore to separate
folder is selected, the object cannot be restored to a folder that contains an object of the
same name.
Use the correct path delimiter for the guest operating system.
For Windows use a back slash. For example:
C:\Users\jsmith\work
For Linux use a forward slash. For example:
/home/jsmith/work
9. (If available) (Optional) Select Store as service credential for all VMs.
When this setting is selected, the Rubrik cluster stores the credential. The stored credential can
be managed through the Service Credentials page, as described in Guest OS settings.
10.Click Restore.
The Rubrik cluster restores the file or folder to the specified location.
Restore files and folders by download

The Rubrik cluster generates download links to use for file level restore (FLR) of files and folders
from any local snapshot, replica, or archival snapshot that was successfully indexed.
Restore a file from a data protection object through the Rubrik CDM web UI. Browse the virtual
machine file system on the data protection object and select the file. The Rubrik cluster processes
the request and provides a link for download of the file.
Restore a folder from a data protection object through the Rubrik CDM web UI. Browse the virtual
machine file system on the data protection object and select the folder. The Rubrik cluster
generates a ZIP file containing the folder and all that the folder contains. The ZIP file retains the
hierarchy of the selected folder. The Rubrik cluster provides a link for download of the ZIP file.
Restoring files or folders by download from notification message

Search or browse for a file or folder and restore that file or folder by download from the
notification message.
Restore files and folders by download provides an overview of this feature.
3. For a file, click Download. For a folder, click Download Folder.
4. Click OK.
For a folder, the Rubrik cluster retrieves the folder and creates a ZIP file with the folder and all
files and folders within the selected folder. The ZIP file preserves the folder hierarchy.
5. In the Rubrik CDM web UI Activity Log, a ‘Downloaded’ message appears for the selected file
or folder.
6. Click the message.
8. (Folder only) Extract the folder using a ZIP utility.
Restoring files or folders by download from Activity Detail

Search or browse for a file or folder and restore that file or folder by download from the Activity
Detail dialog box.
3. Click Download.
5. On the messages card, select the ‘Link ready for download’ message.
Use the Recovery filter type to filter for this type of message.
The Activity Detail dialog box appears.
6. Click the download icon.
Configuring Chrome to ask for download location

Use the Google Chrome web browser to access the Rubrik CDM web UI and download recovered
files and folders. Change the default setting of the Chrome web browser to permit specifying the
local download location.
By default, Chrome saves downloaded files to the following locations:
 Windows: \Users\<username>\Downloads
 Mac: /Users/<username>/Downloads
 Linux: home/<username>/Downloads
To download files and folders to a specified location, change the default Chrome Download
setting.
1. In Chrome, click the customize icon.
The Chrome menu appears.
2. On the menu, click Settings.
The Chrome Settings page appears.
3. Click Show Advanced Settings.
Additional settings appear on the Settings page.
4. In the Downloads section, enable Ask where to save each file before downloading.
Chrome applies the new setting and opens a Save As dialog for selecting a download location
when a file is downloaded.
Unmanaged data
Manage file system data that is not subject to a retention policy through the Snapshot Retention
page of the Rubrik CDM web UI.
The Rubrik cluster views backups and snapshots that do not have a retention policy as
unmanaged snapshots. Unmanaged snapshots can be managed through the Snapshot Retention
Retention Management describes the Snapshot Retention page and how to perform tasks with
unmanaged snapshots.
Rubrik CDM Version 5.0 User Guide Unmanaged data 290

Chapter 9
AHV Virtual Machines
This chapter describes how to protect and manage data from Nutanix AHV virtual machines.
 Overview ............................................................................................................... 292
 Nutanix cluster management ................................................................................... 293
 Prerequisites .......................................................................................................... 293
 Nutanix limitations .................................................................................................. 294
 Configuring Nutanix support .................................................................................... 294
 Installing the Rubrik Backup Service......................................................................... 295
 Local host page ...................................................................................................... 309
 Virtual machine snapshots....................................................................................... 313
 Archival snapshots .................................................................................................. 318
 Recovery and restore of virtual machine data ........................................................... 318
 Recovery of folders and files.................................................................................... 321
 Unmanaged data .................................................................................................... 327
Rubrik CDM Version 5.0 User Guide AHV Virtual Machines 291
Overview
Acropolis (AHV) is a developed by Nutanix on top of KVM that can run on a Nutanix cluster.
Rubrik capitalizes on enhancements to Acropolis Block Services (ABS), such as
Challenge-Handshake Authentication Protocol (CHAP) support for connecting to iSCSI targets for
data ingest.
Additionally, the new REST 3.0 API is utilized to interact with Nutanix Changed Region Tracking
(CRT) to query the changed metadata regions given any two snapshots of a virtual disk or virtual
machine. This approach is valuable for taking incremental backups and even useful while taking
full backups because the API identifies regions that are zeroed, therefore saving on read
operations. This integration also leverages Nutanix VSS snapshots with Nutanix Guest Tools to
quiesce virtual machines as a part of the snapshot.
in an AHV environment. The Rubrik cluster can manage and protect virtual machines in an
environment with multiple Nutanix clusters and virtual machines.
SLA policies can be applied anywhere in the hierarchy stack: the cluster or virtual machine levels.
protected data. Recover virtual machines and restore data by using snapshots, replicas, and
archival snapshots.
An overview of Rubrik’s support of AHV is as follows:
 Automated protection and restore workflow
 Policy driven protection and retention operations
 Virtual machine granular backup and restore
 Auto-protect newly discovered virtual machines
 Export and recover virtual machines
 File browse and download
 Securely replicate or archive to other sites
 Rubrik Core Capabilities – global search, erasure coding, reporting
 Scale as you need
 Rubrik is uses iSCSI with CHAP for data ingest and export from Nutanix
Note: Live Mount is not supported for AHV.

Nutanix cluster management

Adding a Nutanix Cluster to the Rubrik cluster establishes a secure connection between the Rubrik
cluster and the Rubrik Backup Service. After the Nutanix Cluster is added, an entry for the Nutanix
Cluster appears in the Rubrik CDM web UI.
The Rubrik cluster identifies the Nutanix Cluster by an IPv4 address or a resolvable hostname.
To stop managing the data on a Nutanix Cluster, delete the Nutanix Cluster from the Rubrik cluster.
Deleting a Nutanix Cluster removes Nutanix Cluster from the Clusters tab. A removed Nutanix
Cluster cannot be a target of an export. The Rubrik cluster moves the existing virtual machines of
the Nutanix Cluster and all associated backups to the Unmanaged Objects page.
Prerequisites
In order for Rubrik CDM to support Nutanix, there are prerequisite requirements.
 AHV based environment listed in the Rubrik Compatibility Matrix
 Nutanix REST API version 3.0 or later
 IP configured for iSCSI Data Services
 Permissions within Nutanix for the Rubrik cluster to create and delete volume group, copy
container, create virtual machine, and create and delete snapshot
 TLS/SSL public key certificate has been generated for the Nutanix Cluster
 Highly available IP for Prism
 Obtain the Nutanix Cluster IP address of FQDN
 Obtain the Nutanix Cluster UUID
 Have a Nutanix Cluster account with administrative privileges with v3 API permissions. There
are two options that can be used.
• The Built-in Nutanix Prism admin account (specify lowercase)
• Use Active Directory. This requires that the Nutanix Cluster is linked to Active Directory. Map
the Active Directory account to the Cluster Admin role. Through the Prism self-service
portal, assign SSP administrator privileges to the user.
 Have a Rubrik account with administrative privileges
Rubrik CDM Version 5.0 User Guide Nutanix cluster management 293
 Have access to the public key certificate for the Nutanix Cluster
To determine the public key certificate use the following command:
openssl s_client -connect <IP>:<port> -tls1_2
where <IP> is the IP address of the Nutanix cluster and <port> is the web port of the Nutanix
cluster.
Note: For information on configuring Nutanix, see the Nutanix documentation.
Nutanix limitations
There are Nutanix limitations that impact Rubrik backup and restore functionality.
Table 52 describes the Nutanix limitations.
Table 52 Nutanix limitations
Limitation Description
Export of Nutanix backups If a Nutanix virtual machine has a bus type other than
are only supported on SCSI SCSI (for example SATA or IDE), the virtual machine is
bus types always exported with a SCSI bus type.
If the export is restored to a virtual machine that does not
have a SCSI bus type, the virtual machine might fail to
boot after a restore operation.
Export of Nutanix backups do If a Nutanix virtual machine has a bus type other than
not support CD-ROMs SCSI (for example SATA or IDE), the virtual machine is
always exported with a SCSI bus type.
If the export is restored to a virtual machine that does not
have a SCSI bus type, the virtual machine might fail to
boot after a restore operation.
Configuring Nutanix support

To begin managing AHV, add the Nutanix Cluster to the Rubrik cluster.
2. Click Nutanix Clusters.
The Nutanix Clusters dialog box appears.
3. In the right-side menu, select +.
The Add Nutanix Cluster page appears.
Rubrik CDM Version 5.0 User Guide Nutanix limitations 294

4. In the Nutanix Cluster field specify the Nutanix Cluster IP address or FQDN.
5. In the Cluster UUID field specify the UUID assigned to the Nutanix Cluster.
6. In the Username field specify a username that has administrative rights to the Nutanix
Cluster.
7. In the Password field specify the username password.
8. In the CA Certificate field specify CA certificate for the Nutanix Cluster.
9. Click Add.
The Rubrik cluster checks connectivity with the specified Nutanix Cluster and adds the Nutanix
Cluster.
Installing the Rubrik Backup Service

Installing the Rubrik Backup Service (RBS) provides support for VSS consistent backups. If VSS
consistent backups are not required, this service does not need to be installed.
To use RBS with AHV, install and register RBS on the Nutanix guest.
RBS on a Windows guest

The RBS provides the Rubrik cluster with the ability to provide VSS consistent snapshots for AHV.
The RBS also provides fast performance when restoring files and folders to the guest.
Rubrik provides automatic upgrade of the RBS software as part of a general upgrade of the Rubrik
cluster software. After upgrading the Rubrik cluster software, the Rubrik cluster automatically
upgrades the RBS software on all protected hosts.
The RBS software is deployed to Windows guests manually.
To use the manual method, complete the following tasks:
 Obtain the RBS software
 Select a qualified account to use when installing the software
 Install the software of the Windows guest
 Register the Rubrik Backup Software instance with the Rubrik cluster
Obtaining the RBS software through the Rubrik CDM web UI

Obtain the RBS software from the Rubrik CDM web UI of the Rubrik cluster.
The RBS software can be downloaded directly from the Rubrik cluster when it is needed, or the
software can be downloaded once and pushed to hosts as needed.
Rubrik CDM Version 5.0 User Guide Installing the Rubrik Backup Service 295
! IMPORTANT
The RBS software can only be used with the Rubrik cluster from which the software is
obtained. Each Rubrik cluster generates a copy of the RBS software that includes
authentication information specific to that Rubrik cluster. This method ensures that the
Rubrik cluster and a hosted deployment of the RBS can reliably authenticate each other.

The Save As dialog box appears.
Next task — Install the RBS software on Windows guests.
Obtaining the RBS software by URL

Obtain the RBS software directly by URL. The Rubrik cluster provides a direct URL link for the
software package for Windows hosts.
The RBS software can only be used with the Rubrik cluster from which it is obtained.
2. Access the URL:
Account used to run the RBS on a Windows host

The RBS must run as an account that is a member of the Administrators group of the Windows
Server host.
When first installed, the RBS runs as a LocalSystem account. A LocalSystem account includes the
permissions that are provided by the local Administrators group.
Instead of running the RBS as a LocalSystem account, the RBS can be configured to run as a
member of the local Administrators group.
To run as a member of the local Administrators group, run the RBS as a user account that is one of
the following:
Installing the RBS software on a Windows guest

Install the RBS software to provide the Rubrik cluster with the ability to manage data on the
Windows guest.
Before you begin. Choose or create an account to run the RBS software.
1. Copy RubrikBackupService.zip to a temporary directory on the Windows guest.
• backup-agent.crt, a security certificate for the RBS.
! IMPORTANT
When installing the RBS software, the security certificate file must be in the same folder
as the Windows Installer Package.
Package.
The Windows Installer Package installs the RBS software and incorporates the security
certificate into the installation.
The RBS software can also be push installed on multiple Windows hosts using automation
software, such as Puppet or Chef.
4. (Optional) Change the account used to run the RBS.
Account used to run the RBS on a Windows host describes the account requirements.
Note: The default LocalService account does not provide sufficient privileges to permit the RBS
to access data on network shares.
Next task — Register the Windows guests that are running the Rubrik Backup Software with the
Rubrik cluster.
Registering a guest
After installing the RBS on a guest OS, register the guest with the Rubrik cluster. Registering the
guest allows the Rubrik cluster to manage data on the guest.
Before you begin — Install the RBS software on the guest OS.
1. In the Rubrik CDM web UI, on the left-side menu, click Virtual Machines > AHV VMs.
The All VMs page appears, with the VMs tab selected.
3. Open the ellipsis menu, and select Register Rubrik Backup Service.
The Register Rubrik Backup Service modal appears.
4. Click Register.
The Rubrik cluster establishes an authenticated secure connection with the RBS running on the
guest.
Removing the RBS from a Windows host

When the RBS is no longer required on a Windows guest, it can be removed by using standard
Windows commands.
Note: Removing the RBS from a Windows guest also removes the connection between the
Windows guest and the Rubrik cluster. The Rubrik cluster designates any retained snapshots as
relics. Use the Snapshot Retention page to manually manage the relics, as described in Retention
Management.
The uninstaller removes the RBS software. The Rubrik cluster designates any retained snapshots
as relics.

occurs when the virtual machine derives the SLA Domain assignment from a Nutanix cluster.
protection.
Automatic protection rules

To provide consistency when applying automatic protection the Rubrik cluster adheres to a specific
set of rules.
A Rubrik cluster applies protection to a virtual machine using the following rules:
Rule One — The setting individually assigned to an object takes precedence.
Rule Two — An object that is not individually assigned a setting inherits the setting of the
hierarchically closest containing object that has a setting.
Rubrik CDM Version 5.0 User Guide Virtual machine protection 299

The Rubrik CDM web UI identifies virtual machines that are not protected by an SLA Domain.
Unprotected virtual machines can then be assigned to an SLA Domain.
Table 53 describes how the Rubrik CDM web UI represents unprotected virtual machines.
Table 53 Unprotected virtual machines in the Rubrik CDM web UI
Label Inherited Description
No SLA Yes There are no SLA Domains assigned to any of the parent objects of the
virtual machine, in the cluster hierarchy. The virtual machine inherits the No
SLA state. This can be changed by individually assigning an SLA Domain to
the virtual machine, by assigning an SLA Domain to a parent object, or by
moving the virtual machine beneath a protected parent object.
Do Not Protect Yes The Do Not Protect setting is individually assigned to a parent object of the
virtual machine. Based on the automatic protection rules, the virtual
machine inherits the setting from that parent object.
Do Not Protect No The Do Not Protect setting is individually assigned to the virtual machine.
Displaying unprotected virtual machines from the Dashboard describes how to use the Rubrik CDM
web UI to view all virtual machines that do not have the protection of an SLA Domain.

an SLA Domain.
an object. Automatic protection rules describes these rules.

of the SLA Domain.
The AHV VMs page appears, with the VMs tab selected.
machines.
5. Click Submit.
Assigning an SLA Domain setting to a Nutanix cluster

Specify an SLA Domain setting for Nutanix clusters to have the setting applied to the objects and
virtual machines contained by the clusters and server.
The AHV VMs page appears, with the VMs tab selected.
2. Select Clusters.
The Cluster tab appears.
3. Select a Nutanix cluster.

6. Click Submit.
The Rubrik cluster applies the selected setting to the selected objects.
machines contained by the selected objects. Automatic protection rules describes the
automatic protection rules.
7. Click Done.
specified.

Table 54 Options available through the Manage Protection dialog box (page 1 of 2)
characters entered in the search field to match the same
sequence of characters anywhere in the SLA Domain
name.
Blue + icon Click to open the Create New Opens the Create New SLA Domain dialog box. Create a
SLA Domain dialog box new SLA Domain and assign that SLA Domain to the
selected group of objects.
SLA Domain list Select an SLA Domain Select an SLA Domain to assign to the selected group of
objects. The Rubrik cluster assigns the selected SLA
Domain individually to each of the selected objects. The
automatic protection rules determine whether the Rubrik
cluster assigns the selected SLA Domain to objects
contained by a selected object.
Table 54 Options available through the Manage Protection dialog box (page 2 of 2)
Do Not Protect Select to assign Individually assigns the Do Not Protect setting to each of
the selected objects.The automatic protection rules
snapshots for a virtual machine that is individually set to
Do Not Protect or that inherits the Do Not Protect setting.

The Virtual Machines page appears, with the VMs tab selected.

selection group.
5. Click Clear.
rules.


The Rubrik CDM web UI lists all of the virtual machines that have been discovered on the AHV VMs
page. Access this page using one of several methods.
The following methods open the AHV VMs page and display all discovered virtual machines:
 On the left-side menu, click Virtual Machines > AHV VMs.
 On the Dashboard page, on the AHV VMs card, click See All.

1. Open the Rubrik CDM web UI to the main Dashboard.
2. On the AHV VMs card, in the Unprotected field, click Protect Now.
The AHV VMs page opens, with the VMs tab selected, and filters the view to show All Unprotected
virtual machines
Displaying unprotected virtual machines from the AHV VMs page

1. In the left-pane of the Rubrik CDM web UI, click Virtual Machines > AHV VMs.
The AHV VMs page appears, with the VMs tab selected, and displays all the virtual machines
present in the system.
• All Unprotected – Displays all unprotected virtual machines, both No SLA and Do Not
Protect.

protection state, either: Inherited or Do Not Protect.
The Rubrik CDM web UI displays the virtual machines that belong to the selected SLA Domain or
to the selected protection state.

machine.

browse. Then use the search field to find entities within the defined view, or to browse to entities
2. In the tab bar, select a tab.

• Clusters– Provides the Nutanix cluster(s).

Protected warning
The Rubrik CDM web UI displays the protected warning when the Rubrik cluster detects that an
SLA Domain setting is already associated with a selected virtual machine.
The protected warning is “These VM(s) are already protected”.
When the protected warning appears, do one of the following:

data is stored.
SLA Domain.

Table 55 provides a quick overview of the impact of assigning a new virtual machine to an SLA
Domain.



business requirements (e.g. data governance policy changes or space management
requirements).



Local host page

The local virtual machine page provides detailed information about the protection of a virtual
machine, and tasks related to the virtual machine. The local virtual machine page provides the
following sections:
 Action bar
 Overview card
 Snapshots card
Viewing a local virtual machine page

Access a local virtual machine page to view information about a local virtual machine.
Action bar
Action Description
Note: Backup Window settings defined for the SLA Domain of the
virtual machine do not apply to on-demand snapshots. Only the
maximum retention and remote configuration settings of the associated
SLA Domain apply to on-demand snapshots.
When the virtual machine is already assigned to an SLA Domain, a
warning appears. Click Continue to open the Manage Protection page.
Click Cancel to return to the local host page.
Overview card
Table 57 Information available on the Overview card
Field Description
Cluster The Nutanix cluster that manages the virtual machines.
machine.
Latest Snapshot Timestamp for the most recent successful snapshot of the selected virtual machine.
Total Snapshots Total number of retained snapshots for the selected virtual machine, including both
the local Rubrik cluster and any archival location.
Snapshots card
virtual machine.
represents.
Color Status
Orange All snapshots required by SLA Domain policy were successfully created but at least
one snapshot caused a warning.

View Description
Year The Year view displays snapshot creation information for an entire year. A color spot
Month The Month view displays snapshot creation information for an entire month. A color
spot indicator on a specific date indicates snapshot activity, and displays the SLA
Domain compliance status for that day.
Day The Day view displays the individual snapshots that were created on the selected
day. The Day view also provides the additional information and actions described in
the following section.

For a local virtual machine, the day view provides information about snapshots.
The day view provides the information that is described in Table 60 for each listed snapshot.

Rubrik cluster.
Table 61 Actions available for snapshots that reside on the local Rubrik cluster
Command Description
Export Use the snapshot to create and mount on AHV host for a new virtual machine, that is a
copy of the local virtual machine.
The AHV host is the datastore for the new virtual machine.
Browse Open a file browser view on the selected snapshot.

in Table 62.
Command Description
Download Transfer a copy of the selected snapshot to the local Rubrik cluster so that it is available
for additional local actions. The local Rubrik cluster provides a notification when the
download is completed.
Virtual machine snapshots

Performance and scalability

The time that a virtual machine is quiescent, sometimes referred to as virtual machine stun or
application stun, is the time between the following:
 The point where execution of the virtual machine is paused, at an instruction boundary, and all
in-flight disk input/output operations are completed.
 The point where execution resumes.
The period a virtual machine is quiescent, is very brief, just long enough to create a snapshot. The
virtual machine does not remain quiescent during the processing and ingestion of the snapshot
data.
! IMPORTANT
For best performance, use a 10 Gigabit Ethernet connection between the Rubrik cluster and
the Nutanix environment. Also, for replication, provide a 10 Gigabit Ethernet connection
between the source Rubrik cluster and the target Rubrik cluster.
The Rubrik cluster uses a distributed job scheduler. The distributed job scheduler permits the
Rubrik cluster to schedule jobs to run on any node and on multiple nodes, as needed.
Since the distributed job scheduler can seamlessly schedule jobs on all available nodes and across
multiple nodes, adding nodes to a Rubrik cluster further increases ingestion and processing
efficiency.
Back up processes
A Rubrik cluster backs up a virtual machine by creating a snapshot of the virtual machine.
machine.
creating incremental snapshots based on the change information provided by Changed Block
Tracking (CBT). The Rubrik cluster creates each incremental snapshot very quickly because the
The Nutanix environment transmits the snapshot data to the Rubrik cluster using iSCSI with CHAP
for authentication.
Snapshot window
successfully.

a virtual machine.
Table 63 describes backup consistency levels, and the levels of consistency provided by a Rubrik
cluster.
Table 63 Backup consistency levels (page 1 of 2)
Consistency
level Description Rubrik usage
Crash A point-in-time snapshot but without Provided when:
consistent quiescence. • Guest OS does not have Nutanix Guest
• Timestamps are consistent Tools installed
• Pending updates for open files are not • Guest OS has an out-of-date version of
saved Nutanix Guest Tools
• In-flight I/O operations are not
completed
The snapshot can be used to restore the
virtual machine to the same state that a
hard reset would produce.
Application A point-in-time snapshot with quiescence Provided when:
consistent and application-awareness. • Guest OS is Windows and the RBS is
• Timestamps are consistent not installed and registered
• Pending updates for open files are • The guest has an up-to-date version of
saved Nutanix Guest Tools. and application
• In-flight I/O operations are completed consistency is supported for the guest
• Application-specific operations are OS
completed.

Consistency
level Description Rubrik usage
VSS consistent A point-in-time snapshot with quiescence Provided when:
and application-awareness. • Guest OS is Windows
• Timestamps are consistent • RBS is installed and registered on the
• Pending updates for open files are Nutanix guest
saved
• In-flight I/O operations are completed
• Application-specific operations are
completed.
• Supports Exchange log truncation
Nutanix application consistent snapshots are supported.
The following configuration is required for application consistent snapshots:
 Nutanix Guest Tools must be installed on the target virtual machine.
 If the target virtual machine uses a Linux operating system, pre-freeze and post-thaw scripts
must be configured.
 In the Rubrik CDM web UI, confirm snapshot consistency is configured as Automatic (default
setting).
VSS Consistency
Nutanix VSS consistent snapshots are supported.
The following configuration is required for VSS consistent snapshots:
 Nutanix Guest Tools must be installed on the target virtual machine.
 RBS must be installed and registered on the Nutanix guest.
 In the Rubrik CDM web UI, confirm snapshot consistency is configured as Automatic (default
setting).
Configuring snapshot consistency

The Rubrik cluster allows you to select which level of snapshot consistency is used.
The All VMs page appears, with the VMs tab selected.

3. Open the ellipsis menu, and select Snapshot Consistency.
The Configure Snapshot Consistency dialog box appears.
4. Select the appropriate level of Snapshot Consistency: Automatic or Crash consistent
(if Automatic, the default setting, is selected, CDM will use the highest level of consistency
available, Application consistent or VSS consistent).
5. Click Update.
The Rubrik cluster applies the setting to all future backups of the virtual machine.
On-demand snapshots
snapshot process.
according to the SLA rules of the associated SLA Domain.


Archival snapshots
Archival snapshots provide long term storage of snapshot data outside of the local Rubrik cluster.
Archival location storage

The Rubrik cluster deduplicates and compresses the data in archival snapshots. The Rubrik cluster
uses client-side encryption to encrypt the archival snapshot data stored on all archival locations
except NFS exports.
Retention
The retention period assigned to the archival snapshot by the associated SLA Domain determines
the expiration of an archival snapshot. After the expiration of the retention period, the Rubrik
cluster marks the archival snapshot as expired and moves the snapshot data to garbage collection.
To ensure that existing snapshots are always fully functional, the Rubrik cluster combines any
required data from expired incremental snapshots into the chain of existing incremental
snapshots. This permits each retained archival snapshot to be mounted as a fully functional virtual
machine.
Recovery and restore of virtual machine data

protected data.
Rubrik CDM Version 5.0 User Guide Archival snapshots 318


actions. The Rubrik cluster provides the export recovery actions for virtual machines.

Use the local Rubrik CDM web UI to select a snapshot before applying a recovery action.
Note: Use the search box on the top bar of the Rubrik CDM web UI to directly access the local
host page when the name of the source virtual machine is known.
To work with data from an unmanaged virtual machine on the Unmanaged Objects page, On
the left-side menu, click Unmanaged Objects. Then, continue with the following steps from
the Unmanaged Objects page instead of the Virtual Machines page.
The Rubrik cluster retrieves the archival snapshot. Status of the retrieval appears on the
Activity Log. Activity Log describes activity notifications.
Manually delete a downloaded archival snapshot that is no longer required on local storage.
6. Perform the recovery action on the selected snapshot or restore files and folders from the
selected snapshot.
Selecting a replica
Use the Rubrik CDM web UI of the replication target Rubrik cluster to select a replica before
2. On the left-side menu of the Rubrik CDM web UI, click SLA Domains > Remote Domains.
machine.

and selecting Export.
3. Click Export.
4. A list of the containers that are associated with the selected Nutanix Cluster appears, select an
Nutanix Cluster for the virtual machine.
A list of the datastores that are associated with the select Nutanix host appears.
5. Power on the virtual machine.
6. Click Export.
The Rubrik cluster creates a new virtual machine from the snapshot on the selected Nutanix
cluster, transfers the virtual machine files to the datastore, and powers up the recovered virtual
machine. During the process, messages about the status appear in the Activity Log. The Rubrik
cluster also records the final result of the task in the Activity Log.
Recovery of folders and files


machine.
Viewing a local virtual machine page describes how to open a local host page for a virtual
machine.




and folders directly to the source file system through the Rubrik Backup Service (RBS).

3. Click Restore.
same name.
/home/jsmith/work
be managed through the Service Credentials page, as described in Guest OS settings.
7. Click Restore.

from any local snapshot, replica, or archival snapshot that was successfully indexed.
File and folder download links appear in a message in the notification area of the Rubrik CDM web
UI. This message provides a link to the download. The Rubrik cluster also provides the download
link on the Activity Detail dialog box for the download task.

4. Click OK.
5. In the Activity Log, a ‘Downloaded’ message appears for the selected file or folder.

Detail dialog box.
3. Click Download.
Viewing a local virtual machine page describes how to open a local virtual machine page for a
virtual machine.

setting.
Unmanaged data
The Rubrik cluster defines backups and snapshots that do not have a retention policy as
unmanaged snapshot objects. Unmanaged snapshot objects can be managed through the
Snapshot Retention page of the Rubrik CDM web UI.
unmanaged snapshot objects.

Chapter 10
vSphere Virtual Machines
This chapter describes how to protect and manage data from VMware vSphere virtual machines.
 Overview ............................................................................................................... 329
 Manage vCenters .................................................................................................... 332
 Virtual machine scripts ............................................................................................ 341
 Storage array integration......................................................................................... 343
 Exclude VMDK files ................................................................................................. 345
 Local host page ...................................................................................................... 353
 Snapshots .............................................................................................................. 359
 Linux guest ............................................................................................................ 363
 Windows guest ....................................................................................................... 364
 On-demand snapshots ............................................................................................ 370
 Recovering and restoring virtual machine data .......................................................... 371
 File and folder restore ............................................................................................. 383
 Unmanaged data .................................................................................................... 389
Rubrik CDM Version 5.0 User Guide vSphere Virtual Machines 328
Overview
in a VMware vSphere environment. The Rubrik cluster can manage and protect virtual machines in
an environment with multiple vCenter Servers and multiple ESXi hosts.
protected data. Recover virtual machines and restore data by using snapshots, replicas, and
archival snapshots.

occurs when the virtual machine derives the SLA Domain assignment of a containing folder,
cluster, or host.
The Rubrik cluster also permits protecting some of the VMDK files on a virtual machine while
designating other VMDK files on the virtual machine as unprotected.
Objects from which a virtual machine can inherit are the following virtualization system entities:
 Folders
 Clusters
 Hosts
protection.


set of rules.
A Rubrik cluster applies protection to a virtual machine using the following rules:
hierarchically closest containing object that has a setting.
Rule Three — The setting assigned to a containing folder takes precedence over the setting
assigned to a containing cluster or host.
Example 10 Automatic protection rules applied

To show the impact of automatic protection on the protection settings of a virtual machine,
consider the following fictitious virtual machine environment:
• Virtual machine is newly discovered and no protection has been assigned.
• Virtual machine resides on vSphere cluster C, cluster C has not been assigned protection.
• Virtual machine is contained by folder F1, and F1 is contained by top-level folder F2. Neither
folder has been assigned protection.
Administrator assigns the SLA Domain named ClusterProtection to C:
The virtual machine inherits the ClusterProtection assignment (Rule Two).
Administrator assigns the SLA Domain named Folder2Protection to F2:
The virtual machine inherits the Folder2Protection assignment (Rule Three). The expiration
settings of Folder2Protection apply to the snapshots taken while under ClusterProtection. Some
snapshots may be immediately marked as expired.
Administrator assigns the SLA Domain named Folder1Protection to F1:
The virtual machine inherits the Folder1Protection assignment (Rule Two). The expiration
settings of Folder1Protection apply to snapshots taken while under ClusterProtection and while
under Folder2Protection. Some snapshots may be immediately marked as expired.
Administrator changes the SLA Domain setting of folder F1 to Do Not Protect:
The virtual machine inherits the Do Not Protect setting and is unprotected (Rule Two).
Administrator individually assigns the virtual machine to the Gold SLA Domain:
The virtual machine is protected by the Gold SLA Domain (Rule One).
Administrator changes the SLA Domain setting of folder F1 to the Silver SLA Domain:
A conflict occurs between the individually assigned setting for the virtual machine and the
setting selected for F1. The Rubrik cluster displays the conflict. The administrator chooses to
remove the individually assigned setting and have the virtual machine inherit the new SLA
Domain setting of F1. The virtual machine is protected by the Silver SLA Domain.

The Rubrik CDM web UI identifies virtual machines that are not protected by an SLA Domain.
Unprotected virtual machines can then be assigned to an SLA Domain.
Table 64 describes how the Rubrik CDM web UI represents unprotected virtual machines.
Table 64 Unprotected virtual machines in the Rubrik CDM web UI
Label Inherited Description
No SLA Yes There are no SLA Domains assigned to any of the parent objects of the
virtual machine, in both the folder hierarchy and the cluster/host hierarchy.
The virtual machine inherits the No SLA state. This can be changed by
individually assigning an SLA Domain to the virtual machine, by assigning
an SLA Domain to a parent object, or by moving the virtual machine
beneath a protected parent object.
Do Not Protect Yes The Do Not Protect setting is individually assigned to a parent object of the
virtual machine. Based on the automatic protection rules, the virtual
machine inherits the setting from that parent object.
Do Not Protect No The Do Not Protect setting is individually assigned to the virtual machine.
Displaying unprotected virtual machines from the Dashboard describes how to use the Rubrik CDM
web UI to view all virtual machines that do not have the protection of an SLA Domain.
Virtual machine linking

When a Rubrik cluster protects virtual machines that are managed by vCenter Servers, certain
conditions can cause a previously protected virtual machine to show up as a new virtual machine
with no snapshot history. This can occur as the result of an instant recovery, or migration of a
virtual machine to another vCenter Server, or unregistering a virtual machine from the current
vCenter Server and then registering it back to the same vCenter Server. In these situations, the
previously protected virtual machine loses its association with previous snapshots and SLA
assignments. This results in a new full snapshot being taken during the next backup window. It
also compromises the ability to restore old data from the virtual machine.
For that reason, any time a virtual machine is added to a Rubrik cluster, the Rubrik cluster runs a
detection algorithm designed to identify whether that virtual machine was previously known to the
system.
If the optional automatic linking feature is turned on, the Rubrik cluster will link any duplicate
virtual machine occurrences it detects and present them as if they are the same virtual machine.
These linked virtual machines also retain an SLA Domain that is specifically assigned to the original
virtual machine.
The automatic linking feature is either turned on or off for an entire vCenter Server. You can make
this decision when the vCenter Server is added, or by editing the vCenter Server connection
properties.
Note: The automatic linking feature does not perform any retroactive processing. For example, if
the feature is turned off, and a virtual machine is deleted and re-registered with the same vCenter
Server, the re-registered virtual machine will be added as a new virtual machine. Even if automatic
linking is turned on after that occurs, the new virtual machine will not be linked to the previous
virtual machine.
Manage vCenters
The Rubrik cluster accesses virtual machine data through a connection with the VMware vCenter
Server that manages the hypervisor that is running the virtual machine. To successfully connect
with a vCenter Server, the Rubrik cluster requires connection information for that vCenter Server.
The Rubrik cluster provides access to vCenter Server information on the vCenter Servers page.
That page provides the FQDN or IP address, and the connection status, for every vCenter Server
that is added to the Rubrik cluster.
After connection information for a vCenter Server is added to a Rubrik cluster, the Rubrik cluster
requests relevant metadata from the vCenter Server. The Rubrik cluster uses the metadata to
display and work with the virtual machines on the vCenter Server.
The Rubrik cluster automatically refreshes the metadata from a vCenter Server every 30 minutes.
This is referred to as a light refresh. The Rubrik Edge appliance performs a light refresh of a
vCenter Server every six hours.
The Rubrik cluster automatically refreshes the metadata and rescans the VMDK files of a vCenter
Server every two hours. This is referred to as a full refresh. The Rubrik Edge appliance performs a
full refresh of a vCenter Server every 24 hours.
VMDK files are also automatically scanned as part of every create snapshot job.
A full refresh can be manually initiated at any time.
Rubrik CDM Version 5.0 User Guide Manage vCenters 332

vCenter Server privilege requirements

The vCenter Server role that is assigned to a Rubrik cluster must provide specific privileges on the
vCenter Server.
Minimum vCenter Server Privileges lists and describes the required privileges.
In order to provide data management and protection for virtual machines in a vSphere
environment, the vCenter Server role assigned to the Rubrik cluster must meet the minimum
requirements.
Adding vCenter Server connection information

Add connection information for a vCenter Server to a Rubrik cluster to permit the Rubrik cluster to
protect the virtual machines that are running on the hypervisors of the vCenter Server.
The Rubrik cluster attempts to initiate a connection with the vCenter Server using vCenter Server
6.0 or newer protocols, which require a trusted root certificate.
! IMPORTANT
When a trusted root certificate is not provided, the Rubrik cluster uses the trust on first use
(TOFU) standard to authenticate the vCenter Server. Depending on the network
environment, this might not ensure secure operation.

3. Click vCenter Servers.
The vCenter Servers page appears.
The Add vCenter dialog box appears.
5. In vCenter IP, type the resolvable hostname or IPv4 address of the vCenter Server.
6. In vCenter Username, type the username assigned to the Rubrik cluster.
7. In vCenter Password, type the password assigned to the Rubrik cluster.
8. (Optional) Turn on the automatic linking feature by clicking the Automatically link
discovered virtual machines checkbox.
9. Click Advanced Setting to add a Certificate Authority (CA) certificate for TLS validation.
The dialog box expands to show the Trusted Root Certificate field.

10.Paste the text of the trusted CA root certificate for the vCenter into the Trusted Root Certificate
field.
11.Click Add.
The Rubrik cluster tests the connection and saves the information.
Refreshing the metadata provided by a vCenter Server

Manually refresh the metadata provided by a vCenter Server.
Before you begin. Add information about the vCenter Server to the Rubrik cluster.
4. Select a vCenter Server.
Select multiple vCenter Servers to refresh all of the selected entries.
5. Open the ellipsis menu at the top of the page.
6. Click Refresh vCenter.
The Rubrik cluster starts a task to refresh the selected vCenters.
Editing vCenter Server connection information

Edit the vCenter Server connection information that is stored by a Rubrik cluster to change the IP
address, username, and password.
4. Open the ellipsis menu of a vCenter Server entry.
5. Click Edit.
The Edit dialog box appears.


7. (Optional) Turn on or turn off the automatic linking feature by clicking the Automatically link
discovered virtual machines checkbox.
8. Click Update.
The Rubrik cluster tests the connection and saves the information.
Deleting vCenter Server connection information

Delete the vCenter Server connection information that is stored by a Rubrik cluster to remove
protection of the virtual machines of that vCenter Server.
4. Open the ellipsis menu of a vCenter Server entry.
5. Click Delete.
6. Click Delete.
The Rubrik cluster deletes the information for the selected vCenter Server.
The Rubrik cluster provides management access to the data from the virtual machines of that
vCenter Server through the Snapshot Retention page.

an SLA Domain.
an object. Automatic protection rules describes these rules.

of the SLA Domain.
1. In the Rubrik CDM web UI, on the left-side menu, click Virtual Machines > vSphere VMs.
The vSphere VMs page appears, with the VMs tab selected.

machines.
A dialog box with one or more warnings may appear. Warning messages describes the potential
warnings.
5. Click Submit.
Assigning an SLA Domain setting to a vCenter Server folder

Specify an SLA Domain setting for a vCenter Server folder to have the setting applied to the
objects and virtual machines contained by the folder.
2. Select Folders.
The Folders tab appears.
3. Select an object within the vCenter Server folder hierarchy.
Click a value in the Name column to move down in the folder hierarchy.
Select multiple objects to apply the setting to more than one object in the folder hierarchy.
warnings. Click Continue Anyway to proceed or click Cancel to return to the Folders tab.
6. Click Submit.
When the SLA Domain selection will cause a change in the individual setting of a object that is
contained by one of the selected objects, the SLA Conflicts dialog box appears. Resolving SLA
conflicts describes how to use this dialog box.
When there are no SLA conflicts, the Rubrik cluster applies the selected setting to the selected
objects.
7. (SLA conflicts only) After resolving all SLA conflicts, click Done.
specified.
Assigning an SLA Domain setting to a vCenter Server cluster or host

Specify an SLA Domain setting for vCenter Server clusters and hosts to have the setting applied to
the objects and virtual machines contained by the clusters and hosts.
2. Select Clusters/Hosts.
The Clusters/Hosts tab appears.
3. Select an object within the vCenter Server hosts hierarchy.
To browse down the hosts hierarchy, click a value in the Name column.
Select multiple objects to apply the setting to more than one object in the hosts hierarchy.
warnings. Click Continue Anyway to proceed or click Cancel to return to the Folders tab.
6. Click Submit.
When the SLA Domain selection will cause a change in the individual setting of a object that is
contained by one of the selected objects, the SLA Conflicts dialog box appears. Resolving SLA
conflicts describes how to use this dialog box.
When there are no SLA conflicts, the Rubrik cluster applies the selected setting to the selected
objects.
7. (SLA conflicts only) After resolving all SLA conflicts, click Done.
specified.

Table 65 Options available through the Manage Protection dialog box
characters entered in the search field to match the
same sequence of characters anywhere in the SLA
Domain name.
Blue + icon Click to open the Create New Opens the Create New SLA Domain dialog box.
SLA Domain dialog box Create a new SLA Domain and assign that SLA
Domain to the selected group of objects.
SLA Domain list Select an SLA Domain Select an SLA Domain to assign to the selected group
of objects. The Rubrik cluster assigns the selected
SLA Domain individually to each of the selected
objects. The automatic protection rules determine
whether the Rubrik cluster assigns the selected SLA
Domain to objects contained by a selected object.
Do Not Protect Select to assign Individually assigns the Do Not Protect setting to each
of the selected objects.The automatic protection rules
snapshots for a virtual machine that is individually set
to Do Not Protect or that inherits the Do Not Protect
setting.
Resolving SLA conflicts

The Manage Protection setting of a selected object can conflict with the setting that is individually
assigned to an object contained by the selected object. When a conflict is detected, the Rubrik
cluster opens the SLA Conflicts dialog box to permit the conflict to be resolved.
When the SLA Conflicts dialog box appears, it lists each object that has an individual SLA setting
that conflicts with the setting being applied to a selected containing object. The SLA Conflicts
dialog box initially lists these objects in the Keep Current SLA column.
1. Assign an SLA Domain setting to an object, as described in Assigning an SLA Domain setting to
a vCenter Server folder.
2. When the SLA conflicts dialog box appears, do one of the following for each listed object:
• Leave that object in the Keep Current SLA column.
This retains the individual setting of the listed object.
• Move the object to the Inherit From Parent column.
The individual setting of the listed object is removed, and the object inherits the setting
selected in the Manage Protection dialog box. The setting that the object inherits can be a
specific SLA Domain assignment, the Inherit SLA setting, or the Do Not Protect setting
3. Click Done.


selection group.

warnings.
5. Click Clear.
rules.
Virtual machine scripts

The Rubrik cluster can be configured to run scripts on a guest OS before a snapshot, after the
snapshot, and after the Rubrik cluster completes the backup process.
Use this feature to put a guest OS in a specific state before a snapshot, change that state
immediately after the snapshot is completed on the host system, and perform other actions after
the Rubrik cluster completes the backup process.
To allow the Rubrik cluster to start scripts, provide Guest OS credentials with sufficient privileges.
Without adequate credentials, the Rubrik cluster cannot start the scripts. Guest OS settings
describes how to add Guest OS credentials.
For example, run a script to quiesce applications before a snapshot, another script to restore the
applications to their normal running status after the snapshot, and a final script to perform
clean-up at the end of the backup process.
The scripts can consist of any sequence of operations that can be run by the command line
interpreter of the guest OS. Table 66 describes the scripts.
Table 66 Virtual machine Pre/Post Scripts (page 1 of 2)
Name Description
Pre-Backup Script • Use Pre-Backup Script to prepare for a backup by quiescing the applications on the
virtual machine.
• Requires that a timeout value be specified.
• The Rubrik CDM web UI provides an option to cancel the backup task when the
Pre-Backup Script does not complete successfully.
Rubrik CDM Version 5.0 User Guide Virtual machine scripts 341
Table 66 Virtual machine Pre/Post Scripts (page 2 of 2)

Name Description
Post-Snap Script Must be idempotent, script may be invoked several times during a single backup task.
• Use Post-Snap Script to minimize stun time and resume all applications on the
virtual machine.
• Also, use Post-Snap Script to perform clean-up tasks if a backup task fails.
• Post-Snap Script runs immediately after the host snapshot task completes.
Post-Backup Must be idempotent, script may be invoked several times during a single backup task.
Script • Use Post-Backup Script to perform custom post-processing at the end of the backup
process.
• Post-Backup Script runs after: the snapshot is copied to the Rubrik cluster and
released on the virtual machine host, and the Rubrik cluster completes all data and
metadata processing tasks.
Enabling scripts
Configure the Rubrik cluster to run scripts when a virtual machine is backed up.

3. Open the ellipsis menu, and select Configure Pre/Post Scripts.
The Configure Pre/Post Scripts dialog box appears.
4. (Optional) In Pre-Backup Script Path, type the full path for the Pre-Backup Script.
The full path is relative to the root of the guest OS file system.
5. (Optional) Select Cancel Backup if Pre-Backup Scripts Fails.
6. (Required when available) In Timeout, type an integer value.
The value represents the number of seconds before the Rubrik cluster terminates the
Pre-Backup Script because the script cannot be completed.
Rubrik CDM Version 5.0 User Guide Virtual machine scripts 342
7. (Optional) In Post-Snap Script Path, type the full path for the Post-Snap Script.
8. (Required when available) In Timeout, type an integer value.
Post-Snap Script because the script cannot be completed.
9. (Optional) In Post-Backup Script Path, type the full path for the Post-Backup Script.
10.(Required when available) In Timeout, type an integer value.
Post-Backup Script because the script cannot be completed.
11.Click Apply.
The Rubrik cluster stores the information and runs the specified scripts for all subsequent backups
of the selected virtual machine. The Rubrik cluster provides entries in the Activity Log for errors
that occur when running the scripts as specified.
Storage array integration

A Rubrik cluster can integrate with a storage array to further reduce the time that a virtual
machine is quiescent during a snapshot operation. To qualify for storage array integration, all
datastores assigned to the virtual machine must reside on storage arrays.
Normally, a Rubrik cluster ingests the VMDK files of a virtual machine as part of the snapshot
process. During this time the virtual machine must be kept quiescent. A Rubrik cluster ingests the
VMDK files very quickly resulting in extremely short periods of quiescence. However, for large
VMDK files, the time that is required for ingesting the VMDK files can impact the virtual machine.
With storage array integration, a Rubrik cluster can use the API of the storage array to move
ingestion of the VMDK files out of the vSphere environment and onto the storage array. Using
storage array integration, a Rubrik cluster can release a virtual machine for normal operation
immediately after a hypervisor snapshot. The Rubrik cluster takes storage array snapshots and
uses those for ingestion of the VMDK files.
After releasing the virtual machine, the Rubrik cluster mounts the storage array level snapshots as
temporary datastores on the virtual machine host. The Rubrik cluster then attaches the VMDK files
from the temporary datastores to a proxy virtual machine. The Rubrik cluster completes the data
ingestion through the proxy virtual machine, and then removes the temporary datastore objects
and the proxy virtual machine.
Rubrik CDM Version 5.0 User Guide Storage array integration 343
Storage array integration can employ custom scripts running on the guest operating system to
provide application level quiescence or application consistency. A pre-backup script can prepare an
application for the brief quiescence and a post-snap script can resume the application immediately
after the snapshot./
Virtual machine scripts provides information about scripts.
Datastore requirements for storage array integration

To use storage array integration, all of the datastores assigned to a virtual machine must reside on
a single storage array or on multiple storage arrays of the same type.
Datastores that span multiple storage arrays of the same type are permitted.
Enabling storage array integration for a virtual machine

Enable storage array integration for a virtual machine to allow the Rubrik cluster to ingest VMDK
files directly from datastores on storage arrays. Storage array integration can reduce the
quiescence period for a virtual machine during snapshot operations.
 Ensure the datastores of the virtual machine reside on supported storage arrays.
 Add the storage arrays to the Rubrik cluster as described in Adding a storage array.
2. In the Name column, click the name of the virtual machine.

3. (Optional) Open the ellipsis menu on the top bar of the local host page and select Configure
Pre/Post Scripts.
The Configure Pre/Post Scripts dialog box appears.
4. (Optional) Enable the pre-backup script and the post-snap script for the virtual machine.
Enabling scripts describes how to enable scripts.
5. Open the ellipsis menu on the top bar of the local host page and select Enable Array
Integration.
The Enable Array Integration menu item only appears when the virtual machine is eligible for
storage array integration. After a storage array is added, the Rubrik cluster scans all virtual
machines to determine eligibility for storage array integration. The menu item will not appear
until the conclusion of the scanning period.
The message “Enabled array integration” appears in the Activity Log.
The Rubrik cluster stores the information and uses storage array integration for all subsequent
backups of the virtual machine.
Disabling storage array integration

Disable storage array integration for a virtual machine to prevent the Rubrik cluster from ingesting
VMDK files directly from datastores on storage arrays. Disabling storage array integration can
increase the quiescence period for a virtual machine during snapshot operations.
2. In the Name column, click the name of the virtual machine.

3. Open the ellipsis menu on the top bar of the local host page and select Disable Array
Integration.
The message “Disabled array integration” appears in the Activity Log.
The Rubrik cluster uses the normal snapshot work flow for the next scheduled or on demand
backup of the virtual machine and for all subsequent backups of the virtual machine.
Exclude VMDK files

Virtual machines can include some VMDK files that do not need to be protected. The Rubrik cluster
can be configured to ignore some of the VMDK files of a virtual machine while protecting the other
VMDK files of that virtual machine.
Rubrik CDM Version 5.0 User Guide Exclude VMDK files 345
Excluding VMDK files of a virtual machine

When backups are not required for some of the VMDK files of a virtual machine, exclude those
VMDK files from backups.
2. In the Name column, click the name of a virtual machine.

The local host page for the selected virtual machine appears. Local host page describes the
local host page.
3. Open the ellipsis menu on the top bar of the local host page and select Exclude VMDKs.
The Exclude VMDK dialog box appears.
4. Select the VMDK files to exclude.
5. Click Exclude.
The Rubrik cluster excludes the selected VMDK files from all future backups of the virtual machine.


The Rubrik CDM web UI lists all of the virtual machines that have been discovered on the VM
Protection page. Access this page using one of several methods.
The following methods open the VM Protection page and display all discovered virtual machines:
 On the Dashboard page, on the Virtual Machines card, click See All.
 On the left-side menu, click Virtual Machines > vSphere VMs.

1. Open the Rubrik CDM web UI to the main Dashboard.
2. On the Virtual Machines card, in the Unprotected field, click Protect Now.
The Virtual Machines page opens, with the VMs tab selected, and filters the view to show All
Displaying unprotected virtual machines from the VM Protection page

The vSphere VMs page appears, with the VMs tab selected, and displays all the virtual
• Unprotected – Displays all unprotected virtual machines, both No SLA and Do Not Protect.

protection state, either: No SLA or Do Not Protect.
The Rubrik CDM web UI displays the virtual machines that belong to the selected SLA Domain or
to the selected protection state.

machine.

browse. Then use the search field to find entities within the defined view, or to browse to entities
machines present in the system. In the tab bar, select a tab.
• Folders – Provides the vCenter Server folder hierarchy view, starting at the vCenter Server.
• Clusters/Hosts – Provides the vCenter Server cluster and host hierarchy view, starting at
the vCenter Server.

Warning messages
As part of the task of assigning SLA Domains, the Rubrik cluster may display warning messages.
For each type of warning, the Rubrik cluster offers the option to continue or to cancel the task.
The Rubrik cluster may display the following warning messages, individually or in combination:
 Assignment Conflicts
 These VM(s) are already protected
 VMware Tools not installed
Each of these warnings can appear separately, or together in a Multiple Warnings dialog box.
Assignment Conflicts
The Rubrik CDM web UI displays the Assignment Conflicts warning when the Rubrik cluster
detects a conflict in the SLA Domain setting for a selected object.
When a virtual machine within the hierarchy of a selected object inherits an SLA Domain
assignment from a vCenter Server cluster or host, and also from a vCenter Server folder, the
Assignment Conflicts warning appears. In this situation, the virtual machine always inherits the
policy of the vCenter Server folder, unless a SLA Domain setting is individually assigned to the
virtual machine.
When the Assignment Conflicts warning appears, do one of the following:
 Continue the operation to assign the selected SLA Domain setting to the selected objects.
 Cancel the operation and remove the selected objects from the selection set.
To prevent the Assignment Conflicts warning from appearing again, select Don’t show this
again.
Protected VMs warning

The Rubrik CDM web UI displays the protected VMs warning when the Rubrik cluster detects that
an SLA Domain setting is already associated with a selected virtual machine.
The protected VMs warning is “These VM(s) are already protected”.
When the protected VMs warning appears, do one of the following:
VMware tools warning

The Rubrik cluster displays the VMware tools warning when it detects that the correct version of
VMware Tools is not installed on a selected virtual machine.
The VMware tools warning is “VMware Tools not installed”.
The Rubrik cluster requires the current version of VMware Tools to perform administrative
operations and to enable application consistent snapshots. The vSphere environment specifies the
current version of VMware Tools for every virtual machine in the environment.
When the VMware tools warning appears, do one of the following:
 Cancel the operation and upgrade VMware Tools on each of the virtual machines in the
selection set.
VMware Tools version provides more information about the role of VMware Tools for application
consistent snapshots.
For information on installing VMware Tools on a guest OS, see:
https://kb.vmware.com/kb/1014294
data is stored.

SLA Domain.

Table 67 provides a quick overview of the impact of assigning a new virtual machine to an SLA
Domain.
Table 67 Impact of SLA Domain properties on snapshots

business requirements (e.g. data governance policy changes or space management
requirements). Example 11 describes this situation.
Example 11 Assigning a protected virtual machine to another SLA Domain

Assume that a virtual machine was assigned to the SLA Domain D1 and later was assigned to the
SLA Domain D2. At the time of the reassignment, the virtual machine had existing policy driven
snapshots. After the reassignment, those existing policy driven snapshots are managed based on
the policies set in SLA Domain D2.

If D1 has a higher base frequency of snapshots than D2 (e.g. D1 was Gold and D2 was Bronze),
then existing policy-driven snapshots that are not required by the policies of D2 are deleted from
the system.
By doing this, the Rubrik cluster brings the snapshot history for the virtual machine into
compliance with the frequency and retention periods defined by D2.
Alternatively, if D2 specifies a higher base frequency of snapshots, (e.g. D2 was Gold and D1 was
Bronze) then the virtual machine will initially appear in the SLA Compliance reports as out of
compliance with D2’s SLA because the existing snapshots were insufficient to meet the new SLA
rules.


Example 12 describes re-protecting a virtual machine.
Example 12 Re-protecting a virtual machine

Assume that a virtual machine is protected under SLA Domain D1, the virtual machine is removed
from D1, and then the virtual machine is protected again by assigning the virtual machine to SLA
Domain D2.
In this example, when the virtual machine is removed from protection, all its policy driven
snapshots must be managed manually.
When the virtual machine is assigned to SLA Domain D2, the policy driven snapshots for the
virtual machine are managed based on the policies defined in D2.

All existing and future snapshots for the virtual machine are subject to D2’s rules regarding local
cluster retention period, replication retention period and maximum retention period.
Local host page

The local host page provides detailed information about the protection of a virtual machine, and
tasks related to the virtual machine. The local host page provides the following sections:
 Action bar
 Overview card
 Snapshots card
Viewing a local host page

Access a local host page to view information about a local virtual machine.

Action bar
Table 68 Actions available from the action bar (page 1 of 2)
Action Description
Note: Backup Window settings defined for the SLA Domain of the
virtual machine do not apply to on-demand snapshots. Only the
maximum retention and remote configuration settings of the associated
SLA Domain apply to on-demand snapshots.
Table 68 Actions available from the action bar (page 2 of 2)

Action Description
When the virtual machine is already assigned to an SLA Domain, a
warning appears. Click Continue to open the Manage Protection page.
Click Cancel to return to the local host page.
Ellipsis menu > Delete All Only appears for an unprotected virtual machine. Deletes all local
Snapshots snapshots for the virtual machine. Archival snapshots and replicas are
not deleted.
Ellipsis menu > Exclude VMDKs Provides access to the Exclude VMDK dialog box, as described in
Exclude VMDK files.
Ellipsis menu > Configure Provides access to the Configure Application Consistency dialog box, as
Application Consistency described in Specifying crash consistent backups.
Ellipsis menu > Configure Provides access to the Configure Pre/Post Scripts dialog box, as
Pre/Post Scripts described in Snapshots.
Ellipsis menu > Enable Array Only appears when the virtual machine is eligible for storage array
Integration integration. Enables storage array integration for all subsequent
backups of the virtual machine, as described in Storage array
integration.
Register Rubrik Backup Service Establishes a connection between the Rubrik cluster and the Rubrik
Backup Service (RBS) software running on the guest OS of the virtual
machine.
Overview card
Field Description
vCenter IP address of the vCenter Server that manages the virtual machine.
Host Host–For virtual machines that are assigned to an SLA Domain without an
or Archival policy, shows the IP address of the hypervisor that hosts the virtual
Cloud Conversion machine.
Cloud Conversion–For virtual machines that are assigned to an SLA Domain
with an Archival policy, shows the Configure button and either:
• Disabled
• Name of the archival location
machine.
Live Mounts Number of live mounts for snapshots associated with the selected virtual
machine.
When the SLA Domain has an active archival policy, the oldest snapshot
resides at the archival location.
Latest Snapshot Timestamp for the most recent successful snapshot of the selected virtual
machine.
Total Snapshots Total number of retained snapshots for the selected virtual machine, including
both the local Rubrik cluster and any archival location.
Snapshots card
virtual machine.
represents.
Color Status
Orange All snapshots required by SLA Domain policy were successfully created but at least
one snapshot caused a warning.

View Description
Year The Year view displays snapshot creation information for an entire year. A color spot indicator on a
specific date indicates snapshot activity, and displays the SLA Domain compliance status for that
day.
Month The Month view displays snapshot creation information for an entire month. A color spot indicator
on a specific date indicates snapshot activity, and displays the SLA Domain compliance status for
that day.
Day The Day view displays the individual snapshots that were created on the selected day. The Day
view also provides the additional information and actions described in the following section.

For a local virtual machine, the day view provides information about snapshots, as described in
Table 72.

Rubrik cluster.
Table 73 Actions available for snapshots that reside on the local Rubrik cluster
Command Description
Search by File Name Use the predictive search field to find file by typing the name.
Mount Use the snapshot to create and mount a new virtual machine on a hypervisor host.
system. The name of the recovered virtual machine is constructed as follows:
name of source virtual machine + timestamp of snapshot + incremented integer.
The local Rubrik cluster is the datastore for the new virtual machine.
Instantly Recover Restore a virtual machine into the production environment by using the selected
snapshot.
The new virtual machine is given the same name as the source virtual machine
and is powered on and connected to the network. The source virtual machine is
powered off and renamed.
The local Rubrik cluster serves as the datastore for the new virtual machine.
Export Use the snapshot to create and mount on an hypervisor host a new virtual
machine, that is a copy of the local virtual machine.
system. The name of the recovered virtual machine is constructed as follows:
name of source virtual machine + timestamp of snapshot + incremented integer.
The hypervisor host is the datastore for the new virtual machine.
in Table 74.
Command Description
Download Transfer a copy of the selected snapshot to the local Rubrik cluster so that it is available for
additional local actions. The local Rubrik cluster provides a notification when the download is
completed.
Restoring files or folders by download from notification message describes how to download
a file or folder.
Snapshots
Back up processes
A Rubrik cluster backs up a virtual machine by creating a snapshot of the virtual machine by using
VADP, or for Windows guests, by using the VSS agent that is integrated into the Rubrik Backup
Service (RBS).
machine.
creating incremental snapshots based on the change information provided by Changed Block
Tracking (CBT). The Rubrik cluster creates each incremental snapshot very quickly because the
The vSphere environment transmits the snapshot data to the Rubrik cluster using the most
efficient available transport mode. Normally, the vSphere environment uses the NBD/NBDSSL
transport mode. The high efficiency of the Rubrik cluster eliminates data bottlenecks, allowing the
NBD/NBDSSL transport mode to provide data transmission rates that minimize the time that a
virtual machine is quiescent.
For VMDKs that are stored on a SAN, the Rubrik cluster can use the SAN transport mode. In this
mode, the Rubrik cluster uses the iSCSI protocol to obtain snapshot data over a direct connection
to the storage array resulting in very fast data transmission.
Rubrik CDM Version 5.0 User Guide Snapshots 359

Snapshot window
successfully.
Protection exceptions
The Rubrik cluster cannot protect data that exists on any of the following:
 VMDKs that are set to Independent-Persistent mode or to Independent-Nonpersistent
mode.
 Network drives that are mounted on the file system of a protected virtual machine.
 Any virtual machine for which the Rubrik cluster does not have snapshot creation permission
because of settings on the virtual machine or on a vSphere folder that contains the virtual
machine.
 Any virtual machine data that resides on raw disk mappings (RDMs), where the compatibility
mode of the RDMs is set to Physical.

a virtual machine.
Specifying crash consistent backups describes how to change the default backup consistency
setting.
Table 75 describes backup consistency levels, and the levels of consistency provided by a Rubrik
cluster.
Consistency level Description Rubrik usage
Inconsistent A backup that consists of copying each Not provided
file to the backup target without
quiescence.
• File operations are not stopped
The result is inconsistent timestamps
across the backup and, potentially,
corrupted files.


Consistency level Description Rubrik usage
Crash consistent A point-in-time snapshot but without Provided when:
quiescence. • Guest OS does not have VMware
• Timestamps are consistent Tools installed
• Pending updates for open files are • Guest OS has an out-of-date version
not saved of VMware Tools
• In-flight I/O operations are not
completed
The snapshot can be used to restore
the virtual machine to the same state
that a hard reset would produce.
File system consistent A point-in-time snapshot with Provided when the guest OS has an
quiescence. up-to-date version of VMware Tools
• Timestamps are consistent and:
• Pending updates for open files are • Application consistency is not
saved supported for the guest OS
• In-flight I/O operations are completed • Guest OS is Windows and the RBS
• Application-specific operations may is not installed and registered
not be completed.
Application consistent A point-in-time snapshot with Provided when:
quiescence and application-awareness. • Guest OS is Windows and the RBS
• Timestamps are consistent is installed and registered
• Pending updates for open files are
saved Note: If RBS is not installed and
• In-flight I/O operations are completed registered, application consistent
• Application-specific operations are backups will be attempted using
completed. VMware Tools.
• Guest OS is not Windows, the guest

has an up-to-date version of VMware
Tools. and application consistency is
supported for the guest OS

VMware Tools version

The Rubrik cluster determines whether a guest OS is running the most up-to-date version of
VMware Tools.
The Rubrik cluster requests the status of VMware Tools on a virtual machine from the vSphere
environment. When the vSphere environment replies that a virtual machine is not running the
most up-to-date version of VMware Tools, the Rubrik cluster displays a warning message. Warning
messages provides information about the warning message.
! IMPORTANT
To ensure file system consistent snapshots or application consistent snapshots for a virtual
machine, always install the most up-to-date version of VMware Tools.
For information on installing VMware Tools on a guest OS, see:

https://kb.vmware.com/kb/1014294
The Rubrik cluster supports application consistent snapshots for many guest OS types and
application types.
The Rubrik cluster supports application consistent snapshot for applications such as Microsoft
Exchange Server, Microsoft SQL Server, Microsoft Active Directory, Microsoft SharePoint, and
Oracle Database (RDBMS) running on certain versions of Windows Sever guest OS. To enable
application consistent snapshots for these applications, the RBS must be installed on the guest OS.
For Windows Guest OS, if RBS is not installed but VMware Tools is installed, the Rubrik cluster will
attempt to quiesce the Windows virtual machine using VMware Tools. Application consistency
cannot be assured under these circumstances but it will be attempted.
The Rubrik cluster does not support restore of an application consistent snapshot into an
availability group. Cluster consistency for the availability group cannot be ensured in this situation
and problems may occur.

Specifying crash consistent backups

By default, the Rubrik cluster initiates application consistent backups for a virtual machine when
the environment of the virtual machine meets the requirements of application consistent backups.
To further minimize the impact of virtual machine stun, configure the Rubrik cluster to only run
crash consistent backups of the virtual machine.
To prevent the Rubrik cluster from running application consistent backups of a virtual machine,
change the default behavior by specifying crash consistent backups for that virtual machine.
3. Open the ellipsis menu, and select Configure Application Consistency.
The Configure Application Consistency dialog box appears.
4. Select Crash Consistent.
5. Click Update.
The Rubrik cluster applies the setting to all future backups of the virtual machine.
Linux guest
A Rubrik cluster provides file system consistent snapshots on supported Linux guest OS types.
During snapshot creation, the Rubrik cluster uses VMware Tools to make guest OS kernel level
calls to quiesce (freeze) and to enable (thaw) the guest OS file system.
RBS on a Linux guest

Install the RBS on supported Linux guest OS virtual machines.
By using the RBS, the Rubrik cluster can provide significantly faster file and folder level restore
from indexed snapshots.
While using the RBS to facilitate restore provides performance improvements, using the RBS for
fileset backups of the Linux guest is not recommended. The VADP snapshots of a Linux guest
provide a more efficient method for backing up the Linux guest than the file system scanning
methods used for fileset backups. VADP snapshots only need to ingest changed blocks from the
Linux guest, but fileset backups require a full scan of the file system
Rubrik CDM Version 5.0 User Guide Linux guest 363

To provide performance improvements when restoring data to a Linux guest, install the RBS on
the Linux guest as described in Installing the Rubrik Backup Service software on a Linux or Unix
host.
Windows guest
A Rubrik cluster uses the RBS running on a Windows guest OS to provide application consistent
snapshots for Windows applications. The RBS has an integrated VSS provider to work with VSS on
the Windows OS.
Note: If RBS is not installed but VMware Tools is installed, the Rubrik cluster will attempt to
quiesce the Windows virtual machine using VMware Tools. Application consistency cannot be
assured under these circumstances but it will be attempted.
The RBS can be installed manually or automatically. In order to automatically install the RBS, the
Rubrik cluster must have valid guest OS credentials for the Windows guest and the Admin
Approval Mode must be disabled on the Windows guest.
For supported versions of Microsoft Exchange Server, the RBS truncates the transaction log after a
successful snapshot. Log truncation can significantly reduce the virtual machine space required by
the transaction log.
RBS on a Windows guest

The RBS provides the Rubrik cluster with the ability to provide application consistent snapshots for
Windows guests. The RBS also provides fast performance when restoring files and folders to the
guest.
Rubrik provides automatic upgrade of the RBS software as part of a general upgrade of the Rubrik
cluster software. After upgrading the Rubrik cluster software, the Rubrik cluster automatically
upgrades the RBS software on all protected hosts.
The RBS software can be deployed to Windows guests automatically or manually.
To use the automatic method, complete the task Automatically deploying the RBS.
To use the manual method, complete the following tasks:
 Obtain the RBS software
 Select a qualified account to use when installing the software
 Install the software of the Windows guest
 Register the Rubrik Backup Software instance with the Rubrik cluster
Rubrik CDM Version 5.0 User Guide Windows guest 364

Automatically deploying the RBS

When automatic deploy is enabled, the Rubrik cluster installs and registers the RBS on a
supported Windows guest at the next scheduled or on-demand backup of that Window guest.
After successfully installing the RBS on the Windows guest, all subsequent snapshots of the
Windows guest use the VSS provider that is integrated into the RBS.
1. Disable the Windows ‘Admin Approval Mode’ setting on each Windows guest.
Refer to Microsoft documentation for information on how to disable the Admin Approval Mode
setting.
2. Log in to the Rubrik CDM web UI of the Rubrik cluster.
The Guest OS Settings page opens, with the Guest OS Credentials tab selected.
6. Add a credential.
The credential must provide local administrator permissions for each Windows guest. This can
be provided by one or more separate credentials.
Multiple credentials can be added by click in the blue + sign on the dialog box. The Rubrik
cluster uses each stored credentials until access is obtained.
7. Click Add.
8. Select Connector Settings.
The Connector Settings tab opens.
9. In Rubrik Connector Deployment, select Automatic.
10.Click Update.
The Rubrik cluster stores the credential information. For each qualifying Windows guest, the
Rubrik cluster installs and registers the RBS on the Windows guest the next time a policy-based or
on-demand snapshot is initiated.

Obtaining the RBS software through the Rubrik CDM web UI

Obtain the RBS software from the Rubrik CDM web UI of the Rubrik cluster.
The RBS software can be downloaded directly from the Rubrik cluster when it is needed, or the
software can be downloaded once and pushed to hosts as needed.
! IMPORTANT
The RBS software can only be used with the Rubrik cluster from which the software is
obtained. Each Rubrik cluster generates a copy of the RBS software that includes
authentication information specific to that Rubrik cluster. This method ensures that the
Rubrik cluster and a hosted deployment of the RBS can reliably authenticate each other.

Next task — Install the RBS software on Windows guests.
Obtaining the RBS software by URL

Obtain the RBS software directly by URL. The Rubrik cluster provides a direct URL link for the
software package for Windows hosts.
The RBS software can only be used with the Rubrik cluster from which it is obtained.
2. Access the URL:

Account used to run the RBS on a Windows host

The RBS must run as an account that is a member of the Administrators group of the Windows
Server host.
When first installed, the RBS runs as a LocalSystem account. A LocalSystem account includes the
permissions that are provided by the local Administrators group.
Instead of running the RBS as a LocalSystem account, the RBS can be configured to run as a
member of the local Administrators group.
To run as a member of the local Administrators group, run the RBS as a user account that is one of
the following:
Installing the RBS software on a Windows guest

Install the RBS software to provide the Rubrik cluster with the ability to manage data on the
Windows guest.
Before you begin. Choose or create an account to run the RBS software.
1. Copy RubrikBackupService.zip to a temporary directory on the Windows guest.
• backup-agent.crt, a security certificate for the RBS.
! IMPORTANT
When installing the RBS software, the security certificate file must be in the same folder
as the Windows Installer Package.
Package.
The Windows Installer Package installs the RBS software and incorporates the security
certificate into the installation.
The RBS software can also be push installed on multiple Windows hosts using automation
software, such as Puppet or Chef.

4. (Optional) Change the account used to run the RBS.

Account used to run the RBS on a Windows host describes the account requirements.
Note: The default LocalService account does not provide sufficient privileges to permit the RBS
to access data on network shares.
Next task — Register the Windows guests that are running the Rubrik Backup Software with the
Rubrik cluster.
Registering a guest
After installing the RBS on a guest OS, register the guest with the Rubrik cluster. Registering the
guest allows the Rubrik cluster to manage data on the guest.
Before you begin — Install the RBS software on the guest OS.
3. Open the ellipsis menu, and select Register Rubrik Backup Service.
The Register Rubrik Backup Service modal appears.
4. Click Register.
The Rubrik cluster establishes an authenticated secure connection with the RBS running on the
guest.
Removing the RBS from a Windows host

When the RBS is no longer required on a Windows guest, it can be removed by using standard
Windows commands.
Note: Removing the RBS from a Windows guest also removes the connection between the
Windows guest and the Rubrik cluster. The Rubrik cluster designates any retained snapshots as
relics. Use the Snapshot Retention page to manually manage the relics, as described in Retention
Management.


The uninstaller removes the RBS software. The Rubrik cluster designates any retained snapshots
as relics.
Preserving Windows access control list values

The Rubrik cluster can acquire the access control list (ACL) values for files and folders in a
Windows guest file system. When the ACL values of an object are successfully acquired, the
Rubrik cluster can set the same ACL values on the object as part of a restore or an export.
The Rubrik cluster runs an ‘icacls’ command-line script in a hidden PowerShell session on the
Windows guest to acquire the ACL values for the objects in the Windows guest file system. To
successfully run the script, the requirements specified in Table 76 must be met.
Table 76 Requirements for acquiring Windows guest ACL values
Category Requirement
PowerShell Minimum required version is version 3, preferred is version 4 or newer.
To determine the current version, open a PowerShell window on the guest and type:
$PSVersionTable
PowerShell Must be set to the ‘unrestricted’ PowerShell execution policy.
execution policy To determine the current setting, open a PowerShell window on the guest and type:
Get-ExecutionPolicy
To set the value to unrestricted, type:
Set-ExecutionPolicy unrestricted
.NET Framework Version 4.5 or newer.
Microsoft provides instructions for determining the installed .NET Framework
versions in: How to: Determine Which .NET Framework Versions Are Installed.
When the ‘icacls’ script cannot be run, the Rubrik cluster can still restore objects in the Windows
guest file system, but the ACL values of the source objects will not be preserved in the restored
objects.

On-demand snapshots
snapshot process.
according to the SLA rules of the associated SLA Domain. Warning messages describes how to set
up policy-based snapshots for virtual machines.

Rubrik CDM Version 5.0 User Guide On-demand snapshots 370

Recovering and restoring virtual machine data

protected data.

actions. The Rubrik cluster provides the following recovery actions for virtual machines:
 Instant Recovery
 Live Mount
 Export
Table 77 provides a description of the differences between the available recovery actions.
Table 77 Differences between recovery actions
Source
Name of recovered Power virtual
Action virtual machine Datastore state Network machine
Instant Recovery Assigned the name of the Local Rubrik On Connected Powered off
source virtual machine cluster (Optional) and renamed
Live Mount Compositea Local Rubrik On Disconnected No impact
cluster
Export Composite Datastore of On Disconnected No impact
hypervisor
a. The name of the recovered virtual machine is constructed as follows: name of source virtual machine + time-
stamp of snapshot + incremented integer. For example, the first mount of the snapshot of the virtual machine
“NitroN1” that was created at “08-04 06:48” is named “NitroN1 08-04 06:48 1”.
Rubrik CDM Version 5.0 User Guide Recovering and restoring virtual machine data 371
The recovery actions that the Rubrik cluster provides depend on the data protection object being
used. Table 78 lists the available recovery actions for each type of data protection object.
Table 78 Recovery actions available for data protection objects
Object Available recovery actions
Local snapshot Initiated from the local Rubrik cluster:
• Live Mount
• Export
Replica Initiated from the target Rubrik cluster:
• Live Mount
• Export
Archival snapshot Initiated from the local Rubrik cluster, after the archival snapshot is downloaded to
the local Rubrik cluster:
• Live Mount
• Export

Use the local Rubrik CDM web UI to select a snapshot before applying a recovery action.
Note: Use the search box on the top bar of the Rubrik CDM web UI to directly access the local
host page when the name of the source virtual machine is known.
To work with data from an unmanaged virtual machine, go to the left-side menu and click
Snapshot Retention. Then, continue with the following steps from the Snapshot Retention
page instead of the Virtual Machines page.

The Rubrik cluster retrieves the archival snapshot. Status of the retrieval appears in the Activity
Log. Activity Log describes notifications related to archival tasks.
! IMPORTANT
Manually delete a downloaded archival snapshot that is no longer required on local
storage.
6. Perform one of the available recovery actions on the selected snapshot or restore files and
folders from the selected snapshot.
Selecting a replica
Select a replica from the Rubrik CDM web UI of the replication target Rubrik cluster before
2. On the left-side menu of the Rubrik CDM web UI, click SLA Domains > Remote Domains.
machine.

and selecting an available recovery action (Instant Recovery, Live Mount, or Export). Recovery
using a replica cannot use the Instant Recovery action.
Live migration
After a recovery, the recovered virtual machine can be live migrated using a process such as
VMware Storage vMotion.
After live migration of a virtual machine that was recovered by the Instant Recovery or Live Mount
actions, the Rubrik cluster maintains metadata for the recovered virtual machine that should be
removed.
Delete the metadata for the recovered virtual machine through the Live Mounts page of the Rubrik
CDM web UI by using the Force Delete option, as described in Removing a virtual machine entry
after live migration.
Virtual raw disk mappings

A data protection object from a virtual machine that has a virtual raw disk mapping (vRDM) can be
recovered.
When a virtual machine with vRDM mappings is recovered, the Rubrik cluster converts the vRDM
mappings to VMDKs.
Performing an Instant Recovery

An Instant Recovery replaces the source virtual machine with a fully functional point-in-time copy.
The Rubrik cluster powers off and renames the source virtual machine, and assigns the name of
the source virtual machine to the recovered virtual machine. The Rubrik cluster powers on the
recovered virtual machine and connects the recovered virtual machine to the source network. The
Rubrik cluster is the datastore for the recovered virtual machine.
Selecting a snapshot or an archival snapshot describes the selection task. For archival
snapshots, complete the download steps.
4. Select an ESXi host for the virtual machine.
To search the list of ESXi hosts, enter a search string in the search field.
starting.
6. (Optional) Click Preserve MAC addresses.
Select this option to use the MAC addresses from the snapshot instead of assigning new MAC
addresses.
The Rubrik cluster powers down the source virtual machine and renames it. Then the Rubrik
cluster mounts the snapshot on the selected ESXi host with the name of source virtual machine,
connects the recovered virtual machine to the network, and powers up the virtual machine.
records the final result of the task in the Activity Log. The Rubrik cluster lists the recovered virtual
machine on the Live Mounts page of the Rubrik CDM web UI.
Optionally, at this point the recovered virtual machine can be live migrated back to primary storage
by using a product such as VMware Storage vMotion.
The instantly recovered virtual machine derives protection from parent objects. When the
recovered virtual machine does not derive protection from any parent objects, add it to an SLA
Domain. To protect it using the same SLA rules and policies as the source virtual machine, add the
recovered virtual machine to the original SLA Domain. Or, add the recovered virtual machine to
another SLA Domain.
Creating a Live Mount of a virtual machine snapshot

A Live Mount creates a new virtual machine from a point-in-time copy of the source virtual
machine. The recovered virtual machine uses the Rubrik cluster as its datastore.
The Rubrik cluster assigns the recovered virtual machine a new name and powers on the virtual
machine. The Rubrik cluster does not connect the recovered virtual machine to a network. The
Rubrik cluster sets the protection state of the new virtual machine to Do Not Protect.
3. Click Mount.
4. Select Virtual Machine.
5. Click Next.
The Mount Snapshot dialog box advances to the ‘Target’ state. A list of ESXi hosts appears.
Search the list by entering a text string in the ‘Search’ field.
6. Select a restore target for the virtual machine.
starting.
8. (Optional) Click Preserve MAC addresses.
Select this option to use the MAC addresses from the snapshot instead of assigning new MAC
addresses.
9. Click Mount.
The Rubrik cluster mounts virtual machines on the selected ESXi host with a new name and
powers up the virtual machine. During the process, messages about the status appear in the
Activity Log. The Rubrik cluster records the final result of the task in the Activity Log.
The Rubrik cluster sets the protection state of the Live Mount recovered virtual machine to Do Not
Protect. To protect the new virtual machine, add the virtual machine to an SLA Domain or remove
the individual Do Not Protect assignment to enable the virtual machine to inherit protection
settings.
Creating a Live Mount of a virtual disk snapshot

A Live Mount creates a new virtual disk or disks from point-in-time copies of the disks on a source
virtual machine. The recovered virtual disks use the Rubrik cluster as the datastore.
The Rubrik cluster mounts the virtual disk to an existing virtual machine. The Rubrik cluster sets
the protection state of the new virtual disk to Do Not Protect.
3. Click Mount.
4. Select Virtual Disk.
A list of disks on the virtual machine appears.
5. Select a disk to mount from the list of disks.
To search the list of disks, enter a search string in the ‘Search by Name’ field.
6. Click Next.
The Mount Snapshot dialog box advances to the ‘Target’ state. A list of virtual machine hosts
appears.
7. Select a restore target for the virtual disk from the list of hosts.
To search the list of hosts, enter a search string in the ‘Search by Name’ field.
8. Click Mount.
The Rubrik cluster mounts virtual disks on the selected virtual machine. During the process,
messages about the status appear in the Activity Log. The Rubrik cluster also records the final
result of the task in the Activity Log.
The Rubrik cluster sets the protection state of the Live Mount recovered virtual disk to Do Not
Protect. To protect the new virtual disk, add the virtual disk to an SLA Domain or remove the
individual Do Not Protect assignment to enable the virtual disk to inherit protection settings.
IP address selection for Live Mounts

The Rubrik cluster provisions IP addresses to virtual machine live mounts based on the IP address
of the ESXi host and the routing configuration of the Rubrik cluster. In the absence of other
selection criteria, the Rubrik cluster provisions floating IP addresses preferentially over static IP
addresses. Example 13 describes the creation of a static route for a Live Mount.
Example 13 Creating a static route for a Live Mount

The Rubrik CLI provides several utilities to configure the routing for a Rubrik cluster. See the
Rubrik CLI Guide for a complete description on these commands and for instructions on
connecting to the Rubrik command-line interface.
To show the creation of a new static route, consider the following fictitious environment:
• A Rubrik cluster has a virtual interface defined as ‘bond0.1000’.
• The VLAN interface bond.1000 has no static route currently configured.
Administrator logs in to a node in the cluster over SSH.
Administrator uses the ‘route’ command:
The command displays the kernel routing table.
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.0.0.255 0.0.0.0 UG 0 0 0 bond0
1.2.0.0 0.0.0.0 255.255.0.0 U 0 0 0 bond0.1000
10.0.0.0 0.0.0.0 255.255.0.0 U 0 0 0 bond0
13.4.0.0 10.0.0.254 255.255.0.0 UG 0 0 0 bond0
Administrator uses the ‘add_static_route’ command to add an entry to the kernel routing table. At
the prompts, the administrator enters 12.42.0.0 as the subnet, 255.255.255.0 as the netmask,
bond0.1000 as the interface, and 12.42.1.12 as the gateway:
The CLI command prompts for the entries.
===================
Adding static route
===================
Network: 12.42.0.0
Subnet Mask: 255.255.255.0
Device: bond0.1000
Gateway: 12.42.1.12
Administrator uses the ‘route’ command:
The command displays the new kernel routing table.
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.0.0.255 0.0.0.0 UG 0 0 0 bond0
1.2.0.0 0.0.0.0 255.255.0.0 U 0 0 0 bond0.1000
10.0.0.0 0.0.0.0 255.255.0.0 U 0 0 0 bond0
13.4.0.0 10.0.0.254 255.255.0.0 UG 0 0 0 bond0
12.42.0.0 12.42.1.12 255.255.0.0 U 0 0 0 bond0.1000
The datastore of the selected ESXi host is the datastore for the recovered virtual machine.
3. Click Export.
4. In Choose an ESXi Host, select an ESXi host for the virtual machine.
A list of the datastores that are associated with the select ESXi host appears.
starting.
7. Click Export.
Exporting to a standalone host

A snapshot can be exported to an ESXi host that is not managed by vCenter by temporarily adding
a standalone ESXi host that is not already in the list of ESXi hosts. Snapshots of an existing
vCenter server can be recovered by temporarily using a standalone ESXi host to when the vCenter
server is unavailable. The initial steps are the same as for exporting to a known ESXi host.
3. Click Export.
4. In Choose an ESXi Host, click the plus sign near the upper right to add a standalone ESXi
host for the virtual machine.
The Add ESXi Host dialog box appears.
5. Enter the credentials for the new ESXi host:
• IP address or hostname
• Username of the user
• Password of the user
6. Click Submit to authenticate the new ESXi host.
The new host appears in the alphabetical list of ESXi hosts.
7. Select the ESXi host.
A list of the datastores associated with the new ESXi host appears.
starting.
10.Click Export.
The Rubrik cluster creates a new virtual machine from the snapshot on the selected ESXi host,
transfers the virtual machine files to the datastore, and powers up the recovered virtual machine.
After recovering a snapshot of a vCenter Server or Platform Services Controller, see the
documentation for VMware vCenter to restore an environment based on a vCenter Server image.
Powering off after Instant Recovery or Live Mount

Power off a recovered virtual machine from the Live Mounts page of the Rubrik CDM web UI. The
2. On the left-side menu of the Rubrik CDM web UI, click Live Mounts.
3. Select a recovered virtual machine with the Powered On status.
5. Click Power Off.
6. Click Power Off.
The Rubrik cluster gracefully powers down the selected virtual machine.
Unmounting after Instant Recovery or Live Mount

Unmount a recovered virtual machine from the Live Mounts page of the Rubrik CDM web UI. The
3. Select a recovered virtual machine.
5. Click Unmount.
The confirmation message includes the option Remove local entry after Storage vMotion.
Enable this option to remove a stale entry for a recovered virtual machine that was live
migrated, as described in Removing a virtual machine entry after live migration. Otherwise, the
option is not required.
6. Click Unmount.
The Rubrik cluster removes the selected virtual machine from the ESXi host and deletes the
recovered virtual machine files from the Rubrik cluster datastore. This action does not remove
data protection objects.
also records the final result of the task in the Activity Log.
7. (After all live mounts are removed) Detach the Rubrik cluster datastore devices from the
associated ESXi hosts.
The Rubrik cluster names the datastore devices using the following format:
<IP_NODE>_sdmount
where <IP_NODE> is the IPv4 address of one of the nodes of the Rubrik cluster.
The VMware Knowledge Base article: How to unmount a LUN or detach a datastore device
from ESXi hosts (2004605) describes how to detach a datastore device from an ESXi 5.0 or
newer host.
Removing a virtual machine entry after live migration

After live migration of a recovered virtual machine, for example through the VMware Storage
vMotion process, the Rubrik cluster maintains an entry for the recovered and migrated virtual
machine on the Live Mounts page. Perform this task to remove the entry from the Live Mounts
page.
3. Select a recovered virtual machine that was live migrated.
5. Click Unmount.
6. Select Remove local entry after Storage vMotion.
7. Click Unmount.
The Rubrik cluster removes the metadata associated with the selected virtual machine and
removes the entry for the virtual machine from the Live Mounts page. This action does not remove
data protection objects and does not unmount the recovered and migrated virtual machine.
File and folder restore


machine.
Rubrik CDM Version 5.0 User Guide File and folder restore 383



and folders directly to the source file system.
The Rubrik CDM Compatibility Matrix provides the most up-to-date information about the guest
operating systems supported by this feature.
To successfully restore directly to the source file system the Rubrik cluster must be provided the
following information:
 Resolvable hostname or IP address of the authentication server
 Username of an account with Administrator privileges for the target
 Password for the account
When the Rubrik cluster has previously accepted the guest OS credentials of a guest operating
system, the restore job does not require additional credential information. This feature requires
that the Rubrik cluster has successfully used the guest OS credentials for at least one backup prior
to the restore task. Otherwise, the credentials can be provided through the Restore File dialog
during the restore task.
Guest OS settings describes how to provide guest OS credentials for a guest operating system.

3. Click Restore.
When the Rubrik cluster has previously accepted the guest OS credentials of the host, the
credential fields do not appear.
4. (If available) (Windows only) In Domain, type the resolvable hostname or IP address of the
authentication server for the credential.
When the Windows guest OS performs Workstation Authentication of credentials instead of
Domain Authentication, leave the Domain field empty.
Note: With some ESXi hypervisors, the VMware API requires a single period character in the
Domain field to correctly pass the Workstation Authentication value to the Windows guest.
When an empty Domain field does not provide successful Workstation Authentication with the
Windows guest, add a period character in the Domain field.
For a Linux guest, leave the Domain field empty.

5. (If available) In Username, type a guest OS username for an account with sufficient privileges
on the host.
For a Windows guest, the account must have administrator privileges on the guest.
For a Linux guest, the account must have Write permission for the restore location.
6. (If available) In Password, type the password for the account.
same name.
/home/jsmith/work
be managed through the guest OS credentials page, as described in Guest OS settings.
10.Click Restore.

from any local snapshot, replica, or archival snapshot that was successfully indexed. The guest OS
of the source virtual machine must have a current version of VMware Tools running to enable
successful indexing.
File and folder download links appear in a message in the notification area of the Rubrik CDM web
UI. This message provides a link to the download. The Rubrik cluster also provides the download
link on the Activity Detail dialog box for the download task.

4. Click OK.
5. In the Rubrik CDM web UI Activity Log, a ‘Downloaded’ message appears for the selected file
or folder.


Detail dialog box.
3. Click Download.

setting.
Unmanaged data

Chapter 11
vCloud Director vApps
This chapter describes how to protect and manage data from VMware vCloud Director vApps.
 Overview ............................................................................................................... 391
 Protection hierarchy ................................................................................................ 394
 vCloud Director instances ........................................................................................ 396
 vApp management.................................................................................................. 399
 Recovery and restore of vApp data .......................................................................... 405
Rubrik CDM Version 5.0 User Guide vCloud Director vApps 390
Overview
Rubrik CDM provides SLA Domain protection and data management for VMware vCloud Director
vApps.
When a vCloud Director instance is added to a Rubrik cluster, the Rubrik cluster automatically
discovers all of the components of the vCloud Director deployment, including:
 Organizations
 Organization virtual datacenters
 vApps
 Virtual machines
The components appear in the Rubrik CDM web UI and provide the basis for assigning SLA
Domain protection to the vApps. Rubrik CDM manages and protects the data in vApps using the
same SLA Domain approach that it provides for vSphere virtual machines.
The SLA Domain assignment of a vApp can be derived from a higher level component or the
assignment can be directly specified. Assigning an SLA Domain at a higher level in the
organizational hierarchy, automatically assigns the policies of that SLA Domain to all vApps and
virtual machines that are beneath that level. Assigning an SLA Domain at a lower level in the
hierarchy overrides an assignment made at a higher level. Protection hierarchy describes this
hierarchy-based protection.
The Rubrik cluster provides full protection of vApps, backing up not just virtual machine data but
also vApp data and metadata, including networks, boot order, and access lists.
Rubrik CDM offers the option to enable or disable synchronized snapshots for a vApp. When
enabled, the Rubrik cluster attempts synchronization across the vApp by initiating snapshots of all
virtual machines in a vApp at the same time.
Protection and management features

In addition to full SLA Domain based protection of vApps, other features available for vSphere
virtual machine are also provided for vApps.
Table 79 describes the protection and management features that Rubrik CDM provides for vApps.
Table 79 Protection and management features provided for vApps (page 1 of 2)

Feature Description
Automatic protection vApps automatically derive the SLA Domain assignment made to vCloud Director
objects that are higher in the vCloud Director hierarchy, such as: organizations
and organization virtual datacenters.

Table 79 Protection and management features provided for vApps (page 2 of 2)

Feature Description
Synchronization When the synchronization setting is enabled, the Rubrik cluster requests that the
associated ESXi host initiate snapshots of the vApp virtual machines at the same
time. Actual snapshot start time depends on the availability of ESXi host
resources and the number of virtual machines in the vApp.
Instant Recovery - Full Using Instant Recovery, a protected vApp can be fully recovered from a snapshot
or partial or the vApp can be partially recovered. A partial recovery recovers one or more of
the virtual machines in the protected vApp. In a full or partial Instant Recovery,
the recovered virtual machines use the default storage profile of the organization
virtual datacenter. Optionally, the network interface cards of the recovered virtual
machines can be connected to any existing network.
Export - Full or partial Using Export, a vApp snapshot can be used to fully export a vApp to another
location, or to export one or more of the virtual machines from the vApp. The full
export can include the network configuration of the source vApp:
• Isolated vApp network
• Direct vApp network
• NAT routed network
To establish a direct vApp network or a NAT routed network, the associated
organization network must be available. After setting up the exported vApp
network, Export connects the virtual machine network interface cards to the
network.
Exclude virtual Optionally, individual virtual machines within a vApp can be excluded from
machines snapshots of the vApp.
Exclude VMDKs Optionally, individual VMDKs within a vApp can be excluded from snapshots of
the vApp.
Script support Pre-snapshot and post-snapshot scripts can be set up individually on each virtual
machine in a protected vApp.
File level download and Browse or search for files within a vApp snapshot and restore to the original
restore source location or download from the Rubrik cluster.
Custom reports Rubrik Envision custom object reports and task reports can be filtered for a
specific vCloud Director organization.
On-demand snapshots On-demand snapshots can be initiated for a vApp or for individual virtual
machines within the vApp.
Migration Virtual machine in a vApp that are protected individually can be migrated to
protection through the vApp. Migrating to vApp protection does not require a new
full snapshot of a virtual machine that was previously protected individually.
RBAC support End-users can select only organization virtual datacenters that have been
assigned to them.
Multitenancy support Multitenancy rules only permit tenant organization administrators to work with
assigned vCloud Director hierarchy components. For example, to assign an SLA
Domain to a vApp or to use a organization virtual datacenter as a recovery target
those components must first be assigned to the tenant organization
administrator.

Metadata protection
Rubrik CDM protection of vApps includes the metadata of the vApp.
Table 80 describes the vApp metadata that Rubrik CDM protects.
Table 80 Protected vApp metadata
Metadata Description
Networks Protects both isolated and routed networks. Also, can reconnect restored virtual machines
to the virtual datacenter network if the same network is available at restore time.
Boot order Protects the order that the virtual machines in the vApp are configured to start and stop.
Access list Protects the access list for the vApp.
Limitations
Rubrik CDM support for vApps works within specific limitations.
Table 81 describes the limitations of Rubrik CDM support for vApps.
Table 81 Limitations with vApp support
Limit type Description
Virtual machines in a vApp Maximum of 30 virtual machines in a vApp. To protect a vApp with more than
30 virtual machines, use the exclude function to reduce the number
protected.
Mounts The Rubrik cluster performs all mounts for vApps at the virtual machine level.
Backup exclusion Protection of vApps does not include vCloud Director Object Metadata.
Autodiscovery Rubrik CDM ignores the vCloud Director auto discovery feature.
Multitenancy and RBAC

Rubrik clusters supports role based access control and multitenancy deployments for vCloud
Director vApps.
User rights can be granted at the vApp level by using the privilege workflow that is described in
User Accounts.
vCloud Director organizations and vApps can be assigned to specific tenant by using the create or
modify tenant organization workflow described in Multitenant Organizations.

Protection hierarchy
SLA Domain protection can be applied to virtual machines within vApps by assigning the SLA
Domain at several different levels in the vCloud Director hierarchy. Protection can also be applied
by assigning an SLA Domain to an individual virtual machine within a vApp.
Figure 4 depicts the protection hierarchy – the hierarchical levels in a vCloud Director deployment
at which SLA Domain protection can be specified.
Figure 4 Protection hierarchy
Organization Virtual Data Center 1
vApp vApp vApp
VM VM VM VM VM VM
1
vCloud Director Instance
VM VM VM VM VM VM
2
Organization 1
3 Organization Virtual Data Center 2
vApp vApp vApp

Organization 2
VM VM VM VM VM VM
VM VM VM VM VM VM
Organization Virtual Data Center 3 Organization Virtual Data Center 4

4
vApp vApp vApp vApp vApp vApp
5
VM VM VM VM VM VM VM VM VM VM VM VM
VM VM VM VM VM VM VM VM VM VM VM VM
1. Protection at the vCloud Director instance level.

The Rubrik cluster applies the policies of the specified SLA Domain to all virtual machines
within the organizations controlled by the vCloud Director instance.
2. Protection at the organization level.
within the organization. Assigning an SLA Domain at this level overrides an SLA Domain
assignment at the vCloud Director instance level.
Rubrik CDM Version 5.0 User Guide Protection hierarchy 394

3. Protection at the organization virtual datacenter level.

within the organization virtual datacenter. Assigning an SLA Domain at this level overrides an
SLA Domain assignment at the vCloud Director instance level and the organization level.
4. Protection at the vApp level.
within the vApp. Assigning an SLA Domain at this level overrides an SLA Domain assignment at
the vCloud Director instance level, the organization level, and the organization virtual
datacenter level.
5. Protection at the virtual machine level.
The Rubrik cluster applies the policies of the derived or individually assigned SLA Domain
assignment to the specified virtual machine. Essentially, the Rubrik cluster ignores that the
virtual machine is part of a vApp. To do this, delete the vCloud Director instance from the
Rubrik cluster.
Interaction with vSphere protection hierarchy

An SLA Domain assignment made through the vCloud Director hierarchy prevents an SLA Domain
assignment through the vSphere hierarchy and overrides an existing assignment in the vSphere
hierarchy.
After an SLA Domain has been assigned to a vApp, either directly or through the vCloud Director
hierarchy, an SLA Domain cannot be assigned to the virtual machines in that vApp through the
vSphere hierarchy. Also, the SLA Domain assignment to the vApp overrides any existing SLA
Domain assignment made through the vSphere hierarchy for the virtual machines in the vApp.
Migration from virtual machine level protection

Virtual machines that are protected through an individual SLA Domain assignment can be moved
to protection through a containing vApp.
A virtual machine that is part of a vApp and has been protected outside of the vApp through an
SLA Domain assignment (derived or individual) can be migrated to be protected by snapshots of
the vApp. The existing snapshots of the virtual machine remain available, subject to their assigned
SLA Domain policies. The Rubrik cluster does not require a new full snapshot of the virtual
machine after migrating to vApp protection of the virtual machine.
Rubrik CDM Version 5.0 User Guide Protection hierarchy 395

vCloud Director instances

A Rubrik cluster works with vApps through vCloud Director instances.
Start working with vApps by providing access to a vCloud Director instance. Multiple vCloud
Director instances can be added to a Rubrik cluster.
After access is provided, the Rubrik cluster queries the vCloud Director instance and populates the
Rubrik CDM web UI with the instance hierarchy, including all vApps. The Rubrik CDM web UI
provides a view for each of the following levels of the hierarchy:
 vCloud Director instance
 vCloud Director organization
 Organization virtual datacenter
 vApps
For vCloud Director instances added to the Rubrik cluster, the Rubrik CDM web UI provides the
actions described in Table 82.
Table 82 Actions for vCloud Director instances
Action Description
Refresh Use the refresh action to request that the Rubrik cluster query the vCloud Director instance
for the most recent vApp information.
Edit Use edit to make changes to the account information for the selected vCloud Director
instance.
Delete Use delete to remove a vCloud Director instance. The Rubrik cluster marks the vApps from
that vCloud Director instance as relics. The Rubrik cluster no longer protects the vApps.
Adding a vCloud Director instance

To add a vCloud Director instance to a Rubrik cluster provide account information for the vCloud
Director instance.
3. Click vCD Instances.
The vCD Instances page appears.
The Add vCD Account dialog box appears.
Rubrik CDM Version 5.0 User Guide vCloud Director instances 396
5. In vCD Server Hostname, type the FQDN of the computer that hosts the vCloud Director
instance.
Use the format: vcdhost.example.com
6. In Username, type the name of an administrator account on the vCloud Director instance.
7. In Password, type the account password.
8. (Optional) Click Advanced Setting to add a certificate for TLS validation.
The dialog box expands to show the Trusted Root Certificate box.
9. In Trusted Root Certificate, paste the trusted root certificate of the vCloud Director
instance.
10.Click Add.
The Rubrik cluster adds the vCloud Director instance. After establishing a connection and
successfully completing authentication, the Rubrik cluster queries the vCloud Director instance for
all vApp information.
Refreshing vCloud Director instances

Refresh one or more vCloud Director instances to obtain the most recent vApp information for
those instances.
4. Select one or more vCloud Director instances.
5. Click the ellipsis on the title bar of the vCD Instance page.
6. Click Refresh vCD Instance.
The Rubrik cluster queues a task to refresh each selected vCloud Director instance.
Editing a vCloud Director instance

Edit a vCloud Director instance to make changes to the account information provided for that
vCloud Director instance.
4. Click the ellipsis next to a vCloud Director instance.
5. Click Edit.
The Edit vCD Account dialog box appears.
6. Make changes to the account information.
7. Click Update.
The Rubrik cluster stores the new account information and queues a task to refresh the selected
vCloud Director instance.
Deleting a vCloud Director instance

Remove vApp protection by deleting a vCloud Director instance from the Rubrik cluster. The Rubrik
cluster marks the vApps from that vCloud Director instance as relics.
4. Click the ellipsis next to a vCloud Director instance.
5. Click Delete.
6. Click Delete.
The Rubrik cluster deletes the account information for the vCloud Director instance and marks all
vApps from that instance as relics.
vApp management
After a vCloud Director instance is added, the Rubrik cluster provides methods for finding, viewing,
and protecting the vApps.
When the Rubrik cluster finishes querying the vCloud Director instance, the vApps and hierarchical
information appear on the vCD vAps page. From the vCD vApps page, or the local page for a
vApp, the Rubrik cluster can perform the tasks listed Table 83.
Table 83 Tasks available for vApps page
Task Description
Find a vApp View the listing for a specific vApp and use the listing to access the local page for
the vApp.
View the hierarchy View each part of the vCloud Director hierarchy that leads to any vApp.
Enable Enable synchronization for a vApp to request that the Rubrik cluster initiate
synchronization snapshots of all of the virtual machines in a vApp at the same time.
Exclude a virtual Select a vApp virtual machine and exclude it from all snapshots of the vApp.
machine
Perform virtual Select a vApp virtual machine and perform standard Rubrik CDM tasks with it:
machine tasks • Configure the application consistency setting
• Set up a pre-script and a post-script
• Exclude VMDKs from snapshots of the virtual machine
• Register the Rubrik Backup Service after it is installed on the virtual machine
Protect a vApp Assign the data protection policies of an SLA Domain to the vApp. The SLA
Domain can be inherited from any of the levels of the hierarchy or directly assigned
to the vApp.
Take an on-demand Initiate an on-demand snapshot of the selected vApp and assign the policies of any
snapshot SLA Domain to that snapshot.
Finding a vApp through global search

Go directly to the local page for a vApp by using the Rubrik CDM web UI global search field.
2. In Search by Name or Location, at the top of the Rubrik CDM web UI, type the name of the
vApp.
A portion of the name can be typed. The Rubrik cluster lists all objects that have a name that
matches the string that is typed.
3. When the name of the vApp appears in the search results, click the name.
The local page for the selected vApp appears.
Rubrik CDM Version 5.0 User Guide vApp management 399

Finding a vApp through vApp search

Find the listing for a vApp by using the vApp only search field on the vCD vApps page.
2. On the left-side menu, click Virtual Machines > vCD vApps.
The vApps page appears with the vApps tab selected.
3. Type the name of the vApp in the Search by Name field.
A portion of the name can be typed. The Rubrik cluster lists all vApps that have a name that
matches the string that is typed.
Finding a vApp through the vCD Organizations view

Find the listing for a vApp by using the vApp only search field on the vCD vApps page.
3. Click vCD Organizations.
The vCD Organizations tab appears.
4. In the Name column click each object in the hierarchy of the vApp until the vApp appears.
Opening the local page for a vApp

The local page of a vApp provides information about the SLA Domain assignment, virtual
machines, activities, and snapshots for a vApp. The local page also provide access to actions for
the vApp and the virtual machines in the vApp.
2. Use one of the provided methods to locate the listing for the vApp.
An alternative method, to go directly to the local page for a vApp, is to type the name of the
vApp in the global search box on the top bar of the Rubrik CDM web UI and select the vApp
from the results list.
3. In the Name column, click the name of the vApp.
The local page for the vApp appears.

Enabling synchronization
For a vApp that contains more than one virtual machine, enable synchronization to request that
the Rubrik cluster initiate snapshots of all of the virtual machines at the same time.
2. Open the local page of the vApp that contains the virtual machine.
Opening the local page for a vApp describes how to open the local page for the vApp.
3. Click the ellipsis on the title bar of the local vApp page.
4. Click Enable Synchronization.
5. Click Enable.
The Rubrik cluster enable synchronization for the vApp.
Excluding a virtual machine

Exclude a virtual machine from the snapshots of the containing vApp.
4. Click Exclude VMs.
The Exclude VMs dialog box appears.
Multiple virtual machines can be selected.
6. Click Exclude.
The selected virtual machines are excluded from snapshots of the vApp. After being excluded from
the vApp snapshots, the virtual machines start deriving SLA Domain protection through the
vSphere hierarchy.

Including an excluded virtual machine

Include a virtual machine, that was previously excluded, back into the snapshots of the containing
vApp.
4. Click Exclude VMs.
The Exclude VMs dialog box appears.
5. Clear the selection for a virtual machine.
Multiple virtual machines can be cleared.
6. Click Update.
The selected virtual machines are included in snapshots of the vApp.
Performing tasks with a vApp virtual machine

Perform the Rubrik CDM tasks that are available for vSphere virtual machines with a vApp virtual
machine. The tasks are: Configure Application Consistency, Configure Pre/Post Scripts, Exclude
VMDKs, and Register the Rubrik Backup Service.
3. On the Virtual Machines card, click the ellipsis menu next to a virtual machine entry.
4. Select one of the virtual machine tasks.
Choose one of the following tasks:
• Configure Application Consistency
• Configure Pre/Post Scripts
• Exclude VMDKs
• Register the Rubrik Backup Service

5. Complete the selected task.

The following sections describe the tasks:
• Specifying crash consistent backups
• Enabling scripts
• Excluding VMDK files of a virtual machine
• Registering a guest
Protecting a vApp through the vCloud Director hierarchy

Assign an SLA Domain to an object in the protection hierarchy of a vApp to begin protecting it. The
vApp derives protection from the next higher object in the hierarchy, that has an assigned SLA
Domain.
Protection hierarchy describes the objects that a vApp can derive protection from.
3. Click vCD Organizations.
The vCD Organizations tab appears.
4. In the Name column click each object in the hierarchy until the object appears.
5. Select the object.
Manage Protection options describes the options that are available in this dialog box.
8. Click Submit.
The Rubrik cluster assigns the SLA Domain to the vApp.

Protecting a vApp through the vApps tab

Assign an SLA Domain directly to a vApp through the vApps tab. A individual assignment of an SLA
Domain to a vApp takes precedence over any derived assignment.
3. Select a vApp.
Multiple vApps can be selected to apply a single SLA Domain assignment to the group.
6. Click Submit.
The Rubrik cluster assigns the SLA Domain to the selected vApps.
Protecting a vApp through the local page

Assign an SLA Domain directly to a vApp through the local page of the vApp. A individual
assignment of an SLA Domain to a vApp takes precedence over any derived assignment.
6. Click Submit.
The Rubrik cluster assigns the SLA Domain to the vApp.

Taking an on-demand snapshot of a vApp

Taking an on-demand snapshot of a vApp can be used to capture the vApp at specific point in time
and to manage the selected snapshot using the policies of an SLA Domain that is different from
the one assigned to the vApp.
To manually manage the snapshot as an Unmanaged Object, select Forever instead.
The Rubrik cluster creates an on-demand snapshot of the vApp and assigns it to the selected SLA
Domain.
Recovery and restore of vApp data

Use Instant Recovery, Export, or file level recovery to recover data from a vApp snapshot.
Table 84 describes the recovery operations that can be performed with vApp data.
Table 84 Recovery operations
Operation Description
Instant Recovery Fully or partially replace all of the virtual machines in the source vApp. Optionally,
install the virtual machine NICs unmapped or mapped, or delete all NICs.
Export Fully or partially export the vApp as a new vApp or into an existing vApp.
File level recovery Recover folders and files from virtual machines in a vApp through:
• Download through a web browser
• Overwrite of the source files
• Restore to a separate folder
Rubrik CDM Version 5.0 User Guide Recovery and restore of vApp data 405
Table 85 describes the network choices that can be made during Instant Recovery and Export.
Table 85 Network options during Instant Recovery and Export
Option Description
No mapping NICs in the recovered or exported virtual machines are restored with the settings
that they had at the time of the snapshot.
Delete NICs of all VMs The Rubrik cluster deletes the NICs from each virtual machine that is part of the
recovery or export operation.
Advanced Individually assign the NICs in each virtual machine that is part of the recovery or
export operation to any of the available networks in the organization.
Recovery workflow
Recovery provides a way to replace a virtual machine in a vApp with a snapshot of the virtual
machine from a snapshot of the vApp. An entire vApp or one or more virtual machines in a vApp
can be replaced through recovery.
Recovery of a vApp can be either:
Full – all of the vApp virtual machines and metadata are restored to replace the source vApp.
Partial – one or more selected virtual machines and their metadata are restored to the source
vApp.
Recovery can only be used to replace a virtual machine that exists in the target vApp. To restore a
virtual machine that does not exist in the target vApp, use Export.
To recover a virtual machine, the Rubrik cluster performs the following tasks:
1. Remove the virtual machine from the inventory of the vCenter Server.
The virtual machine is not removed from the datastore.
vCloud Director lists the removed virtual machine as missing from the vApp.
2. The Rubrik cluster mounts the snapshot of the virtual machine using the Rubrik cluster as the
datastore and adds the virtual machine to the vCenter Server.
Using the cloud.uuid field, the vCloud Director recognizes the mounted virtual machine and
establishes the link to the vApp.
3. The Rubrik cluster configures the network connections for the virtual machine.
4. (Optional) The Rubrik cluster powers on the virtual machine.
5. When the virtual machine is powered on, the Rubrik cluster initiates Storage vMotion to move
the datastore to a datastore in the vCloud Director.
If the Storage vMotion fails and the virtual machine was powered on after being mounted, the
Rubrik cluster maintains the Live Mount of the virtual machine and sends an email to the global
admin.
If there is a failure anywhere in the process, other than during Storage vMotion, the Rubrik cluster
adds the source virtual machine back to the vCenter Server. Normally, vCloud Director will link the
source virtual machine back into the vApp.
Performing an Instant Recovery of a full vApp

Use Instant Recovery to recover all of a vApp from a snapshot.
4. On the snapshots card, select a date with a snapshot.
5. In the Day view, open the ellipsis menu for a snapshot.
7. In Type, select Full vApp.
8. Click Next.
The Recovery Options panel appears.
9. (Optional) Click Manually power on vApp.
The Rubrik cluster powers on all of the virtual machines in the recovered vApp.
10.In NIC Mapping, choose one of the available options.
Choose:
• No Mapping
• Delete NICs of all VMs
• Advanced
11.(Advanced only) In Network, for each virtual machine NIC, select a network.
12.Click Finish.
The Rubrik cluster performs the actions described in Recovery workflow.
Performing an Instant Recovery of a partial vApp

Use Instant Recovery to recover some of the virtual machines in a vApp from a snapshot.
7. In Type, select Partial vApp.
A list of the virtual machines in the vApp snapshot appears.
8. Select the virtual machines to include in the Instant Recovery.
9. Click Next.
10.(Optional) Click Manually power on vApp.
11.In NIC Mapping, choose one of the available options.
Choose:
• No Mapping
• Advanced
13.Click Finish.
The Rubrik cluster performs the actions described in Recovery workflow.
Exporting a full vApp

Use Export to use a vApp snapshot to create a new vApp.
6. Click Export.
7. In Type, select Full vApp.
8. Click Next.
9. On the Destination pane, select the vCloud Director instance for the new vApp.
10.Select the organization for the new vApp.
11.Select the organization virtual datacenter for the new vApp.
12.Click Next.
14.In NIC Mapping, choose one of the options.
Choose:
• No Mapping
• Advanced
16.In Storage Profile, choose one of the options.
Choose:
• Default
• Custom
17.(Custom only) For each listed virtual machine, select a storage profile.
18.Click Finish.
The Rubrik cluster uses the data in the selected vApp snapshot to create the new vApp.
Exporting a partial vApp

Use Export to use some of the virtual machines from a vApp snapshot to create a new vApp or to
add to an existing vApp.
6. Click Export.
7. In Type, select Partial vApp.
8. In Target, select one of the options.
Choose:
• New vApp
• Existing vApp
9. Click Next.
10.On the Destination pane, select the vCloud Director instance for the export.
11.Select the organization for the export.

12.Select the organization virtual datacenter for the export.
13.(Export to existing vApp only) Select the existing vApp.
14.Click Next.
16.In NIC Mapping, choose one of the options.
Choose:
• No Mapping
• Advanced
18.In Storage Profile, choose one of the options.
Choose:
• Default
• Custom
19.(Custom only) For each listed virtual machine, select a storage profile.
20.Click Finish.
The Rubrik cluster uses the data in the selected vApp snapshot to create a new vApp or to add to
the selected existing vApp.
Recovering folders and files for download

Recover folders and files from one of the virtual machine snapshots in a vApp snapshot and
download them through a web browser.

6. Click Recover Files.
The Choose the VM to browse dialog box appears.
7. Select a virtual machine to browse for files.
The Recover Files dialog box appears.
9. (Optional) In the list view, select folders and files at the top level of the virtual machine.
10.(Optional) Use the Search field to find and select folders and files at any level in the file
system.
Selected folders and files appear in Selected and can be removed by clicking X next to a
selection.
11.Click Next.
12.On the Recover Files pane, in Recovery Type, select Download.
13.Click Finish.
The Rubrik cluster creates a ZIP file with the selected folder and files.
14.In the Rubrik CDM web UI Notifications area, a ‘Downloaded’ message appears.
15.Click the message.
16.Select a download location for the file, and click Save.
The web browser retrieves the zip file from the Rubrik cluster and saves it to the selected location.
Recovering folders and files to overwrite originals

Recover folders and files from one of the virtual machine snapshots in a vApp snapshot to
overwrite the original folders and files on the source virtual machine.
system.
selection.
11.Click Next.
12.On the Recover Files pane, in Recovery Type, select Overwrite original.
13.In Recovery Method, choose an option.
Choose:
• Use Rubrik Backup Service
• Use VM tools
14.(Use VM tools only) In Service Credential, provide the domain, username, and password for
an account on the source virtual machine that has write permissions for the recovery paths.
15.(Optional for Use VM tools only) Select Store as Service Credentials for All VMs.
16.Click Finish.
The Rubrik cluster writes the recovered folders and files from the snapshot into the specified
folder, preserving the hierarchy.
Recovering folders and files to a new location

Recover folders and files from one of the virtual machine snapshots in a vApp snapshot to a new
location on the source virtual machine.
system.
selection.
11.Click Next.
12.On the Recover Files pane, in Recovery Type, select Restore to separate folder.
13.In Folder Path, type a full path to a folder for the recovery.
The Rubrik cluster creates the folder if it does not exist at the specified location.
14.In Recovery Method, choose an option.

Choose:
• Use Rubrik Backup Service
• Use VM tools
15.(Use VM tools only) In Service Credential, provide the domain, username, and password for
an account on the source virtual machine that has write permissions for the recovery paths.
16.(Optional for Use VM tools only) Select Store as Service Credentials for All VMs.
17.Click Finish.
The Rubrik cluster writes the recovered folders and files from the snapshot into the specified
folder, preserving the hierarchy.
Chapter 12
CloudOn for AWS
This chapter describes how to use the Rubrik CloudOn for AWS feature.
 Overview ............................................................................................................... 417
 Configuration and setup workflow ............................................................................ 422
 Permissions ............................................................................................................ 422
 VM Import service role ............................................................................................ 429
 Security group ........................................................................................................ 429
 Cloud conversion settings ........................................................................................ 431
 Cloud instance management.................................................................................... 435
Rubrik CDM Version 5.0 User Guide CloudOn for AWS 416
CloudOn for AWS
Overview
Rubrik CloudOn for AWS converts a local or archived snapshot into an Amazon Machine Image
(AMI) that is used to launch an EC2 instance. Rubrik supports instantiating on-premise VMware
virtual machines to AWS. Rubrik also supports instantiating Hyper-V virtual machines to AWS.
Contact Rubrik Support to enable this capability on your Rubrik cluster.
Support describes how to contact Rubrik Support.
Rubrik CloudOn for AWS supports the following scenarios:
 Instantiating of VMware virtual machine for testing and development – Launch on-premise
virtual machines to enable sandbox testing and development needs in AWS.
 Migrating on-premise virtual machines to AWS – Lift-and-shift migration of virtual machines to
AWS.
 Disaster recovery (DR) to AWS – Failover to AWS using archived data when the on-premise
data center fails.
Prerequisites
Before deploying a virtual machine using AWS CloudOn, meet all preliminary requirements.
For successful deployment of AWS CloudOn, ensure that the following prerequisites are met:
 Rubrik uses the AWS VM Import Service to convert an on-premise VMware virtual machine to
an AMI. Therefore, all the prerequisites and limitations applicable to AWS VM Import/Export
service are also applicable to Rubrik CloudOn for AWS. Ensure that the source virtual machine
meets the Import/Export Requirements specified on the following Amazon documentation
page:
VM Import/Export Requirements
 Virtual machine import supports ENA drivers for Linux. ENA support will be enabled only when
the original virtual machine has ENA and/or NVMe drivers installed. Rubrik recommends the
installation of the latest drivers. Install ENA drivers on the Linux source virtual machines if you
wish to use an AWS instance type that uses ENA by default.
 AWS accounts and archive location setup
Follow the steps in the following sections to configure resources on all combinations of AWS
accounts and regions.

CloudOn for AWS
 VPC connectivity to the on-prem network hosting the Rubrik cluster

There are three ways to establish connectivity between the on-premise network and the VPC in
AWS
• Public IP address and Internet gateway
• Private IP address and NAT instance
• Private IP address and NAT gateway
To override using a private IP and communicate with the Rubrik cluster over a public IP, contact
Rubrik Support.
• Connectivity to S3
If public internet is not available on the VPC, Rubrik recommends that you configure an S3
VPC endpoint to the VPC. This VPC endpoint secures the access to S3 without public
internet access. Information on how to configure an S3 VPC endpoint can be found at:
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints-s3.html
If the S3 bucket is encrypted with KMS and VPC does not have internet connectivity, Rubrik
recommends adding the KMAS endpoint to the VPC. Information on how to configure an
AWS endpoint on a VPC can be found at:
https://docs.aws.amazon.com/kms/latest/developerguide/kms-vpc-endpoints.html
When a VPC is configured to provide access from the Rubrik cluster to S3, the Rubrik cluster
prompts for the VPC ID of the VNet and the subnet ID of a subnet within the VPC.
Information about VPC can be found at:
https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html#what-is-vpc-sub
net

CloudOn for AWS
 Security group
Create a security group with appropriate rules, as described in Creating a security group for
AWS CloudOn. This enables secure access to the transient instance within the VPC that the
customer specified.
 IAM roles
• Create one IAM role for all CloudOn permissions. Information about IAM roles can be found
at:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html
• Create a virtual machine import service role to download disk images from an Amazon S3
bucket, as described in VM Import service role. Information on how to create a virtual
machine import service role can be found at:
https://docs.aws.amazon.com/vm-import/latest/userguide/vmimport-image-import.html
 Pre-configuration on source virtual machine
Pre-configure the source virtual as described in Table 86.
Table 86 Source virtual machine pre-configuration
Setting Description
Linux configuration • Enable secure shell for remote access.
• Ensure that the host firewall (such as Linux iptables) grants access to SSH.
• Ensure that the Linux virtual machine has GRUB or GRUB2 as its
bootloader.
• Ensure that there is 500 MB space on the root disk.
Windows configuration • Enable Remote Desktop Protocol (RDP).
• Ensure that the RDP port is enabled on the firewall.
• For instantiation, ensure that there is 900 MB free space on the root disk.
 Supported and unsupported virtual machine configurations

Table 87 describes the supported and unsupported virtual machine configurations.
Table 87 Supported and unsupported virtual machine configuration
Setting Description
Supported disk partitioning scheme • Master Boot Record (MBR) and GUID partition table
on both Windows and Linux.
Supported file systems • Windows - NTFS
• Linux - EXT3, EXT4, XFS

CloudOn for AWS

Setting Description
Supported OS disk formats • Standard
• LVM
• LDM
Supported boot volume • Boot volume using MBR partitioning cannot exceed 2
TB.
Supported non-boot volume • Non-boot volumes using GPT cannot exceed 4 TB.
Supported single disk size • Cannot exceed 4 TB for instantiations.
Supported number of disks on virtual machines • Virtual machines with up to 10 Disks can be
instantiated.
Supported Windows language packs • English
Unsupported virtual machine configurations • Virtual machines with 32-bit configuration
• Desktop OS
• UEFI/EFI boot partitions
• Incremental conversion to enable faster RTOs is not
supported on Linux virtual machines in AWS and
Windows virtual machines in Azure
• Multiple network interfaces
• Virtual machines with encrypted root disk
• Custom kernel
AWS AMI tags

Your AWS console can be used to find all resources created with your AWS account as part of
CloudOn. Rubrik tags all resources with the following keys and value pairs.
The CloudOn for AWS feature also uses AMI tags to store information in resources relevant for the
cluster.
Table 88 describes the tags that the feature adds.
Table 88 AMI tags (page 1 of 2)
Tag Description
rk_cluster_id The user friendly name of the source virtual machine. This name is the same for
all resources that are launched within the same cluster. However, this does not
include instances launched by another Rubrik reader cluster or promoted owner
cluster.
rk_job_id The job ID used when launching the resources.
rk_instance_class Transient Rubrik Bolt Instance

CloudOn for AWS
Table 88 AMI tags (page 2 of 2)

Tag Description
rk_version The cluster version when the resource is launched.
rk_host_name The name of the vCenter Server, SCVMM host, or Hyper-V host.
rk_snapshot_time The 13 digit Unix Epoch timestamp for the time at which the AMI was created.
rk_snappable_id The ID of the data source,
rk_object_name The name of the data source.
snappable_type The type of the data source.
The CloudOn for AWS feature also adds tags to transient compute instances that are launched in
your AWS account to perform conversion of virtual machines.
The table below describes the tags that are added to transient compute instances used to convert
Windows virtual machines in AWS.
Table 89 describes the tags that are added to transient compute instances used to convert
Windows virtual machines in AWS.
Table 89 Transient compute instance tags (page 1 of 2)
Resource Tag Key Tag Value
Bolt and Converter Instance rk_instance_class TransientStormInstance
storm_type BOLT/LINC/WINC
rk_storm_instance_handle_id storm_handle_id
EBS volumes created by Rubrik rk_instance_class CloudSnapshotBasedVolume/Em
ptyVolume
rk_snappable_id snappable_id
rk_object_name snappableName
rk_instance_class VolumeGeneratedCloudSnapshot
Temporary instance, AMI and rk_instance_class ImageConversionTemporaryInsta
instance launched nce
provider provider_id
rk_requester_id user-id who launched the job
rk_snappable_id snappable_id
rk_snapshot_id snapshotId

CloudOn for AWS
Table 89 Transient compute instance tags (page 2 of 2)

Resource Tag Key Tag Value
rk_host_name vcenterName
rk_snapshot_time snapshot time
location_unique_id uniqueLocationId
snappable_type snappableType
Configuration and setup workflow

Successful implementation of AWS CloudOn requires the completion of the configuration and
setup tasks in the specified order.
Complete all of the tasks in the following workflow to enable AWS CloudOn:
1. Enable all of the required permissions.
• Create an S3 bucket for archiving and cloud instantiation.
• Create a security policy for cloud instantiation.
• Create a user account with access to the selected bucket.
2. Create and configure a VM Import service role.
3. Obtain access to the Rubrik AMI.
4. Create a security group.
5. Assign the security group to the archival location object on the Rubrik cluster.
Permissions
AWS CloudOn requires a bucket level and site level security policy, and a user account with access
to the specified bucket.
The process of preparing the required AWS objects is similar to the process described in Preparing
to use Amazon S3 as an archival location. The main difference is the additional set of permissions
that must be granted by the security policy that is used for cloud instantiation.
Instead of creating a new bucket for cloud instantiation, a bucket that is already in use as an
archival location can be used. To use an existing bucket, modify the security policy that is applied
to the existing bucket and provide the additional permissions described in Creating a security
policy for AWS CloudOn.
Rubrik CDM Version 5.0 User Guide Configuration and setup workflow 422
CloudOn for AWS
Creating an S3 bucket for archiving and cloud instantiation

Create an Amazon S3 bucket to use as the target for archiving and for cloud instantiation.
1. Log in to your AWS account.
2. In the AWS Services list, in the Storage section, select S3.
The Amazon S3 page appears.
3. Click + Create bucket.
The Create bucket modal appears.
4. In Bucket name, type a name for the new bucket.
To see the bucket naming requirements, click the information icon next to the Bucket name.
5. In Region, select the region for the bucket.
6. Click Create.
AWS creates the new bucket, and the bucket appears in the list.
7. Select the new bucket.
A dialog box with the properties, permissions, and management values for the bucket appears.
8. Click Copy Bucket ARN.
9. Paste the Bucket ARN into a plain text scratch file.
Keep this scratch file for use in later tasks.
10.Close the dialog box.
Creating a security policy for AWS CloudOn

Create a security policy for the selected bucket. Include the permissions that are required for cloud
instantiation.
2. In the AWS Services list, in the Security, Identity & Compliance section, select IAM.
The Identity and Access Management page appears.
3. On the left-side menu, select Policies.
4. Click Create policy.
The Create Policy workspace opens with the Visual Editor tab active.
5. Click the JSON tab.
The JSON text editor appears.
Rubrik CDM Version 5.0 User Guide Permissions 423

CloudOn for AWS
6. Paste the JSON text from the following into the JSON editor.
Size constraints in the formatting of this PDF force the JSON example in this guide to break into
two parts. Paste the entire permission sets into the JSON editor. Alternately, copy the text from
the S3 Security Policy Example.1
When a KMS key is used, the following permission set for an IAM Policy for CloudOn with
permissions to add archival locations using a KMS key is required:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:GenerateDataKey",
"kms:DescribeKey",
"ec2:DescribeInstances",
"ec2:CreateKeyPair",
"ec2:CreateImage",
"iam:CreateRole",
"ec2:CopyImage",
"iam:PutRolePolicy",
"ec2:DescribeSnapshots",
"ec2:DeleteVolume",
"ec2:StartInstances",
"ec2:DescribeVolumes",
"ec2:DescribeExportTasks",
"ec2:DescribeAccountAttributes",
"ec2:ImportImage",
"ec2:DescribeKeyPairs",
"ec2:DetachVolume",
"ec2:CancelExportTask",
"ec2:CreateTags",
"ec2:RunInstances",
"ec2:StopInstances",
"ec2:CreateVolume",
1. The S3 security policy example is available on GitHub at:

https://raw.githubusercontent.com/rubrik-devops/aws-cloud-on/master/s3_security_policy.json

CloudOn for AWS
"ec2:DescribeImportSnapshotTasks",
"ec2:DescribeSubnets",
"ec2:AttachVolume",
"ec2:DeregisterImage",
"ec2:ImportVolume",
"ec2:DeleteSnapshot",
"ec2:DeleteTags",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeAvailabilityZones",
"ec2:CreateSnapshot",
"ec2:ModifyInstanceAttribute",
"ec2:DescribeInstanceStatus",
"ec2:CreateInstanceExportTask",
"ec2:TerminateInstances",
"ec2:ImportInstance",
"s3:CreateBucket",
"s3:ListAllMyBuckets",
"ec2:DescribeTags",
"ec2:CancelConversionTask",
"ec2:ImportSnapshot",
"ec2:DescribeImportImageTasks",
"ec2:DescribeSecurityGroups",
"ec2:DescribeImages",
"ec2:DescribeVpcs",
"ec2:CancelImportTask",
"ec2:DescribeConversionTasks"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:ListBucket",
"s3:DeleteObject",
"s3:GetBucketLocation",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts",
"s3:RestoreObject"
],
"Resource": [

CloudOn for AWS
"arn:aws:s3:::*"
]
}
]
}
When a RSA key is used, the following permission set for an IAM Policy for CloudOn with
permissions to add archival locations using a RSA key is required:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:CreateKeyPair",
"ec2:CreateImage",
"iam:CreateRole",
"ec2:CopyImage",
"iam:PutRolePolicy",
"ec2:DeleteVolume",
"ec2:DescribeExportTasks",
"ec2:DescribeAccountAttributes",
"ec2:ImportImage",
"ec2:DetachVolume",
"ec2:CancelExportTask",
"ec2:CreateTags",
"ec2:RunInstances",
"ec2:CreateVolume",
"ec2:DescribeImportSnapshotTasks",
"ec2:AttachVolume",
"ec2:ImportVolume",
"ec2:DeleteTags",
"ec2:DescribeInstanceAttribute",

CloudOn for AWS
"ec2:CreateSnapshot",
"ec2:DescribeInstanceStatus",
"ec2:CreateInstanceExportTask",
"ec2:TerminateInstances",
"ec2:ImportInstance",
"s3:CreateBucket",
"ec2:DescribeTags",
"ec2:CancelConversionTask",
"ec2:ImportSnapshot",
"ec2:DescribeVpcs",
"ec2:CancelImportTask",
"ec2:DescribeConversionTasks"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:ListBucket",
"s3:DeleteObject",
"s3:ListMultipartUploadParts",
"s3:RestoreObject"
],
"Resource": [
"arn:aws:s3:::*"
]
}
]
}
! IMPORTANT
Pay close attention to the JSON formatting, including opening and closing braces and
brackets.

CloudOn for AWS
7. In the JSON editor, replace mys3bucket with the name of the selected bucket.
Make the replacement for both of the ARN references in that resource.
8. Click Review Policy.
9. In Name, type a name for the policy.
10.(Optional) In Description, type a description for the policy.
11.Click Create policy.
AWS creates the security policy and returns to the policy list page.
Creating a user account with access to the bucket

Create an IAM user account with policy-based access to the bucket.
3. On the left-side menu, click Users.
The list of users appears.
4. Click Add user.
The Add user page appears.
5. In the Set user details section, in User name, type a name for the user account.
The user account will be used by the Rubrik cluster to access the bucket.
6. In the Select AWS access type section, in Access type, select Programmatic access.
7. Click Next: Permissions.
The Set Permissions page appears with various methods for setting the permissions of the user
account.
8. Click Attach existing policies directly.
A list of the available policies appears.

CloudOn for AWS
9. Select the security policy that was created for the bucket, and click Next: Review.
Select the security policy that was created in Creating a security policy for AWS CloudOn.
The Review page appears.
10.Click Create user.
AWS creates the user, and a success message appears.
11.Click Download CSV.
The web browser opens a Save As dialog box.
12.Save the file credentials.csv.
The file contains the Access key ID and Secret access key for the user account and should be
securely stored. Use these values when configuring the Rubrik cluster to use this AWS bucket as
an archival location. The file can be renamed.
VM Import service role

To permit an AWS account to use the VM Import/Export service to create AMIs from the VMDK
files, AWS requires that the account have an IAM policy that is attached to the VM Import service
role.
Amazon provides detailed instructions about how to create the VM Import service role and attach
an IAM policy in the following documentation section: VM Import Service Role
Complete the four steps in the section. When following the instructions, replace the value
expressed by the variable disk-image-file-bucket with the name of the bucket being used for cloud
instantiation.
Security group
The Rubrik cluster must have the ID of an AWS security group to assign to the transient Rubrik
working instance. Create an AWS security group and assign the ID of the security group to the
archival location that will be used for the cloud instantiation.
The Rubrik cluster assigns the security group ID to the transient Rubrik working instance each
time that it is instantiated.
Providing the ID of the AWS security group to a Rubrik cluster requires two steps:
 Create the security group by using the AWS console.
 Assign the security group ID to the archival location on the Rubrik cluster.
Rubrik CDM Version 5.0 User Guide VM Import service role 429
CloudOn for AWS
Alternatively, contact Rubrik Support and provide the security group ID. Rubrik Support then
attaches the security group ID to the selected Rubrik cluster archival location.
Security group requirements

Create a security group that provides specific and limited inbound access.
When creating the security group, specify the most restricted inbound source range as possible.
The source range must include the IP address of the Rubrik cluster that is the source of the
archival snapshots.
For the best security, inbound access should only come from a limited range of hosts with VPN
access to the virtual private cloud of the archival location.
Information on all necessary ports for CloudOn can be found in the "Ports" appendix of the Rubrik
CDM User Guide. Outbound access should not be blocked.
Creating a security group for AWS CloudOn

Use the AWS console to create a security group with the required limited inbound access.
1. Log in to the AWS console.
2. On the AWS services page, click EC2.
The EC2 dashboard appears.
3. On the left-side menu, under Network & Security, click Security Groups.
The Security Groups page appears.
4. Click Create Security Group.
The Create Security Group modal appears.
5. In Security group name, type a name for the group.
6. (Optional) In Description, type a description.
7. In VPC, select the virtual private cloud for the archival location.
8. With the Inbound tab selected, click Add Rule.
The rule fields appear.
9. In Type, select Custom TCP Rule.
10.In Port Range, type a port number.
Information on all necessary ports for CloudOn can be found in the "Ports" appendix of the
Rubrik CDM User Guide.
11.In Source, select Custom.
Rubrik CDM Version 5.0 User Guide Security group 430

CloudOn for AWS
12.In the Source text field, type a CIDR, IP, or security group ID that includes the Rubrik cluster.
13.Click Create.
AWS creates the security group, and displays the security group page.
14.Find the new security group and copy the group ID.
15.Paste the group ID into a plain text scratch file.
Configuring S3 Endpoints
Configure specific endpoints in your VPC to address situations when public internet connection is
not available. This ensures that the subnet that the Bolt is configured to launch in can still be used
when no public internet connection is available.
When Rubrik cluster reads data from the S3 archive, the Rubrik cluster launches transient
instances within a VPC over public internet. You can launch AWS resources into a specified subnet.
When a public subnet for resources is used but the subnet is not connected to the internet, you
can use an S3 VPC endpoint to gain secure access to S3 without public internet access.
Information on how to configure an S3 VPC endpoint can be found at:
https://docs.aws.amazon.com/AmazonVPC/latest/userguide/vpc-endpoints-s3.html
If public internet is not available on the VPC, the Rubrik cluster cannot perform CloudOn for
snapshots on a KMS-encrypted S3 archive. You can configure an AWS KMS endpoint to connect
directly to AWS KMS through a private endpoint in your VPC instead of connecting over the
internet. Information on how to configure an AWS KMS endpoint can be found at:
https://docs.aws.amazon.com/kms/latest/developerguide/kms-vpc-endpoint.html
Cloud conversion settings

To speed up instantiation of virtual machine snapshots, the Rubrik cluster can be configured to
convert snapshots to AMIs before an instantiation request is made. The Rubrik cluster provides the
ability to specify conversion settings at the virtual machine level.
The settings choices only appear for vSphere virtual machines that are assigned to qualified SLA
Domains. Qualified SLA Domains are ones that are configured with an archival location that meets
all of the following requirements:
 Amazon S3 archival location.
 Bucket security policy and IAM account correctly configured, as described in Permissions.
 VM Import service role correctly set up, as described in VM Import service role.
Rubrik CDM Version 5.0 User Guide Cloud conversion settings 431
CloudOn for AWS
Each vSphere virtual machine that is assigned to a qualified SLA Domain can be configured with
one of the settings described in Table 90.
Table 90 Cloud conversion settings
Setting Description
Disabled The Rubrik cluster converts the snapshots from the virtual machine into AMIs
only when cloud instantiation is requested.This setting requires the creation of
an AMI from the VMDKs of the selected snapshot after instantiation is initiated
and so takes longer to complete.
This is the default value.
Cloud conversion without The Rubrik cluster starts converting the most recent virtual machine snapshot
keeping older AMIs as soon as it has been archived. The Rubrik cluster combines the chain of
incremental snapshots leading to the last full snapshot and the AMI is created
from the resulting snapshot. The Rubrik cluster automatically removes the
previously stored AMI from cloud storage.
For all snapshots except the most recent, this setting requires the creation of
an AMI from the VMDKs of the selected snapshot after instantiation is
initiated, and takes longer to complete.
Cloud conversion with The Rubrik cluster starts converting the most recent virtual machine snapshot
keeping older AMIs as soon as it has been archived.The Rubrik cluster combines the chain of
incremental snapshots leading to the last full snapshot and the AMI is created
from the resulting snapshot. The Rubrik cluster does not automatically remove
previously created AMIs from cloud storage. Removing those AMIs requires
user action.
This setting normally does not require the creation of an AMI from the VMDKs
of the selected snapshot after instantiation is initiated. Since the AMI already
exists, the instantiation task is much faster.
Incremental snapshot conversion

Rubrik supports incremental conversions of snapshots for Windows virtual machines. Rubrik needs
three transient compute instances in the AWS account for incremental conversion jobs to run
successfully. All these compute instances will be launched in the same AWS region where virtual
machine data has been archived.
Incremental snapshot conversion works through the following process.
1. Rubrik CDM prepares the snapshot chosen to be instantiated in the cloud.
2. If a snapshot to be converted is located in the on-premises Cluster, CDM will upload the deltas
to the archive location where the prior snapshots in the chain reside.
3. CDM checks if a Bolt and a Converter instance has already launched that it can reuse. If none
exists, CDM will launch new Bolt and Converter instances.
4. New disks are created, corresponding to the disks in the VMDK to be converted, and attached
to the Converter instance. Bolt instance reads data from the Archive location and copies data
from the archived snapshot to the Converter instance.
CloudOn for AWS
5. The Converter instance creates snapshots of its attached disks and download drivers required
for Windows instances in AWS.
6. A temporary instance is launched using the newly created snapshots and if necessary, OS
drivers are installed.
7. The temporary instance will be used to validate successful conversion and to create an AMI in
AWS. For Windows virtual machines, the temporary instance will be used to inject AWS
required drivers prior to creation of the AMI.
The transient compute properties are described in Table 91.
Table 91 Transient compute properties
Transient AWS Instance types
Compute Description used
Bolt Instance Reads archived data from Cloud Storage. M52xlarge
Convertor Reads incremental data from Bolt and writes to EBS volumes. M4.xlarge
Instance It also copies drivers for Windows virtual machines that will be
required on the user virtual machine in AWS.
Temporary For Windows, drivers are installed by temporary instance as T2.xlarge
Instance they are required for online installation in AWS.
Configuring cloud conversion

Configure cloud conversion settings for a vSphere virtual machine.
 Meet all of the preliminary requirements described in Prerequisites.
 Configure an SLA Domain to use an archival location bucket that was created for cloud
instantiation.
 Assign at least one vSphere virtual machine to the selected SLA Domain.
2. On the left-side menu, click Virtual Machines > vSphere VMs.
The local host page for the selected virtual machine appears, as shown in Figure 5.
CloudOn for AWS
Figure 5 Local host page for a virtual machine
When the Overview card does not contain the Cloud Conversion field, shown in Figure 5, there
are two possible causes:
• The SLA Domain is not correctly configured for cloud instantiation.
• The selected virtual machine is not a vSphere virtual machine.
4. On the Overview card, in the Cloud Conversion field, click Configure.
5. Assign one of the three possible configurations.
• Disabled–In Cloud Conversion, move the slider to the off position. This is the default
configuration and only needs to be set when the virtual machine previously had another
setting applied.
• Cloud Conversion without keeping older AMIs–In Cloud Conversion, move the slider to
the on position and clear Keep older AMIs.
• Cloud Conversion with keeping older AMIs–In Cloud Conversion, move the slider to the
on position and select Keep older AMIs.
Rubrik cluster retains the converted AMIs for all the snapshots of this virtual machine,
including expired snapshots
6. Click Submit.
The Rubrik cluster applies the specified configuration to the selected virtual machine.
CloudOn for AWS
Cloud instance management

The Rubrik CDM web UI provides features to permit management of cloud instances.
Use the Rubrik CDM web UI to do all of the following:
 Instantiate a qualifying virtual machine on the cloud.
 View all running instances on the cloud.
 Remove instances that are running on the cloud.
 View the AMIs that are stored on the cloud.
 Remove an AMI that is stored on the cloud.
Instantiating a virtual machine on the cloud

Select a vSphere snapshot to use for cloud instantiation. The snapshot can be local or at the
archival location. An AMI for the snapshot can exist or can be created during the task.
Note: Instantiating Windows VMs with BitLocker-enabled volumes is not supported by AWS
CloudOn.

4. Browse to a snapshot.
5. Open the ellipsis menu for the snapshot, and select Launch on Cloud.
The Launch on Cloud modal appears.
6. In Location Name, select the name of an archival location.
The virtual machine will be instantiated in the storage for the selected location.
7. In Instance Type, select the type of AMI instance to use for the instantiated virtual machine.
The Rubrik cluster examines the source virtual machine and provides a recommended AMI
instance type.
Rubrik CDM Version 5.0 User Guide Cloud instance management 435
CloudOn for AWS
! IMPORTANT
The Rubrik cluster makes a AMI instance type recommendation based on a 64-bit
operating system. The recommendation, from the m4 series, will be unsuitable for a
32-bit operating system. When the instantiated virtual machine has a 32-bit operating
system, choose Custom Instance Type and specify a 32-bit AMI instance type.
8. (Optional) In Instance Type, select Custom Instance Type.

The Custom Instance Type field appears.
9. (For Custom Instance Type only) In Custom Instance Type, type the name of an AMI
instance type.
The name must be typed in the exact form that Amazon uses. Be sure that the selected
instance type is appropriate for the operating system of the instantiated virtual machine.
10.In Subnet (VPC), select a virtual private cloud.
The field lists the virtual private cloud subnets that are available at the selected archival
location. To see a list in this field, first select an archival location.
11.In Security Group, select an available security group.
The field lists the security groups that are available for the selected virtual private cloud. To see
a list in this field, first select a virtual private cloud subnet.
12.Click Submit.
The Rubrik cluster begins the instantiation task. When the task completes, the instantiated virtual
machine appears on the Cloud Mounts page of the Rubrik CDM web UI.
Powering off a cloud instance

Use the Cloud Mounts page of the Rubrik CDM web UI power off instantiated virtual machines.
2. On the left-side menu, click Cloud Mounts > AWS.
The cloud mounts page appears, with the Instances tab selected.
3. Open the ellipsis menu next to the selected instance.
4. Click Power Off.
The Rubrik cluster powers off the selected instance. The instance remains as a powered down
instance on the AWS account.
CloudOn for AWS
Removing entry
Use the Cloud Mounts page of the Rubrik CDM web UI to remove the virtual machine.
Rubrik cluster stops managing the virtual machine once it has been removed. Manage this virtual
machine from the AWS console.
4. Click Remove entry.
The Rubrik cluster removes the selected virtual machine instance.
Launching AMIs
Launch an individual AMI image from the AWS Cloud Mount page.
3. Click the AMIs tab.
The list of available AMIs appears.
4. Open the ellipsis menu next to a selected AMI.
5. Click Launch AMI.
The Rubrik cluster launches the selected AMI.
Removing cloud instances

Use the Cloud Mounts page of the Rubrik CDM web UI to remove instantiated virtual machines.
4. Click Power Off.
The Rubrik cluster powers off the selected instance.
CloudOn for AWS
5. Open the ellipsis menu next to the selected instance again.

6. Click Terminate.
The Rubrik cluster removes the selected virtual machine instance.
Removing AMIs
Virtual machine snapshots that have been converted to AMIs appear on the Cloud Mounts page of
the Rubrik CDM web UI. Remove an individual AMI from the AWS Cloud Mount page.
3. Click the AMIs tab.
The list of available AMIs appears.
4. Open the ellipsis menu next to a selected AMI.
5. Click Delete AMI.
The Rubrik cluster removes the selected AMI.
Chapter 13
CloudOn for Azure
This chapter describes how to use the Rubrik CloudOn for Azure feature.
 Azure CloudOn overview ......................................................................................... 440
 Prerequisites .......................................................................................................... 440
 Azure CloudOn configuration and setup workflow...................................................... 444
 Downloading the Rubrik Cloud-On for Azure zip file................................................... 444
 Setting up and configuring the PowerShell in Cloud Shell ........................................... 445
 Configuring Azure Objects ....................................................................................... 446
 Configuring the subnet............................................................................................ 447
 Setting up permissions on Azure .............................................................................. 448
 Adding an Azure CloudOn configuration.................................................................... 453
 Cloud conversion settings ........................................................................................ 454
 Cloud instance management.................................................................................... 457
Rubrik CDM Version 5.0 User Guide CloudOn for Azure 439
CloudOn for Azure
Azure CloudOn overview

Rubrik CloudOn for Azure converts a local or archived snapshot into a Virtual Hard Disk (VHD) or
managed disk snapshot that is used to launch an Azure virtual machine. Rubrik supports
instantiating on-premise VMware virtual machines to Azure. To instantiate Hyper-V virtual
machines to Azure, contact Rubrik Support to enable this capability on your Rubrik cluster.
Rubrik CloudOn for Azure supports the following scenarios:
 Instantiating of VMware virtual machine for testing and development – Launch on-premise
virtual machines to enable sandbox testing and development needs in Azure.
 Migrating on-premise virtual machines to Azure – Lift-and-shift migration of virtual machines to
Azure.
 Disaster recovery (DR) to Azure – Failover to Azure using archived data when the on-premise
data center fails.
Prerequisites
For successful deployment of Azure CloudOn, ensure that the following prerequisites are met.
These prerequisites are applicable to on-premise VMware virtual machines, Rubrik cluster, and
Azure Archive.
 Connection between the Azure Virtual Network (VNet) and the on-premise network
Rubrik launches transient instances within the customer account to perform conversion. Rubrik
launches the transient instance in a VNet specified by the customer. This connection between
the VNet and the on-premise network requires the following:
• Connectivity from Rubrik cluster
As a security best practice, Rubrik cluster connects to the instances in the VNet over a
private IP. To establish private connectivity between Rubrik cluster and the VNet, a VPN
connection or an ExpressRoute circuit is required to ensure private connectivity between
the Rubrik cluster and Azure VNet.
Information on how to connect to VPN can be found at:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-reso
urce-manager-portal
Information on how to configure ExpressRoute can be found at:
https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-linkvnet-portal-r
esource-manager
If your on-premise network is connected to an Azure VNet through VPN or an express
route, there are specific ports and URLs that must be opened for all CloudOn operations to
work successfully
Rubrik CDM Version 5.0 User Guide Azure CloudOn overview 440
CloudOn for Azure
The Bolt VNet must be configured with the VNet endpoint for Azure Storage.
Bolt Network Security Group (NSG) must be configured to allow Storage Service Tags
outbound on port 443.
If you are using an Azure ExpressRoute connection, configure it with Microsoft Peering.
Information on how to configure Microsoft peering can be found at:
https://docs.microsoft.com/en-us/azure/expressroute/how-to-move-peering
If you are using VPN or ExpressRoute, the firewall routing must send Rubrik Archival
(CloudOut) traffic over VPN or ExpressRoute.
Information on the right solution in connecting an on-premise network to Azure can be
found at:
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-netwo
rking/
• Connectivity to Blob Store
When Rubrik cluster reads data from the Azure archive, the Rubrik cluster launches
transient instances within a VNet over public internet in the same region.
Since Azure storage is available over public endpoints over public internet, if public internet
is not available on the VNet, it is recommended to use Azure VNet endpoint to securely
access the Azure storage. Information on how to configure VNet endpoints can be found
at:
https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-restrict-network-access-to-
resources
 Resource ID and subnet for VNet
If a VNet is granted the access from the Rubrik cluster and to the Blob store, the resource ID of
the VNet and a subnet within the VNet is required. Information on how to configure a new
VNet for Rubrik can be found at:
https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-restrict-network-access-to-res
ources#create-a-virtual-network
Perform this step with network administrator privileges.
 Azure Active Directory application with contributor permissions
Azure Active Directory (Azure AD) must be able to authenticate the Rubrik cluster. To enable
this, register the Rubrik cluster in Azure AD, as described in Setting up permissions on Azure.
This configuration provides contributor permissions to the Rubrik application.
CloudOn for Azure
Alternatively, instead of granting Contributor permissions to the Rubrik application, create a

custom role. Follow the same steps to associate the custom role with the Rubrik application
within your subscription, as described in Setting up permissions on Azure. Information on how
to create a custom role can be found at:
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
Information on the set of limited permissions for a custom role can be found at Configuring the
subnet.
 Network Security Group
To securely access the transient instance in which data is read from the archive, associate the
instance with a Network Security Group (NSG) that has the appropriate rules.
Perform this step with network administrator privileges.
Information on how to create this NSG can be found at:
https://docs.microsoft.com/en-us/azure/storage/common/storage-quickstart-create-account?t
abs=portal
Configure the NSG for the virtual machines within the same VNet to allow communications
between the virtual machine and the VNet. Information on how to configure NSG can be found
at:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
 Resource group
Create a resource group that can be used to launch the transient compute instance and the
user instance.
In the Rubrik CDM web UI, specify the resource groups from the "Launch on cloud" option in
the Virtual Machines > vSphere VMs menu.
When upgrading from previous Rubrik CDM version that does not have a resource group
specified in the archival location, Rubrik cluster creates a default resource group which is used
to launch the transient compute instance, as described in Creating a resource group.
Alternatively, edit the archival location and specify a different resource group to be used for
such instances.
 General purpose storage account V2
Rubrik cluster converts virtual machine snapshots into an Azure native format (Page Blobs).
These Page Blobs can only be stored on a General purpose (V2) storage account. Rubrik
recommends using a General purpose V2 storage account and a standard LRS storage account
for archival and creating a new storage account for CloudOn that restricts other applications
from performing any activity on the account. Rubrik does not support Premium Storage
account with Azure CloudOn.
CloudOn for Azure
Rubrik uses the General purpose storage account to:

• Ensure backward compatibility with Rubrik CDM version earlier than 5.0.
• Store Bolt and Converter VHD.
• Store customer templates to launch virtual machines from these templates.
In a disaster recovery, when the Rubrik on-premise cluster is unavailable, users can launch
virtual machines directly from the Azure portal using these templates.
 Pre-configuration on source virtual machine
• Rubrik supports Azure CloudOn on Windows virtual machines with Widows Server 2008 R2,
Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 R2.
• Only VMware Generation 1 virtual machines are supported.
• The maximum size of a Virtual Machine Disk (VMDK) that can be successfully converted by
CloudOn is up to 1 TB. VMware virtual machine with up to 10 disks are supported by Azure
CloudOn.
• Linux virtual machines are not supported on Azure CloudOn.
Pre-configure the source virtual as described in Table 94.
Table 92 Source virtual machine pre-configuration
Setting Description
Windows configuration • Enable Remote Desktop Protocol (RDP).
• Ensure the RDP port is enabled on the firewall.
• For instantiating on Azure, ensure that there is 200 MB free space on the
root disk.
• For Windows 2016, make that the following update:
https://support.microsoft.com/en-us/help/4073562/update-to-the-virtual-n
etwork-service-for-windows-10-version-1607
 Supported and unsupported virtual machine configurations

Table 93 describes the supported and unsupported virtual machine configurations.
Setting Description
Supported disk partitioning scheme • Master Boot Record (MBR) and GUID partition table
on Windows.
Supported file systems • Windows - NTFS
Supported OS disk formats • Standard
• LDM
CloudOn for Azure

Setting Description
Supported boot volume • Boot volume using MBR partitioning cannot exceed 1
TB.
Supported non-boot volume • Non-boot volumes using GPT cannot exceed 1 TB.
Supported single disk size • Cannot exceed 1 TB for instantiations.
Supported number of disks on virtual machines • Virtual machines with up to 10 Disks can be
instantiated.
Supported Windows language packs • English
Unsupported virtual machine configurations • Virtual machines with 32-bit configuration
• Desktop OS
• UEFI/EFI boot partitions
• Multiple network interfaces
• Virtual machines with encrypted root disk
Azure CloudOn configuration and setup workflow

Successful implementation of Azure CloudOn requires the completion of the configuration and
setup tasks in the specified order.
To configure and set up Azure CloudOn, complete the tasks in the following order:
 Downloading the Rubrik Cloud-On for Azure zip file
 Setting up and configuring the PowerShell in Cloud Shell
 Configuring Azure Objects
 Configuring the subnet
 Setting up permissions on Azure
 Adding an Azure CloudOn configuration
Downloading the Rubrik Cloud-On for Azure zip file

Download and expand the Rubrik Cloud-On for Azure zip file.
Depending on the entitlements associated to your account, the Rubrik CDM release page provides
the available software downloads.
1. Click Download.
The Accept EULA page appears.
Rubrik CDM Version 5.0 User Guide Azure CloudOn configuration and setup workflow 444
CloudOn for Azure
2. Review the EULA.

3. Select Accept and Download.
4. Click Accept and Download.
The file download page appears.
5. Click the zip file.
A browser-specific download of the zip file begins. The browser downloads the zip file to the
default download folder or to the location you select.
6. Extract the contents of the zip file.
The package includes the rkazurecli_cloud_on.ps1 script and the rkazurecli_util.ps1
script.
Setting up and configuring the PowerShell in Cloud Shell

Use the PowerShell in the Azure Cloud Shell to manage Azure resources.
The PowerShell is supported on Windows platform.
As part of this task, you will copy three values into a temporary file for later use.
1. Log in to the Azure Portal.
2. On the top menu of the Azure Portal, click the Cloud Shell Icon, as shown in Figure 6.
Figure 6 Azure Cloud Shell icon
When Cloud Shell has been previously set up, the Cloud Shell session opens at the bottom of
the page. For the first use, the Persist account files dialog box appears.
3. (First use of Cloud Shell only) In the Persist account files dialog box, select an Azure
subscription for the Cloud Shell, and click Create storage.
Information about Cloud Shell can be found at:
https://docs.microsoft.com/en-us/azure/cloud-shell/overview
The Cloud Shell session opens at the bottom of the page.
4. If the shell is not set with PowerShell as the command processor, at the top of the Cloud Shell
window, click the shell control, and select PowerShell.
Rubrik CDM Version 5.0 User Guide Setting up and configuring the PowerShell in Cloud Shell 445
CloudOn for Azure
The PowerShell prompt appears in the Cloud Shell window, as shown in Figure 7.
Figure 7 PowerShell prompt in Cloud Shell window
Configuring Azure Objects

If it is the first time the Cloud Shell is launched, the Cloud Shell prompts for the one-time creation
of a resource group, storage account, and Azure Files share.
1. Type the following command to navigate to the cloud drive to check if all files were uploaded:
cd $home\clouddrive
The working directory changes to the cloud drive directory.
.\rkazurecli_cloud_on.ps1
The Azure CloudOn CLI starts and a numbered setup menu appears.
3. At the prompt, type 1.
4. Decide on a region for the resource group and, at the prompt, type the number of that region.
Use this region throughout this task.
5. Decide on a storage account, at the prompt, type the number of that storage account.
Alternatively, type 0 and a storage account name to create a new storage account.
6. Decide on a resource group for the storage account, at the prompt, type the number of that
resource group.
Alternatively, type 0 and a resource group name to create a new resource group for the
storage account.
7. At the prompt, type the name of a container group from the list of available container groups.
The container group is where converted VHDs of VMware virtual machines converted by
CloudOn are stored.
Rubrik CDM Version 5.0 User Guide Configuring Azure Objects 446
CloudOn for Azure
8. Type the virtual network ID number for a virtual network. The Virtual Network Resource ID is
not displayed in the Azure portal. You can obtain the Resource ID of any resource in Azure by
executing the the following command in Powershell or in Cloud Shell:
Get-AzureRmResource -Name “Name of the resource”
9. Type the subnet ID number from the list of available subnets.
The list of subnets is based on the virtual networked selected.
10.Type the network security group number from the list of available network security groups.
Alternatively, type 0 and a network security group name to create a new network security
group.
11.Type the resource group number for the network security group from the list of available
resource groups.
12.Type the Application ID number and the secret key.
Alternatively, type 0 and a name for the application to create a new application.
The rkazurecli script checks and creates the CloudOn configuration prerequisites. The script
generates a JSON text file to capture the configuration prerequisites. The text of this JSON is used
in later configuration to complete Azure CloudOn configuration steps in the Rubrik CDM web UI.
When the script completes the configuration, it closes.
Configuring the subnet

Azure CloudOn launches a temporary single-node Rubrik instance called Bolt on a specified
subnet. The Rubrik cluster must have private connectivity to instances within this subnet. This
subnet must be configured to have VPN access from the Rubrik cluster.
Information on all necessary ports for CloudOn can be found in the "Ports" appendix of the Rubrik
CDM User Guide.
All other inbound ports must be closed. Outbound access must be enabled.
Information on how to create a virtual network and subnet by using the Azure Portal can be found
at:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-create-vnet-classic-pport
al
As part of this task, you will copy two values into a temporary file for later use.
2. On the Azure Portal menu, select Virtual networks.
The Virtual networks page appears with a list of all available subnets.
Rubrik CDM Version 5.0 User Guide Configuring the subnet 447
CloudOn for Azure
3. In the resource groups filter, clear all resource groups except the resource group created for
Azure CloudOn.
Clear Select All to clear all selections, then select only the resource group that you copied to
your temporary file in Configuring Azure Objects.
4. Copy the name into your temporary file as the subnet ID.
5. Click the name of the subnet.
The blade for that subnet opens.
6. In the subnet blade menu, select Properties.
7. In Resource ID, click the copy button to copy the resource ID value.
8. Paste the resource ID value into your temporary file.
9. Configure the new subnet to have VPN access to the Rubrik cluster.
For information about setting up VPN access, refer to this Microsoft Azure article:
Create a Site-to-Site connection in the Azure portal
Setting up permissions on Azure

Azure Active Directory (Azure AD) must be able to authenticate the Rubrik cluster. To enable this,
register the Rubrik cluster in Azure AD.
One of the tasks accomplished by the rkazurecli_cloud_on.ps1 script is the creation of a JSON file
that contains the Application ID, Subscription ID, Region, General Purpose Storage name, General
Purpose Storage Container Name, Virtual Network ID, Subnet ID and Security Group name.
As part of this task, you will copy four values into a temporary file for later use.
2. On the Azure Portal menu, click Azure Active Directory.
The Azure Active Directory page for your account appears.
3. Click App Registrations.
The App Registrations blade appears.
4. On the App Registrations blade, click +New application registration.
The Create blade appears.
5. In Name, type a name for the Rubrik cluster application.
6. In Application type, select Web app / API.
Rubrik CDM Version 5.0 User Guide Setting up permissions on Azure 448
CloudOn for Azure
7. In Sign-on URL, type a valid URL.

Type any valid URL value. The Sign-on URL value is not used by the Rubrik cluster.
8. Click Create.
The Registered app blade for the Rubrik cluster application appears.
9. On the Registered app blade, find the Application ID value.
10.Copy the application ID value into your temporary file.
11.Click Settings.
The Settings panel appears.
12.Click Keys.
The Keys blade appears.
13.In Key Description, type a description for this key.
The key is assigned to the Rubrik cluster application. The description should identify this
purpose.
14.In Duration, select a duration.
Rubrik recommends that you select Never expires to avoid problems with changing the key
at the end of a specified duration period.
15.Click Save.
The Azure portal generates a key value and the key value appears in the Value field.
! IMPORTANT
The key value cannot be retrieved after leaving the Keys blade. Store the key value in a
secure location.
16.Select and copy the key value.

17.Paste the key value into your temporary file.
18.On the Azure Portal menu, click Azure Active Directory.
The Azure Active Directory page for your account appears.
19.On the Azure Active Directory page menu, select Properties.
The Properties blade for the Azure Active Directory appears.
20.In Directory ID, click the copy button to copy the directory ID value.
Microsoft documentation also refers to the directory ID as the tenant ID.
CloudOn for Azure
21.Paste the directory ID value into your temporary file.

22.On the Azure Portal menu, click Subscriptions.
In some cases, the menu path may be Cost Management + Billing > Subscriptions.
The Subscriptions page appears.
23.Select a subscription to assign the Rubrik cluster application to.
The Rubrik cluster application must be added as a contributer to a subscription. You can use an
existing subscription or create a new one.
The Subscription blade for the selected subscription appears.
24.In the Subscription blade menu, click Access control (IAM).
The Access control (IAM) blade appears.
25.On the Access control (IAM) blade, click +Add.
The Add permissions blade appears.
26.In Role, select Contributor.
27.In Assign access to, select Azure AD user, group or application.
28.Add the application ID value from your temporary file.
29.Click Save.
The subscription is updated to add the Rubrik cluster application.
30.Type the name of the subscription into your temporary file.
Creating a custom role

Create an IAM user account with policy-based access to the account.
Rubrik can work with contributor-role based access on your Azure subscription. However, if you
cannot provide Contributor access to Rubrik, then create a custom role with a minimal set of
permissions.
1. Copy the text from the following JSON file and write it to the CloudShell storage by executing
"cd $home" and the "nano RubrikCloudOnMinimalPermissions.json" command. Then, paste the
text, save and exit the CloudShell.
Information on how to create a custom role in Azure documentation can be found at
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles. Use the JSON
text with limited permissions provided in the following.
{
“Name”: “Rubrik CloudOn 5_0",
CloudOn for Azure
“IsCustom”: true,
“Description”: “Can Launch VMs from archived snapshots”,
“Actions”: [
“Microsoft.Compute/snapshots/*“,
“Microsoft.ClassicCompute/virtualMachines/detachDisk/action”,
“Microsoft.ClassicCompute/virtualMachines/attachDisk/action”,
“Microsoft.Compute/images/read”,
“Microsoft.Compute/images/write”,
“Microsoft.Compute/images/delete”,
“Microsoft.Compute/disks/*“,
“Microsoft.Compute/locations/*/read”,
“Microsoft.Compute/skus/read”,
“Microsoft.Compute/virtualMachines/deallocate/action”,
“Microsoft.Compute/virtualMachines/delete”,
“Microsoft.Compute/virtualMachines/extensions/*“,
“Microsoft.Compute/virtualMachines/instanceView/read”,
“Microsoft.Compute/virtualMachines/powerOff/action”,
“Microsoft.Compute/virtualMachines/read”,
“Microsoft.Compute/virtualMachines/restart/action”,
“Microsoft.Compute/virtualMachines/runCommand/action”,
“Microsoft.Compute/virtualMachines/start/action”,
“Microsoft.Compute/virtualMachines/vmSizes/read”,
“Microsoft.Compute/virtualMachines/write”,
“Microsoft.Network/networkInterfaces/*“,
“Microsoft.Network/networkSecurityGroups/join/action”,
“Microsoft.Network/networkSecurityGroups/read”,
“Microsoft.Network/networkSecurityGroups/securityRules/read”,
“Microsoft.Network/publicIPAddresses/read”,
“Microsoft.Network/publicIPAddresses/write”,
“Microsoft.Network/publicIPAddresses/join/action”,
“Microsoft.Network/publicIPAddresses/delete”,
“Microsoft.Network/virtualNetworks/read”,
“Microsoft.Network/virtualNetworks/subnets/join/action”,
“Microsoft.Network/virtualNetworks/subnets/read”,
“Microsoft.Resources/deployments/*“,
“Microsoft.Resources/subscriptions/read”,
“Microsoft.Resources/subscriptions/resourcegroups/*/read”,
CloudOn for Azure
“Microsoft.Resources/subscriptions/resourcegroups/deployments/*“,
“Microsoft.Resources/subscriptions/resourcegroups/write”,
“Microsoft.Storage/*/read”,
“Microsoft.Storage/storageAccounts/blobServices/containers/read”,
“Microsoft.Storage/storageAccounts/blobServices/containers/write”,
“Microsoft.Storage/storageAccounts/listkeys/action”,
“Microsoft.Storage/storageAccounts/read”
],
“NotActions”: [
],
“AssignableScopes”: [
“/subscriptions/<subscription-id>”
]
}
2. Replace <subscription-id> with the Azure Subscription ID for the subscription where the App
Registration was created.
3. Save and exit the nano.
4. At the Cloud Shell prompt, type "az role definition create --role --definition
./RubrikCloudOnMinimalPermissions.json".
The Azure CloudOn CLI creates the Rubrik IAM role in the subscription.
5. On the Azure portal menu, select Subscriptions and choose your subscription.
6. Click Access control (IAM).
7. Click +Add.
8. Type the name of the role created in the Cloud Shell.
This will be "Rubrik CloudOn" if the Name field has not been changed in the JSON above.
9. Verify that the Assign access to is set to Azure AD user, group or application.
10.In the Search field, search and select the Rubrik application.
This step selects the Rubrik application to which the role is to be assigned to.
11.Click Save.
Azure creates the Rubrik role with minimal permissions.
CloudOn for Azure
Adding an Azure CloudOn configuration

Add the Azure CloudOn configuration to the Rubrik cluster to complete the Azure CloudOn setup,
as described in Adding Microsoft Azure as an archival location.
When the Rubrik cluster executes the rkazurecli_cloud_on.ps1 script, it generates the JSON output
file that contains the application ID, application secret key, tenant ID, subscription ID, region,
general purpose storage name, general purpose storage container name, resource group name,
virtual network ID, subnet ID, and security group name.
Rubrik cluster imports these values to the Rubrik CDM web UI and auto-fills them to the Advanced
Settings when configuring the Cloud Compute Setting for Azure CloudOn, as described in Adding
Microsoft Azure as an archival location.
An existing Azure archival location can be edited to add support for Azure CloudOn, as described in
Editing a location to add Azure CloudOn.
Editing a location to add Azure CloudOn

Edit an existing Azure archival location to add support for Azure CloudOn.
This task uses values obtained from the tasks Configuring Azure Objects, Configuring the subnet,
and Setting up permissions on Azure and stored in your temporary file.
3. Click Archival Location.
4. On the card for an existing Azure archival location, open the ellipsis menu and click Edit.
5. Click Advanced Settings.
6. In App Id, paste the application ID from your temporary file.
7. In App Secret Key, paste the key value from your temporary file.
8. In Tenant Id, paste the directory ID value from your temporary file.
9. In Subscription, select the subscription name that matches the subscription name in your
temporary file.
10.In Region, select the region that matches the region listed in your temporary file.
Rubrik CDM Version 5.0 User Guide Adding an Azure CloudOn configuration 453
CloudOn for Azure
11.In General Purpose Storage, select the name of the storage account that matches the
storage account name in your temporary file.
12.In General Purpose Storage Container Name, type a name for the Azure container that
will store the VHDs.
Use a name that meets the Azure requirements for container names:
• 3-64 characters
• Lowercase
• Alphanumeric characters and the dash symbol
13.(For CloudOn) In Resource Group, type the name of a resource group.
This resource group specifies where the temporary Rubrik Bolt cloud cluster instance will be
launched.
14.In Virtual Network ID, copy and paste the resource ID of the virtual network from your
temporary file.
15.In Subnet ID, copy and paste the name of the virtual network from your temporary file.
16.In Security Group ID, copy and paste the resource ID of the security group.
17.Click Add.
The Rubrik cluster modifies the archival location configuration to add support for Azure CloudOn.
Cloud conversion settings

To speed up instantiation of virtual machine snapshots, the Rubrik cluster can be configured to
convert snapshots to VHDs before an instantiation request is made. The Rubrik cluster provides
the ability to specify conversion settings at the virtual machine level.
The settings choices only appear for vSphere virtual machines that are assigned to qualified SLA
Domains. Qualified SLA Domains are ones that are configured with an archival location that meets
all of the following requirements:
 Azure archival location.
 Azure CloudOn correctly configured and set up.
CloudOn for Azure
Each vSphere virtual machine that is assigned to a qualified SLA Domain can be configured with
one of the settings described in Table 94.
Table 94 Cloud conversion settings
Setting Description
Disabled The Rubrik cluster converts the snapshots from the virtual machine into VHDs
only when cloud instantiation is requested.This setting requires the creation of
a VHD from the VMDKs of the selected snapshot after instantiation is initiated
and so takes longer to complete.
This is the default value.
Cloud conversion without The Rubrik cluster starts converting the most recent virtual machine snapshot
Keep older VHDs as soon as it has been archived. The Rubrik cluster combines the chain of
incremental snapshots leading to the last full snapshot and the VHD is created
from the resulting snapshot. The Rubrik cluster automatically removes the
previously stored VHD from cloud storage.
For all snapshots except the most recent, this setting requires the creation of a
VHD from the VMDKs of the selected snapshot after instantiation is initiated,
and takes longer to complete.
Cloud conversion with The Rubrik cluster starts converting the most recent virtual machine snapshot
Keep older VHDs as soon as it has been archived.The Rubrik cluster combines the chain of
incremental snapshots leading to the last full snapshot and the VHD is created
from the resulting snapshot. The Rubrik cluster does not automatically remove
previously created VHDs from cloud storage. Removing those VHDs requires
user action.
This setting normally does not require the creation of an VHD from the VMDKs
of the selected snapshot after instantiation is initiated. Since the VHD already
exists, the instantiation task is much faster.
Configuring cloud conversion

Configure cloud conversion settings for a vSphere virtual machine.
 Configure an SLA Domain to use an Azure container that was created for cloud instantiation.
 Assign at least one vSphere virtual machine to the selected SLA Domain.
The local host page for the selected virtual machine appears, as shown in Figure 8.
CloudOn for Azure
Figure 8 Local host page for a virtual machine
When the Overview card does not contain the Cloud Conversion field, shown in Figure 8, there
are two possible causes:
• The SLA Domain is not correctly configured for cloud instantiation.
• The selected virtual machine is not a vSphere virtual machine.
• The guest OS of the virtual machine is not Windows.
4. On the Overview card, in the Cloud Conversion field, click Configure.
5. Assign one of the three possible configurations.
• Disabled–In Cloud Conversion, move the slider to the off position. This is the default
configuration and only needs to be set when the virtual machine previously had another
setting applied.
• Cloud Conversion without Keep older VHDs–In Cloud Conversion, move the slider to the
on position and clear Keep older VHDs.
• Cloud Conversion with Keep older VHDs–In Cloud Conversion, move the slider to the on
position and select Keep older VHDs.
6. Click Submit.
The Rubrik cluster applies the specified configuration to the selected virtual machine.
CloudOn for Azure
Cloud instance management

The Rubrik CDM web UI provides features to permit management of cloud instances.
Use the Rubrik CDM web UI to do all of the following:
 Instantiate a qualifying virtual machine on the cloud using managed snapshots.
 Instantiate a quality virtual machine on the cloud using VHDs.
 View all running instances on the cloud.
 Remove instances that are running on the cloud.
 View the VHDs that are stored on the cloud.
 Remove a VHD that is stored on the cloud.
 Remove entry of the virtual machine.
Instantiating a virtual machine on the cloud using managed snapshots

Select a vSphere snapshot to use for cloud instantiation. The snapshot can be local or at the
archival location. A VHD for the snapshot can exist or can be created during the task.
Note: Instantiating Windows VMs with BitLocker-enabled volumes is not supported by Azure
CloudOn.

CloudOn for Azure
7. In Virtual Machine Size, select the type of VHD instance to use for the instantiated virtual
machine.
The Rubrik cluster examines the source virtual machine and provides a recommended VHD
instance type.
8. (Optional) In Virtual Machine Size, select Custom Instance Type.
9. (For Custom Instance Type only) In Custom Instance Type, type the name of a VHD
instance type.
The name must be typed in the exact form that Azure uses.
10.In VNet, select an Azure virtual network.
The field lists the virtual networks that are available at the selected archival location. To see a
list in this field, first select an archival location.
11.In Network Security Group, select an available security group.
The field lists the security groups that are available for the selected virtual network. To see a
list in this field, first select a virtual network.
12.In Resource Group, select an available resource group.
The field lists the resource groups that are available for the selected virtual network. To see a
This resource group specifies where the instantiated virtual machine will be launched.
13.Click Submit.
The Rubrik cluster launches the Rubrik Bolt cloud instance in the resource group associated with
the archive location to create a full snapshot.
Instantiating a virtual machine on the cloud using VHDs

Select a VHD to use for cloud instantiation. The snapshot can be local or at the archival location. A
VHD for the snapshot can exist or can be created during the task.
1. In the web UI, on the left-side menu, click Cloud Mounts > Azure.
The Azure VMs page appears, with the VMs tab selected.
CloudOn for Azure
6. In Virtual Machine Size, select the type of VHD instance to use for the instantiated virtual
machine.
The Rubrik cluster examines the source virtual machine and provides a recommended VHD
instance type.
7. (Optional) In Virtual Machine Size, select Custom Instance Type.
8. (For Custom Instance Type only) In Custom Instance Type, type the name of a VHD
instance type.
The name must be typed in the exact form that Azure uses.
9. In VNet, select an Azure virtual network.
The field lists the virtual networks that are available at the selected archival location. To see a
list in this field, first select an archival location.
10.In Network Security Group, select an available security group.
The field lists the security groups that are available for the selected virtual network. To see a
11.In Resource Group, select an available resource group.
The field lists the resource groups that are available for the selected virtual network. To see a
This resource group specifies where the instantiated virtual machine will be launched.
12.Click Submit.
CloudOn for Azure
Powering off a cloud instance

Use the Cloud Mounts page of the Rubrik web CDM UI power off instantiated virtual machines.
2. On the left-side menu, click Cloud Mounts > Azure.
The cloud mounts page appears, with the VMs tab selected.
4. Click Power Off.
The Rubrik cluster powers off the selected instance. The instance remains as a powered down
instance on the Azure account.
Terminating cloud instances

Use the Cloud Mounts page of the Rubrik CDM web UI to terminate instantiated virtual machines.
4. Click Power Off.
The Rubrik cluster powers off the selected instance.
5. Open the ellipsis menu next to the selected instance again.
6. Click Terminate.
The Rubrik cluster removes the selected virtual machine instance from the Azure account.
The Rubrik cluster removes the resources created by instantiation from the resource group once
the virtual machine is terminated.
Removing entry
Use the Cloud Mounts page of the Rubrik web UI to remove the virtual machine.
Rubrik cluster stops managing the virtual machine once it has been removed. Manage this virtual
machine from the Azure Portal.
1. Log in to the Rubrik CDM web UI, on the left-side menu, click Cloud Mounts > Azure.
CloudOn for Azure
3. Click Remove entry.

The Rubrik cluster removes the selected virtual machine from Rubrik cluster metadata and stops
managing it.
Launching virtual machines images

Virtual machine images appear on the Cloud Mounts page of the Rubrik CDM web UI. Launch an
individual virtual machine image from the Azure Cloud Mount page.
3. Click the VM Images tab.
The list of available virtual machine images appears.
4. Open the ellipsis menu next to a selected virtual machine image.
5. Click Launch VM Image.
The Rubrik cluster launches the selected virtual machine image.
Removing VHDs
Virtual machine snapshots appear on the Cloud Mounts page of the Rubrik CDM web UI. An
individual VHD can be selected from this page and removed from the Azure account storage.
3. Click the VHDs tab.
The list of available VHDs appears.
4. Open the ellipsis menu next to a selected VHD.
5. Click Delete VHD.
The Rubrik cluster removes the selected VHD from the Azure account.
CloudOn for Azure
Creating a resource group

Create resource groups to add, deploy, update, or delete resources as a group.
Resources can be grouped into a resource group. To assign resources to a resource group, you can
either assign all the resources, or only those to be managed as a group.To ensure the ease of
deployment, update, or deletion of a resource groups, Rubrik recommends that resources added
to a resource group share the same lifecycle.
A maximum of 800 resource groups can be created per Azure account subscription.
With a configured resource group, a virtual machine will be launched and instantiated in the
selected resource group.
When an existing archival location does not have a resource group, the local Rubrik cluster creates
a resource group called DefaultRubrikStormResourceGroup and uses it to launch Azure Storm
instances.
2. On the left-side menu, click Resource groups.
The Resource groups page appears.
3. On the top menu bar, click +Add.
The Resource groups blade appears.
4. In Resource group name, type a name for the resource group.
5. In Subscription, select the subscription account to use.
6. In Resource group location, select the resource group location.
7. Click Create.
Azure creates the resource group for the Azure account.
8. Click Refresh to see the newly added resource group.
9. (Optional) Create and deploy a resource to the resource group.
Information on how to create and deploy a resource can be found at:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-template-de
ploy-portal/#deploy-resources-from-marketplace
Removing a resource from a resource group does not remove the resource group.
10.Add the Azure CloudOn configuration to the Rubrik cluster and configure a new Azure archival
location to use Azure CloudOn, as described in Adding Microsoft Azure as an archival location.
CloudOn for Azure
11.Select a snapshot and instantiate a virtual machine, as describe in Instantiating a virtual

machine on the cloud using managed snapshots.
machine appears on the Cloud Mounts page of the Rubrik CDM web UI. When launched
successfully, the Rubrik cluster names the virtual machine with the local VMware as the prefix and
appends a disambiguation string to the prefix, such as SQL-server-001-<disambiguation string>.
Rubrik recommends using a disambiguation string to avoid potential conflicts that arise when a
string is ambiguous.
Removing a resource group

Remove resource groups manually on the Azure Portal.
! IMPORTANT
Removing a resource group deletes all resources associated in the resource group.
Before removing a resource group, verify that this resource group contains no resource that other
resource group depends upon.
2. On the left-side menu, click Resource groups.
The Resource groups page appears.
3. Select a resource group to be removed, click Delete on the top bar of the Resource groups
page.
Azure removes the selected resource group from the Azure account.
! IMPORTANT
Delete deployments to prevent the number of deployments per resource group to reach its
limit.
As part of the garbage collection tasks, Rubrik cluster deletes deployments with a prefix
“import-vm*” from the resource group being used to launch the transient compute instance and
user instances. Rubrik cluster deletes these deployments to avoid reaching the limit of 800
deployments per resource group and prevent instantiation failures.
As a result, Rubrik cluster also deletes non-Rubrik deployments with the same prefix of
“import-vm*” in the same resource group used for CloudOn that are already in a terminated state.
According to Microsoft, there is no impact of deleting deployments that are in a terminated state.
Information on resource group limits can be found on:
https://docs.microsoft.com/en-us/azure/azure-subscription-service-limits#resource-group-limits
Chapter 14
Amazon EC2 Instance Backup
This chapter describes how to protect and manage the data in Amazon EC2 instances.
 Overview ............................................................................................................... 465
 Amazon EC2 instance protection .............................................................................. 465
 Configuring an AWS account and user...................................................................... 467
 Adding an AWS account .......................................................................................... 470
 Managing an existing AWS account .......................................................................... 472
 Assigning an SLA to an Amazon EC2 instance ........................................................... 473
 Excluding EBS volumes ........................................................................................... 473
 Taking an on-demand snapshot ............................................................................... 474
 Restoring Amazon EC2 instance snapshots ............................................................... 475
 Downloading files or folders from snapshots ............................................................. 476
Rubrik CDM Version 5.0 User Guide Amazon EC2 Instance Backup 464
Overview
Rubrik clusters enable the management and protection of Amazon Elastic Compute Cloud (Amazon
EC2) instances.
Table 95 describes the data management and protection features that a Rubrik cluster provides for
Amazon EC2 instances.
Table 95 Data management and protection provided for Amazon EC2 instances
Feature Description
Amazon EC2 instance Takes snapshots of Amazon EC2 instances.
backup
Indexing Enables file search and download within snapshots of Amazon EC2
instances.
Restore to different region Enables restoring an Amazon EC2 instance snapshots to regions other than
their original region.
Note: Amazon EC2 instances created by using a disk deployed from the AWS Marketplace do not
support indexing.
Protecting Amazon EC2 instances requires the AWS credentials for the account that owns the
instances.
Amazon EC2 instance protection

A Rubrik cluster provides protection for Amazon EC2 instances through either individual
assignment of the Amazon EC2 instance to an SLA Domain or through automatic protection.
Automatic protection occurs when the Amazon EC2 instance derives the SLA Domain assignment
of an associated AWS account.
The Rubrik cluster provides flexibility in the protection assignments made for Amazon EC2
instances. Amazon EC2 instances that are protected by individual assignment can be set to Do Not
Protect or can be set to inherit a protection setting.
An automatically protected AWS account can contain an individual Amazon EC2 instance that has
no protection.
The Rubrik cluster also permits protecting some of the EBS volumes on an Amazon EC2 instance
while designating other EBS volumes on the Amazon EC2 instance as unprotected.

A Rubrik cluster provides automatic protection of Amazon EC2 instances through inheritance of
the SLA Domain assigned to a parent object.
The automatic protection mechanism simplifies assigning protection to large numbers of Amazon
EC2 instances and provides an easy method to uniformly assign specific SLA Domains to groups of
functionally similar Amazon EC2 instances.
protection.

set of rules.
A Rubrik cluster applies protection to an Amazon EC2 instance using the following rules:
associated AWS account.
Example 14 Automatic protection rules applied

To show the impact of automatic protection on the protection settings of an Amazon EC2 instance,
consider the following fictitious environment:
• Amazon EC2 instance is newly discovered and no protection has been assigned.
• Amazon EC2 instance is owned by AWS account A. AWS account A has no assigned
protection.
Administrator assigns the SLA Domain named ClusterProtection to A:
The Amazon EC2 instance inherits the ClusterProtection assignment (Rule Two).
Administrator individually assigns the Amazon EC2 instance to the Gold SLA Domain:
The Amazon EC2 instance is protected by the Gold SLA Domain (Rule One).
Rubrik CDM Version 5.0 User Guide Amazon EC2 instance protection 466
Configuring an AWS account and user

An AWS account requires a particular configuration in order for a Rubrik cluster to protect the
Amazon EC2 instances owned by that account. The Rubrik CDM also requires a user account
created within the AWS account with the proper privileges.
Configuring the AWS account security policy

The AWS account that owns the Amazon EC2 instances requires a specific security policy to enable
Rubrik to protect the instances.
1. Log in to the AWS account.
The Create Policy workspace opens with the Visual Editor tab active.
5. Click the JSON tab.
The JSON text editor appears.
! IMPORTANT
In the next step, pay close attention to the JSON formatting, including opening and
closing braces and brackets.
Rubrik CDM Version 5.0 User Guide Configuring an AWS account and user 467
6. Paste the following text into the JSON editor:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:AttachVolume",
"ec2:CopyImage",
"ec2:CreateImage",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DeleteKeyPair",
"ec2:DeleteVolume",
"ec2:DescribeVpcs",
"ec2:DetachVolume",
"ec2:ImportImage",
"ec2:RunInstances",
"ec2:TerminateInstances"
],
"Resource": "*"
}
]
}
7. (Optional) For an Amazon EC2 instance that contains encrypted volumes, add the following
section immediately following the “Statement”: [ line:
{
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKey",
"kms:ReEncryptTo",
"kms:DescribeKey",
"kms:CreateGrant",
"kms:ReEncryptFrom"
],
"Resource": [
"arn:aws:kms:<region>:<accountId>:key/<keyId>",
"arn:aws:kms:<region>:<accountId>:key/<keyId>"
]
},
Enter the correct region, account ID, and key ID for each encrypted volume in the “Resource”:
section.
8. Click Review Policy.
9. In Name, type a name for the policy.
10.(Optional) In Description, type a description for the policy.
11.Click Create policy.
AWS creates the security policy and returns to the policy list page.
Configuring the Rubrik CDM user

The Rubrik cluster requires a dedicated user account within the AWS account in order to protect
the Amazon EC2 instances.
1. Log in to the AWS account.
3. Click Users.
The list of users appears
4. Click Add user.
5. Enter a name for the user.

6. Select Programmatic Access in the “Select AWS access type” section.
A list of all the available policies in the AWS Account appears.
9. Select the policy created in Configuring the AWS account security policy.
10.Click Next: Review.
AWS creates the user and a success message appears.
12.Click Download .csv.
The browser downloads a CSV file that contains the Access Key and Secret Key for the new
user.
The Rubrik user account is now ready to provide the Rubrik cluster with access to the Amazon EC2
instances to protect.
Adding an AWS account

To protect Amazon EC2 instances, add the AWS account that owns the instances to the Rubrik
cluster.
2. On the left-side menu, click Cloud Workloads.
3. Under Cloud Workloads, click EC2 Instances.
The Instances tab appears.
4. Click Add AWS Account.
The Add Cloud Source dialog box appears.
5. In the Credentials tab, enter the following information:
• A name for the cloud source
• The AWS access key
• The AWS secret key
6. Select the regions that contain the instances to protect.
Rubrik CDM Version 5.0 User Guide Adding an AWS account 470
7. (Optional) Click the Indexing tab.
Note: Searching for a file within a cloud native snapshot and file-level recovery from a cloud
native snapshot require indexing.
8. (Optional) Move the slider to the right to enable indexing for a region.
9. (Optional) For each region with indexing enabled, select a VPC ID, Subnet ID, and Security
Group ID.
Note: The Rubrik cluster must be able to connect to instances in the selected VPC. Verify that
ports 2002 is open.
10.Click Add.
The Rubrik cluster connects to the AWS account and fetches a list of the Amazon EC2 instances in
the specified regions. The Rubrik cluster refreshes this list every 180 minutes. The Instances tab
displays the following summary information about the Amazon EC2 instances associated with the
AWS accounts that are added to the cluster:
Table 96 : Amazon EC2 Instance summary information
Column Description
Instance ID The unique identifier of the instance.
Instance Name The instance name.
Instance Type The Amazon EC2 type of the instance
Account The account that owns the instance.
Region The region of the instance.
SLA Domain The name of the SLA protecting the instance.
Assignment Specifies whether the SLA was assigned directly or inherited
from an account-wide SLA.
To search for a specific instance, enter a search string in the ‘Search by Name or Instance ID’ field.
To filter the list of instances by region, assigned SLA, or SLA assignment type, select a filter from
the drop-downs at the top right of the list.
Rubrik CDM Version 5.0 User Guide Adding an AWS account 471
Managing an existing AWS account

Details for AWS accounts that are added to the Rubrik cluster can be updated at any time. AWS
accounts can be assigned an SLA that is inherited by new instances created by that account.
4. Click Accounts.
The Accounts tab appears.
5. Select the account to manage.
To search for a specific account, enter a search string in the ‘Search by Name or Instance ID’
field. To filter the list of accounts by assigned SLA or SLA assignment type, select a filter from
the drop-downs at the top right of the list.
6. (Optional) To manage the account, click the ellipsis at the top right of the page.
The list of management options appears.
7. (Optional) Select a management option:
• Select Edit to update the account information.
• Select Delete to remove the account from the Rubrik cluster.
• Select Refresh to refresh the list of instances that are associated with the account.
8. (Optional) Click Manage Protection.
9. (Optional) Select an SLA from the list.
To search for a specific SLA, enter a search string in the ‘Search SLA domains’ field.
To create a new SLA domain, click the + button. See Creating a custom SLA Domain for
information on creating SLA domains.
10.(Optional) Click Submit.
The selected AWS accounts update with the new information.
Rubrik CDM Version 5.0 User Guide Managing an existing AWS account 472
Assigning an SLA to an Amazon EC2 instance

An individual Amazon EC2 instance can be assigned a specific SLA or inherit the SLA assigned to
the account that owns the instance. This procedure assigns an individual SLA.
4. Select an Amazon EC2 instance.
To search for a specific instance, enter a search string in the ‘Search by Name or Instance ID’
field. To filter the list of instances by region, assigned SLA, or SLA assignment type, select a
filter from the drop-downs at the top right of the list.
6. Select an SLA from the list.
7. Click Submit.
The instance is now protected by the selected SLA domain.
Excluding EBS volumes

Amazon EC2 instances can include EBS volumes that do not need to be protected. The Rubrik
cluster can be configured to ignore specified EBS volumes in an Amazon EC2 instance while
protecting the other EBS volumes in that Amazon EC2 instance.
Excluding EBS volumes from the protection assigned to an instance

When backups are not required for some of the EBS volumes of an Amazon EC2 instance, exclude
those EBS volumes from backups.
1. In the Rubrik CDM web UI, on the left-side menu, click Cloud Workloads > EC2 Instances.
Rubrik CDM Version 5.0 User Guide Assigning an SLA to an Amazon EC2 instance 473
Note: To go directly to the page for a specific Amazon EC2 instance, type the name of the
instance in the search box on the top bar of the Rubrik CDM web UI and select the instance
2. In the Name column, click the name of an Amazon EC2 instance.

To help find Amazon EC2 instances, use the filters, sort the entries by column heading, or use
the search field. Finding protection objects describes these tools.
The instance details page for the selected Amazon EC2 instance appears.
3. Open the ellipsis menu on the top bar of the local host page and select Exclude Volumes.
The Exclude Volumes dialog box appears.
4. Select the EBS volumes to exclude.
5. Click Exclude.
The Rubrik cluster excludes the selected EBS volumes from all future backups of the Amazon EC2
instance.
Taking an on-demand snapshot

An on-demand snapshot of an Amazon EC2 instance is a backup taken outside of the
specifications in the SLA that protects the instance.
4. In the Name column, click an instance name.
The Overview, Snapshots, and Status cards appear for that instance.
6. Select an SLA from the list.
Rubrik CDM Version 5.0 User Guide Taking an on-demand snapshot 474

tracks the status of the on-demand backup task. The Rubrik cluster manages the snapshot based
on the rules and policies of the selected SLA Domain.
Restoring Amazon EC2 instance snapshots

A snapshot of an Amazon EC2 instance can be restored to the original region or exported to a new
region.
5. In the Snapshots card, click on the date of the snapshot to restore.
Search in indexed snapshots by entering a filename string in the ‘Search by File Name’ field.
After selecting a date, a list of snapshots taken on that date appears in the Snapshots card.
6. Click the ellipsis next to the snapshot to restore.
7. Select the option that matches the desired restore type:
• Restore directly restores an instance snapshot, effectively rolling the instance back to the
time of the snapshot.
The restore job is queued.
• Export creates a new instance based on the snapshot. This new instance can be in the
original region or a new region.
8. (Export snapshot only) In the Export Snapshot dialog box, enter the following information:
• Name of the instance
• Instance type
• Region of the snapshot export
• Subnet
9. Click Export.
Rubrik CDM Version 5.0 User Guide Restoring Amazon EC2 instance snapshots 475
The Rubrik cluster queues the restore or export of the snapshot.
Downloading files or folders from snapshots

A snapshot of an Amazon EC2 instance can make individual files or folders available for download
when indexing is enabled.
5. In the Snapshots card, click on the date of the snapshot to restore.
Search in indexed snapshots by entering a filename string in the ‘Search by File Name’ field.
After selecting a date, a list of snapshots taken on that date appears in the Snapshots card.
6. Click the ellipsis next to the snapshot to restore.
7. Select Recover Files.
The Recover Files dialog appears.
8. Select the files to restore.
To search for files, enter a string in the ‘Search Files’ field.
9. Click Finish.
A download link for the files or folders appears.
10.Click the download link.
The files or folders are downloaded to the local system.
Rubrik CDM Version 5.0 User Guide Downloading files or folders from snapshots 476
Chapter 15
File Systems
This chapter describes how to protect and manage the data in the file systems of Linux, Unix, and
Windows hosts, and for NAS shares.
 Overview ............................................................................................................... 478
 Rubrik Backup Service software ............................................................................... 481
 Host management .................................................................................................. 488
 NAS host management............................................................................................ 491
 Filesets .................................................................................................................. 494
 Host filesets and share filesets................................................................................. 503
 Storage array integration......................................................................................... 506
 Backup scripts for Linux, Unix, or Windows hosts ...................................................... 507
 Local host pages and local share pages .................................................................... 509
 Data recovery from a host fileset or share fileset....................................................... 513
 Full Volume Protection for Windows ......................................................................... 520
 Unmanaged data .................................................................................................... 528
Rubrik CDM Version 5.0 User Guide File Systems 477

File Systems
Overview
A Rubrik cluster provides management and protection of file system data for supported Linux,
Unix, and Windows hosts, and for NAS shares. For Linux and Windows hosts, the supported
operating systems can be running on physical hardware or on a supported virtual machine. For
Unix, the supported operating systems can be running on physical hardware.
Table 97 describes the data management and protection features that a Rubrik cluster provides for
file systems.
Table 97 Data management and protection provided for file systems
Feature Description
Filesets Define the data to manage and protect by specifying paths, path segments,
and file types to include, exclude and exempt from exclusion.
Valid fileset path statements must begin with one of the following:
• Slash (/)
• Backslash (\)
• A single uppercase or lower case alpha character followed immediately by
a colon. For example, C:, e:, and so forth
Use wildcard characters to represent one or more characters in a path or path
segment.
Multiple filesets per host Refine protection by creating several different filesets for a host and assigning
each host fileset to an individually selected SLA Domain.
Filesets stored on Pure Back up filesets stored on Pure Storage FlashArray volumes on AIX hosts.
Storage volumes on AIX
hosts
SLA Domains Protect host filesets with the same SLA Domain functionality that is provided
for other workload types, including SLA rules and policies.
Backup indexing Backup indexes data from a host fileset during ingest. This enables full file
level search and browse of the backed up data when it is on the local Rubrik
cluster, on the replication target, or at the archival location.
Replication Assign a host fileset to an SLA Domain that has a replication policy and the
data backed up from that fileset is replicated according to that policy.
Archiving Assign a host fileset to an SLA Domain that has an archival policy and the
data backed up from that fileset is archived according to that policy.
Restore to original location Search or browse the indexed host fileset backup to find and restore files and
folders to the original location on the source host.
Export to a new location Search or browse the indexed host fileset backup to find and export files and
folders to a known host running the same operating system variant (Linux,
Unix, or Windows), or NAS type.

File Systems
Hosts and shares combined with filesets

For Linux, Unix, and Windows hosts, a Rubrik cluster provides data protection for file systems
through the pairing of the host with a fileset to form a host fileset. For NAS hosts, the Rubrik
cluster pairs a fileset with a NAS share to form a share fileset.
A single host or share can be paired with multiple filesets, and each host fileset or share fileset can
be assigned to a different SLA Domain. This provides the ability to apply different SLA rules to
each host fileset or share fileset.
Protection work flow for host filesets

To protect file system data on a Linux, Unix, or Windows host, complete the protection work flow.
The file system data protection work flow for Linux, Unix, and Windows hosts is:
1. Obtain and install the Rubrik Backup Service software on the host.
2. Add the host to the Rubrik cluster.
3. Create a fileset that defines the data to protect.
4. Assign the fileset to the host.
5. Assign the host fileset to an SLA Domain.
Protection work flow for storage array filesets

To protect file system data stored on Pure Storage FlashArray volumes on AIX hosts, complete the
protection work flow.
1. Add the storage array to the Rubrik cluster.
2. Obtain and install the Rubrik Backup Service software on the primary host and any alternate
backup hosts (one alternate backup host can be designated for each fileset).
The AIX hosts must use Fibre Channel ports to connect to the Pure Storage array.
3. Add each host to the Rubrik cluster.
4. Create an array-enabled fileset that defines the data to protect.
5. Assign the fileset to an SLA Domain.
Protection work flow for share filesets

To protect file system data on a NAS host, complete the protection work flow.

File Systems
The file system data protection work flow for NAS shares is:
1. Add the NAS host to the Rubrik cluster.
2. Add the NAS share to the Rubrik cluster.
3. Create a fileset that defines the data to protect.
4. Assign the fileset to the NAS share.
5. Assign the share fileset to an SLA Domain.
File system metadata

A fileset backup preserves the metadata that existed on the data source at the time of the backup.
When the data is restored, or exported, the Rubrik cluster includes the preserved metadata with
the data.
Table 98 describes the metadata that is preserved and included.
Table 98 Metadata preserved and include in restores and exports
Host type Preserved and included metadata
Linux Modification time (mtime), user ID (uid), group ID (gid), and permissions
Unix (AIX)
Solaris
NAS (NFS)
Windows Modification time (mtime), access time (atime), creation time (ctime), NTFS file attributes,
NAS (SMB) and access control list (ACL).
Note: The Rubrik cluster cannot access owner information for files when backing up a NAS
(SMB) share. When files are restored to the NAS (SMB) share, the Rubrik cluster sets the
owner of the files to be the account that is used to access the NAS (SMB) share. The Rubrik
cluster restores the originals of all other metadata, including the ACL.
Symbolic links and junctions

The Rubrik cluster does not follow symbolic links or junction points during a fileset backup.
When a symbolic link is included in a fileset, the Rubrik cluster backs up the symbolic link as a file.
The Rubrik cluster does not follow the link and does not back up the file or folder that the symbolic
link points to. The file or folder that a symbolic link points to must be directly included in a fileset
to be backed up.
Windows hosts and NAS hosts that use SMB use NTFS junction points as symbolic links to
directories. The Rubrik cluster backs up a junction point as a file. The Rubrik cluster does not
follow the junction and does not back up the directory that is referenced by the junction. To back
up a directory that is referenced by a junction, include that directory in a fileset.

File Systems
Open files
The operating system of the host determines how a Rubrik cluster handles files that are open at
the time of a fileset backup.
For Linux and Unix hosts, the Rubrik cluster backs up open files in the open state. Files that are
backed up in an open state can potentially be inconsistent.
For Windows hosts, the Rubrik cluster uses the Volume Shadow Copy Service (VSS). When the
Rubrik cluster successfully uses VSS, open files are backed up in a consistent state. When the
Rubrik cluster is unable to successfully use VSS, open files are not included in the backup.
Direct Archive
The protection of very large data sources can make challenging requirements on the storage of a
Rubrik CDM cluster. Because Direct Archive makes use of large-scale external archival storage,
snapshot replication is unavailable for data objects that use Direct Archive. The indexed metadata
for directly archived data objects is stored on the Rubrik cluster. The availability of the indexed
metadata enables the use of Rubrik CDM search and reporting features.
Direct Archive is available for Windows, Linux, and NAS filesets that are protected by an SLA that
specifies an archival location. The Rubrik CDM cluster does not apply the local retention settings of
the SLA to filesets that use Direct Archive. Archival consolidation is a best practice for optimizing
the storage use at the archival location. See Enabling archival consolidation for details.
Rubrik Backup Service software

The Rubrik Backup Service provides the Rubrik cluster with the ability to manage data on Linux,
Unix, and Windows hosts.
Note: The Rubrik cluster does not require the Rubrik Backup Service to protect data on NAS
shares.
The Rubrik Backup Service software can be downloaded directly from the Rubrik cluster when it is
needed, or the software can be downloaded once and pushed to hosts that are protected by that
cluster, as needed.
For Windows, the Rubrik cluster uses the same Rubrik Backup Service software for both file
system protection and protection of SQL Server databases.
Rubrik CDM Version 5.0 User Guide Rubrik Backup Service software 481
File Systems
! IMPORTANT
obtained.
2. On the left-side menu, select the path that is appropriate for the host operating system.
• For Linux, AIX, or Solaris, click Servers & Apps > Linux & Unix Hosts.
The Linux & Unix Hosts tab of the Linux & Unix Hosts page appears.
• For Windows, click Windows Hosts.
3. Click the button that is appropriate for the host operating system.
• For Linux, AIX, or Solaris, click Add Hosts.
The Add Hosts dialog appears.
• For Windows, click Add Windows Hosts.
The Add Windows Hosts dialog appears.
File Systems
4. In the text of the dialog, click the link that is appropriated for the host operating system.
• For Linux distributions that support the RPM package manager, click rpm.
• For Linux distributions that support the Debian Package package manager, click deb.
• For AIX 6.1, click 6.1.
• For Solaris 10 or 11, click tar.gz.
• For Windows, click Rubrik Backup Service.
A browser-specific dialog appears to enable saving the package file.

Obtain the Rubrik Backup Service software directly by URL. The Rubrik cluster provides direct URL
links for the software package for Linux hosts and the software package for Windows hosts.
obtained.
2. Access the URL that is appropriate for the host operating system.
• For Linux distributions that support the RPM package manager, use:
https://<RubrikCluster>/connector/rubrik-agent.x86_64.rpm
• For Linux distributions that support the Debian Package package manager, use:
https://<RubrikCluster>/connector/rubrik-agent.x86_64.deb
• For AIX 6.1, use:
https://<RubrikCluster>/connector/rubrik-agent-aix6.1.pcc.rpm
File Systems

• For Solaris 10 or 11, use:
https://<RubrikCluster>/connector/rubrik-agent-sunos5.10.sparc.tar.gz
• For Windows, use:
A browser-specific dialog appears to enable saving the package file.
Installing the Rubrik Backup Service software on a Linux or Unix host

Install the Rubrik Backup Service software on a Linux or Unix host to provide the Rubrik cluster
with the ability to manage data on the host.
Before you begin — Check that the most up-to-date Unix or Linux version of the Rubrik Backup
Service software for the correct Rubrik cluster is available in a temporary location that the host can
access.
1. Open a terminal session on the host.
2. Copy the software package to a temporary location on the host.
3. Change the working directory to the location of the package.
4. Use sudo to run the package manager command that is appropriate for the Linux, AIX, or
Solaris distribution and downloaded package type.
Note: If sudo access is unavailable, log in as root to run the package manager command.
• For Linux distributions that support the RPM package manager, run:
sudo rpm -i rubrik-agent.x86_64.rpm
• For Linux distributions that support the Debian Package package manager, run:
sudo dpkg -i rubrik-agent.x86_64.deb
• for AIX 6.1, run:
sudo rpm -ivh rubrik-agent-aix6.1.pcc.rpm
File Systems
• For AIX 7.1, run:

• For AIX 7.2, run:
• For Solaris 10 or 11, run:
$ tar xvf rubrik-agent-sunos5.10.sparc.tar
$ cd rubrik-agent-<version>-sparc/
$ ./install-rubrik
The package manager installs the Rubrik Backup Service software.
Note: The Rubrik Backup Service software can also be push installed on multiple hosts using
automation software, such as Puppet or Chef.
Next task — Add the hosts that are running the Rubrik Backup Software to the Rubrik cluster.

Installing the Rubrik Backup Service software on a Windows host

Install the Rubrik Backup Service software on a Windows host to provide the Rubrik cluster with
the ability to manage data on the Windows host.
File Systems

 Check that the most up-to-date Windows version of the Rubrik Backup Service software for the
correct Rubrik cluster is available in a temporary location that the Windows host can access.
 Choose or create an account to run the Rubrik Backup Service software, as described in
1. Copy RubrikBackupService.zip to a temporary directory on the Windows host.
! IMPORTANT
Package.
The Rubrik Backup Service software can also be push installed on multiple Windows hosts
using automation software, such as Puppet or Chef.
4. (Optional) Change the account used to run the Rubrik Backup Service.
Account used to run the Rubrik Backup Service on a Windows host describes the account
requirements.
Note: The default LocalSystem account does not provide sufficient privileges to permit the
Rubrik Backup Service to access data on network shares.
Next task — Add the Windows hosts that are running the Rubrik Backup Software to the Rubrik
cluster.
Removing the Rubrik Backup Service from a Linux or Unix host

When the Rubrik Backup Service is no longer required on a Linux or Unix host it can be removed
by using standard package manager commands.
File Systems
Note: Removing the Rubrik Backup Service from a host also removes the connection between the
host and the Rubrik cluster. The Rubrik cluster designates any retained host filesets as relics. Use
the Snapshot Retention page to manually manage the relics, as described in Retention
Management.

2. Use sudo to run the package manager command that is appropriate for the Linux, AIX, or
Solaris distribution and downloaded package type.
Note: If sudo access is unavailable, log in as root to run the package manager command.
• For Linux and AIX distributions that support the RPM package manager:
sudo rpm -e rubrik-agent
• For Linux distributions that support the Debian Package package manager:
sudo dpkg -P rubrik-agent
The package manager removes the Rubrik Backup Service software. The Rubrik cluster designates
any retained host filesets as relics.
Removing the Rubrik Backup Service from a Solaris host

When the Rubrik Backup Service is no longer required on a Solaris host it can be removed by using
standard package manager command, $ pkgrm RBKagnt.
Note: Removing the Rubrik Backup Service from a host also removes the connection between the
host and the Rubrik cluster. The Rubrik cluster designates any retained host filesets as relics. Use
the Snapshot Retention page to manually manage the relics, as described in Retention
Management.
1. Stop the bootstrap and backup agent services.

2. Remove the bootstrap and backup services subsystem definition from the subsystem object
class.
3. Remove the cron tab entries from system.
4. Remove the files from /usr/bin/rubrik.
5. Remove the files from /etc/rubrik except followings:
• /etc/rubrik/conf/uuid (so if agent rpm is reinstalled the host uses the same UUID).
• /etc/rubrik/keys/
File Systems

between the Windows host and the Rubrik cluster. The Rubrik cluster designates any retained host
filesets as relics. Use the Snapshot Retention page to manually manage the relics, as described in
Retention Management.
retained host filesets as relics.
Host management
After installing the Rubrik Backup Service software on a Linux, Unix, or Windows host, add the
host to the Rubrik cluster.
removes that host from the Linux & Unix Hosts tab or the Windows Hosts tab. A removed host
cannot be paired with a fileset and cannot be a target of an export. The Rubrik cluster moves the
existing host filesets of the removed host and all associated backups to the Snapshot Retention
page.
Rubrik CDM Version 5.0 User Guide Host management 488

File Systems
Adding a host
To begin managing and protecting a Linux, Unix, or Windows host, add the host to the Rubrik
cluster.
Before you begin — Obtain and install the Rubrik Backup Service software on each host that will
be added.
3. Click the button that is appropriate for the host operating system.
• For Linux, AIX, or Solaris, click Add Hosts.
The Add Hosts dialog appears.
• For Windows, click Add Windows Hosts.
The Add Windows Hosts dialog appears.
Linux and Unix hosts must be added in the Add Hosts dialog. Windows hosts must be added in
the Add Windows Hosts dialog.
5. Click Add.
The Rubrik cluster checks connectivity with the specified hosts and adds the hosts.
Editing the stored information for a host

When the IPv4 address or hostname of a host changes, the associated host entry should be edited
to provide the new address or hostname.

File Systems
3. Click the selection box next to the host.
4. Open the ellipsis menu, and select Edit.
The Edit Linux & Unix Host or the Edit Windows Host dialog appears. The dialog provides the
address or hostname that the Rubrik cluster has stored for the host.
5. Delete the existing information and type the new address or hostname.
The typed value must be an IPv4 address or a resolvable hostname.
6. Click Update.
The Rubrik cluster checks connectivity using the new host information and stores the information.
Removing a host
Delete a Linux, Unix, or Windows host from the Rubrik cluster.
3. Click the selection box next to a host.
A warning dialog appears.
5. Click Delete.
The Rubrik cluster removes the host from the Linux & Unix Hosts tab or the Windows Hosts tab.
The Rubrik cluster moves all the existing filesets for the host to the Snapshot Retention page.
The Rubrik cluster retains the backups and archival backups for filesets on the Snapshot Retention
page for the length of time specified by the retention SLA. The Rubrik cluster removes a host
fileset from the Snapshot Retention page when all the backups associated with the host fileset
have been manually deleted.

File Systems
Deleting snapshots for a data source describes how to manually delete the backups that are
associated with a fileset on the Snapshot Retention page.
NAS host management

The Rubrik cluster manages and protects data in NAS shares through the NAS host. Provide
connection information to the Rubrik cluster to add the NAS host.
When the NAS host uses access control, the Rubrik cluster must be provided with the credentials
of a user account that has sufficient privileges. To perform backups of a share fileset on the NAS
host the account must have the READ privilege for all the files and folders in the fileset. To restore
data into a share location the account must have the WRITE privilege for that location.
The credentials for account with the required privileges can be provided to the Rubrik cluster in
the NAS host connection information.
Alternatively, the account used for the NAS host connection can be granted only the privilege that
is required to view the shares on the NAS host. With this approach the READ/WRITE privileges for
a share fileset can be provided at the share fileset level.
Required Isilon privileges

The Rubrik CDM requires an account on the Isilon appliance with a specific set of privileges in
order to access the OneFS API. These privileges are listed in Table 99.
Table 99 Isilon OneFS privileges
Privilege Access level
Platform API Read-only
Auth Read-only
Cluster Read/Write
Job Engine Read/Write
NFS Read/Write
SMB Read/Write
Snapshot Read/Write
Rubrik CDM Version 5.0 User Guide NAS host management 491
File Systems
Adding a NAS host

Add a NAS host to the Rubrik cluster so that the data in the shares on the device can be managed
and protected.
Note: For Isilon appliances configured with multiple access zones, configure each zone as a
separate host.

2. On the left-side menu, click Servers & Apps > NAS Shares.
The NAS Shares page appears, with the Shares tab selected.
3. Click the Hosts tab.
The All NAS Hosts view appears.
4. Click Add NAS Host.
The Add NAS Host dialog appears, with the IP or Hostname menu selected.
5. In IP or Hostname, type the IPv4 address or resolvable hostname of the NAS host.
6. (Optional) On the left-side menu, click Share Credentials.
7. (Optional) In Domain, type the authentication domain for the user account that provides
access to the NAS host.
8. (Optional) In Username, type the name of a user account that provides access to the NAS
host.
9. (Optional) In Password, type the password for the specified user account.
10.(Optional) On the left-side menu, click Vendor API Credentials.
11.(Optional) In Host Type, select either Generic, Isilon or NetApp.
12.(Isilon only) Enter the username in the Isilon OneFS Username field.
13.(Isilon only) Enter the password in the Isilon OneFS Password field.
14.(Isilon with multiple access zones only) Enter the IPv4 address of the hostname or IPv4
address of the system zone in the System Zone Hostname or IP field.
Note: If the hostname or IPv4 address entered in step 5 is the hostname or IPv4 address of
the system zone, this step is optional.
15.(Optional, Isilon with multiple access zones using a release of the OneFS API prior to version 8)
Enter the name of the non-system zone associated with the system zone in the Non-System
Zone Name field.
File Systems
16.(NetApp only) Type the NetApp Username and NetApp Password.

17.(Isilon only) Generate the CA Certificate on the Isilon host, then copy and paste into the CA
Certificate field for TLS certificate validation
18.(NetApp only) Generate the CA Certificate on the NetApp host, then copy and paste into the
CA Certificate field for TLS certificate validation.
19.Click Add.
The Rubrik cluster adds the NAS host. The shares on the NAS host become available in the Add
NAS Share workflow.
20.With the Shares tab selected, click Add NAS Share.
The Add Share overview page appears.
21.Select a host to add Share to, and click Next.
The Add Share details page appears.
22.In Share Type, select either NFS or SMB.
23.(NFS Share only) Type the NFS Path, Domain name, Username, and Password.
24.(SMB Share only) Type the SMB Share Name, Domain name, Username, and Password.
25.Click Finish.
The Rubrik cluster adds the share to the NAS host.
Editing the stored information for a NAS host

When the connection information for a NAS host changes, the associated host entry should be
edited to provide the new information.
4. Open the ellipsis menu for the NAS host, and select Edit.
The Edit NAS Host dialog appears.
6. Click Update.
The Rubrik cluster checks connectivity using the new host information and stores the information.
File Systems
Removing a NAS host

Delete a NAS host from the Rubrik cluster.
5. Click Delete.
The Rubrik cluster removes the host from the NAS Hosts tab. The Rubrik cluster moves all the
existing share filesets for the NAS host to the Snapshot Retention page.
The Rubrik cluster retains the backups and archival backups for filesets on the Snapshot Retention
page for the length of time specified by the retention SLA. The Rubrik cluster removes a share
fileset from the Snapshot Retention page when all the backups associated with the share fileset
have expired.
Deleting snapshots for a data source describes how to manually delete the backups that are
associated with a fileset on the Snapshot Retention page.
Filesets
A fileset defines a set of files and folders on a host or NAS share. The Rubrik cluster uses the
filesets that are assigned to a host or share to determine the data to manage and protect.
Fileset fields, rules, and value types

The Rubrik cluster interprets a fileset based on the values provided in the Include, Exclude, and
Do Not Exclude fields. The Rubrik cluster applies a set of rules to the values provided in these
fields and permits several types of values to be added to the fields.
A fileset accepts full paths, path segments, and filename portions to define the objects to include,
exclude, and exempt from exclusion. The Do Not Exclude values specify objects that should not be
excluded from the fileset by the Exclude values.
Table 100 describes the fileset fields that the Rubrik cluster combines into a fileset definition.
These fields are common to all host types.
Table 101 describes additional fields that are available for some, but not all, host types.
Rubrik CDM Version 5.0 User Guide Filesets 494

File Systems
To specify the folders and files that are included in a fileset, type values into the Include, Exclude,
and Do Not Exclude fields. The Rubrik cluster can apply several different types of rules to several
different types of values.
Table 102 describes the rules that apply to fileset descriptions for all host types.
Table 103 describes the rules that apply to fileset descriptions for specific host types.
Table 104 describes the types of values that the Rubrik cluster accepts for fileset descriptions.
Example 15 and Example 16 provide examples that uses several different types of values.
Table 100 Fileset fields common to all host types
Field Required Description
Include Yes Comma-separated set of full path descriptions, path segments, and file
types, to include in the data specified by the fileset. Requires at least one
entry.
Exclude No Comma-separated set of full path descriptions, path segments, and file
types, to exclude from the data specified by the Include field.
Do Not Exclude No Comma-separated set of full path descriptions, path segments, and file
types, to exempt from the exceptions specified by the Exclude field. Paths
and files specified by this field will not be excluded from the data specified
by the Include field. Requires at least one value in Exclude.
Table 101 Fileset fields specific to some host types

Field Host type Description
Follow Network Shares Linux and By default, the Rubrik cluster does not include file systems that
Unix are mounted on a Linux or Unix host from a network share, for
example by using a protocol such as: NFS or SMB. Select Follow
Network Shares to override this default behavior and include
network shared file systems in the fileset.
Note: To address a network share that is mounted on a Windows
host, the Rubrik Backup Service requires the UNC path of the
network share, for example: \\networkshare\folder
Enable Backup of Linux, Unix, For Linux and Unix hosts, this option appears when Follow
Hidden Folders and NAS Network Shares is selected, and is enabled by default.
For Linux and Unix hosts, and for NAS, clear this setting to
exclude hidden folders from the fileset.
Note: On a Windows host, the Rubrik cluster backs up all hidden
files and system files that are within a fileset description.
Enable Pre/Post Scripts Linux, Unix, Select to configure a script to run before the backup and a script
and to run after the backup.
Windows

File Systems
Table 102 Fileset description rules common to all host types

Rule Description
Character set UTF-8
Wildcard – single asterisk: * Directory level wildcard. Substitute for zero or more
characters up to a directory delimiter.
Wildcard – double asterisk: ** Recursive wildcard, includes files in the specified
directory and all sub-directories. Substitute for zero
or more characters including directory delimiter
characters.
Multiple wildcards in a path description Allowed
Space characters in folder names Allowed
Single dot Not allowed. Indicates a reference to the current
directory.
Double dot Not allowed. Indicates a reference to the parent
directory.
Table 103 Fileset description rules specific to host types

Rule Linux, Unix, and NAS (NFS) Windows and NAS (SMB)
Case sensitivity Case sensitivea Case insensitive
Path delimiter Forward slash character: / Backslash character: \
Start of a file path File paths can be full or partial. A full File paths can be full or partial.
path starts with a forward slash. Paths Windows host – A full path starts with a
cannot include the single dot (.) or drive letter, a colon, and a back slash, e.g.
double dot (..) elements. C:\.
NAS share (SMB) – A full path starts with
a backslash.
Paths cannot include the single dot (.) or
double dot (..) elements.
End of a file path Paths that do not end with a single Paths that do not end with a single
asterisk (specifying all the contents of asterisk (specifying all the contents of the
the last named folder) are modified to last named folder) are modified to add \**
add /** to the end of the path. This to the end of the path. This includes all
includes all files and folder beneath the files and folder beneath the last specified
last specified folder. folder.
Network mounts Linux and Unix hosts – Select Follow Windows host – Specify the UNC path for
Network Shares and specify the full a network share, e.g.
path to the mount point. \\networkshare\folder or
NAS share (NFS) – Does not apply. \\192.168.1.64\folder. To get all shares of a
host, specify the host directly, e.g.
\\hostname\\**.
NAS share (SMB) – Does not apply.

File Systems
a. The mount or mount.cifs command can include the ‘nocase’ option. This option causes case insensitive path
name matching for the paths on the network share. Fileset rules applicable to a network share with the
‘nocase’ option should account for the case insensitivity.
Table 104 Value types

Category Linux, Unix, and NAS (NFS) Windows and NAS (SMB)
Paths Path description of a specified directory. Path description of a specified directory.
Paths that end in a directory include the Paths that end in a folder include the
specified directory and everything specified folder and everything
hierarchically beneath it. hierarchically beneath it.
Path descriptions must use the forward Path descriptions must use the backslash
slash character as the directory delimiter. character as the directory delimiter.Paths
Paths cannot include the single dot (.) or cannot include the single dot (.) or double
double dot (..) elements. dot (..) elements.
Path descriptions can include multiple Path descriptions can include multiple
single, or double, asterisk wildcards. single, or double, asterisk wildcards.
Path Segments Path description that does not start with a Path description that does not start with a
forward slash. The Rubrik cluster matches backslash. The Rubrik cluster matches the
the path segment wherever it occurs in the path segment wherever it occurs in the
directory hierarchy and presumes the full directory hierarchy and presumes the full
path from root to each occurrence. path from the root of the system drive to
Path segments that end in a directory each occurrence.
include the specified directory and Path segments that end in a directory
everything hierarchically beneath it. include the specified directory and
Path segments must: everything hierarchically beneath it.
• Start without a forward slash character. Path segments must:
• Use the forward slash character as the • Start without a backslash character.
directory delimiter. • Use the backslash character as the
Path segments can include multiple single, directory delimiter.
or double, asterisk wildcards. Path segments can include multiple single,
or double, asterisk wildcards.
File matching Use a portion of a filename with wildcards Use a portion of a filename with wildcards to
to match specific groups of filenames. match specific groups of filenames.
Specify a file type by using a single asterisk Specify a file type by using a single asterisk
wildcard and a file name extension. For wildcard and a file name extension. For
example, to include all PDF files, add *.pdf example, to include all PDF files, add *.pdf
as an entry in the Include field.a as an entry in the Include field.a
a. A file name extension indicates the file type, but does not determine the file type with certainty. The Rubrik
cluster does not look at file signatures (magic numbers) to ascertain file type.

File Systems
Example 15 Linux or Unix fileset with Include, Exclude, and Do Not Exclude
A Linux or Unix fileset is specified with the following values:
Include: /usr/local/**, /home/**
Exclude: /usr/local/tmp, /home/tmp, *.mov
Do Not Exclude: /home/tmp/logs/**, company*.mp4
The fileset defines the following protection rules:
• Protect the folder /usr/local and all that it contains, excluding the folder /usr/local/tmp and
its subfolders, and excluding any file with a filename that ends in .mov, but including any files
in /usr/local/tmp or its subfolders that have a filename that starts with company and ends
with .mp4.
• Protect the folder /home and all that it contains, excluding the folder /home/tmp and its
subfolders, and excluding any file with a filename that ends in .mov, but including the contents
of /home/tmp/logs and all of its subfolders and including any files in /home/tmp or its
subfolders that have a filename that starts with company and ends with .mp4.
Example 16 Windows fileset with Include, Exclude and Do Not Exclude

A Windows fileset is specified with the following values:
Include: C:\Users\**,E:\Working Files\*, \\archive\shared
Exclude: C:\Users\AppData\**, \\archive\shared\*\personal\**
Do Not Exclude: **\logs\**, company*.mp4
The fileset defines the following protection rules:
• Protect the folder C:\Users, everything it contains, and everything hierarchically beneath it and
excluding anything contained by C:\Users\AppData, but including back in the fileset any files
contained in any folder named logs and any MP4 files with a filename that starts with the string
company and ends with the string .mp4.
• Protect the contents of the folder E:\Working Files but do not include any data that is in
folders that are hierarchically beneath E:\Working Files.
• Protect the contents of the SMB mounted drive folder \\archive\shared and everything
hierarchically beneath it, excluding anything contained by a folder named personal that is
contained in a folder directly beneath \\archive\shared, but including back in the fileset any
files contained in any folder named logs and any MP4 files with a filename that starts with the
string company and ends with the string .mp4.

File Systems
Creating a fileset
Create a fileset to define a set of data in a file system. A fileset can be assigned to a host to
protect the data set specified by the fileset on that host.
2. On the left-side menu, click a choice based on the host type:
• Servers & Apps > Linux & Unix Hosts.
• Servers & Apps > Windows Hosts.
• Servers & Apps > NAS Shares.
The Shares tab of the NAS Shares page appears.
3. Click Filesets.
The Filesets tab appears.
4. Click Add Fileset.
The Add Fileset dialog appears.
5. In Fileset Name, type a unique name for the fileset.
6. (NAS shares only) In Share Type, select either NFS or SMB.
7. In Include, type a comma-separated list of values.
Fileset fields, rules, and value types provides information about acceptable values and how the
Rubrik cluster interprets the values.
8. (Optional) In Exclude, type a comma-separated list of values.
The Rubrik cluster uses the values in Exclude to determine which folders and files to remove
from the fileset defined by the Include values.
9. (Optional) In Do Not Exclude, type a comma-separated list of values.
The Rubrik cluster uses the values in Do Not Exclude to determine which folders and files to
include back into the fileset from the folders and files removed based on the values in Exclude.
10.(Linux and Unix only) (Optional) Select Follow Network Shares.
Select to have the Rubrik cluster include in the fileset network shares that are mounted on the
Linux or Unix host.

File Systems
11.(Linux, Unix, and NAS) In Enable Backup of Hidden Folders, do one of the following:
• Select to include hidden folders in the fileset.
• Clear to exclude hidden folders from the fileset.
For Linux and Unix hosts, this field only appears when Follow Network Shares is selected.
12.(Linux, Unix, and Windows) (Optional) Click Enable Pre/Post Scripts, and complete the
following fields:
• (Optional) Type a path to a script in Pre-Backup Script Path
• (Optional) Enable Cancel Backup if Pre-Backup Script Fails
• (Optional) Type a path to a script in Post-Backup Script Path
Backup scripts for Linux, Unix, or Windows hosts provides information about these fields.
13.Click Add.
The Rubrik cluster creates and stores the fileset.
Editing a fileset
Edit a fileset to change the set of data that the fileset defines. The Rubrik cluster applies the
changes to the fileset backups that are created after the change.
3. Click Filesets.
4. (Linux, Unix, and Windows) Select a fileset entry, open the ellipsis menu at the top of the page,
and select Edit.
5. (NAS) Open the ellipsis menu next to a fileset entry, and select Edit.
The Edit Fileset dialog appears.

File Systems
6. Make changes to the values of the fields.

7. Click Update.
The Rubrik cluster modifies the fileset. Fileset changes apply to backups that occur after the
changes.
Deleting a fileset from a host or share

Delete the association between a fileset and a host or share to stop SLA Domain protection of the
selected host fileset or share fileset. Choose whether to move the host fileset or share fileset and
all associated backups to the Snapshot Retention page, or to permanently delete the fileset and all
associated backups.
3. In the Name column, click a host or share name.
The local page for the host or share appears.
4. On the Filesets card, select a fileset.
The local fileset page for the selected host fileset or share fileset appears.
The Delete Fileset dialog appears.
6. Choose how to handle the existing backups of the host fileset or share fileset.
• Select Transfer Snapshots to Relic to move the fileset and associated backups to the
Snapshot Retention page.
• Select Expire Snapshots Immediately to delete the fileset and all associated backups.
7. Click Delete.
The Rubrik cluster deletes the fileset from the host or share and handles the backups as specified.

File Systems
Deleting a fileset globally

Delete the association between a fileset and all hosts or shares that use that fileset to stop
protecting those hosts or shares through the fileset. Choose whether to move the associated
filesets and associated backups to the Snapshot Retention page or to permanently delete the
associated filesets and associated backups.
3. Click Filesets.
4. Select a fileset.
The Delete Fileset dialog appears.
6. (For assigned filesets only) Choose how to handle the existing backups of all associated host
filesets.
• Select Transfer Snapshots to Relic to move the host filesets and associated backups to
the Snapshot Retention page.
• Select Expire Snapshots Immediately to delete the host filesets and all associated
backups.
7. Click Delete.
The Rubrik cluster deletes the fileset from all associated hosts or shares and handles the backups
as specified.

File Systems
Host filesets and share filesets

The combination of a fileset with a host creates a protection object referred to as a host fileset.
The combination of a NAS share with a fileset creates a protection object referred to as a share
fileset.
A host fileset or share fileset is an object that can be assigned to an SLA Domain for policy-based
protection, and can be manually protected through an on-demand backup.
A host or share can be paired with several different filesets, with each host fileset or share fileset
protecting a different set of data. Each of the host filesets or share filesets can be assigned to a
different SLA Domain, permitting different levels of protection for each set of data.
Protecting a host fileset or share fileset

Create a host fileset or share fileset by pairing a fileset with a host or share. Assign the host fileset
or share fileset to an SLA Domain to protect the data in the host fileset or share fileset.
 Add the Linux, Unix, Windows, or NAS host to the Rubrik cluster.
 Add a Linux, Unix, Windows, or NAS fileset to the Rubrik cluster.
3. Click the selection box next to a host or share.
Select multiple hosts or shares to apply the same fileset and SLA Domain to each selected host
or share.
For NAS shares, to select multiple shares, all shares selected must use the same protocol,
either NFS or SMB.
The Manage Protection dialog appears with the first step of the task indicated in the task flow
at the top of the dialog: Select Fileset.
Rubrik CDM Version 5.0 User Guide Host filesets and share filesets 503
File Systems
5. Select an existing fileset, or click the blue + icon to create a new fileset.
Creating a fileset describes how to create a new fileset. After creating a new fileset, the
Manage Protection dialog appears again. Select the new fileset.
6. Click Next.
The Manage Protection dialog changes to show the second step of the task indicated in the
task flow at the top of the dialog: Assign SLA.
7. Select an existing SLA Domain, or click the blue + icon to create a new SLA Domain.
Creating a custom SLA Domain describes how to create a new SLA Domain. After creating a
new SLA Domain, the Manage Protection dialog appears again. Select the new SLA Domain.
8. (Optional) To enable Direct Archive for the fileset, select Direct Archive.
Direct Archive is only available when the fileset is assigned to an SLA that specifies an archival
location.
9. Click Finish.
The Rubrik cluster creates the selected host filesets or share filesets and assigns them to the
selected SLA Domain.
Starting an on-demand backup of a host fileset or share fileset

Start an on-demand backup of a host fileset or a share fileset.
3. In the Name column, click a host name or share name.
The local cards for the host appear, Overview, Snapshots, and Filesets.
The Take On Demand Snapshot dialog appears.
File Systems
5. Select the fileset to use for the on-demand backup, and click Next.
The Take On Demand Snapshot dialog changes to show the second step of the task indicated
in the task flow at the top of the dialog: Assign SLA.
The Rubrik cluster uses the rules and policies of the selected SLA Domain to manage the
on-demand snapshot. The selected SLA Domain can be different from the SLA Domain that
protects the associated host fileset or share fileset.
To manually manage the on-demand snapshot through the Snapshot Retention page, select
Forever.
Removing protection for a host fileset or share fileset

Remove SLA Domain protection from a host fileset or share fileset.
3. Depending on the host type, do one of the following:
• For Linux, Unix, and Windows hosts, in the Name column, click a host name.
• For NAS hosts, in the Path column, click the path for a share.
The local page for the host appears.
4. In Filesets, click the name of a fileset.
The fileset page appears.
File Systems

A warning appears.
6. Click Continue Anyway.
The Manage Protection dialog appears.
7. Select No SLA.
8. Click Submit.
The Rubrik cluster removes SLA Domain protection from the selected host fileset or share fileset.
Storage array integration

Files stored on file systems hosted by storage array volumes can be integrated with a Rubrik
cluster. With storage array integration, a Rubrik cluster performs the ingestion phase of the backup
operation on an array-enabled fileset located on the primary host or on an alternate backup host.
Note: Using an alternate backup host for file ingestion frees up resources on the primary host.
Filesets that use array integration differ from regular filesets in that the Rubrik cluster ingests files
from a storage array snapshot mounted at the primary host or an alternate backup host, rather
than from the original file system.
Adding an array-enabled fileset

Add a fileset to the primary host or an alternate backup host, and indicate that the fileset is
array-enabled.
Note: A fileset’s logical volumes must belong to volume groups whose physical volumes map to
storage array volumes.
1. In the Rubrik CDM web UI, on the left-side menu, click Servers & Apps > Linux & Unix
Hosts.
2. Select the host from the list.
The host can be the primary host or an alternate backup host.
4. Click the blue plus icon to create a new fileset to apply to this host.
5. In the Fileset Name field, enter a name for the fileset.
File Systems
6. Click the slider switch for Array Snapshots to indicate that the fileset is stored in a storage
array.
7. In the Include field of the Rules section, provide a comma-separated list of the mount points
for all logical volumes to be protected.
Get the mount points by opening a terminal window and entering lsvg -l
<volume_group_name>
8. (Optional) Click Enable Pre/Post Scripts and specify paths to the scripts.
9. (Optional) Choose whether to cancel the backup if the pre-backup script fails.
10.Click Add.
Backup scripts for Linux, Unix, or Windows hosts

A fileset can be configured to start scripts on a Linux, Unix, AIX, Solaris, or Windows host before
and after backups. Use this feature to put a Linux, Unix, AIX, Solaris, or Windows host in a specific
state before a backup, and change that state after a backup. For example, run a pre-backup script
to quiesce applications before a backup, and run a post-backup script to restore applications to
their normal running status after the backup.
Note: The Rubrik cluster does not require a post-backup script with a pre-backup script; however,
a post-backup script cannot be specified without a pre-backup script.
The pre-backup script and the post-backup script can consist of any sequence of operations that
can be run by the command line interpreter of the host operating system. On a Windows system,
for example, the script filename must have the .cmd or .bat extension, and the Windows
command line interpreter, cmd.exe, must be able to execute the script.
The Rubrik cluster associates host scripts with a fileset. This way, a different set of pre-backup and
post-backup scripts can be assigned to each fileset that is assigned to a host. The Rubrik cluster
applies the script settings of a fileset to all the hosts that are paired with the fileset.
Configure backup script behavior

The Rubrik cluster can be configured to start a pre-backup script on a host and wait for the script
to finish before starting a backup.
Note: By default, a backup is performed whether the pre-backup script finishes successfully or
not.
Rubrik CDM Version 5.0 User Guide Backup scripts for Linux, Unix, or Windows hosts 507
File Systems
In addition, the Rubrik cluster can be configured to run a post-backup script on the host after a
backup finishes successfully. If the backup does not complete successfully, the Rubrik cluster does
not run the post-backup script.
If the backup is set to occur whether or not the pre-backup script passes (the default behavior),
consider creating a post-backup script to handle the case where the pre-backup script fails.
To override the default behavior so the backup is only performed if the pre-backup script is
successful, enable Cancel Backup if Pre-Backup Script Fails.
Enabling host scripts

Configure the Rubrik cluster to run a script before and, optionally, after the backup of host fileset.
Note: Pre-backup and post-backup script support does not apply to NAS hosts.
Before you begin — Create a pre-backup script and, optionally, a post-backup script. Place the
scripts at the same full path location on each host that is associated with the script settings of the
fileset.
1. Open the Add Fileset dialog or the Edit Fileset dialog by starting the task of creating or editing
a fileset.
• Creating a fileset describes how to create a fileset
• Editing a fileset describes how to edit a fileset
2. Click Enable Pre/Post Scripts.
The script fields appear.
3. In Pre-Backup Script Path, type the full path for the pre-backup script.
The full path is relative to the root of a Linux or Unix host file system or to the specified drive
letter of a Windows file system.
4. (Optional) Select Cancel Backup if Pre-Backup Script Fails.
When Cancel Backup if Pre-Backup Script Fails is selected, the Rubrik cluster only runs a
backup when the pre-backup script finishes with a zero exit status.
5. (Optional) In Post-Backup Script Path, type the full path for the post-backup script.
The full path is relative to the root of a Linux or Unix host file system or to the specified drive
letter of a Windows file system.
6. Complete the other fields on the dialog, and click Add or Update.
Rubrik CDM Version 5.0 User Guide Backup scripts for Linux, Unix, or Windows hosts 508
File Systems
The Rubrik cluster stores the information and runs the scripts for all subsequent backups of hosts
that are paired with the fileset. The Rubrik cluster provides entries in Notifications for any errors
that occur when running the scripts.
Local host pages and local share pages

The local host pages and local share pages provide detailed information about the protection of
host filesets and share filesets. The pages also provide access to actions for host filesets and share
filesets.
The local pages provide the following sections:
 Overview card
 Snapshots card
 Filesets card
The local pages also provide access to a page for each fileset that is assigned to the host or share.
Viewing the local page

Access a local page to view information about a host or share and the associated filesets.
Rubrik CDM Version 5.0 User Guide Local host pages and local share pages 509
File Systems
Viewing a fileset page

View a page with information for a specific host and fileset combination.
4. In Filesets, click the name of a fileset.
The fileset page appears.
Overview card in the local view

The Overview card in the local view provides the information that is described in Table 105.
Table 105 Overview card in the local view
Field Description
Oldest Snapshot Timestamp for the oldest backup associated with the filesets of the host or share.
When the SLA Domain has an active archival policy, the oldest backup resides at the
archival location.
Latest Snapshot Timestamp for the most recent successful backup for the filesets of the host or share.
Total Snapshots Total number of retained backups for the filesets of the host or share, including both the
local Rubrik cluster and any archival location.
Missed Snapshots Number of policy-driven backups that did not complete successfully for the filesets of
the host or share. A missed backup is included in the count until the period since the
SLA Domain policy required the backup exceeds the retention period of the SLA
Domain.
File Systems
Filesets card
The Filesets card in the local view provides the information that is described in Table 106.
Table 106 Filesets card in the local view
Field Description
Name Name of the fileset. Click the name to open the fileset view for that fileset.
SLA List of the SLA Domains that are protecting the fileset. When an entry is abbreviated,
hover over the entry to see the full value in a tool tip. Click an entry to open the SLA
Domain page.
Includes List of the values in Include for the fileset. When an entry is abbreviated, hover over the
entry to see the full value in a tool tip.
Excludes List of the values in Exclude for the fileset. When an entry is abbreviated, hover over the
entry to see the full value in a tool tip.
Do Not Exclude List of the values in Do Not Exclude for the fileset. When an entry is abbreviated, hover
over the entry to see the full value in a tool tip.
Snapshots card
The Snapshots card provides the ability to browse the backups that reside on the local Rubrik
cluster and on the archival location.
In the local view, the Snapshots card shows the backups for all filesets of the host or share. In the
fileset view, the Snapshots card shows only the backups for the selected fileset.
The Snapshots card provides access to backup information through a series of calendar views.
Each view uses color spots to indicate the presence of backups on a date and to indicate the
status of SLA Domain compliance for that date.
The Snapshots card also provides the ability to search for files across all the backups of the filesets
or fileset in the current view.
represents.
Color Status
Green All backups required by SLA Domain policy were successfully created.
Orange All backups required by SLA Domain policy were successfully created but at least one backup
caused a warning.
Red At least one backup required by SLA Domain policy was not successfully created.
File Systems
View Description
Year The Year view displays backup creation information for an entire year. A color spot indicator on a
specific date indicates backup activity, and displays the SLA Domain compliance status for that
day.
Month The Month view displays backup creation information for an entire month. A color spot indicator on
a specific date indicates backup activity, and displays the SLA Domain compliance status for that
day.
Day The Day view displays the individual backups that were created on the selected day.
Overview card in a fileset view

The Overview card in the fileset view provides the information that is described in Table 109.
Table 109 Overview card in a fileset view
Field Description
SLA Domain Name of the SLA Domain that manages the protection of the selected fileset.
• Host • Name or IP address of the host.

• Share • Path of the share.
Includes Description of the Include value for the fileset. Hover over the field to see the full
description.
Excludes Descriptions of the Exclude value and the Exempt value for the fileset. Hover over the
field to see the full descriptions.
Oldest Snapshot Timestamp for the oldest backup associated with the selected host fileset.
When the SLA Domain has an active archival policy, the oldest backup resides at the
archival location.
Latest Snapshot Timestamp for the most recent successful backup of the selected host fileset.
Total Snapshots Total number of retained backups for the selected host fileset, including both the local
Rubrik cluster and any archival location.
Missed Snapshots Number of policy-driven backups that did not complete successfully. A missed backup
is included in the count until the period since the SLA Domain policy required the
backup exceeds the retention period of the SLA Domain.
File Systems
Data recovery from a host fileset or share fileset

Recover data from backups of host filesets or share filesets.
File system data that is backed up through a host fileset or share fileset can be recovered in any of
the following ways:
 Restore a file, a folder, or a full fileset to the source host or source share.
 Export a file, a folder, or a full fileset to another known host or share.
 Download a file, a set of files, a folder, or a full fileset through the Rubrik CDM web UI.
Select files and folders to restore, export, or download by using either the search method or the
browse method.
Searching for a file, a folder, or a fileset

Use search to find data to restore from a backup.
 Assign a fileset to a host or share.
 Complete at least one successful backup of the host fileset or share fileset.
4. (Optional) To limit the search to a single host fileset, on the Filesets card, click the name of a
fileset.
The fileset page appears and the search is confined to the selected fileset.
Rubrik CDM Version 5.0 User Guide Data recovery from a host fileset or share fileset 513
File Systems
A search matches the string of characters entered in the search field with the same string in
any portion of the pathname of a folder or file. Continue to type characters until the file or
folder appears in the results.
The Choose Version dialog appears.
7. Find a file or folder version to recover.
Next task — Restore or export the file or folder version.
Browsing for a file, a folder, or a fileset

Browse a host fileset backup to find data to restore.
 Assign a fileset to a host or share.
 Complete at least one successful backup of the host fileset or share fileset.
4. (Optional) To limit the search to a single host fileset, on the Filesets card, click the name of a
fileset.
The fileset page appears and the available backups are confined to the selected fileset.
File Systems
5. Use the Snapshots card to navigate to a specific backup.

6. Open the ellipsis menu next to the backup, and click Recover Files.
The Recover Files dialog appears. The initial view shows the fileset.
7. (Optional) Click the fileset name to navigate to the files and folders in the fileset.
Next task — Restore, export, or download the files, folder, or fileset version.
Restoring a file, a folder, or a fileset

Restore a file, a folder, or a fileset to the source host.
Before you begin — Use search to find a file version or a folder version to restore. Or use browse
to find a file, a folder, or a fileset to restore.
Note: To restore an entire fileset, use the browse method to find and select a specific backup of
the host fileset or share fileset.
1. Open the ellipsis menu for the selected data, and select Restore.
The selected data can be a file, a folder, or a complete fileset.
The Restore dialog appears.
2. Choose where to restore the data.
• Select Overwrite original to restore the folder or file to the original location, replacing the
existing source file, folder, or fileset data.
• Select Restore to separate folder to restore the file, folder, or fileset data to another
folder on the source host. This option does not replace the existing folder or file.
3. (Restore to separate folder only) In Folder Name, type the full path for a folder on the source
host.
Note: Do not type the original path of the source folder or file. When Restore to separate
same name.
The restore path must exist on the source host. The Rubrik cluster will create a specified target
folder but will not create intermediary folders on the specified path.
File Systems
4. (Optional) Select Continue on restore errors.

Select this option to instruct the Rubrik cluster to continue the restore job after encountering a
restore error. A restore error occurs when a file, folder or symlink cannot be restored.
Clear this option to instruct the Rubrik cluster to end the restore job when a restore error
occurs. Files that were successfully restored before the error occurred remain on the restore
target.
5. Click Restore.
The Rubrik cluster restores the selected object to the specified location. The Activity Log tracks the
status of the task.
Export path
When a backup copy of a file, folder, or fileset is exported, the Rubrik cluster writes the exported
data to a location on the target host.
The location where the data is written consists of the path on the target that is provided through
the Export Path value combined with the path of the exported object relative to the root of the
backup.
The path specified in Export Path must already exist on the target. The Rubrik cluster will create
the rest of the path, starting at the specified Export Path value, if it does not already exist.
For a Linux or Unix host, or for a NAS share (NFS), the root directory can be specified by a single
forward slash character.
For a Windows host, the root directory of a drive can be specified by the drive letter, a colon, and
a backslash. For example, specify the root of the ‘D’ drive with:
D:\
For a NAS share (SMB), the root directory of the share can be specified by a single backslash
character.
Example 17, Example 18, and Example 19 provide examples of the final target location for exports
to a Linux or Unix host, a Windows host, and a NAS share (SMB).
File Systems
Example 17 Exporting a file from a fileset backup of a Linux or Unix host

A fileset backup of a Linux or Unix host includes the test_example file. The full path of
test_example on the source host is:
/usr/local/tmp/test_example
Case 1: The value specified in Export Path is:
/
The Rubrik cluster writes the file to the following path on the target host:
/usr/local/tmp/test_example
/usr/local/tmp
/usr/local/tmp/usr/local/tmp/test_example
Example 18 Exporting a file from a fileset backup of a Windows host

A fileset backup of a Windows host includes the test_example.txt file. The full path of
test_example.txt on the source Windows host is:
C:\Users\Atom\testing\test_example.txt
C:\
C:\Users\Atom\testing\test_example.txt
G:\testing\temp
G:\testing\temp\C_\Users\Atom\testing\test_example.txt
File Systems
Example 19 Exporting a file from a fileset backup of a NAS share (SMB)

A fileset backup of a NAS share (SMB) includes the test_example.txt file. The full path of
test_example.txt relative to the root of the source NAS share is:
\temp\test_example.txt
\
The Rubrik cluster writes the file to the following path relative to the root of the target NAS share:
\temp\test_example.txt
\testing\temp
\testing\temp\temp\test_example.txt
Showing hidden files on Windows hosts

Hidden files and folders on a source Windows system are restored and exported as hidden files
and folders. To view these files and folders, change the setting in the source before backup or on
the restored files and folders.
Prior to exporting the Windows fileset snapshot at the drive level, change the following settings on
your Windows system to show the hidden target directory. This action allows you to view the
target directory drive where the Windows fileset snapshot is exported to the drive level.
1. Navigate to the Windows Control Panel > File Explorer Options > View.
2. Clear the Hide protected operating system files (Recommended) option.
3. When prompted, click Yes to confirm.
4. Click OK.
File Systems
Exporting a file, a folder, or a fileset

Export a file, folder, or fileset backup to another host.
Before you begin. Use search to find a file version or a folder version to export. Or use browse to
find a file, a folder, or a fileset to export.
Note: To export an entire fileset, use the browse method to find and select a specific backup of
the host fileset or share fileset.
1. Open the ellipsis menu for the selected data, and select Export.
The selected data can be a file, a folder, or a complete fileset.
The Export dialog appears and lists the available export targets.
2. In the Name section, select a host or share.
3. In Export Path, type the full path for a folder on the selected host or share.
The folder must already exist. The Rubrik cluster writes the exported data into the specified
folder.
In the path description, use the directory delimiter for the type of operating system. For Linux,
Unix, and NAS (NFS), use a forward slash: /. For Windows and NAS (SMB), use a backslash: \.
4. Click Export.
The Rubrik cluster writes the selected data to the export target at the location indicated by the
export path. The Activity Log tracks the status of the task.
Downloading files or a folder from a fileset snapshot

Search or browse for a set of files, a folder, or a fileset and download the selected items.
1. Search or browse for a set of files, a folder, or a fileset.
2. Select the files, folder, or fileset.
The local page for the fileset appears.
3. Click a date with a snapshot from the calendar. Dates with snapshots are marked with a dot.
The Snapshots card displays the list of snapshots for the selected date.
4. Click the ellipsis next to the snapshot to restore and select Recover Files.
The Recover Files dialog appears at the first task: Select files.
5. Click the name of the fileset
The root directory of the fileset appears.
File Systems
6. Navigate the fileset directory tree to the files to download.

7. Select the files to download.
The selected items appear in the right hand pane of the Recover Files dialog.
8. Click Next.
The Recover Files dialog advances to the next task: Recover Files.
9. Select Download as the recovery type.
10.Click Finish.
The local page for the fileset appears. A message in the Activity Log pane at the bottom
appears when the download link is ready.
11.Click the download link message in the Activity Log pane.
The Activity Detail dialog appears.
12.Click the download icon.
The Save As dialog appears in the web browser.
13.Select a download location for the file, and click Save.
14.(Folder or multiple files only) Extract the folder using a ZIP utility.
Full Volume Protection for Windows

A Rubrik cluster can protect a group of drives on a physical Windows server. In addition to the
data protection provided by fileset backup, Full Volume Protection protects the following
information:
 File system type
 Volume size
Note: Indexing is only supported for NTFS volumes.
Full Volume Protection does not preserve the following attributes:

 The Master Boot Record (MBR)
 The GUID Partition Table (GPT)
 The host IP address.
Rubrik CDM Version 5.0 User Guide Full Volume Protection for Windows 520
File Systems
Protecting Windows volumes

Protecting Windows volumes uses the Rubrik Backup Service on a Windows host to create a
Virtual Hard Drive (VHD) file.
The following prerequisites are required for protecting Windows volumes:
 Communication between the Rubrik Backup Service and the Rubrik cluster uses the SMB
protocol. Port 445 must be open to permit inbound SMB connections to the Rubrik cluster.
 Windows 2016 hosts must be joined to a domain.
 Windows 2012/2008 hosts must be joined to a domain, or the local administrator account can
be used for RBS.
Note: Volumes can only be restored an identical or later OS. For example, Windows Server 2012
R2 volumes cannot be restored to a Windows Server 2008 R2 host.
Before you begin. Add the Windows host to the Rubrik cluster using the procedure in Adding a
host.
2. On the left-side menu, click Servers & Apps > Windows Hosts.
The Windows Hosts tab of the Windows Hosts page appears, listing the Windows hosts on the
Rubrik cluster.
3. Select the selection box next to a host.
The Manage Protection dialog box appears with the first step of the task indicated in the task
flow at the top of the dialog box: Volumes & Filesets.
5. Click Volumes.
6. Select the volumes to protect.
The selected volumes are collectively referred to as a volume group. To search for a specific
volume, enter a string in the Search by Name field.
7. Click Next.
The task flow at the top of the Manage Protection dialog box updates to the next step: SLA.
The dialog box displays a list of available SLAs.
8. (Optional) To create a new SLA, click the blue + icon.
Follow the procedure in Creating a custom SLA Domain.
File Systems
9. Select an SLA for the volume group from the list.

The SLA applies to each volume in the volume group. To search for a specific SLA, enter a
string in the Search SLA domains field.
10.Click Finish.
The selected volume group is protected as a VHD.
Installing the Rubrik Volume Filter Driver on a Windows host

The Rubrik Volume Filter Driver (VFD) is a utility that tracks changes in the individual blocks of a
volume. Installing the VFD can improve the performance of incremental backups of protected
volumes.
Note: Hosts running Windows Server 2008R2 must have Microsoft patch KB3033929 installed
before installing the VFD.
1. Log in to the web UI.

3. In the Name column, select a host name.
4. Click the ellipsis menu and select Install VFD.
The Rubrik cluster installs the VFD to the Windows host.
5. Reboot the Windows host.
The VFD runs in the background to monitor changes in the protected volume.
Taking an on-demand backup of a volume group

An on-demand snapshot of a volume group is a backup taken outside of the specifications in the
SLA that protects the volume group.
3. In the Name column, click a host name.
The Overview, Snapshots, and Status cards appear for that host.
File Systems
The Take On Demand Snapshot dialog box appears with the first step of the task indicated in
the task flow at the top of the dialog box: Volumes or Files.
5. Click Volumes.
6. Select the volumes to protect.
The selected volumes are collectively referred to as a volume group. To search for a specific
volume, enter a string in the Search by Name field.
7. Click Next.
The task flow at the top of the Take On Demand Snapshot dialog box updates to the next step:
SLA. The dialog box displays a list of available SLAs.
8. (Optional) To create a new SLA, click the blue + icon.
Follow the procedure in Creating a custom SLA Domain.
9. Select an SLA for the volume group from the list.
The SLA applies to each volume in the volume group. To search for a specific SLA, enter a
string in the Search SLA domains field.
10.Click Finish.
The selected volume group is protected as a VHD. The Rubrik cluster adds the specified
on-demand backup to the task queue. The Activity Log tracks the status of the on-demand backup
task. The Rubrik cluster manages the snapshot based on the rules and policies of the selected SLA
Domain.
Restoring a Windows volume

A protected volume group can be live mounted for direct access to the snapshot or restored
directly to a host. Protected volume groups can be restored to physical hardware or to a virtual
machine.
Live mounting a volume group on a host with Windows and the RBS installed
When a Windows host has the Rubrik Backup Service (RBS) installed, a snapshot of the protected
volume group can be live mounted to the host for access to the volumes.
File Systems
4. In the Snapshots calendar, select a date with a snapshot.

The list of snapshots for that date appears.
5. Click the ellipsis next to the volume group to restore.
6. Click Mount.
7. Select the volumes in the volume group to restore and click Next.
A list of Window hosts appears.
8. Select the host for the Live Mount.
9. Click Finish.
The Rubrik cluster mounts the selected volumes to the Windows host.
Downloading the Windows recovery tools

Restoring volume groups to hosts without an existing Windows installation or without the RBS
installed makes use of a set of tools provided by Rubrik.
1. Open the Rubrik Support Portal in a browser by navigating to support.rubrik.com.
2. Log in to the support portal.
3. Click Documentation in the top navigation bar.
The Documentation and Downloads page appears.
4. Click Rubrik CDM 4.2 GA.
The Software and Documentation lists for this release appear. These tools remain current for
newer releases.
5. Click the Download link for the WinPE Recovery Tool.
The EULA acceptance window appears.
6. Select the box next to Accept and Download.
7. Click Accept and Download.
A window containing the bmr_restore_scripts.zip file link appears.
8. Click the bmr_4.2GA_scripts.zip file link.
The browser downloads the ZIP file containing the recovery tools. These tools remain current
in the 5.0 release of the Rubrik CDM.
File Systems
The ZIP file contains the scripts and utilities described in Table 110.
Table 110 Windows volume group recovery tools
Item name Description
readme.txt Basic instructions for use
WinPEImageCreation/CreateWinPEImage.ps1 Utility to create the bootable WinPE image
BMR/VolumeDataCopy.exe Block copy utility
BMR/RubrikBMR.ps1 Restore script for hosts without Windows installed
BMR/ForeignDiskImport.bat Component of RubrikBMR.ps1
BMR/modules/BMROperations.psm1 Component of RubrikBMR.ps1
BMR/modules/DiskOperations.psm1 Component of RubrikBMR.ps1
BMR/modules/DiskpartOperations.psm1 Component of RubrikBMR.ps1
BMR/modules/VHDOperations.psm1 Component of RubrikBMR.ps1
Restoring the volume group on a host with Windows installed without RBS
A host with a supported Windows OS installed restores a volume group through the OS
functionality.
Before you begin — Download the Windows recovery tools using the process described in
Downloading the Windows recovery tools.
4. In the Snapshots calendar, select a date with a snapshot.
The list of snapshots for that date appears.
5. Click the ellipsis next to the volume group to restore.
6. Click Mount.
7. Select the volumes in the volume group to restore and click Next.
A list of Window hosts appears.
File Systems
8. Select No Host to create a Samba share without a Live Mount.

9. Click Finish.
The Rubrik cluster mounts the selected volumes.
10.On the left-side menu, click Live Mounts > Windows Volumes.
A list of Live Mounts appears.
11.Hover the cursor on the mounted volume group.
An information box appears, displaying the original mount point, the SMB share path, and the
volume size.
12.Click the SMB share path to copy the path to the clipboard.
13.Launch the Windows Disk Management utility on the recovery target host.
14.Use the Windows Disk Management utility to create disk partitions on the host for each volume
in the volume group.
The partitions must match the sizes of the volumes in the volume group.
15.Select Action > Attach VHD.
A dialog box prompting for the location of the VHD appears.
16.Enter the path of the SMB share of the snapshot being restored.
17.Use the VolumeDataCopy.exe utility to copy data from the attached VHD to the partitions.
The volume group is restored to the Windows host.
Restoring the volume group on a host without Windows

To restore to a host without a Windows OS installation, use the tools downloaded in the
Downloading the Windows recovery tools section to create a bootable Windows Preinstallation
Environment (WinPE) image.
Note: Only volume groups with a volume that contains a supported Windows OS installation can
be restored to a host without a Windows OS installed. The license for the OS being restored must
be available during this process.
Before you begin — Creating the WinPE image requires a computer with a licensed installation of
the Windows Server operating system that is 2012 R2 or later. The computer must have the
Windows Assessment and Deploment Kit (ADK) installed. Download the Windows ADK from
https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install. The WinPE image
File Systems
can be used to restore volume groups from any supported operating system version. Determine
the SMB path of the mounted snapshot of the volume group to restore using the procedure
described in Restoring the volume group on a host with Windows installed without RBS.
1. Copy the BMR and WinPEImageCreation folders to the C:\ drive of the Windows Server
computer.
2. Change to the C:\WinPEImageCreation folder.
3. Run the following command to create the image:
.\CreateWinPEImage.ps1 -version 10 -isopath C:\WinPEISO -utilitiespath
C:\BMR
The WinPE image is created in the C:\WinPEISO directory.
Note: The value of the ‘-version’ parameter is the version of the Windows ADK. The version of
the ADK installed on a system is the name of the folder in C:\Program Files (x86)\Windows
Kits\.
4. Copy the WinPE image from the C:\WinPEISO to boot media.

5. Load the boot media on the target host.
6. Power on the target host.
The host boots from the WinPE image and a command prompt appears.
7. Run the following command:
powershell
A Powershell environment initiates.
8. Change to the C:\utilities directory.
9. Run the following command:
.\RubrikBMR.ps1 -Operation bmr
10.Enter the number of volume groups to restore.
11.Enter the SMB path to the snapshot of the first volume group to restore.
12.Enter user credentials.
13.Enter the drive letter to assign to the new volume.
14.Enter the volume GUID.
15.Repeat steps 11-14 for each volume group to restore.
File Systems
The restore script connects to the SMB shares and copies the data from the volume group
snapshot to the specified volumes on the host.
Unmanaged data

Chapter 16
Oracle Databases
This chapter describes how to protect and manage data from Oracle databases.
 Overview ............................................................................................................... 530
 Adding Oracle hosts and discovering Oracle databases .............................................. 542
 Assigning an SLA Domain to a host or database........................................................ 543
 Backing up databases ............................................................................................. 545
 Backing up logs ...................................................................................................... 546
 Exporting databases................................................................................................ 547
 Exporting tablespaces ............................................................................................. 548
 Live mounting an Oracle database ........................................................................... 549
 Creating an on-demand snapshot............................................................................. 551
 Performing an instant recovery ................................................................................ 552
Rubrik CDM Version 5.0 User Guide Oracle Databases 529

Oracle Databases
Overview
A Rubrik cluster provides backup, recovery and data management for Oracle databases. Rubrik
provides a fully automated backup solution that performs all the necessary tasks end-to-end on its
own.
Rubrik supports both standalone and Real Application Cluster (RAC) deployments of Oracle. Rubrik
clusters auto-discover and protect databases on a standalone Oracle host or RAC.
Apply an SLA Domain policy to the standalone Oracle host or RAC to protect all databases on the
standalone Oracle host or RAC. An SLA Domain policy can also be applied to individual databases.
Based on the SLA Domain policy assigned, the Rubrik cluster processes Oracle database
snapshots, manages retention, storage, replication, and archiving of the snapshots.
Rubrik cluster protects Oracle databases by making use of RMAN incremental merge methodology.
The smallest unit to which Rubrik can apply an SLA Domain is the database. The more granular
tablespaces can be recovered but not individually protected. Oracle records transactions in redo
logs before committing them into the database. Oracle archives these redo logs periodically.
Rubrik then backs up these archived redo logs to enable point-in-time recovery.
Rubrik exports one NFS share for each RMAN channel. Each NFS share is exported from a different
Rubrik cluster node.
For optimal performance, Rubrik recommends setting two channels per node. Depending on the
number of datafiles in the database and the distribution of data across datafiles, adjust the
number of channels per node.
Table 111 describes the data protection and management that a Rubrik cluster provides for Oracle
databases.
Table 111 Data management provided for Oracle databases (page 1 of 2)
Feature Description
Automatic discovery • After installing the Rubrik Backup Service (RBS) software on a
standalone Oracle host or on all nodes of an Oracle RAC cluster, RBS
automatically discovers all running database instances.
• RBS provides this information to the Rubrik cluster and the Oracle
objects appear in the Rubrik CDM web UI.
Automatic upgrade When a new version of the RBS software is available, the Rubrik cluster
automatically upgrades the software on all Oracle hosts and RAC nodes.
SLA Domains • Assign SLA Domains to any discovered Oracle host, RAC, or database.
• If an SLA Domain is assigned to an Oracle host or RAC, all databases
on that host or RAC inherit the SLA Domain.
• SLA retention governs database backup retention.

Oracle Databases
Table 111 Data management provided for Oracle databases (page 2 of 2)

Feature Description
Derived protection • Databases can derive SLA Domain protection through an SLA Domain
assignment made to the Oracle host or RAC.
• Databases added at a later date automatically derive the protection of
the parent object.
Configurable archived redo • For any database, derive the archived redo log backup frequency setting
log backups from the system defaults.
• Configure archived redo log backup frequency and retention through an
SLA Domain assignment.
Replication Based on SLA Domain policy, snapshots and archived redo log backups
can be replicated to another Rubrik cluster.
Archiving Based on SLA Domain policy, snapshots and archived redo log backups
can be archived to a supported archival location.
Point-in-time recovery • A database can be recovered from a snapshot or to a point in time
between snapshots.
• The Rubrik cluster returns the recovered database to the state it was in
at the time specified by the user.
Requirements
A Rubrik cluster provides data protection and management for Oracle databases when specific
requirements are met.
Table 112 describes the system requirements for Oracle database data protection and
management.
Table 112 System requirements for Oracle databases
RMAN Rubrik uses RMAN to perform backup and recovery of Oracle. The required
RMAN scripts are generated automatically.
Shared storage For RAC, only shared storage configuration is supported. Archived redo logs
must also be on shared storage.
Storage system • Oracle data files on an Oracle supported file system
• Oracle data files on Automatic Storage Management (ASM) is only
supported on RAC.
• Back up and restore Oracle data files on a storage system to the same
storage system type, such as file system to file system, ASM to ASM.
Maximum user processes • Set the minimum value of maxuproc to 16384.

Oracle Databases
Migrating from Managed Volumes

Oracle Databases that were previously backed up using Managed volumes can be migrated to use
the automated Oracle Database protection feature going forward.
1. Stop any currently running Managed Volume backup scripts.
2. Delete the managed volume on the Rubrik cluster.
Deleting a managed volume describes how to delete the managed volume.
3. Upon deletion, all Managed Volume snapshots become inactive objects that are no longer
updated.
4. Set up the database to be backed up by the automated Oracle Database protection feature.
Backing up databases describes the process of setting up the database.
Upgrading to Oracle 12c database

When this error "E1104 23:38:04.340907 1030 database.cpp:79] HostRegister Failed to begin
session with error code = 28040 and error message = ORA-28040: No matching authentication
protocol" occur, set SQLNET.ALLOWED_LOGON_VERSION=8 in the
oracle/network/admin/sqlnet.ora file.
When upgrading to Oracle 12c database, the creation of a 10.2.0.5 Oracle RAC database fails
when using Database Configuration Assistant (DBCA). In 12.1, the default value for the
SQLNET.ALLOWED_LOGON_VERSION parameter has been updated to 11. Database clients using
pre-11g JDBC thin drivers cannot authenticate to 12.1 database servers unless
theSQLNET.ALLOWED_LOGON_VERSION parameter is set to the old default of 8.
Auto-discovery of Oracle databases

Rubrik CDM performs automated discovery of Oracle hosts, RAC, and databases.
When RBS is installed on a standalone Oracle hos or RAC node, RBS discovers the databases and
query database metadata.
Observe the following prerequisites.
 Rubrik makes use of a user with SYSDBA privileges to query database metadata. This user is by
default “oracle”. However, this default “oracle” user can be customized on a per host basis
while adding the host or RAC node in the Rubrik cluster.
 Rubrik can discover databases in the OPEN or MOUNTED state only.
 If no database exists on the Oracle host, the user must create an empty /etc/oratab file there.

Oracle Databases
To create the empty file, run the following commands as root:

• touch /etc/oratab
• chown oracle:oinstall /etc/oratab
• chmod 664 /etc/oratab
 In the /etc/oratab file, there must be an entry for ASM with the GRID_HOME path to discover
RAC environments making use of ASM.
 Oracle RAC environments are identified by cluster names.
 Install RBS on all nodes of RAC for Rubrik to discover RAC databases.
The following summarizes the database discovery process. The process involves tasks on the
Oracle host or RAC and on the Rubrik cluster.
1. On the Oracle host or RAC, the root user downloads the signed RBS from the Rubrik cluster.
2. The root user installs the RBS binaries on the standalone Oracle host or on all nodes of Oracle
RAC. The root user registers the Oracle host or RAC along with the local node to the Rubrik
cluster. When the Oracle standalone host or RAC is refreshed, the refresh job also discovers the
Oracle resources on the Oracle standalone host or RAC.
RBS collects information from the RAC or standalone server and sends it to Rubrik cluster, the
list of running instances, the list of all tablespaces, and so on.
3. By default, the database user is “oracle”. If there is a different database user on the system,
specify the username during host registration.
Table 113 describes the information on the Oracle data source page.
Table 113 Oracle data source page details
Tab Details
Hosts/Clusters The page displays:
• Name of the standalone Oracle host or RAC
• Number of RAC nodes on the RAC
• Number of databases on the standalone Oracle host or RAC
• SLA Domain assignment
• Status of host or node connectivity
All databases This page displays:
• Name of the database
• Name of the Oracle RAC cluster or Oracle server that the database
belongs to
• Number of database instances
• Number of tablespaces
• SLA Domain assignment

Oracle Databases
Information on how to add an Oracle host or node and discover Oracle objects can be found in
Adding Oracle hosts and discovering Oracle databases.
SLA Domain managed protection

Assign an SLA Domain to manage and protect the discovered Oracle hosts, Oracle RAC clusters, or
Oracle databases. When an SLA Domain is assigned to a parent host or RAC, all databases inherit
the same SLA Domain policy. This enables policy-driven management of snapshots.
Specifically, SLA Domain assignment governs database backups and SLA retention policy governs
database backup retention.
Information on how to assign an SLA Domain can be found in Assigning an SLA Domain to a host
or database.
Backups of databases and logs

Rubrik CDM protects Oracle data sources with database backups and archived redo log backups.
They are separate jobs running at different frequencies in the Rubrik cluster.
Database backups are governed by SLA assignment. Archived redo log backups are governed by
log backup frequency. Database backup retention is governed by SLA retention, and archived redo
log backup retention is governed by log retention hours.
Rubrik CDM makes use of RMAN that in turn issues commands to perform database backups and
writes database backup files to the Oracle RMAN channels. This activity writes data to the Oracle
database on the Rubrik cluster. Oracle Enterprise version is required to grant the permissions to
support parallel streaming via all channels.
In order to restore a database, database backups and archived redo log backups are required.
When on-demand snapshots are taken, both on-demand database backups and on-demand log
backups are required. The on-demand log backup is mandatory since Rubrik cluster uses it to
collect archived redo logs. When configuring log backup, it is mandatory to configure the log
frequency and log retention.
While the database snapshot is running, Rubrik cluster can still take log snapshots simultaneously.
To be recoverable, Rubrik cluster requires a backup of all the archived redo logs that were
generated over the duration of the database snapshot. If a database snapshot appears as
unrecoverable, verify that an archived redo log snapshot is taken to capture the archived redo logs
generated over the duration on the database snapshot.
Logs are deleted from the source after they are backed up by Rubrik.
If instant archival is configured, logs are archived to the cloud and expired from the cloud in
accordance with the configured log backup retention policy.

Oracle Databases
Database backup
Database backups on a Rubrik cluster use incremental merge. Through NFS, RMAN reads the
previous snapshot and applies the new changes to form a new snapshot.
Make sure the following are available:
 Make sure the database is in the OPEN or MOUNTED state.
 Enable ARCHIVEDLOGMODE on the source databases.
Archived redo log backup

A Rubrik cluster uses the value set for the default archived redo log backup frequency to
determine how frequently to backup the archived redo log for a protected database. This default
value applies to a database unless an override value is directly set for the database or an override
value is set through an SLA Domain assignment.
Information on how to configure database and archived redo log backups can be found in Backing
up databases and Backing up logs.

Oracle Databases
Point-in-time recovery of Oracle databases

Recovery is possible within the recovery range only. The recovery range determines which
database and archived redo log backup is used to recover to a certain point in time.
To recover a database to a selected point in time, the Rubrik cluster uses both of the following:
 Last snapshot created before the selected point in time
 Archived redo log backups created between the time of the snapshot and the selected point in
time
The Rubrik cluster first recovers the database from the snapshot. Then, the Rubrik cluster unrolls
and applies the contents of the logs until the selected point in time is reached.
The closer that the snapshot is to the selected point in time, the shorter the recovery time
objective (RTO) that the process requires. To minimize RTO, assign a database to an SLA Domain
with frequent snapshots.
Supported recovery options are:
 Database recovery to a different standalone Oracle host or RAC that has RBS installed
 Tablespace recovery to the same standalone Oracle host or RAC that has a database
configured
 Files and scripts only
 Live mount to a different standalone Oracle host or RAC
 Instant recovery to the same standalone Oracle host or RAC where the original database is
destroyed
When a database is restored, to resume protection of this database, assign an SLA domain to the
database separately.
Replication and archival

Database snapshots follow the routine replication and archival job according to the SLA Domain
assigned.
Archived redo log backup is a separate job for replication and archival. It is also governed by the
assigned SLA Domain. Archived redo log backup retention determines the following:
 Log backup maximum retention.
 If an instant archival is configured, once the logs are archived to the cloud, the logs becomes
expired from the cloud.
Information on how to configure replication and archival can be found in Replication and
Archiving.

Oracle Databases
Expiry of database and archived redo log backups

Database backups become expired based on the SLA Domain. Archived redo log backups become
expired based on the configured log backup retention, as described in Assigning an SLA Domain to
a host or database. Database backup retention must be longer than log backup retention.
Live mount of Oracle databases

A live mount creates a new database from a point-in-time copy of the source database. Rubrik
cluster mounts the datafiles of the database while the database instance runs on the target
standalone Oracle host or RAC. To trigger a live mount, select a snapshot or any point-in-time
point access from the available range. Datafiles of the database are mounted on Rubrik while the
database instance runs on the target host.
Rubrik supports two live mount options. An automated live mount automates mounting of
datafiles and database instance creation. New databases are added to the oratab file. A database
managed mount only mounts the datafiles and exposes the script to the DBA user to perform
recovery.
A live mount database can be attached to an Oracle database instance on any standalone Oracle
host or RAC that is running the RBS. Transmissions between the Rubrik cluster and the standalone
Oracle host or RAC of the live mount are secured by end-to-end encryption.
Using live mount to access a copy of a database can significantly reduce the RTO for the database.
However, a live mount database should not be used for workloads in excess of ten days. A live
mount database cannot be protected through the Rubrik cluster.
Rubrik enables users to recover databases beyond the retention limits of Oracle RMAN. To restore
database to a point in time that is beyond the RMAN retention settings, live mount an Oracle
database snapshot, mount the channels of that snapshot on the standalone Oracle host or RAC,
and run an RMAN restore from the files on the snapshot.

Oracle Databases
The following prerequisites must be observed:

 RBS is installed on the discovered RAC, standalone server, or RAC nodes. Register the RAC,
standalone server, or the nodes of the RAC cluster with the Rubrik cluster.
 Live mount a RAC database to a RAC, a standalone host to another standalone host, and ASM
storage to ASM storage.
 The source and target must have the same $ORACLE_HOME and the same Oracle version.
 For RAC live mount, the oratab file must have the ASM configuration for the RAC.
 Install RBS and register the target host. Make note of the target host ID. For RAC, make sure to
install the backup on all the nodes.
 Ensure that there is no instance on the target host with the same SID. The live mount script
checks if there is any instance with the same SID running on the target host. The live mount
database is created with the same database name and database SID.
Information on how to configure a live mount can be found in Live mounting an Oracle database.
Export of Oracle databases

Rubrik restores Oracle databases by exporting the database from the backups to a target location.
To trigger an export, select a snapshot or any point-in-time point access from the available range.
Export a copy of a selected recovery point of a database to an Oracle database instance on the
same Oracle host or on another known Oracle host.

Oracle Databases
Rubrik supports two export options. An automated export restores the database files and recovers
the database. Rubrik creates and starts the database instance, and updates the oratab file. A
database-managed export only restores the database files and exposes the RMAN script to recover
the database. The following prerequisites must be observed:
 RBS is installed on the discovered RAC, standalone server, or RAC nodes. Register the RAC,
standalone server, or the nodes of the RAC cluster with the Rubrik cluster.
 Export a RAC database to a RAC, a standalone host to another standalone host, and ASM
storage to ASM storage.
 The source and target must have the same $ORACLE_HOME and the same Oracle version.
 For RAC export, the oratab file must have the ASM configuration for the RAC.
 Take a snapshot of the Oracle database and logs as described above, and make note of the
Rubrik snapshot ID.
 Install RBS and register the target host. Make note of the target host ID. For RAC make sure to
install the backup agent on all the nodes.
 Ensure that there is no instance on the target host with the same SID. The export script checks
if there is any instance with the same SID running on the target host. The exported database is
created with the same database name and database SID.
 Ensure that there is enough memory on the target host to run the database and perform
recovery.
Information on how to export an Oracle database can be found in Exporting databases.
Tablespace recovery
Rubrik supports recovery of a single independent tablespace of a database from the backups. The
recovery is restored back to the source.
To trigger a tablespace recovery, select a snapshot or any point-in-time point access from the
available range. Export of tablespaces automatically restores the tablespace to the selected point
in time.

Oracle Databases
Consider the following requirements when recovering tablespaces.

 Tablespaces are discovered only once. Tablespaces that have changed since the last snapshot
cannot be restored.
 Tablespace recovery requires an Oracle Database Enterprise Edition license with the RMAN
TSPITR feature.
 To ensure a clean RMAN operation, prior to starting a tablespace recovery, manually drop the
tablespace that is being recovered.
 The tablespace export script creates an auxiliary destination directory. This destination
directory must be in a filesystem where the user “Oracle” has permission to create a directory.
 Ensure that the device on which the “auxiliaryDestination” path is created has twice the
amount of free disk space as the tablespace for recovery operations on the target host, to
accommodate the auxiliary database.
 Rubrik cluster supports the recovery of only a single tablespace.
Information on how to export tablespaces can be found in Exporting tablespaces.
Instant recovery of Oracle database

Rubrik supports instant recovery of databases from backups. Instant recovery is a quick way to
recover from a database failure. The recovery recovers the database back to the source and
overwrites the existing database.
Instant recovery is essentially performing a live mount back to the source Oracle server or RAC
cluster. The datafiles of the database are mounted on the Rubrik cluster while the database
instance is recreated on the server. To trigger an instant recovery, select a snapshot or any
point-in-time point access from the available range.
Before triggering an instant recovery, drop the database directory under the Oracle audit folder. To
safeguard against unintended restores, the Rubrik cluster verifies that the database does not exist
in the audit folder. If it exists in the audit folder, the instant recovery will fail. Shut down the
database instances running on the Oracle server or on all RAC nodes. Remove the database, if
required.
An instant recovery replaces the Oracle database with a fully functional point-in-time copy. The
Rubrik cluster shuts down and renames the Oracle database, and assigns the name of the source
Oracle database to the recovered Oracle database. The Rubrik cluster starts the recovered Oracle
database and connects the recovered Oracle database to the source network. The Rubrik cluster is
the data store for the recovered Oracle database.
To gradually move database storage back to the native storage on the database host, the Oracle
live migration feature can be used after Rubrik instant recovery. Note that this operation is
managed externally to Rubrik. Oracle supports live migration of database storage. This can be
triggered for instantly recovered databases.

Oracle Databases
The Rubrik cluster mounts the snapshot on the selected standalone Oracle host or RAC with the
name of source standalone Oracle host or RAC, connects the recovered standalone Oracle host or
RAC to the network, and powers up the standalone Oracle host or RAC.
records the final result of the task in the Activities Log. The Rubrik cluster lists the recovered
Oracle database on the Live Mounts page of the Rubrik CDM web UI.
The instantly recovered Oracle database derives protection from parent objects. When the
recovered Oracle database does not derive protection from any parent objects, add it to an SLA
Domain. To protect it using the same SLA rules and policies as the source Oracle database, add
the recovered Oracle database to the original SLA Domain. Or, add the recovered Oracle database
to another SLA Domain.
Information on how to perform an instant recovery can be found in Performing an instant
recovery.
RMAN channels
A Rubrik cluster protects and manages RMAN backups of Oracle databases. The Rubrik cluster
uses the NFS protocol to export each channel of a database instance. For each database instance,
the Rubrik cluster can share multiple NFS exported channels, normally one from each node of the
Rubrik cluster.
Table 114 provides recommendations for the components that are involved in the Rubrik CDM
protection of Oracle databases.
Table 114 Recommendations for Oracle database protection (page 1 of 2)
Component Recommendation Additional information
Oracle database Database size cannot be greater To perform internal data format
than half the size of the available conversions after a database snapshot,
space on the Rubrik cluster. the Rubrik cluster needs available space
that is two times the size of the database
snapshot. The Rubrik cluster reclaims and
reuses the space after the patching
operation is complete.
Oracle database archived Back up the archived redo logs Backing up archived redo logs and control
redo logs and control files and control files for a database. files to a separate database instance
allows you to configure SLA policies for
those files that are different from the SLA
policies that are configured for the
database.

Oracle Databases
Table 114 Recommendations for Oracle database protection (page 2 of 2)

SLA Domain assignment Assign a database instance to an Assigning a database instance to an SLA
SLA Domain before directing any Domain ensures that the correct data
backups into that database management policies are applied to the
instance. snapshots in that database instance.
When the database instance is not
assigned to an SLA Domain, the Rubrik
cluster assigns the snapshots to the
Unmanaged policy group and does not
expire the snapshots.
Configuration workflow
To enable protection and management of backups of Oracle databases, complete the configuration
workflow in the order specified. The configuration workflow involves tasks on the standalone
Oracle host or RAC and on the Rubrik cluster.
Complete the tasks in the order specified in this workflow. Each workflow stage references a
detailed task, complete the steps in a task before moving to the next stage in the workflow.
1. Install Rubrik Backup Service (RBS) on the Oracle server or all nodes of the RAC clusters.
Rubrik Backup Service software describes how to do this.
2. Add an Oracle host to the Rubrik cluster and discovering Oracle databases.
Adding Oracle hosts and discovering Oracle databases describes how to do this.
3. Assign SLA Domain to discovered Oracle hosts or databases.
Assigning an SLA Domain to a host or database and Assigning RMAN channels to nodes
describe how to do this.
4. Back up databases and logs.
Backing up databases and Backing up logs describe how to do this.
5. Export of databases and tablespace recovery.
Exporting databases and Exporting tablespaces describes how to do this.
Adding Oracle hosts and discovering Oracle databases

To begin managing and protecting Oracle databases, add an Oracle host with Oracle database
instances to the Rubrik cluster.
When RBS is installed on an Oracle host, RBS uses the Oracle Call Interface (OCI) library to
discover the databases and query the details in the database.
Rubrik CDM Version 5.0 User Guide Configuration workflow 542

Oracle Databases
Before you begin — Install RBS on the Oracle server or all node of the RAC clusters.
2. On the left-side menu, click Servers & Apps > Oracle DBs.
The Hosts/Clusters page appears.
3. Click Add Hosts/Nodes.
The Add Hosts/Nodes page appears.
4. (Optional) If RBS has not been installed on the host yet, click rpm or deb to download the
appropriate RBS, as described in Rubrik Backup Service software.
5. In IPs or Hostnames, enter an IP or a hostname to identify the connected host.
Use commas to separate multiple IP addresses or hostnames.
6. In Oracle User, type a name for the user.
This Oracle User name is required when the DBA user is not the default “oracle”.
7. Click Add.
The Rubrik cluster saves the configuration and the new Oracle host appears on the Hosts/Clusters
page. The OCI library discovers the databases which appear in the All DBs page.
Assigning an SLA Domain to a host or database

To provide SLA policy-based management of the snapshots of an Oracle host or database
instances, assign an SLA Domain to the host or database.
1. Log in to the Rubrik CDM web UI using an account with administrator privileges.
2. From the left-side menu, click Servers & Apps > Oracle DBs.
The database Hosts/Clusters page appears.
3. To manage and protect an Oracle host, click Hosts/Clusters.
Alternatively, to manage and protect Oracle database instance, click All DBs.
The Manage Protection dialog box appears with the Basic Settings menu selected.
To create an SLA Domain, click + and create the SLA Domain.
The selected SLA Domain must have settings that match correctly to the RMAN settings that
are specified for the Oracle host or database instance.
Details on how to create an SLA Domain can be found in Creating a custom SLA Domain.

Oracle Databases
6. (Optional) Click Clear Existing Assignment to assign selected objects and their contents to
the SLA Domain of the next higher level object.
7. (Optional) Click Do Not Protect to exclude the selected objects from further SLA Domain
assignments.
8. (Optional) Click Overwrite default log backups, type a value in Log Backup Frequency
(Minutes) and Log Backup Retentions (Days).
9. Click Submit.
The Rubrik cluster saves the settings and begins managing the snapshots of the Oracle host or
database instance.
Assigning RMAN channels to nodes

Configure and determine the required number of channels for the Oracle database instances and
specify the priority when creating the Oracle database instances.
Rubrik cluster supports multi-channel RMAN backup. Each channel is mounted on a separate node
of the Rubrik cluster. All the channel directories are mounted on the same Oracle host or RAC
node.
2. From the left-side menu, click Servers & Apps > Oracle DBs.
The database Hosts/Clusters page appears.
3. To manage and protect an Oracle host, click Hosts/Clusters.
The Manage Protection dialog box appears with the Basic Settings menu selected.
5. Select one of the default SLA Domain, or search for a specific SLA Domain to assign to the
host.
6. (Optional) Select Do Not Protect to enable the Rubrik cluster to stop creating policy-driven
snapshots set individually for this host.
7. From the left-side menu, click Advanced Settings.
8. In Number of RMAN Channels, type an integer.
Normally, type the same number as the number of nodes in the Rubrik cluster.
9. Type a RMAN File Tag Name.
10.On each node, click the up or down arrow to change the mode priority.
The node priority determines the order of nodes that Rubrik takes the backup from.

Oracle Databases
Backing up databases
Protect databases by assigning an SLA Domain to the standalone Oracle host or RAC or to the
database instances. Derived assignment provides a way to uniformly manage and protect those
databases.
A derived assignment applies to the databases that exist at the time of the assignment and to
databases that are added after the assignment.
 Install the RBS on the standalone Oracle host or RAC of the database.
 Add the standalone Oracle host or RAC to the Rubrik cluster.
 Ensure that the database is in the OPEN or MOUNTED state.
The Hosts/Clusters tab of the Oracle DBs page appears.
3. Click the selection box next to a host.
Select multiple hosts to apply the same SLA Domain protection to databases on all of the
selections.
5. Select one of the default SLA Domains to assign to the host.
Alternatively, search for a specific SLA Domain and assign it to the host.
6. (Optional) Click Do Not Protect to enable the Rubrik cluster to stop creating policy-driven
snapshots set individually for this host.
7. (Optional) In Log Backup Frequency, type an integer value.
Type an integer value from 5 to 99. The integer value sets the number of minutes between
backups of the archived redo log. This value overrides the default log backup frequency value.
8. (Optional) In Log Backup Retention, type an integer value.
The integer value sets the number of days to retain the archived redo log.
9. From the left-side menu, click Advanced Settings.
10.In Number of RMAN Channels, type an integer.
Normally, type the same number as the number of nodes in the Rubrik cluster.
Changing the number of channels assigned will trigger a new full backup.

Oracle Databases
11.Type a RMAN File Tag Name.

12.On each node, click the up or down arrow to change the mode priority.
The node priority determines the order of nodes that Rubrik takes the backup from.
13.Click Submit.
The Rubrik cluster assigns the selected SLA Domain and the other settings to the host and all
databases within the selection group.
Backing up logs
Create archived redo log backup of a database that protects records that were written to the
archived redo log after the most recent archived redo log backup.
RMAN can also selectively apply archived redo logs and recover to any point in time.
 Install the Rubrik Backup Service software on the Windows Server host of the database.
 Add the standalone Oracle host or RAC to the Rubrik cluster.
 Manage and protect at least one database.
 Ensure that ARCHIVEDLOGMODE is enabled on the database. RMAN does not take backups if
this mode is disabled.
 Successfully complete at least one snapshot of the database.
3. Click All DBs.
The All Databases page appears.
4. In the Name column, click the name of a database.
The Local page for the database appears.
5. Click Take Log Backup.
A notification regarding the backup job being scheduled appears.
The Rubrik cluster adds the specified log backup to the task queue. The Activity Log tracks the
status of the log backup task.

Oracle Databases
Exporting databases
Rubrik restores databases by exporting a copy of a selected recovery point of a database to an
Oracle database instance on the same standalone Oracle host or RAC or on another known
standalone Oracle host or RAC.
Rubrik cluster only allows the export of a database for discovered RAC, standalone server, nodes,
or databases.
 Restore permission on the host, the Oracle host or RAC, and databases.
 RBS is installed on the desired target host or all nodes of the RAC cluster.
 For RAC, the oratab file must have ASM configuration configured for the RAC.
 Register the target host and RAC cluster nodes on the Rubrik cluster. If only a subset of RAC
clusters are registered, the export will be successful. However, only the registered instances
will have running instances registered with the exported database.
 Ensure that there is enough disk space on the target host for recovery.
 Ensure that the target has enough memory to run the database.
 (Optional) To export a recovery point that is between snapshots, successfully complete log
backups that cover the recovery point period.
3. Click All DBs.
The Local page for the database appears, with the Recovery Points card showing the month
view.
5. On the Recovery Points card, select a day that has a green dot.
The green dot indicates that at least one successful snapshot was created on that day.
The Recovery Points card displays the Day view.

Oracle Databases
6. Move the Recovery point slider to select a recovery point.

To select a snapshot, move the slider to a snapshot indicator or click the snapshot indicator
dot. The selected time icon changes to .
To select a recovery point other than a snapshot time, move the slider to choose that time. The
time appears in the time field and the selected time icon changes to . Alternatively, type a
specific time into the time field.
7. Open the ellipsis menu and select Export.
The Export Database dialog box appears.
8. In Hosts/Clusters, select an Oracle host for the exported database copy.
9. Type the Export DB Name.
10.(Optional) To perform a database managed export, click Do not restore, make the backup
image available for DBA, and type a Backup Image Path when the Rubrik cluster restores
the database files and recovery script.
During the export task, the Rubrik cluster places the data files for the database recovery point
at the specified location.
11.Click Export.
The Rubrik cluster exports the database recovery point to the selected Oracle database instance.
Exporting tablespaces
Rubrik restores tablespaces by exporting them in-place on the same database.
To trigger a tablespace recovery, select a snapshot or any point-in-time point access from the
available range. Rubrik cluster restores tablespaces in-place only to the same database.
Before you begin — A database must be set to “ARCHIVELOGMODE” before attempting a
tablespace recovery. Otherwise, the recovery will fail.
3. Click All DBs.
The All DBs tab appears.

Oracle Databases

Alternatively, enter a name in the search field or use the filters at the top left of the list.
view.
dot. The selected time icon changes.
To selected recovery point other than a snapshot time, move the slider to choose that time.
The time appears in the time field and the selected time icon changes. Alternatively, type a
7. Click on the database to expand the list of tablespaces.
8. Select a tablespace, open the ellipsis menu and select Export.
The Export Tablespace dialog box appears.
9. Select a staging Oracle host to orchestrate tablespace recovery, and click Export.
The Rubrik cluster exports the tablespace and restores the tablespace to the selected point in
time.
Live mounting an Oracle database

Use live mount to create a new database from a point-in-time copy of a source database.
 Restore permission on the host, the Oracle host or RAC, and databases.
 To export a recovery point that is between snapshots, successfully complete archived redo log

Oracle Databases
3. Click All DBs.

view.
To select a recovery point other than a snapshot time, move the slider to choose that time. The
time appears in the time field and the selected time icon changes. Alternatively, type a specific
time in the time field.
7. Open the ellipsis menu and select Mount.
The Mount Database dialog box appears.
8. In Hosts/Clusters, select an Oracle host for the list of compatible standalone hosts or
clusters.
9. (Optional) To perform a database managed live mount, click Do not restore, make the
backup image available for DBA, and type a Backup Image Path when the Rubrik cluster
restores the database files and recovery script.
During the mount task, the Rubrik cluster places the datafiles for the database recovery point
10.Click Mount.
The Rubrik cluster mounts the share to the specified Oracle host and attaches the Live Mount
database to the specified Oracle database instance.
If the host or RAC to which the live mount was performed reboots, the live mount will be lost.
Unmount the existing live mount with the force option and try live mounting again.

Oracle Databases

Create an on-demand snapshot of a database.
 Install RBS on the standalone Oracle host or RAC.
 Register the standalone Oracle host or RAC on the Rubrik cluster.
3. Click All DBs.
protects the database.
To manually manage the on-demand snapshot through the Unmanaged Objects page, select
Forever.

Oracle Databases
Performing an instant recovery

Rubrik supports instantly recovering databases from backups. The recovery recovers the database
back to the source and overwrites the existing database.
Before you begin — Make sure there is restore permission on the host, the Oracle host or RAC,
and databases.
3. Click All DBs.
view.
The Rubrik cluster instantly live mounts the database back to the source Oracle server or cluster.
The datafiles of the database are mounted on Rubrik while the database instance is recreated on
the server.
Once instant recovery completes, migrate the database off the Rubrik cluster prior to performing
export, live mount, or backup of this database.

Chapter 17
SQL Server Databases
This chapter describes how to protect and manage data from Microsoft SQL Server databases.
 Overview ............................................................................................................... 554
 Rubrik Backup Service software ............................................................................... 557
 Windows Server hosts ............................................................................................. 562
 SQL Server databases ............................................................................................. 564
 SQL Change Block Tracking ..................................................................................... 570
 Recovery Points card page ...................................................................................... 572
 Database recovery .................................................................................................. 573
 Windows Server Failover Clustering.......................................................................... 580
 Always On Availability Groups .................................................................................. 587
 Unmanaged data .................................................................................................... 589
Rubrik CDM Version 5.0 User Guide SQL Server Databases 553
Overview
A Rubrik cluster provides data management and protection for Microsoft SQL Server databases. A
Rubrik cluster can manage and protect SQL Server databases that are configured to use the Full
recovery model, Bulk-logged recovery model, or the Simple recovery model.
For a database that uses the Full recovery model or the Bulk-logged recovery model, the Rubrik
cluster performs policy-driven VSS snapshots of the database and frequent interim backups of the
transaction log. The combination of a snapshot of the database and transaction log backups,
permits granular restore of a database to a specified recovery point.
For a database that uses the Simple recovery model, the Rubrik cluster performs policy-driven
snapshots of the database. The snapshots permit recovery of the database to its state at the time
of a snapshot.
Table 115 describes the data management and protection that a Rubrik cluster provides for SQL
Server databases.
Table 115 Data management provided for SQL Server databases (page 1 of 2)
Feature Description
Physical and virtual instances The Rubrik cluster supports SQL server databases running on physical
installations of Windows Server, and on guest OS installations of Windows
Server that are running in a virtual environment.
Windows Server Failover The Rubrik cluster supports SQL server databases running on a WSFC
Clustering instances of SQL Server.
Full, Bulk-logged, and Simple The Rubrik cluster provides protection for Full recovery model, Bulk-logged
recovery models recovery model, and Simple recovery model databases.
Automatic discovery After installing the Rubrik Backup Service software on a Windows Server,
Rubrik connector automatically discovers all instances of SQL Server and
all SQL Server databases on the Windows Server. Rubrik connector
provides this information to the Rubrik cluster and the objects appear in the
Rubrik CDM web UI.
Automatic upgrade When new versions of the Rubrik Backup Service software are available,
the Rubrik cluster automatically upgrades the software on all Windows
Server hosts.
SLA Domains SLA Domains provide simplified management of SQL Server database
protection. Setting the snapshot frequency and retention, snapshot window,
replication policy, and archival policy for a database can be accomplished
by assigning the database to an SLA Domain.
Derived protection Databases can derive SLA Domain protection through an SLA Domain
assignment made to the SQL Server database or the Windows Server
host. Databases added at a later date automatically derive the protection of
the parent entity.

Table 115 Data management provided for SQL Server databases (page 2 of 2)
Feature Description
Configurable log backups For any database, the log backup frequency setting can be derived from
the system defaults, or the log backup frequency and retention can be
configured through an SLA Domain assignment. Log backups can also be
disabled entirely.
Copy Only backups When a database is assigned to an SLA Domain, Copy Only backups can
be specified for that database.
Source-side compression The Rubrik Backup Service compresses the data from SQL Server
database backups before sending the data to the Rubrik cluster.
Replication Based on SLA Domain policy, snapshots and transaction log backups can
be replicated to another Rubrik cluster.
Archiving Based on SLA Domain policy, snapshots and transaction log backups can
be archived to a supported archival location.
Point in time recovery A database can be recovered from a snapshot or to a point in time between
snapshots. The Rubrik cluster returns the recovered database to the state it
was in at the time specified by the user.
VDI The Rubrik cluster fully supports the Microsoft Virtual Device Interface
(VDI) API for transaction log backup and restore operations. However, VDI
requires that the agent performing backups or restores have sysadmin
privileges on the server. Sites that choose to not grant this level of privilege
to the Rubrik agent will use the pre-4.1 local staging mechanism for
transaction log backup backup and restore mechanism.
Point in time export A database can be exported to another SQL Server database of the same
version or higher, on the same Windows Server host or on another
Windows Server host. Export of the database can be based on a snapshot,
or on a snapshot combined with transaction log backups.
Group snapshots On-demand snapshots are available for SQL Server hosts or instances,
creating individual snapshots of all the databases on the host or instance.
Group snapshots are also available for multiple databases from different
SQL Server hosts or instances. When snapshots are grouped in this way,
the count of incoming snapshots is the number of snapshot groups, rather
than the number of individual snapshots.
Point in time recovery

For a database that uses the Full recovery model or the Bulk-logged recovery model, the Rubrik
cluster uses a combination of a snapshot of the database and the database transaction log
backups to recover a database. The Rubrik Backup Service obtains the snapshot of the database
by using the VSS writer on the SQL Server host to create a FULL BACKUP of the database.
The combination of a snapshot of the database and the transaction log backups from the database
permits the Rubrik cluster to recover a database to the state it was in at a selected point in time.

To recover to a selected point in time, the Rubrik cluster uses two pieces of information:
 Last snapshot created before the selected point in time
 Log backups created between the time of the snapshot and the selected point in time
The Rubrik cluster first recovers the database from the snapshot. Then the Rubrik cluster unrolls
and applies the contents of the logs until the selected point in time is reached.
The closer that the snapshot is to the selected point in time, the shorter the recovery time
objective (RTO) that is achieved by the process. To minimize RTO, assign a database to an SLA
Domain with frequent snapshots.
Live Mount
A Live Mount creates a new database from a point-in-time copy of the source database. The
Rubrik cluster provides a Samba share of the new database directly from the Rubrik cluster
storage layer.
A Live Mount database can be attached to an SQL Server database on any Windows Server host
that is running the Rubrik Backup Service. Transmissions between the Rubrik cluster and the host
of the Live Mount are secured by end-to-end encryption.
Using Live Mount to access a copy of a database can significantly reduce the RTO for the
database. A Live Mount database cannot be protected through the Rubrik cluster.
Requirements
A Rubrik cluster provides data management and protection for SQL Server databases when
specific requirements are met.
Table 116 describes the system requirements for SQL Server database data management and
protection.
Table 116 System requirements for SQL Server databases
Operating system Refer to the Rubrik Compatibility Matrix for current version support.
Database management system Refer to the Rubrik Compatibility Matrix for current version support.
Windows service SQL Server VSS Writer (running)
Network protocol TCP/IP or Shared Memory protocol enabled for each SQL Server
database

Supported SQL Server cross version exports

The Rubrik cluster can export SQL Server databases restore points from supported versions of SQL
Server to other supported versions of SQL Server.
Note: The Rubrik CDM Compatibility Matrix lists supported source version and target version for
export of SQL Server database snapshots by Rubrik CDM software.
Rubrik Backup Service software

The Rubrik Backup Service provides the Rubrik cluster with the ability to manage SQL Server
databases on Windows Server hosts.
The Rubrik Backup Service software can be downloaded directly from the Rubrik cluster, or the
software can be downloaded once and copied to Windows Server hosts as needed.
! IMPORTANT
cluster automatically upgrades the Rubrik Backup Service software on all protected Windows
Server hosts.
Account used to run the Rubrik Backup Service

Figure 9 shows a domain user account ‘rubrik.svc’ that is a member of the local Administrators
group and shows that the Rubrik Backup Service is configured to run as the domain user account
‘rubrik.svc’.
Figure 9 Domain user account in local Administrators group
SQL Server role and permissions requirements

The account that the Rubrik Backup Service runs as must be assigned specific roles in SQL Server,
and additional permissions.
Grant the ‘sysadmin’ permission to enable the following features:
 SQL Server 2008
 SQL Server 2008 R2
 Always On Availability Groups
 Virtual Device Interface (VDI) API
Users can also have more granular permissions to enable specific access.
Table 117 describes the required permissions at a more granular level.
Table 117 Role requirements for the Rubrik Backup Service account (page 1 of 2)
Level Task Permission
SQL Server Database restore • dbcreator
database • ALTER_ANY_DATABASE
Table 117 Role requirements for the Rubrik Backup Service account (page 2 of 2)
Level Task Permission
SQL Server Metadata collection • VIEW_SERVER_STATE
database • VIEW_ANY_DEFINITION
Databases Database backup db_backupoperator
Databases Optional db_denydatareader
Note: Do not set db_denydatareader as a database
role for the ‘master’ database or the ‘msdb’
database.
Figure 10 shows the assignment of the required roles in Microsoft SQL Server 2012 using SQL
Server Management Studio.
Figure 10 Assigning server-level roles and database-level roles
Figure 11 shows the assignment of the ‘View server state’ and ‘Alter any database’ permissions,
which are required for the account used by the Rubrik Backup Service.
Figure 11 Assigning additional permissions
Obtaining the Rubrik Backup Service software

Obtain the Rubrik Backup Service software from the Rubrik cluster. The Rubrik Backup Service
provides the Rubrik cluster with the ability to manage SQL Server databases.
2. On the left-side menu, click Servers & Apps > SQL Server DBs.
The Hosts/Instances tab of the SQL Server DBs page appears.
3. Open the ellipsis menu at the upper-right of the page, and select Add Windows Hosts.
4. Click Rubrik Backup Service.
Next task — Install the Rubrik Backup Service software on a Windows Server.

Obtain the Rubrik Backup Service software directly by URL. The Rubrik cluster provides a direct
URL link for the software package for Windows hosts.
obtained.
For Windows, use:
Installing the Rubrik Backup Service software

Install the Rubrik Backup Service software on a Window Server host to provide the Rubrik cluster
with the ability to manage the SQL Server databases on the Windows Server host.
1. Check that the most up-to-date version of the Rubrik Backup Service software is available in a
temporary location that the Windows Server host can access.
Obtaining the Rubrik Backup Service software describes how to obtain the Rubrik Backup
Service software.
2. Log into the Windows Server using an account that is a member of the local Administrators
group.
3. Copy the Rubrik Backup Service software ZIP file to a temporary location on the Windows
Server host.
4. Extract the contents of the ZIP file containing the Rubrik Backup Service software to a
temporary location on the Windows Server.
The ZIP file contains the Windows installer package (RubrikBackupService.msi) and the
security certificate that is used for authentication and encryption of all communication with the
Rubrik cluster (backup-agent.crt).
! IMPORTANT
The Windows installer package and the security certificate must be in the same folder on
the Windows Server host during installation of the software.
5. Double-click RubrikBackupService.msi and follow the on screen instructions.

The Windows installer package installs the Rubrik Backup Service software.
Next task — Add Windows Server hosts with SQL Server databases to the Rubrik cluster.
Windows Server hosts

Manage and protect SQL Server databases through the Rubrik Backup Service running on a
Windows Server host.
Adding a Windows Server host to a Rubrik cluster establishes a secure connection between the
Rubrik cluster and the Rubrik Backup Service on the Windows Server host. After the Windows
Server host is added, the SQL Server databases and SQL Server databases on the Windows Server
host appear in the Rubrik CDM web UI.
Remove a Windows Server host from the Rubrik cluster to stop managing the data of the SQL
Server databases on that host. The SQL Server databases on the removed Windows Server host
move to the Unmanaged Objects page. The Rubrik cluster continues to provide access to existing
snapshots and log backups until the SQL Server database is removed from the Unmanaged
Objects page.
Adding a Windows Server host

To begin managing and protecting SQL Server databases, add a Windows Server host with SQL
Server databases to the Rubrik cluster.
Before you begin — Obtain and install the Rubrik Backup Service software on the Windows Server
host.
4. In IPs or Hostnames, type a comma-separated list of the IPv4 addresses or the resolvable
hostnames of the Windows Server hosts that are being added.
The list can contain both IPv4 addresses and hostnames. The Rubrik cluster requires one IPv4
address or one resolvable hostname for each Windows Server host.
5. Click Add.
The Rubrik cluster checks connectivity with the Rubrik Backup Service on each specified Windows
Server host and adds the Windows Server hosts that are successfully connected.
Rubrik CDM Version 5.0 User Guide Windows Server hosts 562
Next tasks — Do the following:

 (Optional) Set the default database management properties.
 (Optional) Set the individual database management properties.
 Manage and protect a database by adding it to an SLA Domain.
Removing a Windows Server host

Remove a Windows Server host from the Rubrik cluster to stop managing the data for the SQL
Server databases on that host.
Removing a Windows Server host removes the following from the SQL Server DBs page:
 All SQL Server databases of that host
 All databases of that host
3. Select a Windows Server host.
4. Open the ellipsis menu and select Delete.
5. Click Delete.
The Rubrik cluster removes the selected Windows Server host.
When there is at least one existing snapshot for a SQL Server database on the removed Windows
Server host, the database appears on the Snapshot Retention page. The snapshots and log
backups from a database on the Snapshot Retention page can be used for recovery and export.
Removing individual snapshots for a data source describes how to use the Snapshot Retention
page to remove the unmanaged snapshot objects of a database.
Rubrik CDM Version 5.0 User Guide Windows Server hosts 563
SQL Server databases

After adding a Windows Server host to a Rubrik cluster, the SQL Server databases on that host can
be managed through the Rubrik CDM web UI. A Rubrik cluster can manage SQL Server databases,
including databases with filestreams and in-memory tables, that are configured to use any of the
following models:
 Full recovery
 Bulk-logged recovery
 Simple recovery
A database that is configured to use the Full recovery model or the Bulk-logged recovery model
can be protected through policy-driven snapshots and backups of the transaction log, or through
policy-driven snapshots only.
A database that is configured to use the Simple recovery model can be protected through
policy-driven snapshots only.
For databases that use the Full recovery model or the Bulk-logged recovery model, and have
policy-based snapshots and transaction log backups enabled on the Rubrik cluster, the following
log backup options can be configured:
 Default frequency for transaction log backups by the Rubrik cluster
 Frequency and retention of transaction log backups through settings associated with an
assigned SLA Domain
Setting the default log backup frequency

A Rubrik cluster uses the value set for the default transaction log backup frequency to determine
how frequently to backup the transaction log for a protected database. The default value applies
to a database unless an override value is directly set for the database or an override value is set
through an SLA Domain assignment.
3. Open the ellipsis menu at the upper-right of the page, and select Edit Default Log Backup
Properties.
The Edit Default Log Backup Properties dialog box appears.
4. In Log Backup Frequency, type an integer value.
backups of the transaction log. The default value is 15 minutes.
Rubrik CDM Version 5.0 User Guide SQL Server databases 564
5. Click Update.
The Rubrik cluster updates the default frequency and applies the new setting to log backups for
databases that use the default value.
Managing and protecting databases through a parent object

Protect databases by assigning an SLA Domain to the parent Windows Server host, or to the
parent SQL Server database. Derived assignment provides a way to uniformly manage and protect
those databases.
A derived assignment applies to the databases that exist at the time of the assignment and to
databases that are added after the assignment.
 Add the Window Server host to the Rubrik cluster.
3. Click the selection box next to a Windows Server host or a SQL Server database.
Click the name of a Windows Server host to view the SQL Server databases on that host.
Select multiple hosts or SQL Server databases to apply the same SLA Domain protection to
databases on all of the selections.
When a database within the selection is already assigned to an SLA Domain, a warning dialog
box appears.
Click Continue Anyway to change the existing assignment to a new selection or click Cancel
to return to the Hosts/Instances tab.
5. In the SLA Domain section, select an SLA Domain.
6. (Optional) Select Take Copy Only Backups.
The Rubrik cluster will perform Copy Only backups for the policy-driven backups of the
databases in the selection group.
Selecting Take Copy Only Backups closes the Log Backup Frequency and Log Backup Retention
fields.

backups of the transaction log. This value overrides the default log backup frequency value.
The integer value sets the number of days to retain the transaction log.
9. Click Submit.
The Rubrik cluster assigns the SLA Domain and other settings to all existing databases within the
selection group.
Managing and protecting individual databases

To provide data management and protection for an individual database, assign that database to an
SLA Domain.
3. Click All DBs.
Alternatively, select a database through the Hosts/Instances tab by clicking values in the Name
field to move down in the hierarchy of a Windows Server host.
4. Click the selection box next to a database.
Select multiple databases to apply the same SLA Domain protection settings to all of the
selected databases.
When a database within the selection group is already assigned to an SLA Domain, a warning
dialog box appears. Click Continue Anyway to change the existing assignment to a new
selection. Or, click Cancel to return to the All DBs tab.

fields.
8. (Optional) To disable log backups entirely, select Disable Log Backups.
10.(Optional) In Log Backup Retention, type an integer value.
11.Click Submit.
The Rubrik cluster assigns the selected SLA Domain and the other settings to all databases within
the selection group.
Removing an SLA Domain assignment

Remove an SLA Domain assignment from a database to prevent policy-driven snapshots and log
backups for the database. Both derived and individual SLA Domain assignments can be removed.
Removing an assigned SLA Domain from a database does not block that database from a derived
or individual assignment to an SLA Domain at a later point.
3. Select a tab to view specific protection objects.
• To view Windows Server hosts, SQL Server databases, or databases, click
Hosts/Instances.
• To view databases, click All DBs.
4. Select a parent object or a database by clicking the selection box next to the object.
• Select a Windows Server host to remove the derived SLA Domain assignments for all SQL
Server databases and databases on that host.
• Select a SQL Server database to remove the derived SLA Domain assignments for all
databases on that instance.
• Select a database to individually remove the SLA Domain assignment of that database.
Select multiple objects in any of these groups to remove the SLA Domain assignment for all
databases covered by the selected group.
A warning appears.
7. Select No SLA.
8. Click Submit.
The Rubrik cluster removes the SLA Domain assignments for all databases within the selection
group. Databases within the selection group that have unexpired snapshots appear on the
Unmanaged Objects page.

On-demand snapshots enable the creation of snapshots outside the scope of the SLA Domain
assigned to a SQL Server database or instance.
3. Click All DBs.

protects the database.
To manually manage the on-demand snapshot through the Snapshot Retention page, select
Forever.
Creating a group on demand snapshot task

Group on-demand snapshots for SQL Server databases reduce the overhead of individual database
on-demand snapshot creation.
3. (Optional) Select one or more Windows hosts and go to step 6.
4. (Optional) Click the name of a Windows host.
A list of the SQL Server instances on the Windows host appears.
5. Select one or more SQL Server instances.
6. Open the ellipsis menu at the upper-right of the page and select Take On Demand
Snapshot.
The Take On Demand Snapshot page appears.
7. Select the SLA level to assign to the on-demand snapshots.

The group on-demand snapshot task is scheduled and executed. When the task completes, each
SQL Server database in the selected Windows hosts or SQL Server instances has an individual
on-demand snapshot.
Creating a tail-log backup

Tail-log backups protect records that were written to the transaction log after the most recent
transaction log backup.
Tail-log backups are only available for databases protected with the Full recovery model.
3. Click All DBs.
4. In the Name column, click the name of a database protected with the Full recovery model.
5. Click Take T-Log Backup.
A notification regarding the backup job being scheduled appears.
The Rubrik cluster adds the specified tail-log backup to the task queue. The Activity Log tracks the
status of the tail-log backup task.
SQL Change Block Tracking

Change Block Tracking (CBT) uses a filter driver to track SQL database file changes as they
happen. At backup intervals, only the tracked changes are scanned to determine modifications.
By default, the entire database is scanned at each backup interval to determine if any changes
have occurred. By using CBT to track any changes in large databases, backup performance
improves.
CBT improves performance for environments with large databases, low change rate, frequent
backups, or any environment where the full scan time is adversely affecting performance.
Rubrik CDM Version 5.0 User Guide SQL Change Block Tracking 570
The disadvantage to enabling CBT is the filter driver tracks changes as they occur, which might
reduce IOPS on the database.
Configuring default CBT settings

By default, CBT is disabled. Configuring the CBT settings specifies if CBT is enabled or disabled if
the default radio button is selected on a Windows host.
3. Select Hosts and click the Windows Host tab.
4. Open the ellipsis menu at the upper-right of the page, and select Edit Default CBT.
The Edit Default CBT dialog box appears.
5. Click the On or Off button to enable or disable the default CBT settings.
6. Click Update.
The default CBT settings are applied to the Windows hosts.
Enabling or disabling CBT on a Windows host

CBT can be enabled or disabled for selected Windows hosts.
3. Check the Windows host to configure CBT.
4. Open the ellipsis menu at the upper-right of the page, and select Edit CBT.
The Edit CBT dialog box appears.
5. Select On.
6. Select Update.
CBT is enabled or disabled for the specified Windows host.
Rubrik CDM Version 5.0 User Guide SQL Change Block Tracking 571
Recovery Points card page

The Rubrik cluster provides a Recovery Points card page for every detected database.
The Recovery Points card page consists of information about the database on two cards:
 Overview card
 Recovery Points card
Overview card
The Overview card on the Recovery Points card page for a database provides general protection
management information for the database.
Table 118 describes the information provided by the Overview card.
Table 118 Overview card on the Recovery Points card page
Field Description
Windows Host The FQDN or IPv4 address of the Windows Server that is the host of the SQL
Server database that manages the database.
SQL Instance The name assigned to the SQL Server database that manages the database.
SLA Domain The name of the SLA Domain that manages the protection of the database.
Recovery Model Type of recovery model that controls how the transactions of the database are
logged, either: Full or Simple.
Oldest Recovery Point Timestamp of the oldest retained recovery point for the database.
Latest Recovery Point Timestamp of the most recent retained recovery point for the database.
Local Storage Amount of storage on the Rubrik cluster that is occupied by data from the
database.
snapshot is counted until the period since the SLA Domain policy required the
snapshot exceeds the retention period of the SLA Domain.
Rubrik CDM Version 5.0 User Guide Recovery Points card page 572
Recovery Points card

The Recovery Points card provides access to the available snapshots and log backups of the
database.
The elements of a Recovery Points card are:
1. Recovery point slider–Move the slider to the left or right to select a specific recovery point.
2. Recovery time line–Represents the 24 hours for the selected day. Dark gray dots indicate 6
hour intervals. Light gray dots indicate hour intervals. Green segments of the recovery time line
indicate periods with available recovery points as a result of successful log backups. Gray
segments of the recovery time line indicate periods without available recovery points.
3. Snapshot indicator–Green dots above the recovery time line indicate the points during the day
when a snapshot was created.
4. Selected time–Move the recovery point slider to change the time shown in the selected time
field, or type a time of day into the field. he icon changes to a camera to indicate that a
snapshot is selected or to a document to indicate that a log backup is selected.
5. Ellipsis menu–Provides access to the following database actions:
• Restore–Restores the database to the selected point in time.
• Live Mount–Creates a database on a selected SQL Server database from a copy of the
database at the selected point in time.
• Export–Exports a copy of the database at the selected point in time to another known SQL
Server database.
Database recovery
The Rubrik cluster provides recovery of a database through snapshots of the database. When
transaction logs for the database have been backed up, the Rubrik cluster also provides the ability
to recover the database to any point in time that is within the backed up data.
For each protected database, and for each database on the Unmanaged Objects page, the Rubrik
cluster provides a Recovery Points card. Use the Recovery Points card to select a recovery point
and to start the recovery process.
A database can be exported as a new database from a recovery point on the Recovery Points card.
The export can be to the same SQL Server database or to another SQL Server database on any
known Windows Server host.
Rubrik CDM Version 5.0 User Guide Database recovery 573

A database recovery point on the Recovery Points card can be used to create a Live Mount. Live
Mounts are shared directly from the Rubrik storage layer over the SMB/CIFS protocol.
Note: The Live Mount feature does not support SQL Server databases that use filestreams or
in-memory tables.
Note: The Rubrik cluster can back up SQL Server system databases, such as: ‘master’, ‘model’,
and ‘msdb’, but backups of these system databases cannot be directly restored from the Rubrik
cluster. System database backups can be exported or created as Live Mounts.
Recovering a database
Restore a selected database to a specific recovery point.
 Protect at least one database.
 (Optional) To restore to a recovery point between snapshots, successfully complete log
backups that include the recovery point.
Note: The SQL Server system databases, such as: ‘master’, ‘model’, and ‘msdb’, cannot be directly
restored from the Rubrik cluster. Use Export or Live Mounts to recover data from backups of those
system databases.

3. Click All DBs.
To work with the unmanaged snapshots for a database that is listed on the Unmanaged
Objects page, On the left-side menu, click Unmanaged Objects. Then, continue with the
following steps from the Unmanaged Objects page instead of the SQL Server DBs page.
view.

7. Open the ellipsis menu and select Restore.
The restore option does not appear when the database is one of the system databases: master,
model or msdb.
The Restore Database dialog box appears.
8. (Optional) Select Keep database in Restoring state.
When selected, this option exports the database with the SQL Server NORECOVERY option.
The NORECOVERY option prevents roll back, and allows roll forward to continue.
9. Click Restore.
The Rubrik cluster replaces the existing database with a copy of the database from the selected
recovery point. When the recovery point is between snapshots, the Rubrik cluster uses the log to
bring the database from the closest prior snapshot to the selected recovery point.
Live mounting a SQL Server database

Use Live Mount to create a new database from a point-in-time copy of a source database.
The Rubrik cluster shares the Live Mount over the SMB/CIFS protocol and sets the protection state
of the new database to Do Not Protect.
Note: Live Mount is not supported with SQL Server 2008 databases or with SQL Server databases
that use filestreams or in-memory tables.


3. Click All DBs.
view.
7. Open the ellipsis menu and select Mount.
The Mount Database dialog box appears.
8. In Name, select a Windows Server host, and click Next.
Alternatively, enter the name of a host in the search field.
9. In Name, select a SQL Server database.

Alternatively, enter the name of an instance in the search field.

10.In Live Mount Database Name, type a name.
11.Click Mount.
The Rubrik cluster mounts the share to the specified Windows Server host and attaches the Live
Mount database to the specified SQL Server database.
Force Unmount
Use Force Unmount to remove the Live Mount entry and the associated storage and metadata
from the Rubrik cluster, when a normal unmount cannot be completed.
A normal unmount can be prevented by:
 A lost connection with the host of a Live Mount.
 Manually deleting the Live Mount database from the SQL Server database.
When this occurs, use Force Unmount to remove all storage and metadata for the database from
the Rubrik cluster.
Unmounting a Live Mount database

Use the Live Mounts page to unmount a Live Mount database. The Live Mounts page lists all SQL
Server database Live Mounts.
2. On the left-side menu of the Rubrik CDM web UI, click Live Mounts > SQL Server DBs.
The SQL Server DB Live Mounts page appears.
3. Open the ellipsis menu next to the entry for a Live Mount database.
4. Click Unmount.
5. (Optional) Check the Force Unmount box.
6. Click Unmount.
The Rubrik cluster detaches the database from the SQL Server database and unmounts the share
from the Windows Server host.

Exporting a database
Export a copy of a selected recovery point of a database to a SQL Server database on the same
Windows Server host or on another known Windows Server host.
3. Click All DBs.
view.
7. Open the ellipsis menu and select Export.
The Export Database dialog box appears.
8. In Host, select a Windows Server host for the exported database copy.

9. Click Next.
The second view of the Export Database dialog box appears.
10.In Name, select a SQL Server database.
The Export Database dialog box shows only the SQL Server databases on the selected
Windows Server host that are a SQL Server version that is qualified to receive the exported
database.
11.In Exported Database Name, type a name for the exported database recovery point.
12.In Export Path, select a method for providing the export paths.
Choose:
• Default Method to provide a single path for the data files and a single path for the log files.
• Advanced Method to provide a separate path for each of the database files. The Rubrik
cluster assigns a logical name to each file and lists each file with a logical name and a path
entry field.
The specified export path cannot point to existing database files. If the specified export path
does not exist, the Rubrik cluster creates it.
Each export path must point to a location that has sufficient free storage to accommodate the
data files. The Rubrik cluster checks the available space before exporting the data.
The specified location must be accessible by the selected SQL Server database.
13.(Default Method only) In Data Files Export Path, type a full path on the selected Windows
Server host.
During the export task, the Rubrik cluster places the data files for the database recovery point
14.(Default Method only) In Logs Files Export Path, type a full path on the selected Windows
Server host.
During the export task, the Rubrik cluster configures the database to store the database
transaction logs at the specified location.
15.(Advanced Method only) Type a full path for each logically named file in the text entry field
next to each logical name.
The path must be a full Windows path including a valid drive letter, or a valid UNC path for a
network share.
16.(Optional) Select Keep database in Restoring state.
When selected, this option exports the database with the SQL Server NORECOVERY option.
The NORECOVERY option prevents roll back, and allows roll forward to continue.

17.(Optional) Select Overwrite data on export.

When selected, this option performs a destructive export, overwriting existing data at the
target.
! IMPORTANT
Selecting this option can result in data loss.
18.Click Export.
The Rubrik cluster exports the database recovery point to the selected SQL Server database.
Windows Server Failover Clustering

The Rubrik cluster provides protection for Windows Server Failover Clustering (WSFC) at the
failover cluster instance (FCI) level.
The Rubrik Backup Service software must be installed on each of the WSFC nodes used by an FCI.
The account running the Rubrik Backup Service must have the roles described in Table 117.
! IMPORTANT
For the account running the Rubrik Backup Service, the View server state permission
must be explicitly enabled at the server scope level for each SQL Server database in the
FCI.
Automatic detection and display

The Rubrik Backup Service provides automatic detection of WSFC.
After installation, the Rubrik Backup Service automatically detects when a host is a WSFC node.
The Rubrik Backup Service then detects all SQL Server databases on the WSFC node.
For each SQL Server database that is found, the Rubrik Backup Service determines if the SQL
Server database is part of an FCI, and then detects the IP address of the FCI.
The Rubrik Backup Service transmits the detected information to the associated Rubrik cluster.
The Rubrik cluster groups the SQL Server databases of an FCI into a logical entity called a failover
cluster. The detected failover clusters appear on the Failover Clusters tab of the SQL Server DBs
page in the Rubrik CDM web UI.
Failover events
A Rubrik cluster handles WSFC failover events automatically.
Rubrik CDM Version 5.0 User Guide Windows Server Failover Clustering 580
When an active WSFC node fails and a secondary WSFC node becomes the active node, the Rubrik
Backup Software detects the failover and communicates the change to the Rubrik cluster. The
Rubrik cluster automatically continues to manage and protect the databases in the FCI through
the new active WSFC node.
The Rubrik cluster continues to provide for each database in the FCI:
 Same SLA Domain protection
 Access to existing backup history
 Access to existing backups
Adding failover clusters

Add failover clusters to begin managing and protecting the FCI databases on those clusters.
1. Install the Rubrik Backup Service software on each node in the failover cluster.
Rubrik Backup Service software describes the Rubrik Backup Service software, the permissions
required to run the software, and how to install the software.
2. For the account running the Rubrik Backup Service, enable the View server state permission
at the server scope level for each SQL Server database in the failover cluster.
5. Click Failover Clusters.
The Failover Clusters tab appears.
7. In IPs or Hostnames, type a comma-separated list of the IPv4 addresses or the resolvable
hostnames of each of the Windows Server hosts that is a node in the cluster.
! IMPORTANT
Add all WSFC nodes to the Rubrik cluster to ensure continuous protection of SQL Server
databases in the event of a failover. The Rubrik cluster cannot protect the databases of a
SQL Server database when the active instance is on a WSFC node that has not been
added to the Rubrik cluster.
The list can contain both IPv4 addresses and hostnames. The Rubrik cluster requires one IPv4
address or one resolvable hostname for each Windows Server host.
8. Click Add.
The Rubrik cluster checks connectivity with the Rubrik Backup Service on each specified Windows
Server host and adds the Windows Server hosts that are successfully connected.
The Rubrik Backup Service communicates the failover cluster information to the Rubrik cluster.
Viewing failover clusters and databases

View the available failover clusters, the SQL Server databases on each failover cluster, the
databases on each failover cluster, and the restore points for each database.
The Failover Clusters tab appears. The page lists by name each failover cluster. For each
failover cluster, the page provides the number of SQL Server databases and the SLA Domains
that are assigned.
4. Click the name of a failover cluster.
The page lists by name each SQL Server database on the failover cluster. For each SQL Server
database, the page provides the assigned IP address, the number of databases, and the
assigned SLA Domains.
5. Click the name of a SQL Server database.
The page lists by name the databases on the SQL Server database. For each database, the
page lists whether it is an availability replica, whether log backup is enabled, whether the
database is protected through Copy Only, and the assigned SLA Domains.
6. Click the name of a database.
The Recovery Points card for the selected database appears.
Managing and protecting FCI databases through a parent object

Protect databases in an FCI by assigning an SLA Domain to the parent failover cluster, or to the
parent SQL Server database. Deriving an SLA Domain assignment from a parent object provides a
way to uniformly manage and protect a group of FCI databases.
A derived assignment only applies to the FCI databases that exist at the time of the assignment.
Before you begin — Add each Window Server host that is a node in the failover cluster to the
Rubrik cluster.
The Failover Clusters tab appears.
4. Click the selection box next to a failover cluster or a SQL Server database.
Click the name of a failover cluster to view the SQL Server databases on that failover cluster.
Select failover clusters or SQL Server databases to apply the same SLA Domain protection to
databases on all of the selections.
When a database within the selection is already assigned to an SLA Domain, a warning dialog
box appears.
Click Continue Anyway to change the existing assignment to a new selection or click Cancel
to return to the Hosts/Instances tab.
fields.
10.Click Submit.
The Rubrik cluster assigns the SLA Domain and other settings to all existing databases within the
selection group.
Managing and protecting individual FCI databases

To provide data management and protection for an individual FCI database, assign that database
to an SLA Domain.
Before you begin. Add each Window Server host that is a node in the failover cluster to the Rubrik
cluster.
3. Click All DBs.
Alternatively, select a database through the Failover Cluster tab by clicking values in the Name
field to move down in the hierarchy of a failover cluster.
4. Click the selection box next to an FCI database.
Select multiple databases to apply the same SLA Domain protection settings to all of the
selected databases.
When a database within the selection group is already assigned to an SLA Domain, a warning
dialog box appears. Click Continue Anyway to change the existing assignment to a new
selection. Or, click Cancel to return to the All DBs tab.
fields.
10.Click Submit.
The Rubrik cluster assigns the selected SLA Domain and the other settings to all databases within
the selection group.
Removing an SLA Domain assignment

Remove an SLA Domain assignment from a database to prevent policy-driven snapshots and log
backups for the database. Both derived and individual SLA Domain assignments can be removed.
Removing an assigned SLA Domain from a database does not block that database from a derived
or individual assignment to an SLA Domain at a later point.
3. Select a tab to view specific protection objects.
• To view failover clusters, SQL Server databases, or FCI databases, click Failover Clusters.
• To view databases, click All DBs.
4. Select a parent object or a database by clicking the selection box next to the object.
• Select a failover cluster to remove the derived SLA Domain assignments for all SQL Server
databases and FCI databases on that failover cluster.
• Select a SQL Server database to remove the derived SLA Domain assignments for all
databases on that instance.
• Select a database to individually remove the SLA Domain assignment of that database.
Select multiple objects in any of these groups to remove the SLA Domain assignment for all
databases covered by the selected group.
A warning appears.
7. Select No SLA.
8. Click Submit.
The Rubrik cluster removes the SLA Domain assignments for all databases within the selection
group. Databases within the selection group that have unexpired snapshots appear on the
Unmanaged Objects page.

Create an on-demand snapshot of an FCI database.
3. Click All DBs.
4. In the Name column, click the name of an FCI database.
The Local page for the FCI database appears.
The Rubrik cluster adds the on-demand snapshot task to the task queue. Task messages for
the on-demand snapshot appear in the Activity Log.
Recover or export from FCI database recovery points

To recover an FCI database to a selected recovery point or to export a copy of a selected FCI
database recovery point, use the same steps that are required to recover or export other
databases.
To recover an FCI database to a selected recovery point, complete the steps described in
Recovering a database.
! IMPORTANT
When recovering an FCI database be sure that the data recovery path is within the shared
storage of the FCI.
To export a copy of a selected FCI database recovery point, complete the steps described in
Exporting a database.
Always On Availability Groups

The Rubrik cluster supports data protection for availability databases in an Always On Availability
Group.
In order to protect availability databases, the Rubrik Backup Service software must be installed on
each of the Windows Server hosts for the availability databases. The account running the Rubrik
Backup Service must have the roles described in Table 117.
Prioritizing the synchronous secondary replica for protection by the Rubrik cluster minimizes
impact on the primary replica.
The Rubrik cluster supports export of an availability database backup as a database that exists
outside of the Always On Availability Group. The Rubrik cluster does not support in-place restore
of an availability database backup. Availability databases are actively involved in database
mirroring sessions and cannot be directly replaced by a backup.
Rubrik clusters support availability databases in an Always-On availability group and provide
auto-protection for availability databases based on the SQL Server database backup settings
described in Table 119.
Table 119 SQL Server database settings affecting availability group protection
sys.availability_groups.automated_backup_preference_desc • PRIMARY: only use the primary replica
for backups
• SECONDARY_ONLY: only use a
secondary replica for backups
• SECONDARY: prefer using a secondary
replica, but use a primary if no
secondaries are available
• NONE: no preference with respect to
whether a replica is primary or
secondary
sys.availability_replicas.backup_priority A value from 0 to 100, with higher numbers
assigning higher priority. Set this value to 0
to never use this replica.
For details on managing these settings, consult the documentation for SQL Server.
! IMPORTANT
In order to prevent unauthorized access to database replicas, Rubrik clusters rely on the
availability groups information in the sys.availability_databases_cluster table during the
discovery process. Restrict the visibility of the group_id and group_database_id identifiers
to the smallest practicable number of people to further reduce the risk of unauthorized
access.
Rubrik CDM Version 5.0 User Guide Always On Availability Groups 587
Exporting or restoring an availability database recovery point

Export or restore an availability database recovery point.
3. Click Availability Groups.
The Availability Groups tab appears.
4. (Optional) Enter a string in the “Search by Name” field to display availability groups matching
that string.
5. (Optional) Choose an SLA Domain from the “Filter SLA” drop-down to display availability groups
protected by the chosen SLA Domain.
6. In the Name column, click the name of an availability group.
The databases in the selected availability group display.
7. Click the name of a database in the availability group.
8. The Local page for the database appears, with the Recovery Points card showing the month
view.
10.Move the Recovery point slider to select a recovery point.
11.Export or restore the database recovery point.
Choose a recovery method:
• Export the database recovery point, as described in Exporting a database.
• Restore the database recovery point, using the method described in Workflow to restore a
database into an Always On Availability Group.
Rubrik CDM Version 5.0 User Guide Always On Availability Groups 588
Workflow to restore a database into an Always On Availability Group

Availability Group databases are actively involved in database mirroring sessions and cannot be
directly replaced by a backup. Follow the recommended workflow to restore a database into an
Always On Availability Group.
Rubrik CDM does not support an in-place restore of an Availability Group database.
To restore a database into an AAG, use the following workflow.
1. Remove the databases from the AAG
2. Drop the databases from each member.
3. Use the Rubrik CDM web UI to refresh the hosts.
4. Export the databases via the steps described in Exporting a database to each member in the
AAG, using the same point in time for each export.
! IMPORTANT
For all secondary members of the AAG, select Keep database in Restoring state.
5. Add the databases back to the AAG, selecting "Join Only" for the data synchronization option.
Unmanaged data
Manage application data that is not subject to a retention policy through the Unmanaged Objects

Chapter 18
SAP HANA Databases
This chapter describes how to protect and manage data from SAP HANA databases.
 Overview ............................................................................................................... 591
 SAP HANA backup retention .................................................................................... 591
 Rubrik Backup Service............................................................................................. 592
 Requirements for using sap_hana_bootstrap_main.................................................... 594
 Registering SAP HANA database .............................................................................. 595
 Configuring Rubrik backup for SAP HANA databases.................................................. 596
 Deleting the Rubrik Backup Service software ............................................................ 597
 Backing up a SAP HANA database ............................................................................ 598
 Restoring a SAP HANA database .............................................................................. 599
 Copying a database from an external host ................................................................ 600
 Restoring a database from a managed volume snapshot ........................................... 601
 Pausing Backint backups ......................................................................................... 603
 Resuming Backint backups ...................................................................................... 603
Rubrik CDM Version 5.0 User Guide SAP HANA Databases 590
SAP HANA Databases
Overview
A Rubrik cluster provides data management and protection for SAP HANA Databases.
HANA Studio or HANA Cockpit software from SAP can be used to initiate or schedule backup and
recovery. Internally, Rubrik uses Managed Volumes that can be assigned SLA policies, to store and
retrieve SAP HANA database backup files.
Note: More information using SAP HANA Studio or SAP HANA Cockpit can be found at:
https://help.sap.com/viewer/index
SAP HANA backup retention

Retention of SAP HANA backups can be managed through SAP HANA Studio or SAP HANA Cockpit
or through the Rubrik SAP SLA Manager utility.
SAP HANA backups can be stored on a Rubrik cluster, be replicated to another Rubrik cluster, or be
archived to the Cloud.
The policies for backup retention are set at the Managed Volume level through Rubrik CDM web
UI. Backups that are not removed from SAP HANA can be restored immediately using SAP HANA
Studio or SAP HANA Cockpit without additional configuration through Rubrik. Backups that are
removed from SAP HANA, but are still retained through Rubrik (either on a Rubrik cluster or
archived to Cloud), can be restored as described in Restoring a database from a managed volume
snapshot.
Table 120 provides an example of how SAP HANA backup retention is retained if the Managed
Volume SLA retention is configured for three days and SAP HANA scheduler-based deletion is
configured for three days..
Table 120 SAP HANA backup retention example (page 1 of 2)
Deletion
through SAP HANA
SAP HANA backups SAP HANA
Current Available Expired Studio or available in backups
SAP Managed Managed Managed Cockpit or Managed available for
HANA Volume Volume Volume through Volume direct
Backup snapshot snapshot snapshots Script snapshots restore
1 (1) (1) None No 1 1
2 (1,2) (1), (1,2) None No 1,2 1,2
3 (1,2,3) (1), (1,2), None No 1,2,3 1,2,3
(1,2,3)
4 (2,3,4) (1,2), (1,2,3), (1) Yes, 1,2,3,4 2,3,4
(2,3,4) Backup 1

SAP HANA Databases
Table 120 SAP HANA backup retention example (page 2 of 2)

Deletion
through SAP HANA
SAP HANA backups SAP HANA
Current Available Expired Studio or available in backups
SAP Managed Managed Managed Cockpit or Managed available for
HANA Volume Volume Volume through Volume direct
Backup snapshot snapshot snapshots Script snapshots restore
5 (3,4,5) (1,2,3), (1,2) Yes, 1,2,3,4,5 3,4,5
(2,3,4), Backup 2
(3,4,5)
6 (2,3,4), (1,2,3) Yes, 2,3,4,5,6 4,5,6
(3,4,5), Backup 3
(4,5,6)
7 (3,4,5), (2,3,4) Yes, 3,4,5,6,7 5,6,7
(4,5,6), Backup 4
(5,6,7)
8 (4,5,6), (3,4,5) Yes, 4,5,6,7,8 6,7,8
(5,6,7), Backup 5
(6,7,8)
Rubrik Backup Service

Install and configure the Rubrik Backup Service on a SAP HANA host to allow backup and restore
of SAP HANA databases.
Note: Before upgrading the Rubrik Backup Service, pause any SAP HANA backups, as described in
Pausing Backint backups.
Obtaining the Rubrik Backup Service software

Rubrik Backup Service (RBS) serves as a conduit for the software that manages SAP HANA backup
and recovery. RBS also automatically upgrades the SAP HANA backup software whenever the
Rubrik Cluster upgrades to a new version.
2. On the left-side menu, click Servers & Apps > Linux & Unix Hosts.
The Linux & Unix Hosts tab of the Linux &Unix Hosts page appears.
Rubrik CDM Version 5.0 User Guide Rubrik Backup Service 592
SAP HANA Databases
3. In the text of the dialog box, from Linux, click rpm.Depending on the Download settings of the
web browser, one of the following occurs:
• The browser downloads the report to the default download folder.
• The browser opens a Save As dialog box.
4. Save the file to a temporary location on the SAP HANA node for single-node deployments or on
the master node of the SAP HANA instance in the case of multi-node deployments.
Next task — Install the Rubrik Backup Service software on a SAP HANA host.

Obtain the Rubrik Backup Service software directly by URL. The Rubrik cluster provides a direct
URL link for the software package for SAP HANA hosts.
obtained.
2. Access the URL that is appropriate for the host operating system.
https://<RubrikCluster>/connector/rubrik-agent.x86_64.rpm
Next task — Install the Rubrik Backup Service software on hosts.
Installing the Rubrik Backup Service software

Install the Rubrik Backup Service software on a Linux host to provide the Rubrik cluster with the
ability to manage data on the host.
Note: If the Rubrik Backup Service has been installed with CDM 5.0 EA2, the Rubrik Backup
Service is automatically upgraded.
Before you begin — Check that the most up-to-date Linux version of the Rubrik Backup Service
software for the correct Rubrik cluster is available in a temporary location that the host can access.
2. Copy the software package to a temporary location on the host.
3. Change the working directory to the location of the package.
Rubrik CDM Version 5.0 User Guide Rubrik Backup Service 593
SAP HANA Databases
4. Remove existing rpm if any and install the downloaded rpm.

To uninstall existing Rubrik Agent:
rpm -e rubrik-agent
dpkg --remove rubrik-agent
To install Rubrik Agent:
rpm -i rubrik-agent.x86_64.rpm
dpkg -i rubrik-agent.x86_64.deb
Installing the Rubrik Backup Service copies the SAP HANA binaries to /usr/bin/rubrik/sap_hana
Inside the package, there are two important executables. sap_hana_agent_main is the backint
executable by SAP HANA to perform backup and restore operations using third party tools.
sap_hana_bootstrap_main is the setup script to configure rubrik backint.
Next task — Register the SAP HANA database.
Requirements for using sap_hana_bootstrap_main

A Rubrik cluster provides data protection and management for SAP HANA databases when specific
requirements are met.
The following are requirements for using sap_hana_bootstrap_main.
 The agent must be run as root user. This is required to append mount points in the /etc/fstab
file. The script creates and modifies all required files only inside /usr/bin/rubrik directory. Other
than edits to the /etc/fstab file, no other Linux system files are accessed or modified by the
bootstrap agent.
 In multi-host systems, the agent requires the root password of other hosts if password-less ssh
to other hosts is not configured on the master node.
 The SQL Port number to connect to the database. This is required to fetch all host details in a
multi-host environment and to configure backint settings in SAP HANA.
 Rubrik cluster IP and admin credentials.
 sap_hana_agent_main and the sap_hana_bootstrap agent must be in the same directory.
 SQL Port Number, which is in the form of 3<instance_number>15 for single container system
and 3<instance_number>13 for multi-container system
Alternatively, you can use the following SQL command to get the relevant port number of the SAP
HANA database:
SELECT SQL_PORT FROM SYS_DATABASES.M_SERVICES WHERE ( SERVICE_NAME =
Rubrik CDM Version 5.0 User Guide Requirements for using sap_hana_bootstrap_main 594
SAP HANA Databases
'nameserver' and COORDINATOR_TYPE = 'MASTER' );
Registering SAP HANA database

To register the Rubrik Backup Service for SAP HANA databases, use the
sap_hana_bootstrap_main.
Before you begin — Install RBS on the SAP HANA database.
1. Run sap_hana_bootstrap_main from the /usr/bin/rubrik/sap_hana directory.
2. Type the password for the System DB user and press Enter.
The Port number of System database (for example, 30113) prompt appears.
3. Type the port for the System database and press Enter.
The Enter HANA SID prompt appears.
4. Type the HANA SID, a three character ID, and press Enter.
The Enter ‘Rubrik prefix’ (This should be unique for different HANA instances using the same
Rubik cluster) prompt appears.
The Rubrik Prefix or SAP HANA SID, is a unique ID to distinguish Managed Volumes in Rubrik
cluster in case there are multiple HANA instances with same SID and containing databases with
same names using a common Rubrik cluster. The Rubrik Prefix is user generated. Use the same
Rubrik Prefix specified for SAP HANA that was used when sap_hana_bootstrap_main was run.
5. Type the Rubrik prefix and press Enter.
A series of prompts appears.
6. Press 1 to select Install Rubrik Backup Service on one or more SAP nodes (Press 1).
The Enter Hostname/IP of a Rubrik node prompt appears.
7. Type the Hostname or IP address of the Rubrik node and press Enter.
The Enter admin username for Rubrik cluster [admin] prompt appears.
8. Type the Rubrik cluster admin name and press Enter.
The Enter ‘admin’ password for Rubrik cluster prompt appears.
9. Type the admin password and press Enter.
A Setup successful message appears.
Rubrik CDM Version 5.0 User Guide Registering SAP HANA database 595
SAP HANA Databases
Configuring Rubrik backup for SAP HANA databases

To configure Rubrik backup for SAP HANA databases, use the sap_hana_bootstrap_main.
Before you begin — Install RBS on the SAP HANA database.
1. Download the RPM from Rubrik on the SAP HANA node in any desired directory.
2. Install the RPM.
sap_hana_agent_main and sap_hana_bootstrap_main is moved to the
/usr/bin/rubrik/sap_hana directory.
8. Press 2 to select Configure Rubrik backup for one or more DB instances and press Enter.
The Enter Hostname/IP of a Rubrik node prompt appears.
10.Type the Rubrik cluster admin name and press Enter.
11.Type the admin password and press Enter.
The user is setup, the database details are fetched, and the current state of the database is
displayed.
Rubrik CDM Version 5.0 User Guide Configuring Rubrik backup for SAP HANA databases 596
SAP HANA Databases
The Enter comma separated S.No of databases to enable backups (0 to enable all): prompt
appears. This lists whether the databases are configured for backup.
12.Specify the databases for backups and press Enter.
For each selected database, the Data MV Size (GB) prompt appears.
13.Specify the MV Size in GB and press Enter.
For each selected database, the Log MV Size (GB) prompt appears.
14.Specify the Log MV Size in GB and press Enter.
The databases are listed, which specifies the databases configured for backup.
The setup successful message appears.
Deleting the Rubrik Backup Service software

If you want to disconnect your SAP HANA instance from Rubrik so that no future backups go to
Rubrik, you can uninstall RBS.
Previous backup files are still present on the Rubrik cluster and SAP HANA instances can be
recovered from these backups. To remove the previous backups, remove the corresponding
Managed Volumes.
6. Press 3 to select Uninstall Rubrik (Press 3).
The Rubrik Backup Service software is removed from the SAP HANA database.
Rubrik CDM Version 5.0 User Guide Deleting the Rubrik Backup Service software 597
SAP HANA Databases
Backing up a SAP HANA database

The SAP HANA Studio client or SAP HANA Cockpit is used to backup SAP HANA databases. Any
database that was configured with Rubrik Backup by running sap_hana_bootstrap_main program
can be backed up.
The following instructions use the SAP HANA Studio client to backup SAP HANA databases.
Before you begin — Install and configure RBS on the SAP HANA database.
1. Right-click the database for backup.
2. Select Backup and Recovery > Back up Tenant Database (or System).
The Specify Tenant (or System) database dialog box appears.
3. Select the database for backup and click Next.
The Specify Backup Settings dialog box appears.
4. Select the Backup Type:
• Complete Data Backup
• Differential Backup
• Incremental Backup
5. Select the Backint Destination Type.
6. Accept the Backup Destination.
7. Click Next.
The Review Backup Settings dialog box appears.
8. Confirm the settings are correct and click Finish.
The backup process runs.
When the backup is complete, the Backup Execution Summary confirms the backup is complete.
Viewing the backup catalog

The SAP HANA Studio client maintains a backup catalog for all backups.
Before you begin — Create a backup(s) of SAP HANA database(s).
1. Right-click on the database name and select Backup Console.
2. In the Backup Console, choose the Backup Catalog tab.
The Backup Catalog tab displays all of the backups for the selected database.
Rubrik CDM Version 5.0 User Guide Backing up a SAP HANA database 598
SAP HANA Databases
Restoring a SAP HANA database

The SAP HANA Studio client or SAP HANA Cockpit is used to restore SAP HANA databases. Any
database that was configured with Rubrik Backup by running sap_hana_bootstrap_main program
can be backed up and restored.
The following instructions use the SAP HANA Studio client to restore SAP HANA databases.
Before you begin — Backup a SAP HANA database.
1. Right click on the HANA SID.
2. Select Backup and Recovery > Recover Tenant Database (or System).
The Specify Tenant database (or System) dialog box appears.
3. Select the database for restore and click Next.
The Specify Recovery Type dialog box appears.
4. Select the Recovery Type:
• Recover the database to its most recent state
• Recover the database to a specific data backup
The Select a Backup dialog box appears. The Backup catalog is listed.
5. Select a backup for recovery.
6. Click Check Availability to confirm that all of the files that were backed up are available in
the Managed Volume.
7. Click Next.
The Other Settings dialog box appears.
8. In Check Availability of Delta and Log Backups, specify Third-Party Backup Tool (Backint).
9. (optional) Specify Initialize Log Area.
10.(optional) Specify Use Delta Backups.
11.(optional) Specify Install New License Key.
12.Click Next.
The Review Recovery Settings dialog box appears.
13.Confirm the settings are correct and click Finish.
The recovery process runs.
The Recovery Execution Summary dialog box appears.
Rubrik CDM Version 5.0 User Guide Restoring a SAP HANA database 599
SAP HANA Databases
14.Review the summary and click Close.

The recovery process is complete.
Copying a database from an external host

If source and target databases are not in the same SAP HANA system, use sap_hana_bootstrap_
main to configure the system to copy a database from an external host.
The following scenarios are not supported if the target and source system have the same SID:
 Database name on the source and target database is the same
 Source and target systems are connected to different Rubrik clusters
Before you begin — The target database must be configured for Backup using mode 1 and the
source database must have backups in a Rubrik cluster.
6. Press 4 to select Configure system to copy remote database (Press 4).
The Enter Hostname/IP of the Rubrik node prompt appears.
Rubrik CDM Version 5.0 User Guide Copying a database from an external host 600
SAP HANA Databases

The Enter SID of HANA system to restore from prompt appears.
10.Type the SID of the source system and press Enter.
The Enter ‘Rubrik Prefix’ of HANA system to restore from prompt appears.
11.Type the Rubrik Prefix of the source system and press Enter.
The Do you want to restore SYSTEMDB DB prompt appears.
12.Type N.
The Do you want to restore [dbname] DB prompt appears.
13.Type Y.
The Enter DB name corresponding to [dbname] in source system prompt appears.
14.For each database that needs to be copied to in target system, type the corresponding
database for source system and press Enter.
The Do you want to restore [dbname] DB prompt appears.
15.Type N.
After the sap_hana_bootstrap_main process is complete, use SAP HANA Studio or SAP HANA
Cockpit to copy the database.
Restoring a database from a managed volume snapshot

Use sap_hana_bootstrap_main to configure the system to restore a database from an exported
Managed Volume snapshot.
Before you begin — The snapshot (both data and log) to be restored to should be exported on
the Rubrik Cluster. Ensure that the correct log and data Mounted Volume snapshots are exported
based on the time of snapshot. Restoring to any backup not present in the snapshot will fail. If
multiple snapshots are mounted for the same database, then the database will be configured to
restore from the most recently exported snapshot.
Rubrik CDM Version 5.0 User Guide Restoring a database from a managed volume snapshot 601
SAP HANA Databases
6. Press 5 to select Configure system to restore from an exported managed-volume snapshot
(press 5).
The Enter Hostname/IP of the Rubrik node prompt appears.
The Configure system to restore from replicated cluster prompt appears.
10.Type Y for replication and N for archival.
The Do you want to restore [dbname] DB from mounted snapshot prompt appears.
11.Type Y for each database you want to restore.
A setup successful message appears.
After the sap_hana_bootstrap_main process is complete, use SAP HANA Studio or SAP HANA
Cockpit to restore the database.
Once the restore is complete, see Configuring Rubrik backup for SAP HANA databases to reset
normal backup operations.
Rubrik CDM Version 5.0 User Guide Restoring a database from a managed volume snapshot 602
SAP HANA Databases
Pausing Backint backups

Use sap_hana_bootstrap_main to pause and resume Backint backups.
Since log backups are triggered frequently, managed volumes are always in busy state, which can
cause a Rubrik CDM upgrade to fail. Before an upgrade, pause the Backint backup. Once the
backup is complete, resume the Backint backup.
6. Press P to select Pause for the SAP Backup.
Resuming Backint backups

Use sap_hana_bootstrap_main to pause and resume Backint backups.
Since log backups are triggered frequently, managed volumes are always in busy state, which can
cause a Rubrik CDM upgrade to fail. Before an upgrade, pause the Backint backup. Once the
backup is complete, resume the Backint backup.
Rubrik CDM Version 5.0 User Guide Pausing Backint backups 603
SAP HANA Databases
6. Press R to select Resume for the SAP Backup.
Rubrik CDM Version 5.0 User Guide Resuming Backint backups 604
Chapter 19
Managed Volumes
This chapter describes how to protect and manage data using managed volumes.
 Overview ............................................................................................................... 606
 Floating IP addresses .............................................................................................. 606
 Creating a managed volume .................................................................................... 608
 Editing a managed volume ...................................................................................... 610
 Deleting a managed volume .................................................................................... 611
 Managing protection with SLA Domains .................................................................... 612
 Snapshot-level protection ........................................................................................ 613
 Creating user accounts for managed volumes ........................................................... 615
 The managed volume local page.............................................................................. 617
Rubrik CDM Version 5.0 User Guide Managed Volumes 605

Managed Volumes
Overview
Managed volumes are a generic data source that enable users to back up arbitrary data on a
Rubrik cluster. Managed volume snapshots can make use of the full range of Rubrik protection
features, including data deduplication and secure SMB Live Mounts.
Note: Encrypting application backups can lead to ineffective deduplication. Files encrypted with
different encryption keys do not trigger content-based matching.
Configuration workflow
Establishing a managed volume protected by an SLA Domain uses the workflow described in this
section. Once established, the managed volume is treated as any other protected data source.
Complete the tasks in the order specified in this workflow. Each stage references a detailed task.
Complete the steps in a task before moving to the next stage in the workflow. To use secure SMB
for live mounts of managed volumes, enable secure SMB connections using the procedure in
Secure SMB settings.
Note: Managed volumes that use the secure SMB protocol cannot map the IP address of a client
to more than one domain. A given client IP address can only access managed volumes from within
a single domain.
1. Set up floating IP addresses for the Rubrik cluster.

Setting up floating IP addresses describes how to do this.
2. Create a managed volume.
Creating a managed volume describes how to do this.
3. Assign the managed volumes to SLA Domains.
Assigning a managed volume to an SLA Domain describes how to do this.
Floating IP addresses
Floating IP addresses must be set up before creating any managed volumes. Floating IP addresses
provide a consistent connection to the Rubrik cluster even when a cluster node becomes
unavailable.
Configure the same number of floating IP addresses as the number of nodes on the Rubrik cluster.
An equal distribution of floating IP addresses between the nodes ensures efficient distribution of
the work between the nodes.

Managed Volumes
After the floating IP addresses are configured, the Rubrik cluster assigns each node a floating IP
address. The nodes handle communication through the assigned floating IP address.
When a node cannot handle communication on its assigned floating IP address, the Rubrik cluster
assigns (floats) that address to another node. This functionality prevents disruption of data
transmission over the floating IP address and maintains the availability of the managed volumes.
Table 121 describes the requirements for floating IP addresses.
Table 121 Floating IP address requirements
Number Same number of floating IP addresses as the number of nodes on the Rubrik
cluster.
Subnet Same subnet as the static data IP addresses of the Rubrik cluster.
Uniqueness Each IP address must be unique within the subnets and cannot be the same as
the management IP address or the data IP address.
Network bonding The floating IP addresses should be configured on bond0.
Setting up floating IP addresses

Set up floating IP addresses to ensure that all managed volumes remain available even if a Rubrik
node fails. One floating IP address must be defined for each Rubrik node, and the floating IP
address should be on the same subnet as the static data IP addresses of the Rubrik nodes.
2. On the top bar, click the gear icon.
4. In Floating IPs, type a comma-separated list of IPv4 addresses.
Provide the same number of IPv4 addresses as the number of nodes in the Rubrik cluster. Each
IPv4 address must be on the same subnet as the static data IP addresses of the Rubrik nodes.
5. Click Update.
The Rubrik cluster stores the floating IP addresses, and assigns the floating IP addresses to the
nodes.
Rubrik CDM Version 5.0 User Guide Floating IP addresses 607

Managed Volumes
Creating a managed volume

Create a managed volume for each app being protected. Recommended settings for managed
volumes are listed in Table 122.
Table 122 Recommendations for managed volume settings
Managed volume One channel per managed A single channel can provide
channels volume. For additional throughput, approximately 1 TB/hr of throughput when
up to 4 total channels can be used sufficient system resources are available.
per managed volume.
Managed volume size Create the managed volume with For example, a 1 TB data source with a 5%
enough space to contain all of the change rate requires approximately 1.3 TB
data from the recovery period, and for a 7 day recovery period and 1.6 TB for
provide some additional space for a 14 day recovery period.
unexpected data growth. Managed volumes can be increased in
For managed volumes created on size as needed, but cannot be decreased
versions of the Rubrik CDM in size.
earlier than 5.0, the requested
provision size is used to calculate
an optimal number of disks and
managed volume size. This
results in an actual volume size
that could be up to 15% larger
than the provision size.
Managed volume subnet When VLAN tagging is configured Supply a subnet mask value in CIDR
on the Rubrik cluster, use this format to limit the network traffic for the
setting to direct the network traffic managed volume to that subnet.
of the managed volume to a
specific VLAN.
SLA Domain assignment Assign a managed volume to an Assigning a managed volume to an SLA
SLA Domain before directing any Domain ensures that the correct data
backups into that managed management policies are applied to the
volume. snapshots in that managed volume.
When the managed volume is not
assigned to an SLA Domain, the Rubrik
cluster assigns the snapshots to the
Unmanaged policy group and does not
expire the snapshots.
Note: Depending on the settings and size of the managed volume, the volume creation process
can take up to one hour.
Rubrik CDM Version 5.0 User Guide Creating a managed volume 608
Managed Volumes
Before you begin — Set up floating IP addresses for the Rubrik cluster, as described in Setting up
floating IP addresses.
2. On the left-side menu, click Servers & Apps > Managed Volumes.
The Managed Volumes page appears.
3. Click Add Volume.
The Add Volume dialog appears.
4. In Volume Name, enter a name to identify the managed volume.
To simplify identification, use the name of the database being protected.
5. In Provisioned Size, type a size, in gigabytes.
The actual size allotted could be up to 15% larger as the result of an automatically applied
optimizing calculation.
6. Select a communications protocol for the managed volume.
• Select NFS to use the NFS protocol for live mounts of snapshots for this managed volume.
Note: Managed volumes that use the NFS protocol do not support NFSv4.
• Select SMB to use the secure SMB protocol for live mounts of snapshots for this managed
volume.
Note: To use secure SMB for live mounts of managed volumes, enable secure SMB
connections using the procedure in Secure SMB settings.
Note: Managed volumes that use the secure SMB protocol cannot map the IP address of a
client to more than one domain. A given client IP address can only access managed volumes
from within a single domain. Reusing a client IP as an agent-based host as part of another
domain can result in conflicts.
7. (Optional) Select an application tag from the Applications Tags drop-down.

Application tags specify the type of application content in the managed volume. The Rubrik
CDM cluster optimizes the use of CPU and memory during data reduction based on the selected
type. When no tag is selected, data reduction uses more CPU and memory.
8. (Optional) In Client Name Patterns, type a FQDN or IPv4 address.
Multiple FQDNs and IPv4 addresses can be added.
Rubrik CDM Version 5.0 User Guide Creating a managed volume 609
Managed Volumes
The Rubrik cluster only allows hosts that are identified in the client name patterns to mount the
shares from the managed volume and the managed volume snapshots.
When this field is empty or contains a single asterisk (*), the Rubrik cluster allows any host to
mount the shares from the managed volume.
9. (Optional, with VLAN tagging enabled) In Subnet, type a subnet mask value, in CIDR format.
For example, to use the subnet range 10.128.45.0 - 10.128.45.63, type 10.128.45.0/26.
The Rubrik cluster limits the network traffic of the managed volume to the specified subnet.
10.(Optional) In Number of Channels, type an integer.
Normally, type the same number as the number of nodes in the Rubrik cluster. The number of
managed volume channels is governed by the value of the maxChannelsPerNode configuration
setting. Based on the resources available on the node, this value can be between 4 and 32.
11.Click Add.
Note: The first snapshot taken for a managed volume might show a Data Transferred value in the
Activity Detail that is larger than the actual amount of ingested data. This is due to internal,
one-time filesystem metadata initialization, such as inode tables and extent maps.
The Rubrik cluster saves the configuration information and the new managed volume appears on
the Managed Volumes page.
Editing a managed volume

Use the Rubrik CDM web UI to edit the volume name, provisioned size, and client name pattern
values of a managed volume. The provisioned size can be increased but cannot be decreased by
using this method.
3. Open the ellipsis menu next to the managed volume and click Edit.
The Edit Volume dialog appears.
4. To rename the managed volume, in Volume Name, type a new name.
5. To increase the managed volume size, in Provisioned Size, type a size in gigabytes.
The value represents the new size of the selected managed volume. The specified size must be
the same as, or larger than, the current size of the managed volume.
Rubrik CDM Version 5.0 User Guide Editing a managed volume 610
Managed Volumes
Note: When editing managed volumes created in versions of the Rubrik CDM older than 5.0,
the actual size allotted can be up to 15% larger as the result of an automatically applied
optimizing calculation.
6. To modify client access to the managed volume, type a resolvable hostname or IPv4 address in
Client Name Patterns.
Multiple hostnames and IPv4 addresses can be added.
The Rubrik cluster only allows hosts that are identified in the client name patterns to mount the
shares from the managed volume and the managed volume snapshots.
When this field is empty or contains a single asterisk (*), the Rubrik cluster allows any host to
mount the shares from the managed volume.
7. Click Edit.
The Rubrik cluster makes the specified changes to the information for the managed volume and
performs any resizing operations in the background. The managed volume remains in the
read-only state until resizing operations complete.
Deleting a managed volume

Use the Rubrik CDM web UI to delete a managed volume.
3. Open the ellipsis menu next to the managed volume and click Delete.
A dialog appears with choices for how to handle the existing snapshots of the managed
volume:
• Transfer Snapshots to Relic – The Rubrik cluster retains the snapshots as unmanaged
relics.
• Expire Snapshots immediately – The Rubrik cluster immediately marks the snapshots
as expired and the snapshots will be permanently deleted.
4. Select one of the snapshot handling choices.
5. Click Delete.
The Rubrik cluster deletes the specified managed volume and applies the selected choice to the
existing snapshots.
Rubrik CDM Version 5.0 User Guide Deleting a managed volume 611
Managed Volumes
Managing protection with SLA Domains

Assign a managed volume to an SLA Domain to enable policy-driven management of the
snapshots of the managed volume.
To prevent differences in the policies applied to the snapshots of a managed volume, assign an
SLA Domain to the managed volume before using the volume for backups.
When a managed volume is not initially assigned to an SLA Domain, and backups are written to
the managed volume, default policies are applied to the snapshots that are created. These policies
can differ substantially from the policies applied to the managed volume through an SLA Domain
assignment.
Assigning a managed volume to an SLA Domain

To provide SLA policy based management of the snapshots of a managed volume, assign the
managed volume to an SLA Domain.
3. Select a managed volume.
An alert appear stating that an SLA Domain assignment to a managed volume does not mean
that the Rubrik cluster will initiate snapshots to meet the specified SLA policies. Snapshots
must be initiated manually through the Rubrik CDM web UI or through a Rubrik REST API
endpoint.
The Manage Protection dialog appears.
To create an SLA Domain, click + and create the SLA Domain.
7. Click Finish.
The Rubrik cluster saves the settings and begins managing the snapshots of the managed volume.
Rubrik CDM Version 5.0 User Guide Managing protection with SLA Domains 612
Managed Volumes
Snapshot-level protection
Individual on-demand snapshots of a managed volume can be managed using SLA policies that
are different from the associated managed volume.
For some business purposes, specific managed volume snapshots should be managed differently
from the other snapshots of the managed volume. Business requirements may be satisfied by
specifying a longer retention period, a different replication policy, or a different archival policy.
To assign SLA policies to a managed volume snapshot that are different from those assigned to the
managed volume, the snapshot must be an on-demand snapshot initiated from the Rubrik CDM
web UI. On-demand snapshots of managed volumes can be assigned SLA Domains different from
the SLA Domain set for the managed volume as a whole. These individual SLA Domain
assignments override the assignments made on the managed volume.
To set an on-demand snapshot of a managed volume as unmanaged, specify Forever at the time
the snapshot is taken. The Rubrik cluster handles a snapshot with the Forever setting as follows:
 Snapshot labeled as On Demand
 No automatic expiration of the snapshot
 Manual expiration of the snapshot permitted
 Snapshot accessible through the Unmanaged Objects page
Specifying managed volume snapshot assignment

To provide separate SLA policy-based management of an managed volume snapshot, create an
on-demand snapshot of the managed volume and assign a different protection setting to the
snapshot.
3. Click the name of a managed volume.
The local page for the managed volume appears.
4. Click Manage Snapshot Operations.
The Managed Snapshot Operations dialog appears.
5. Click Begin Snapshot.
The Rubrik cluster sets the managed volume to read-write and the Managed Snapshot
Operations dialog changes.
6. Click Take Snapshot.
Rubrik CDM Version 5.0 User Guide Snapshot-level protection 613

Managed Volumes
The Take On Demand Snapshot dialog appears.

7. Select an SLA Domain for the snapshot, or select Forever.
Optionally, to create an SLA Domain for the snapshot, click +.
The Rubrik cluster creates a snapshot of the files in the managed volume.
The Activity Log message for the job includes the timestamp for the backup that is the basis for
the snapshot.
The Rubrik cluster lists the snapshot on the Snapshots card of the managed volume local page.
Live mounting a managed volume snapshot

A Live Mount of a managed volume snapshot enables access to the data in that snapshot.
The Rubrik cluster shares the Live Mount over the SMB/CIFS protocol. Because live mounts are
optimized for faster read operations, restoring from a live mount can offer performance
advantages over other recovery methods.
 Manage and protect at least one managed volume.
 Successfully complete at least one snapshot of the managed volume.
The Recovery Points card displays the Day view and a list of snapshots for that day.
5. Open the ellipsis menu for the snapshot to live mount and click Export.
6. Click Export.
The Rubrik cluster creates the Live Mount of the selected snapshot. Active Live Mounts are listed
in Live Mounts > Managed Volumes.
Rubrik CDM Version 5.0 User Guide Snapshot-level protection 614

Managed Volumes
Deleting an unmanaged on-demand snapshot

The Rubrik cluster retains an unmanaged snapshot of a managed volume until the snapshot is
manually deleted.
4. In the Snapshots card, navigate to the Day view that shows the on-demand snapshot.
The Rubrik CDM web UI uses a camera icon to represent an on-demand snapshot
5. Open the ellipsis menu for the snapshot and click Delete.
6. Click Delete.
The Rubrik cluster removes the selected on-demand snapshot.
Creating user accounts for managed volumes

A user account with administrator privileges can use the Rubrik REST API to grant a user account
without administrator privileges the permissions to issue the API calls to begin and end a managed
volume snapshot.
Perform this task to create a non-administrator user account to use when making calls to the
begin_snapshot and end_snapshot endpoints.
! IMPORTANT
For managed volumes using SMB, calling either the begin_snapshot or end_snapshot API
endpoints during the process of restoring the volume causes the restore operation to end
with an error.
2. Create a user account with End User permissions for assigned objects.
3. Open the internal version of the Rubrik REST API Explorer.
Go to: https://<RubrikCluster>/docs/internal/playground/
Rubrik CDM Version 5.0 User Guide Creating user accounts for managed volumes 615
Managed Volumes
The Rubrik REST API Explorer appears.

4. Click Authorize.
The Available authorizations dialog appears.
5. In the Basic Authorization section, type the user name and password for an administrator
account.
6. Click Authorize.
The Rubrik REST API Explorer opens a session and stores the session token.
7. Click /user.
The listing expands to show all operations for that endpoint.
8. Click GET /user.
The endpoint listing expands.
9. Click Try it out.
The Rubrik REST API server responds with a list of users.
10.In the response, find the entry for the user, and save the ID that was assigned to the user.
Here is an example user account entry for “enduser”:
{
"id": "User:::a9395d52-632d-4ff2-8ac5-496cb2914543",
"authDomainId": "15b3592b-65dd-4bad-a714-4dd55e0c4784",
"username": "enduser",
"emailAddress": "foo@foo.com"
},
The user ID assigned to enduser is:
User:::a9395d52-632d-4ff2-8ac5-496cb2914543
11.Save the user ID.
12.Click /authorization.
The listing expands to show all operations for that endpoint.
13.Click POST /authorization/role/managed_volume_user.
The endpoint listing expands.
14.Click the Example Value field to populate the authorization_policy field with default values.
15.In principals, replace string with the user ID.
16.In privileges:basic, replace string with Global:::All.
Rubrik CDM Version 5.0 User Guide Creating user accounts for managed volumes 616
Managed Volumes
To limit the user account to a single managed volume, replace string with the ID assigned to
that managed volume.
17.Delete the "organizationId": "string" member from the JSON object, including the comma that
precedes the member.
Example of a completed JSON object:
{
"principals": [
"User:::a9395d52-632d-4ff2-8ac5-496cb2914543"
],
"privileges": {
"basic": [
"Global:::All"
]
}
}
18.Click Try it out.
The Rubrik REST API server processes the POST request and adds the privilege to the specified
user account. Upon success, the server returns status code 200.
The managed volume local page

The managed volume local page provides the following sections:
 Action bar
 Overview card
 Snapshots card
Viewing a managed volume local page

Access the managed volume local page to view information about a managed volume.
1. From the left-side menu of the Rubrik CDM web UI, click Servers & Apps > Managed
Volumes.
The local host page for the selected managed volume appears.
Rubrik CDM Version 5.0 User Guide The managed volume local page 617
Managed Volumes
Action bar
For the selected managed volume, the action bar provides the actions described in Table 123.
Action Description
Begin snapshot Sends the begin_snapshot API call to prepare the managed volume to receive
backup data.
End snapshot Sends the end_snapshot API call to return the managed volume to read-only state.
Manage Protection Opens the Manage Protection dialog to assign a managed volume to an SLA
Domain.
Overview card
The Overview card provides the information described in Table 124.
Field Description
Total Snapshots Total number of retained snapshots for the selected managed volume, including
snapshots stored locally and at archival locations.
Channels The number of channels configured for the managed volume. Click View for
additional details.
Provisioned Size The amount of space that was provisioned for the managed volume.
Used Size The current amount of space used by the managed volume.
SLA Domain The name of the SLA Domain for the managed volume.
Live Mount The number of active Live Mounts.
Oldest Snapshot Timestamp for the oldest snapshot associated with the managed volume.
Latest Snapshot Timestamps for the most recent successful snapshot of the managed volume.
Managed Volumes
Snapshots card
For the selected managed volume, the Snapshots card provides the ability to browse the
Each calendar view uses color spots to indicate the presence of snapshots on a date and to
indicate the status of SLA Domain compliance for the managed volume on that date.
managed volume.
Chapter 20
Retention Management
This chapter describes how to assign retention policies to existing scheduled snapshots,
on-demand snapshots, and snapshots retrieved from an archival location. It also explains how to
delete snapshots.
 Overview ............................................................................................................... 621
 Snapshot Retention page ........................................................................................ 622
 Working with a data source ..................................................................................... 627
 Unprotecting a data source...................................................................................... 628
 Changing the retention policy on an on-demand snapshot ......................................... 628
 Changing the retention policy on a scheduled snapshot ............................................. 629
 Deleting snapshots for a data source........................................................................ 629
 Removing individual snapshots for a data source ...................................................... 630
 Removing retrieved content for a database............................................................... 630
Rubrik CDM Version 5.0 User Guide Retention Management 620

Overview
The Snapshot Retention page of the web UI displays the retention SLAs for all scheduled
snapshots associated with relic, replicated relic, or unprotected data sources. In a separate
column, it also displays the number of on-demand snapshots and retrieved snapshots combined.
To change the retention policy on an existing snapshot, or to delete a snapshot, use the features
available from the Snapshot Retention page of the web UI.
The Rubrik cluster uses SLA Domains to protect data sources, such as virtual machines,
applications, and filesets. An SLA Domain specifies schedules for creating snapshots (called the
protection policy) and how long to retain them (called the retention policy). As long as an SLA
Domain is in effect, the Rubrik cluster stores the snapshots and backups until the specified
retention period expires.
For on-demand snapshots, the retention period is specified when the job is created, either by
assigning an SLA Domain or by choosing the Forever option. If an SLA Domain is assigned, the
Rubrik cluster keeps the on-demand snapshot for the length of time specified by the maximum
retention period specified in the SLA Domain. If the Forever option is selected, the snapshot is
retained until it is manually deleted.
Once a snapshot is placed on the Snapshot Retention page, its retention period can be changed by
selecting Manage Retention.
Snapshots are included in the count on the Snapshot Retention page in the following situations:
 When the status of a data source is changed from protected to unprotected.
When the SLA Domain of a data source is changed to Do Not Protect, the status of the data
source changes to Unprotected. The choices for handling existing snapshots include expire
immediately, keep forever, and assign to the current SLA Domain for retention. If snapshots are
kept forever or assigned to the current SLA Domain, they can be managed from the Snapshot
Retention page.
 When a snapshot is taken on demand, independent of the schedule specified in the assigned
SLA Domain.
When the on-demand snapshot job is created, the retention period is specified by assigning an
SLA domain or by choosing Forever. If an SLA domain is assigned, the maximum retention
period from that SLA domain is applied to the snapshot. All on-demand snapshots can be
managed from the Snapshot Retention page.
 When a data source is disconnected from the Rubrik cluster.
In this case, the data source becomes a relic and the originally assigned SLA Domain is no
longer in effect. Any snapshots taken before the data source was disconnected are moved to
the Snapshot Retention page, where a retention policy can be assigned.

 When a snapshot resides on a replication target that is no longer associated with the
replication source.
Once the replication relationship is broken, the snapshot becomes a replication relic and is no
longer subject to the SLA Domain assigned to the replication source.
 When the snapshot is retrieved from an archival location.
Snapshot Retention page

Use the Snapshot Retention page to change retention policies for snapshots or to delete them.
The Snapshot Retention page presents information at two levels: data source level and object
level.
The data source level provides information for each virtual machine, application, and fileset that
have snapshots associated with them.
The object level provides information about the individual snapshots of a selected data source.
Opening the Snapshot Retention page

To work with on-demand, downloaded, and existing scheduled snapshots, open the Snapshot
Retention page of the web UI.
2. On the left-side menu, click Snapshot Retention.
The data source level of the Snapshot Retention page appears.
Information available at the data source level of the Snapshot Retention page
The data source level of the Snapshot Retention page provides information about snapshots listed
by their data sources.
Rubrik CDM Version 5.0 User Guide Snapshot Retention page 622
Table 125 describes the information that is available at the data source level of the Snapshot
Retention page.
Table 125 Fields at the data source level on Unmanaged Snapshots
Field Description
Name The value in the Name column depends on the type of data source:
• Virtual machine–Name of the data source virtual machine. Click a name
value to open the associated local host page.
• Application–Application reference name for the data source; for example, the
name assigned to a database. Click a name value to open the associated
Recovery Points card page.
• Fileset–Fileset name for the data source host fileset. Click a name value to
open the local host page associated with the selected fileset and host pairing.
Location The value in the Location column depends on the type of data source:
• Virtual machine–vCenter Server cluster/host path of the data source virtual
machine. Click a location value to open the Clusters/Hosts tab of the Virtual
Machines page.
• Application–IPv4 address or host name of the application host and name of
the application instance for the data source. Click a location value to open
the Hosts/Instances tab of the SQL Server DBs page.
• Fileset–IPv4 address of the host for the data source host fileset. Click a
location value to open the Hosts page.
Status Status of the data source:
• Protected–The data source is protected through an SLA Domain.
• Relic–The data source is no longer accessible to the Rubrik cluster.
• Unprotected–The data source is accessible, but the SLA domain assignment
has been changed to Do Not Protect.
• Replicated Relic–The replication target’s data source is no longer accessible
to the Rubrik cluster.
Retention SLA Name of the SLA Domain that is assigned to the data source. The Retention
SLA refers to the portion of the SLA Domain that specifies the retention policy.
Scheduled Snapshots Number of snapshots for the data source that were taken according to the
schedule in an SLA Domain that is no longer in effect.
On Number of snapshots taken on demand or retrieved from an archival location.
Demand/Downloaded
Snapshots
Local Storage Total local storage space occupied by the snapshots associated with the
selected data source.
Archive Storage Total archival storage space occupied by the snapshots associated with the
selected data source.
Filters available at the data source level of the Snapshot Retention page
Display specific subsets of information on the data source level of the Snapshot Retention page by
applying the provided filters. For each data source that meets the filter criterion, the following
information is displayed:
 The current retention SLA assigned to the data source.
 The number of existing snapshots that are not subject to the current retention SLA.
 The combined number of on-demand snapshots and snapshots downloaded from archival
locations.
Viewing the object level of the Snapshot Retention page

To work with unmanaged snapshots, open the object level of the Snapshot Retention page.
The Snapshot Retention page appears.
3. Click a number in the Scheduled Snapshots column for a data source to view the object level
for a scheduled snapshot.
4. Click a number in the On Demand/Downloaded Snapshots column to view the object level
for an on-demand snapshot or a retrieved archival snapshot.
For the selected data source, the object level of the Snapshot Retention page appears.
Information available at the object level of the Snapshot Retention page

The object level displays information about the individual snapshots for a selected data source.
Table 126 describes the information that is available at the object level of the Snapshot Retention
page.
Table 126 Fields at the object level on the Snapshot Retention page (page 1 of 2)
Field Description
Snapshot Date & Time Date and time that the snapshot was taken.
Table 126 Fields at the object level on the Snapshot Retention page (page 2 of 2)
Field Description
Type Type of snapshot. Type can be one of the following:
• On Demand–The snapshot was created through the on-demand snapshot
process or the on-demand backup process.
• Relic–The data source of the snapshot is no longer accessible to the Rubrik
cluster.
• Retrieved–The snapshot was retrieved from an archival location.
• Unprotected–The snapshot was created through an SLA Domain policy and the
data source is no longer assigned to an SLA Domain. This type excludes
on-demand snapshots or backups that are assigned to an SLA Domain.
Retrieved snapshots and on-demand snapshots that are not assigned to an SLA
Domain are included in both Relic and Unprotected listings.
Retention SLA Name of the SLA Domain that contains the retention policy for the data source, if
the status is Protected. If the status of the data source is Unprotected, Relic, or
ReplicatedRelic, the Retention SLA refers to the name of the SLA Domain that
contains the retention policy for the Scheduled Snapshots.
Filters available at the object level of the Snapshot Retention page

Display specific subsets of information on the object level of the Snapshot Retention page by using
the provided filters.
Table 127 describes the filters that are provided on the object level of the Snapshot Retention
page.
Table 127 Filters at the object level on snapshots
Filter type Filter View
Type Relic Snapshots taken from a data source that is now a relic.
Type Unprotected Snapshots taken from a data source that is now unprotected.
Date Last 2 Hours Snapshots that were created in the last 2 hours.
Date Last 24 Hours Snapshots that were created in the last 24 hours.
Date Last 7 Days Snapshots that were created in the last seven days.
Date Last 30 Days Snapshots that were created in the last 30 days.
Date Custom Range Snapshots that were created within a specified date range.
Uses the Filter By Custom Range dialog box described in
Specifying a custom date range.
Relic data sources

When a data source that is managed by a Rubrik cluster is no longer accessible to the Rubrik
cluster, the Rubrik cluster designates that data source as a relic. The designation of the data
source as a relic is attached to the universally unique identifier (UUID) that the Rubrik cluster
assigned to the data source when the data source was added.
A data source can become a relic and later become accessible again to the Rubrik cluster. In that
case, the type of the data source determines whether the Rubrik cluster can attempt to associate
the history and backups from before the data source became a relic with the newly accessible data
source.
For data source types where it is possible to attempt to associate previous history and data,
changes on the data source host can prevent successful association.
Table 128 describes Rubrik cluster actions for situations where a data source becomes a relic, then
later becomes accessible. The following terms are used in the table:
 ‘relic event’ refers to the event that caused the data source to become a relic.
 ‘pre-relic’ means the virtual machine, application instance, or host and fileset pair that existed
before the relic event.
Table 128 Rubrik cluster actions for relic events (page 1 of 2)
Data source type Relic event sequence Rubrik cluster action
virtual machine The Rubrik cluster loses connection with Scan the vSphere metadata for the virtual
the virtual machine host, then the Rubrik machine. If the virtual machine is identical
cluster establishes connection with the to the pre-relic virtual machine, then
virtual machine host. assign the original UUID and associate
the original history and data.
virtual machine The virtual machine is moved to a vCenter Scan the vSphere metadata for the virtual
Server state that blocks the Rubrik machine. If the virtual machine is identical
cluster, then the virtual machine is moved to the pre-relic virtual machine, then
out of the vCenter Server state that blocks assign the original UUID and associate
the Rubrik cluster. the original history and data.
application The Rubrik cluster loses connection with Scan the application instance for an
the application host or application identical data source.
instance, then the Rubrik cluster regains If a data source that is identical to the
the connection. pre-relic data source is found, then assign
the original UUID and associate the
pre-relic history and data with the
discovered data source.
application A user manually deletes the application Scan the application instance for an
host in the web UI, then a user adds the identical data source.
application host in the web UI. If a data source that is identical to the
pre-relic data source is found, then assign
the original UUID and associate the
pre-relic history and data with the
discovered data source.
Table 128 Rubrik cluster actions for relic events (page 2 of 2)

Data source type Relic event sequence Rubrik cluster action
application An issue during a host side scan of the If the data source is identical to the
application instances causes the data pre-relic data source, then assign the
source instance to be missed, then the original UUID and associate the pre-relic
data source appears in a subsequent host history and data with the discovered data
side scan. source.
file system The Rubrik cluster loses connection with If the host is identical to the pre-relic host,
the file system host, then the Rubrik then assign the original UUID and
cluster regains the connection. associate the pre-relic fileset, history, and
data with the discovered host.
file system For a host and fileset pair, a user The original host and fileset pair remains
manually deletes the host in the web UI, a relic. The Rubrik cluster treats the
then a user adds the host in the web UI added host and fileset pair as new,
and pairs it with the same fileset. assigns a new UUID, and does not
associate pre-relic history and data with
the new host and fileset pair.
file system A user manually deletes the fileset that is The original host and fileset pair remains
paired with a host in the web UI, then a a relic. The Rubrik cluster treats the
user creates an identical fileset in the web added host and fileset pair as new,
UI and pairs it with the same host. assigns a new UUID, and does not
associate pre-relic history and data with
the new host and fileset pair.
Working with a data source

Perform data source-specific tasks, such as taking an on-demand snapshot or changing the
protection policy.
3. In the Name column, select the name of the data source.
The local host page appears.
Perform tasks with the data available through the Overview card or Recovery Points card using the
methods described for managed objects.
Rubrik CDM Version 5.0 User Guide Working with a data source 627
Unprotecting a data source

Change the SLA assignment for a data source to Do Not Protect and choose how to handle the
retention policy for existing snapshots.
3. In the Name column, select the name of the data source.
The local host page or Recovery Points card page appears with the Manage Protection button
activated.
5. Select Do Not Protect.
The Existing Snapshot Retention section appears.
6. Select one of the choices for Existing Snapshot Retention.
• Use current SLA domain for retention
• Keep forever
• Expire immediately
7. Click Submit.
Changing the retention policy on an on-demand snapshot

Assign an SLA Domain’s retention policy to an on-demand snapshot on the Snapshot Retention
page.
3. In a data source row, click the number in the On Demand/Downloaded Snapshots column.
The object-level page for the data source appears.
4. Select a snapshot or snapshots according to their Snapshot Date & Time entry.
The Manage Retention button becomes active.
5. Click Manage Retention to display a list of available SLA Domains and the Forever selection.
Rubrik CDM Version 5.0 User Guide Unprotecting a data source 628
6. Select one of the SLA Domains to apply to all selected snapshots, or select Forever to mark
snapshots for deletion.
Note: Only the maximum retention and remote configuration settings of the associated SLA
Domain apply to an on-demand snapshot.
7. Click Submit.
Changing the retention policy on a scheduled snapshot

Assign an SLA Domain’s retention policy to all existing scheduled snapshots associated with a
specific data source on the Snapshot Retention page.
3. Select a data source.
The Manage Retention button becomes active.
4. Click Manage Retention to display a list of available SLA Domains and the Forever selection.
5. Select one of the SLA Domains to apply to all existing scheduled snapshots, or select Forever to
mark snapshots for deletion.
6. Click Submit.
Deleting snapshots for a data source

Remove all snapshots whose Retention SLA is Forever for a data source.
3. Select a data source.
Select multiple data source entries to remove all snapshots whose Retention SLA is Forever for
every data source in the selection group.
The Delete Snapshots button becomes active.
4. Click Delete Snapshots.
Rubrik CDM Version 5.0 User Guide Changing the retention policy on a scheduled snapshot 629
5. Click Delete.
The Rubrik cluster removes all the snapshots associated with the selected data sources that have
a Retention SLA of Forever.
For snapshots that exist locally and at an archival location, the Rubrik cluster removes the local
data. To also remove the data at the archival location, perform the removal task a second time.
Removing individual snapshots for a data source

Select and remove individual snapshots whose Retention SLA is Forever for a data source.
3. Click a number in either the Scheduled Snapshots column or the On
Demand/Downloaded Snapshots column corresponding to a data source.
For the selected data source and snapshot type, the object level of the Snapshot Retention
page appears.
4. Select a snapshot with a Retention SLA set to Forever.
Select multiple snapshots to remove all snapshots in the selection group.
6. Click Delete.
The Rubrik cluster removes all the selected snapshots that exist only on local storage or only at an
archival location.
Removing retrieved content for a database

Select and remove database snapshots and transaction logs that were retrieved from an archival
location. The Rubrik cluster removes the data from local storage only.
Note: The retention SLA must be set to Forever before retrieved content can be deleted.

Rubrik CDM Version 5.0 User Guide Removing individual snapshots for a data source 630

3. Click Filter Object and select the type of database to search for.
4. In the On Demand/Downloaded Snapshots column, click the number associated with a
particular database.
For the selected database, the object level page for the data source appears.
5. Select a snapshot with a Retention SLA of Forever.
Select multiple snapshots to remove the retrieved content for all snapshots in the selection
group.
7. Click Delete.
The Rubrik cluster deletes all the retrieved content for the selected group of snapshots.
Rubrik CDM Version 5.0 User Guide Removing retrieved content for a database 631
Chapter 21
Reports
This chapter discusses the reporting functionality provided by the Rubrik Envision feature,
including customizing the default reports.
 Overview ............................................................................................................... 633
 SLA Compliance Summary report ............................................................................. 650
 Object Backup Task Summary report ....................................................................... 650
 Protection Tasks Summary report ............................................................................ 651
 Protection Tasks Details report ................................................................................ 651
 Recovery Tasks Details report.................................................................................. 652
 Object Protection Summary report ........................................................................... 652
 Capacity Over Time report....................................................................................... 653
 System Capacity report ........................................................................................... 653
Rubrik CDM Version 5.0 User Guide Reports 632

Reports
Overview
The Rubrik Envision feature provides customizable reports about the data protection functions of
the local Rubrik cluster. The reports record historical information about several categories of
cluster functionality.
 Protection tasks
 Service Level Agreement (SLA) compliance
 System capacity
 Snapshot storage usage
Each of these report types supports extensive customization to the graphs displayed, as well as
custom filtering along several different dimensions.
Default reports and the Summary view

The Rubrik Envision feature includes default reports.
 SLA Compliance Summary: This report displays the total number of data objects that are in SLA
compliance, the objects and their SLA compliance status by SLA Domain, and a summary table
with more detailed information.
 Object Backup Task Summary: This report displays the total number of daily expected backup
tasks for each object and provides a breakdown of successful, failed, and missed tasks.
 Protection Tasks Summary: This report displays the weekly number of protection tasks by
status, the status of weekly tasks by SLA Domain, and a summary table with more detailed
information.
 Protection Tasks Details: This report displays the daily number of protection tasks by status,
daily failed tasks by object name, and a summary table with more detailed information.
 Recovery Tasks Details: This report displays the total number of recovery tasks in the last
month, the number of recovery tasks by status, a chart of failed recovery tasks sorted by
object name, and a summary table with more detailed information.
 Object Protection Summary: This report displays the storage usage of each SLA Domain, the
level of SLA compliance by SLA Domain, and a summary table with more detailed information.
 Capacity Over Time: This report displays the total data transferred in the last month, the total
cluster storage capacity used month-to-month, and a summary table with more detailed
information.
 System Capacity: This report displays the usage of local storage by SLA Domain, the usage
growth over time by SLA Domain, and a summary table with more detailed information.

Reports
Viewing summary information from a default report

Each default report contains summary information.
1. Log in to the Rubrik CDM .
2. On the left-side menu of the web UI, click Reports > Summary to display summary
information from the default reports.
3. Click View Report in any individual chart to go to the full report.
Displaying a report
The Gallery lists all of the reports available on the Rubrik cluster.
2. On the left-side menu of the web UI, click Reports > Gallery.
A list of all available reports appears.
3. (Optional) To search the list, type a string into the “Search by Name” field.
To filter the list by template, select a template type from the “Filter Template” drop-down.
To filter the list by type, select “Default” or “Custom” from the “Filter Type” drop-down.
4. Click the name of a report.
The selected report appears.
Creating a custom report

Each of the default report types supports customization.
3. From the Gallery, click Create Report in the top right corner.
4. Enter a name for the report and select a report type.
5. Select options for the charts, data table, and filters, then click Create.
The customized report appears.

Reports
Report customization elements

Each custom report can have the following aspects customized:
 Charts
 Filters
 Measures
 Attributes
 Tables
Charts are a graphical representation of the data. Table 129 lists the types of charts available for
each report.
Table 129 Chart availability in reports
Chart Type Description Available in reports
Donut A ring shape with the length of the arcs proportional All, except Capacity Over Time
to the percentage of the total.
Vertical A chart that displays vertical bars with the length of All
the bars proportional to the value.
Horizontal A chart that displays horizontal bars with the length All, except Capacity Over Time
of the bars proportional to the value.
Line A chart that displays a series of data points All, except Capacity Over Time
connected by line segments.
Stacked Vertical A vertical chart where the bars have individual All, except Capacity Over Time
segments with lengths proportional to the
percentage of the total value of each bar.
Stacked Horizontal A horizontal chart where the bars have individual All, except Capacity Over Time
segments with lengths proportional to the
percentage of the total value of each bar.

Reports
Filters restrict the content that appears in a report. Table 130 lists the filters available for custom
reports.
Table 130 Filter availability in reports
Filter Description Available in reports
Date Restricts the report information to a selected date • Protection Tasks Summary
range. Supported ranges are: • Protection Tasks Details
• Past 24 Hours
• Recovery Tasks Details
• Past 7 Days
• Capacity Over Time
• Past 30 Days
• Past Year
• Custom Range, which is a start date to an end
date.
Task Status Restricts the report to information about tasks in the • Protection Tasks Summary
selected statuses: • Protection Tasks Details
• Succeeded
• Canceled
• Failed
SLA Domain Filters tasks by the selected SLA Domain. Search All
for specific SLA Domains by typing a portion of the
name of an SLA Domain in “Search by Name”.
Object Type Restricts the report to information about the All
specified object types:
• VMware Virtual Machines
• Linux & Unix Filesets
• Windows Filesets
• SQL Server DBs
• Nutanix Cluster
• Hyper-V Cluster
• Managed Volumes

Reports
Table 130 Filter availability in reports

Filter Description Available in reports
Location Restricts the report to information from specified All, except Object Task Backup
locations. The definition of location varies by object: Summary
• Virtual machines – The IPv4 address or FQDN of
the vCenter Server.
• SQL Server DBs – The FQDN of the Window
Server and the SQL Server instance.
• Linux & Unix Hosts – The IPv4 address or FQDN
of the Linux or Unix host.
• Windows Hosts – The IPv4 address or FQDN of
the Windows host.
• Nutanix Cluster – The name of the cluster.
• Hyper-V Cluster – The name of the cluster.
• Managed Volume – The name of the volume.
Search for specific locations by typing a portion of
the name of a location in “Search by Name”.
To add a location, click Add next to the entry for the
location.
Object Name Restricts the report to information from selected All, except Object Task Backup
objects. Search for specific objects by typing a Summary
portion of the name of a object in “Search by Name”.
To add a object, click Add next to the entry for the
object.
Cluster Location Restricts the report to information from local or All, except Object Backup Task
remote clusters. Summary
Task Types Restricts the report to information about tasks of the • Protection Tasks Summary
specified types. Supported task types are: • Protection Tasks Details
• Backup
• Archival
• Object Protection Summary
• Replication
The measures used by a report are the metrics that the report visualizes. Table 131 lists the
measures available for each report type.
Table 131 Measure availability in reports
Measure Description Available in reports
Task Count Total number of tasks. • Protection Tasks Summary
• Protection Tasks Details
Expected Tasks Number of expected tasks. • Object Backup Task
Summary

Reports

Successful Tasks Number of successful tasks. • Protection Tasks Summary
• Object Backup Task
Summary
Canceled Tasks Number of canceled tasks. • Protection Tasks Summary
Summary
Failed tasks Number of failed tasks. • Protection Tasks Summary
Summary
Missed tasks Number of tasks that should have • Object Backup Task
been scheduled in a calendar day Summary
according to the SLA, but were not.
Average Duration Average task duration. • Protection Tasks Summary
Total Files Transferred Total number of files ingested by the • Protection Tasks Summary
Rubrik cluster. • Protection Tasks Details
Task Count by Status The number of successful, canceled, • Protection Tasks Summary
and failed tasks. • Protection Tasks Details
Dedup Ratio The deduplication ratio achieved by • Protection Tasks Summary
the task. • Protection Tasks Details
• System Capacity
Logical Dedup Ratio The deduplication ratio calculated on • Protection Tasks Summary
the basis of full backups instead of • Protection Tasks Details
incremental differences.
• System Capacity

Reports

Data Transferred Total amount of data transferred by • Protection Tasks Summary
the task. • Protection Tasks Details
• System Capacity
Logical Data Protected Total size of protected data calculated • Protection Tasks Summary
on the basis of full backups instead of • Protection Tasks Details
incremental differences.
• System Capacity
Data Stored Sum total storage used by objects • Protection Tasks Summary
over the target time period, including • Protection Tasks Details
expired and purged snapshots, after
deduplication and compression. • System Capacity
Data Reduction The percentage reduction in total data • Protection Tasks Summary
size of the backup. • Protection Tasks Details
• System Capacity
Logical Data Reduction The percentage reduction in the size • Protection Tasks Summary
of the backup calculated on the basis • Protection Tasks Details
of full backups instead of incremental
differences. • System Capacity
Effective Throughput The ratio of total bytes ingested to • Protection Tasks Summary
time taken. • Protection Tasks Details
Data Transferred vs Stored The ratio of data transferred over the • Protection Tasks Summary
network compared to the amount of • Protection Tasks Details
data stored on the cluster.
Object Count Total number of objects. • Recovery Task Details
• SLA Compliance Summary
Total Local Storage Amount of cluster local storage • SLA Compliance Summary
currently in use. • Capacity Over Time
Total Replica Storage Amount of cluster storage used by • SLA Compliance Summary
replicas. • Capacity Over Time

Reports

Total Archive Storage Amount of cluster storage used by • SLA Compliance Summary
archives. • Capacity Over Time
Local Storage Growth Amount of cluster storage used in a • SLA Compliance Summary
specified time period. • Capacity Over Time
Archive Storage Growth Amount of cluster storage used by • SLA Compliance Summary
archives in a specified time period. • Capacity Over Time
Replica Storage Growth Amount of cluster storage used by • SLA Compliance Summary
replicas in a specified time period. • Capacity Over Time
Non-Compliant A Boolean with a value of No when • SLA Compliance Summary
the object is in SLA compliance and • Object Protection Summary
Yes otherwise.
In-Compliance A Boolean with a value of Yes when • SLA Compliance Summary
the object is in SLA compliance and • Object Protection Summary
No otherwise.
Snapshot Count by Data Location A stack chart of local, replica, and • SLA Compliance Summary
archive snapshot counts. • Object Protection Summary
Compliance Count by Status Object count by compliance status. • SLA Compliance Summary
Objects can be non-compliant or • Object Protection Summary
in-compliance.
Total Storage by Data Location A stack chart of local, replica, and • System Capacity
archive physical storage consumed. • Object Protection Summary
Storage Growth by Data Location A stack chart of storage growth for • System Capacity
local, replica, and archive snapshots. • Object Protection Summary
Object Logical Size The logical size of the most recent • System Capacity
unexpired snapshot. • Capacity Over Time

Reports
Attributes are the categories into which a particular measure is divided. Table 132 lists the
attributes available for custom reports.
Table 132 Attribute availability in reports
Attribute Description Available in reports
Task Status Icon representing the state of the task at the time of • Protection Tasks Summary
the entry. The status can be: • Protection Tasks Details
• Succeeded
• Failed
• Canceled
Task Type Restricts the report to information about tasks of the • Protection Tasks Summary
specified types. Supported task types are: • Protection Tasks Details
• Backup
• Archival
• Replication
SLA Domain One of the following: All, except Capacity Over Time
• The name of the SLA Domain that protects the
object.
• Unprotected
Click on the name of the SLA Domain to manage the
domain.
Object Type One of the following types: All, except Capacity Over Time
• Virtual Machine
• Linux & Unix Fileset
• Windows Fileset
• SQL Server DB
• Nutanix Cluster
• Hyper-V Cluster
• Managed Volumes
Location The definition of location varies by object: All, except Capacity Over Time
• Virtual machines – The IPv4 address or FQDN of
the vCenter Server.
• SQL Server DBs – The FQDN of the Window
Server and the SQL Server instance.
• Linux & Unix Hosts – The IPv4 address or FQDN
of the Linux or Unix host.
• Windows Hosts – The IPv4 address or FQDN of
the Windows host.
• Nutanix Cluster – The name of the cluster.
• Hyper-V Cluster – The name of the cluster.
• Managed Volume – The name of the volume.
Object Name The name of the object that is the subject of the task. All, except Capacity Over Time

Reports
Table 132 Attribute availability in reports

Attribute Description Available in reports
Cluster Location Specifies whether the cluster is local or remote. All, except Capacity Over Time
and Object Backup Task
Summary
Compliance Status Restricts the report to information about compliant, • SLA Compliance
non-compliant, or unprotected elements. • Object Protection Summary
Day Day the task ran. • Capacity Over Time
Summary
Month Month the task ran. Capacity Over Time
Quarter Quarter the task ran. Capacity Over Time
In addition to charts, reports feature a data table. The information displayed in this data table can
also be customized with specific measures and attributes.
Table 133 Table customizations available in reports
Table Element Type Available in Report
SLA Domain Attribute All
Object Type Attribute All
Location Attribute All
Object Name Attribute All
Cluster Location Attribute All
Replication Target Attribute All except Protection Tasks Summary
Archival Target Attribute All except Protection Tasks Summary
Task Status Attribute • Protection Tasks Summary
• Recovery Task Details
Current Task Status Attribute • Object Backup Task Summary
Task Type Attribute • Protection Tasks Details
Queued Time Measure • Protection Tasks Details
Start Time Measure • Protection Tasks Details

Reports

End Time Measure • Protection Tasks Details
Duration Measure • Protection Tasks Details
Data Transferred Measure All except SLA Compliance
Total Files Transferred Measure • Protection Tasks Summary
Logical Data Protected Measure • Protection Tasks Summary
• System Capacity
Data Stored Measure • Protection Tasks Summary
• System Capacity
Dedup Ratio Measure • Protection Tasks Summary
• System Capacity
Logical Dedup Ratio Measure • Protection Tasks Summary
• System Capacity
Data Reduction Measure • Protection Tasks Summary
• System Capacity

Reports

Logical Data Reduction Measure • Protection Tasks Summary
• System Capacity
Effective Throughput Measure • Protection Tasks Summary
Organization Attribute • SLA Compliance
• System Capacity
Protected On Measure • SLA Compliance
• System Capacity
• Object Backup Task Summary
Day Attribute • Protection Tasks Summary
Month Attribute • Protection Tasks Summary
Quarter Attribute • Protection Tasks Summary
Object Count Measure • System Capacity
Total Local Storage Measure • System Capacity
Total Replica Storage Measure • System Capacity
Total Archive Storage Measure • System Capacity

Reports

Local Storage Growth Measure • System Capacity
Archive Storage Growth Measure • System Capacity
Replica Storage Growth Measure • System Capacity
Compliance Status Attribute • SLA Compliance
In-Compliance Measure • SLA Compliance
Non-Compliant Measure • SLA Compliance
Total Snapshots Measure • SLA Compliance
Missed Snapshots Measure • SLA Compliance
Local Snapshots Measure • SLA Compliance
Hour Attribute Protection Tasks Summary
Year Attribute Protection Tasks Summary
Task Count Measure • Protection Tasks Summary
Successful Tasks Measure Protection Tasks Summary
Last Successful Task Attribute Object Backup Task Summary
Long Running Tasks Measure Object Backup Task Summary
On Time Tasks Measure Object Backup Task Summary
Canceled Tasks Measure Protection Tasks Summary
Failed Tasks Measure Protection Tasks Summary
Average Duration Measure Protection Tasks Summary

Reports

Task Count by Status Measure Protection Tasks Summary
Data Transferred vs Stored Measure Protection Tasks Summary
Snapshot Consistency Attribute Protection Tasks Details
Recovery Point Attribute Recovery Task Details
Recovery Point Type Attribute Recovery Task Details
Username Attribute Recovery Task Details
Failure Reason Attribute Recovery Task Details
Replica Snapshots Measure SLA Compliance
Archive Snapshots Measure SLA Compliance
Last Snapshot Measure SLA Compliance
Object Logical Size Measure • System Capacity
Editing an existing report

Users can modify existing custom reports.
4. From the Gallery, click the name of a report.
5. Open the ellipsis menu.
6. Click Edit Report.
7. Select options for the charts, data table, and filters, then click Update.
Filtering and searching in a report data table

Report tables support dynamic filters. To filter the table for a report, click a filter above the table
and select the filter type from the drop-down.

Reports
Exporting a report data table

Export a CSV-formatted version of a report data table to the computer that is running the web
browser.
5. At the top of the report, click CSV.
Depending on the Download settings of the web browser, one of the following occurs:
• The browser downloads the report to the default download folder.
• The browser opens a Save As dialog box.
6. (Save As dialog box) Select a location on the computer that is running the web browser.
7. (Save As dialog box) Click Save.
The browser downloads the CSV table to the selected location.
Scheduling a report
Schedule a report to specify times for the Rubrik cluster to send an HTML email containing the
report charts and the first 100 lines of the report table. The email includes all data from the report
table in an attached CSV file.
5. At the top of the report, click Schedule.
The Schedule Report pane appears.
6. In Email Address, type a valid email address. To specify multiple recipients, use commas to
separate each address.
The Rubrik cluster sends reports to the specified email addresses.
7. (Optional) Clear the CSV box to omit the CSV file of report data from the report emails.

Reports
8. Select an email frequency: Daily, Weekly, or Monthly.

9. Select a time of day.
The Rubrik cluster sends email at the selected time of day.
10.(Weekly) Select the days of the week.
The Rubrik cluster sends email on each selected day.
11.(Monthly) Select the days of the month.
The Rubrik cluster sends email on the selected day.
12.(Optional) To add another schedule, click +.
13.Click Schedule.
The Rubrik cluster stores the schedule information for the report email.
Changing ownership of a scheduled report email subscription

When a user that owns the subscription to a scheduled report is no longer on the Rubrik cluster,
the cluster administrator can assume ownership of the subscription.
1. Log in to the Rubrik CDM web UI as a user with administrative privileges over the cluster.
6. Click the Owned By drop-down.
7. Select the current user.
8. Click Schedule.
The assigned user is now the owner of the subscription.

Reports
Changing a report schedule

Modify a report subscription to change the recipient email address and to change the subscription
frequency and time.
6. Make changes to the information in the dialog box.
7. Click Schedule.
The Rubrik cluster stores the schedule information for the report email.
Removing a report schedule

Remove a report subscription to stop the Rubrik cluster from sending the report by email.
A list of the reports available on the cluster appears.
6. Click X to delete the schedule from the Schedule Report pane.
7. Click Schedule to confirm changes and return to the report.
The Rubrik cluster removes the report scheduling information.

Reports
SLA Compliance Summary report

The SLA Compliance Summary report provides information about compliance with the SLA rules
and policies of the SLA Domains on the local Rubrik cluster.
The Rubrik cluster refreshes the SLA Compliance Summary report data every hour.
Viewing the SLA Compliance Summary report

Obtain information about compliance with the SLA rules and policies of the SLA Domains on the
local Rubrik cluster by viewing the SLA Compliance Summary report.
2. On the left-side menu of the web UI, click Reports > Gallery > SLA Compliance
Summary.
The SLA Compliance Summary report appears.
Object Backup Task Summary report

The Object Backup Task Summary report provides information about scheduled backup tasks that
are triggered by an SLA. It does not provide information about on-demand backup tasks.
The Rubrik cluster refreshes the Object Backup Task Summary report every hour.
Note: The Object Backup Task Summary report does not include information for the current day.
Viewing the Object Backup Task Summary report

Obtain information about object backup tasks on the local Rubrik cluster by viewing the Object
Backup Task Summary report.
2. On the left-side menu of the web UI, click Reports > Gallery > Object Backup Task
Summary.
The Object Backup Task Summary report appears.
Rubrik CDM Version 5.0 User Guide SLA Compliance Summary report 650
Reports
Protection Tasks Summary report

The Protection Tasks Summary report provides information about backup and replication tasks for
the past seven days.
The Rubrik cluster refreshes the Protection Tasks Summary report every hour.
Viewing the Protection Tasks Summary report

Obtain information about data protection tasks on the local Rubrik cluster by viewing the
Protection Tasks Summary report.
2. On the left-side menu of the web UI, click Reports > Gallery > Protection Tasks
Summary.
The Protection Tasks Summary report appears.
Protection Tasks Details report

The Protection Tasks Details report provides information about backup and replication tasks for
the past week.
The Rubrik cluster refreshes the Protection Tasks Details report every hour.
Viewing the Protection Tasks Details report

Obtain information about data protection tasks on the local Rubrik cluster by viewing the
Protection Tasks Details report.
2. On the left-side menu of the web UI, click Reports > Gallery > Protection Tasks Details.
The Protection Tasks Details report appears.
Rubrik CDM Version 5.0 User Guide Protection Tasks Summary report 651
Reports
Recovery Tasks Details report

The Recovery Tasks Details report provides information about recovery tasks for the past month.
The Rubrik cluster refreshes the Recovery Tasks Details report every hour.
Viewing the Recovery Tasks Details report

Obtain information about recovery tasks on the local Rubrik cluster by viewing the Recovery Tasks
Details report.
2. On the left-side menu of the web UI, click Reports > Gallery > Recovery Tasks Details.
The Recovery Tasks Details report appears.
Object Protection Summary report

The Object Protection Summary report provides information about storage usage and SLA
compliance according to the defined SLA Domains on the cluster.
The Rubrik cluster refreshes the Global Protection Summary report every hour.
Viewing the Object Protection Summary report

Obtain information about data protection resource use and SLA compliance on the local Rubrik
cluster by viewing the Object Protection Summary report.
2. On the left-side menu of the web UI, click Reports > Gallery > Object Protection
Summary.
The Object Protection Summary report appears.
Rubrik CDM Version 5.0 User Guide Recovery Tasks Details report 652
Reports
Capacity Over Time report

The Capacity Over Time report provides information about changes in the data usage of the
cluster over time.
The Rubrik cluster refreshes the Capacity Over Time report data every hour.
Viewing the Capacity Over Time report

Obtain information about data storage for objects by viewing the Capacity Over Time report.
2. On the left-side menu of the web UI, click Reports > Gallery > Capacity Over Time.
The Capacity Over Time report appears.
System Capacity report

The System Capacity report provides information about object data usage.
The Rubrik cluster refreshes the System Capacity report data every hour.
Viewing the System Capacity report

Obtain information about data storage for objects by viewing the System Capacity report.
2. On the left-side menu of the web UI, click Reports > Gallery > System Capacity.
The System Capacity report appears.
Rubrik CDM Version 5.0 User Guide Capacity Over Time report 653
Chapter 22
System and Task Information
This chapter describes the system and task information that the Rubrik CDM web UI provides
through dashboards, notifications, and alerts.
 Overview ............................................................................................................... 655
 Dashboards ............................................................................................................ 656
 Activity Log ............................................................................................................ 663
 Specifying a custom date range ............................................................................... 666
Rubrik CDM Version 5.0 User Guide System and Task Information 654
Overview
The Rubrik CDM web UI provides administrative information about the status of protection tasks,
protected objects, Rubrik cluster system status, and Rubrik cluster system tasks.
The Rubrik CDM web UI uses a variety of delivery methods to provide information in the most
useful format based on the type of information, the time-sensitivity of the information, and the
historical value of the information.
Table 134 describes the methods used to provide information through the Rubrik CDM web UI.
Table 134 Information delivery methods
Method Description
Dashboard Uses graphical elements and text to provide current state information. The Rubrik
CDM web UI refreshes dashboard information automatically. Dashboards also
provide links to reports, logs, and additional dashboards.
Notification message Task message that the Rubrik cluster classifies as time-sensitive, either because
the message indicates a possible issue or because the message indicates the
completion of a manually initiated task.
Activity message Task state message. Task state is one of the following:
• Canceled
• Failure
• In Progress
• Success
• Warning
• Queued
Data measurements
The Rubrik CDM web UI depicts data values using the decimal definition for the prefixes used with
bits and bytes.
The Rubrik cluster uses the standards promulgated in the Système international d'unités
(International System of Units or SI) for all expressions of data measurements. Under those
standards, the prefixes used with bits (b) and bytes (B) represent decimal multiples of those units,
not binary multiples.

Table 135 compares the traditional prefix definitions used by Rubrik with the binary definitions
used by the International Electrotechnical Commission (IEC)/International Organization for
Standardization (ISO) in ISO/IEC 80000-13 and the binary definitions used by the JEDEC Solid
State Technology Association (JEDEC).
Table 135 Comparison of data prefix definitions
Rubrik Non-Rubrik
Decimal value SI prefix Binary value ISO/IEC prefix JEDEC prefix
1000 k - kilo 1024 ki - kibi K- kilo
10002 M - mega 10242 Mi - mibi M- mega
10003 G - giga 10243 Gi - gibi G- giga
10004 T - tera 10244 Ti - tebi T - tera
10005 P - peta 10245 Pi - pebi
10006 E - exa 10246 Ei - exbi
10007 Z - zetta 10247 Zi - zebi
10008 Y - yotta 10248 Yi - yobi
Dashboards
Dashboards provide information about the current state of various aspects of the Rubrik cluster.
The Rubrik CDM web UI regularly refreshes the information that appears in a dashboard. Table
136 describes the dashboards that are available in the Rubrik CDM web UI.
Table 136 Dashboards available through the Rubrik CDM web UI (page 1 of 2)
Name Description
Dashboard Main system dashboard and default view at the start of a Rubrik CDM web UI
session. Provides:
• Virtual Machine protection numbers and links
• SLA Domains quick look and links
• Current top activities and link
• Number of Live Mounts
• System status quick look and current number of incoming snapshots
• System storage donut chart and link
• Data ingestion line chart
Rubrik CDM Version 5.0 User Guide Dashboards 656

Table 136 Dashboards available through the Rubrik CDM web UI (page 2 of 2)
Name Description
System Overview Provides:
• Name of the Rubrik cluster
• System configuration and a link to the Nodes page
• Storage usage
• IO throughput
• IO operations
Reports Overview Provides information about:
• Operational tasks and link to the Operational Tasks report
• SLA compliance and link to the SLA Compliance report
• System capacity and link to the System Capacity report
Manage Replication Provides information about the incoming and outgoing caused by replication
activities.
Local SLA Domain Provides overview, policy, and storage information for the local SLA Domain.
Remote SLA Domain Provides overview, policy, and storage information for the remote SLA Domain.
Local VM Provides overview and snapshot information for the local virtual machine.
Remote VM Provides overview and snapshot information for the remote virtual machine.
This chapter provides the following sections:

 Dashboard
 System Overview
 Reports Overview
Viewing the main dashboard

The main dashboard provides a comprehensive summary of the activities and status of the local
Rubrik cluster.
2. On the left-side menu of the Rubrik CDM web UI, click Dashboard.
The Dashboard page appears.

Information provided by the main dashboard

Table 137 describes the information that is provided by the Dashboard page.
Table 137 Information provided by the main dashboard (page 1 of 2)
Information type Description
Selected protected object: For the selected type of protected object, the Overview card provides the
• vSphere VMs number of objects that are protected and the number of objects that are
• Hyper-V VMs unprotected.
Includes the following links:
• AHV VMs • See all – Links to the page specified object type.
• SQL Server DBs • Protect Now – Links to page for the specified object type with the All
• Linux & Unix Hosts Unprotected filter applied. This displays objects that have the SLA
• Windows Hosts Domain setting of No SLA or Do Not Protect.
• NAS Shares
• Managed Volumes
SLA Domains Provides the following information for the three local SLA Domains with
the most protected objects:
• Base frequency
• Total number of protected objects
Also, includes the link See all, which links to the Local SLA Domains
page.
Activity Displays the most recent Activity messages and provides a link to the
Activity Log page.
Live Mounts Displays the current total number of Live Mounts for the local Rubrik
cluster.
System Provides a simple visual indicator of the health of the Rubrik cluster.
Green for healthy and Red for unhealthy (contact Rubrik Support).
Incoming Snapshots Displays the total number of local snapshots currently being processed by
System For the local Rubrik cluster, displays:
• Total number of Briks in the Rubrik cluster.
• Total number of Nodes in the Rubrik cluster.
• Total storage capacity of the Rubrik cluster (listed in the middle of the
donut graph).
• Donut graph with a graphical representation for the Rubrik cluster of the
unused storage, storage used for snapshots, and the storage used for
Live Mounts. Hover over a graphical section to see detailed information.
Table 138 describes the information that is provided by the system
donut graph.
Also, provides a link to the System Overview page.

Table 137 Information provided by the main dashboard (page 2 of 2)

Rubrik Ingestion Throughput Provides a line graph showing the data ingestion throughput to the local
Rubrik cluster for the last four hours. Hover over any point on the line
graph to view data ingestion details for that point.
Also provides the following totals for the Rubrik cluster, from the time of
system setup:
• Snapshots – Total number of snapshots ingested.
• Data Reduction – Total storage space reduction for the data ingested.
• Archive – Total amount of data transferred to the archival location.
Table 138 describes the information that is provided by the system donut graph.
Table 138 Information provided by the system donut graph
Live mount storage Space used by live mounts.
Snapshot storage Space used to store immutable snapshots.
System storage Space used as storage for the following:
• In-progress data ingestion and file management activity.
• OS reserved space for EXT4 file system metadata and inodes. (~1% of
the total storage)
• Backups of Cassandra snapshot metadata.
• SDFS data that has been marked for garbage collection.
• Journals for active Live Mounts and for running backups of filesets and
manged volumes.
Every Rubrik cluster requires approximately 5% of the total capacity to
handle in-progress jobs and Cassandra snapshots.
Available storage Available space in the system.
Viewing the System Overview dashboard

The System Overview dashboard provides information about the hardware system of the local
Rubrik cluster.
2. On the left-side menu of the Rubrik CDM web UI, click System.
The System Overview page appears.

Storage graphic
In the Storage section, the System Overview dashboard provides a graphical representation of the
storage on the Rubrik cluster.
The Storage section uses a donut chart to depict information about the total storage capacity of
the Rubrik cluster. Each colored arc in the donut chart represents a unique part of the total
storage. A legend identifies the type of storage that each color represents.
The donut chart displays the largest arc starting at the top of the chart and running clockwise. A
Rubrik cluster with Available as the largest storage category has the arc that represents Available
storage starting at the top and running clockwise. A Rubrik cluster with Snapshot as the largest
storage category has the arc that represents Snapshot storage starting at the top and running
clockwise.
Information provided by the System Overview dashboard

Table 139 describes the information that is provided by the System Overview page.
Table 139 Information provided by the System Overview dashboard
Hardware Lists information for each of the following hardware component types:
• Nodes
• Cores
• Memory
• Briks
• SSD
• HDD
Also, provides a link to the Nodes page, which lists the name, status, IP address,
and Brik ID for each node on the local Rubrik cluster.
Storage Provides the following information about storage on the local Rubrik cluster:
• Total storage capacity
• Graphical representation of the unused storage
• Graphical representation of the storage used for snapshots
• Graphical representation of the storage used for Live Mounts
Hover over a graphical section to see detailed information.
If Data Encryption at Rest is enabled, a lock icon will appear next to HDD or SSD.
Data encryption is available if the Brik supports hardware encryption or if there is
software encryption and it has been enabled.
IO Throughput Provides line graphs showing IO throughput in megabytes per second for Read
operations and for Write operations for the previous hour.
Hover over any point on the line graphs to see detailed information for that point.
IOPS Provides line graphs showing IO operations per second for Read operations and for
Write operations for the previous hour.
Hover over any point on the line graphs to see detailed information for that point.

Viewing the Nodes page and node dashboards

The Nodes page provides overview information about the nodes of the Rubrik cluster and provides
access to node dashboard pages for each of the nodes.
2. On the left-side menu of the Rubrik CDM web UI, click System.
The System Overview page appears.
3. In the Nodes section of the hardware card, click See all.
The Nodes page appears, with the name, status, IP address, and Brik ID for each node on the
local Rubrik cluster.
4. Click a node entry on the Nodes page.
The node dashboard page for the selected node appears.
Viewing the Reports Overview dashboard

The Reports Overview dashboard provides information about the hardware system of the local
Rubrik cluster.
2. On the left-side menu of the Rubrik CDM web UI, click Reports > Overview.
The Reports Overview page appears
Information provided by the Reports Overview dashboard

Table 140 describes the information that is provided by the Reports Overview page.
Table 140 Information on the Reports Overview dashboard (page 1 of 2)
Operational Tasks Uses a donut graph to display the status of operational tasks for the selected
period. Hover over a point on the graph to see detailed information for that point.
Select Last 24 Hours or Last 7 Days. For the selected period, lists the number of
operational tasks in each of the following status categories:
• Succeeded
• In Progress
• Failed
• Canceled
Also, provides a link to the Operational Tasks report.

Table 140 Information on the Reports Overview dashboard (page 2 of 2)

SLA Compliance Uses a donut graph to display the SLA compliance status of virtual machines
known to the local Rubrik cluster. Hover over a point on the graph to see detailed
information for that point. Lists the number of virtual machines in each of the
following categories:
• In Compliance
• Not in Compliance
• Not Protected
Also, provides a link to the SLA Compliance report.
System Capacity Uses a line graph to show the local Rubrik cluster storage that is used by snapshots
over the last month. Hover over a point on the graph to see detailed information for
that point. Lists storage information in system-wide and local categories.
Also, provides a link to the System Capacity report.
Table 141 describes each information type in the System Usage column of the Reports Overview
dashboard.
Table 141 Information in the System Usage column
Total Storage used by snapshots on the local Rubrik cluster combined with the storage at
the archival location used by snapshots from the local Rubrik cluster.
Local Storage used by snapshots on the local Rubrik cluster.
Archive Storage at the archival location used by snapshots from the local Rubrik cluster
Across all replicas Local Rubrik cluster storage used by replicas from other Rubrik clusters.
Table 142 describes each information type in the Local Overview column of the Reports Overview
dashboard.
Table 142 Information in the Local Overview column
Available Storage Free space on the local Rubrik cluster.
Average Daily Growth Average daily increase in storage on the local Rubrik cluster, computed by using
the daily increase in storage for each day in the last month.
Estimated Runway Estimated number of days remaining before additional data storage space is
required on the local Rubrik cluster.
Remote Brik Storage Storage on the replication target Rubrik cluster that is used by replicas from the
local Rubrik cluster.

Activity Log
The Activity Log contains notifications that are considered time sensitive and log messages about
standard tasks.
The Rubrik cluster creates notifications about tasks that the Rubrik cluster classifies as potentially
time-sensitive. Factors that determine this classification are:
 Task status indicates a possible issue
 Task was manually initiated
Notifications provide information in three status categories: Success, Warning, and Failure. Click
on a warning notification or on a failure notification to open an associated Rubrik CDM web UI
dialog box or Rubrik CDM web UI page that can be helpful in addressing the underlying issue.
The Rubrik CDM web UI provides Activity Log messages that describe the current state of tasks on
Activity Log messages furnish information about every task that is started on the local Rubrik
cluster over the past 90 days, including tasks that result in a notification.
The top bar of the Rubrik CDM web UI has a globe icon that links to the Activity log page. The
globe icon displays the number of messages added to the Activity Log since the last time the page
was accessed.
Viewing Activity Log messages

View recent messages of the Activity Log to see the 15 most recent activity messages.
2. Click the globe icon on the top bar of the Rubrik CDM web UI.
The recent messages list of the Activity Log appears.
3. Scroll the list to see all of the most recent notifications.
4. On the recent messages list, click See all.
The Activity Log page appears.
5. Scroll the page to see the messages that the Rubrik cluster generated during the past 90 days.
Information provided by Activity Log messages describes the information that is provided on
the Activity Log page.
6. (Optional) Filter the Activity Log messages.
Filtering messages describes how to use the filters on the Activity Log page.
Rubrik CDM Version 5.0 User Guide Activity Log 663

7. (Optional) In Search by Name, type the name of a notification object.

For example, to view all Activity Log entries for a particular user account, type the name of the
user account in Search by Name.
The Rubrik CDM web UI shows matching results as characters are typed. Select one of the
displayed matches to view the Activity Log entries for that object.
Filtering messages
Filter the messages that appear on the Activity Log by status, data source type, message type,
and date.
4. Click one of the filter menus and select a filter.
Activity Log filters describes the filters that are available on the Activity Log page.
The Activity Log displays only messages that match the selected filter.
5. (Optional) Select filters from more than one filter menu to further refine the visible
notifications.
6. (Optional) Click the X next to a filter menu to clear a selected filter.
Viewing activity details

The Rubrik cluster provides detailed information for individual Activity Log messages through the
Activity Detail dialog box.
The Activity Detail dialog box provides the status, the log message, and the timestamp of each
task involved in a selected activity.
4. Scroll the page to see the activity log.

Information provided by Activity Log messages describes the information that is provided on
the Activity Log page.
5. (Optional) Filter the Activity Log messages.
Filtering messages describes how to use the filters on the Activity Log page.
6. (Optional) In Search by Name, type the name of a notification object.
For example, to view all Activity Log entries for a particular user account, type the name of the
user account in Search by Name.
The Rubrik CDM web UI shows matching results as characters are typed. Select one of the
displayed matches to view the Activity Log entries for that object.
7. Click on an activity in the log.
The Activity Detail dialog box for that activity appears.
8. (Optional) On the Activity Detail dialog box, click Download Logs.
The Rubrik cluster collects the logs that are relevant to the message, combines the logs in a zip
file, and provides a download link for that file.
9. Click OK.
The Activity Detail dialog box closes.
Information provided by Activity Log messages

Table 143 describes the information that a Rubrik cluster provides in an Activity Log message.
Table 143 Information provided by Activity Log messages
Status Icon representing the state of the task. The possible task states are:
• Canceled
• Failure
• In Progress
• Success
• Warning
• Queued
Name Name of the object that is the subject of the notification.
Message Message that provides a detailed description about the task and the task status.
Date Month, day, and time that the Rubrik cluster generated the message. The format is: M/DD
H:MM{AM|PM} in the time zone of the Rubrik cluster.

Activity Log filters

The Activity Log provides filters on four filter menus.
Table 144 describes the filters that are provided on the Activity Log.
Table 144 Activity Log filters
Filter menu Description
Status Select a status to show only messages that have that status type.
• Canceled – Messages about canceled tasks.
• Failure – Messages about failed tasks.
• In Progress – Message about running tasks, including the percent complete.
• Success – Messages about tasks that finished successfully.
• Warning – Messages about tasks that finished with a warning, including the warning text.
Object Select a type of object to show only notifications for that type.
Type Select a type to show only messages of that type.
• Archive – Messages about archival tasks.
• Backup – Messages about backup and snapshot tasks.
• Configuration – Messages about configuration changes and issues.
• Diagnostic – Messages about Rubrik cluster internal activity.
• Instantiate – Messages about CloudOn tasks.
• Recovery – Messages about data recovery tasks.
• Replication – Messages about replication tasks.
• vCenter Communication – Messages about communicating with the vSphere
environment.
• User Activity – Activities initiated by a logged in user, including successful log in by a
user account. The User Activity filter can only be used with the Date filter.
Date Select a specified date range or configure a custom date range to show messages
generated during that date range.
• Last 2 Hours - Notifications that were generated in the previous 2 hours.
• Last 24 Hours – Notifications that were generated in the previous 24 hours.
• Last 7 Days – Notifications that were generated in the previous 7 days.
• Last 30 Days – Notifications that were generated in the previous 30 days.
• Custom Range – Notifications that were generated within a specified date range.
Specifying a custom date range describes how to use this filter.
Specifying a custom date range

The Rubrik CDM web UI provides a custom date range filter in several views. Use this filter to
show the information that was generated during a specified date range.
1. Access the Notifications page, the Activity Log, or another view.
2. Click Filter Date > Custom Range.
Rubrik CDM Version 5.0 User Guide Specifying a custom date range 666
The Filter By Custom Range dialog box appears, as shown in Figure 12.
Figure 12 Filter By Custom Range dialog box
3. On the left-side calendar, select a day as the earliest end-point of the date range.
The calendar date of the selected day appears in From Date.
4. In From Time, select an hour to mark the earliest hour of the day listed in From Date.
5. On the right-side calendar, select a day to mark the latest end-point of the date range.
The calendar date of the selected day appears in To Date.
6. In To Time, select an hour to mark the latest hour of the day listed in To Date.
7. Click Filter.
The Rubrik CDM web UI displays only the information that was generated after the From Date at
From Time and before the To Date at To Time.
Rubrik CDM Version 5.0 User Guide Specifying a custom date range 667
Appendix A
Ports
This appendix provides all Rubrik port requirements in a single table and also groups related port
requirements into separate tables.
 All Rubrik port requirements .................................................................................... 669
 Additional network requirement ............................................................................... 674
 Rubrik cluster inbound ports .................................................................................... 674
 Rubrik cluster outbound ports.................................................................................. 676
 Ports used for communication between nodes in a cluster ......................................... 678
 Archiving ports ....................................................................................................... 678
 Cloud ports ............................................................................................................ 679
 Replication port ...................................................................................................... 681
Ports 668
Ports
All Rubrik port requirements

Table 145 lists the ports that must be available to permit the full range of Rubrik cluster features.
Table 145 All required ports (page 1 of 4)
Port Source Destination Description
22 a. Local client or a. Rubrik cluster a. Provides the ability to launch an SSH session for
TCP cloud instance b. Cloud instance support and administration.
b. Rubrik cluster c. <Bolt-subnet> b. (Optional) Only required when an issue occurs.
c. Rubrik cluster Permits troubleshooting.
c. Only required for troubleshooting CloudOn for
Azure or CloudOn for AWS. Replace
<Bolt-subnet> with the CIDR range of the network
subnet used by Bolt.
25 Rubrik cluster Email server Allows the Rubrik cluster to send email alerts to
TCP administrators. Only required when the email server
supports this port.
53 Rubrik cluster DNS server Permits hostname resolution.
UDP
80 Web UI clients Rubrik cluster Handles redirection of web UI clients to HTTPS.
TCP
88 Rubrik cluster Active Directory Permits Kerberos communication for SMB security.
UDP server
111 a. VMware ESXi a. Rubrik cluster a. Provides an NFS datastore for ESXi hosts.
TCP hosts b. Rubrik cluster b. Provides NFS access to managed volumes.
b. Oracle c. Rubrik cluster c. Provide NFS access to managed volumes.
database host
c. SAP HANA
database host
123 Rubrik cluster NTP server Provides access to network time protocol (NTP)
UDP servers for time synchronization.
123 Rubrik cluster Rubrik cluster Allows NTP synchronization across nodes of a
UDP cluster.
137 Hyper-V host Rubrik cluster Provides access to Samba share during backup,
UDP export and live mounts.
UDP export and live mounts.
TCP export and live mounts.
All Rubrik port requirements 669

Ports

389 Rubrik cluster Active Directory Permits LDAP communication for SMB security and
TCP server or LDAP LDAP servers.
server
443 Table 146 describes all uses of secure port 443 TCP.
TCP
445 a. Rubrik cluster a. Active Directory a. Required for NTLM authentication.
TCP b. SQL Live server b. Required for Live Mount SQL databases
Mount host b. Rubrik cluster c. Supports communication with SMB.
c. Hyper-V c. Rubrik cluster d. Supports Volume Group backup using SMB.
Server d. Rubrik cluster
d. Windows host
464 Rubrik cluster Active Directory Permits Kerberos password set/change
TCP/UDP server communication for SMB security.
supports this port.
supports this port.
623 Remote IPMI on Rubrik node Provides access to the IPMI system on a Rubrik
UDP management node.
tool
636 TCP Rubrik cluster Active Directory Permits secure LDAP (LDAPS) communication for
server or LDAP SMB security and LDAP servers.
server
860 Rubrik cluster iSCSI targets Permits iSCSI data transfers.
TCP/UDP
902 Rubrik cluster VMware ESXi hosts Permits network block device (NBD) data transfers.
TCP
2002 a. Cloud a. Rubrik cluster a. Permits secure communication with the cloud
TCP provider (AWS b. <Bolt-subnet> provider.
or Azure) b. Required for CloudOn with Azure and for
b. Rubrik cluster CloudOn with AWS. Replace <Bolt-subnet> with
the CIDR range of the network subnet used by
Bolt.
2013 Rubrik cluster Rubrik cluster Allows sharing of statistics between the nodes of a
TCP Rubrik cluster.
2014 Rubrik cluster Rubrik cluster Allows sharing of statistics between the nodes of a
TCP Rubrik cluster.

Ports

2200 Rubrik node Rubrik node Allows node to node SSH communication during
TCP upgrade.
2049 Rubrik cluster NFS server Permits communication with a NAS device that is
TCP being used as an archival location.
2049 a. VMware ESXi a. Rubrik cluster a. Permits contact with the NFS daemon running on
TCP/UDP hosts b. Rubrik cluster the Rubrik cluster for Live Mount operations.
b. Oracle c. Rubrik cluster b. Permits contact with the NFS daemon running on
database host the Rubrik cluster for Live Mount of managed
c. SAP HANA volume snapshots.
database host c. Permits contact with the NFS daemon running on
the Rubrik cluster for Live Mount of managed
volume snapshots.
2074 Rubrik cluster Nutanix cluster Permits secure communication between the Rubrik
TCP cluster and the Nutanix Guest Agent (NGA). The
NGA publishes information such as guest OS type,
status of VM mobility and VSS services, and more.
TCP/UDP
TCP
3268 TCP Rubrik cluster Active Directory Permits LDAP communication for LDAP servers.
Global Catalog
server
3269 TCP Rubrik cluster Active Directory Permits secure LDAP (LDAPS) communication for
Global Catalog LDAP servers.
server
5353 Rubrik node Rubrik node Allows zeroconf node discovery.
UDP
5900 VNC client IPMI on Rubrik node Permits a virtual networking connection with the
TCP IPMI interface on a Rubrik node.
7000 Rubrik cluster Rubrik cluster Allows process arbitration between the nodes of a
TCP Rubrik cluster.
7500- Rubrik cluster Rubrik Envoy Required for communication between Rubrik cluster
7501 TCP and Rubrik Envoy managed service provider, to
handle inbound proxy communications specifically
for RBA traffic.
7781 Rubrik cluster Rubrik cluster Permits the Rubrik cluster to load basic software and
TCP configuration information (bootstrap) during cluster
configuration.

Ports

7784 Rubrik node Rubrik node TLS over TCP communication between nodes within
TCP a Rubrik cluster.
7785 a. Replication a. Replication target a. Replication data transmission.

TCP source b. Replication b. Replication data transmission.
b. Replication source
target
8080 Rubrik node Isilon Allows communication for NAS vendor API
TCP integration.
8081 Rubrik node Rubrik node Allows node to node communication to the Graphite
TCP web server.
9440 Nutanix Cluster Rubrik cluster Permits communication between Nutanix Cluster
TCP and the Rubrik cluster
10000 Rubrik cluster Rubrik cluster Allows sharing of Rubrik cluster file system (SDFS)
TCP data between the nodes of a Rubrik cluster.
10001 Rubrik node Rubrik node Allows node to node SDFS communication.
TCP
12800 Rubrik cluster a. Physical Linux or a. Permits contact with the Rubrik Backup Service
TCP Unix host software on the Linux or Unix host.
b. Windows Server b. Permits contact with the Rubrik Backup Service
host software on the Windows Server host.
c. Hyper-V host c. Permits contact with the Rubrik Backup Service
software on the Hyper-V host.
12801 Rubrik cluster a. Physical Linux or a. Permits contact with the Rubrik Backup Service
TCP Unix host software on the Linux or Unix host.
b. Windows Server b. Permits contact with the Rubrik Backup Service
host software on the Windows Server host.
c. Hyper-V host c. Permits contact with the Rubrik Backup Service
software on the Hyper-V host.
18082 Rubrik cluster QStar host Required for archiving to QStar tape archive.
TCP Remote Admin (C:\qstar\bin\admin.exe) listens on
the QStar host.
26257 Rubrik node Rubrik node Allows node to node CockroachDB communication.
TCP
32764 - NFS client Rubrik cluster Required for all NFS protocol Live Mounts of
32769 managed volumes on a Rubrik cluster. Rubrik
TCP/UDP clusters limit the allocated port range for managed
volumes and for the mountd, statd, lockd, and
rquotad services to this inbound TCP/UDP port
range.

Ports
Rubrik uses TCP port 443 for secure transmissions in a number of contexts. Table 146 describes
those uses.
Table 146 All uses of secure port 443 TCP (page 1 of 2)
Source Destination Description
Rubrik cluster proxy.rubrik.com Required for:
Rubrik Support tunnel and Rubrik cluster
statistics.
Rubrik cluster logs.rubrik.com Error log upload.
Rubrik cluster s3.amazonaws.com Uploading support bundles.
Rubrik cluster ESXi host File level restore.
Web UI clients Rubrik cluster Secure communication between web UI client
and Rubrik cluster.
Rubrik cluster Archival location URL Transmitting data to the archival location.
Rubrik cluster VMware vCenter Server Information queries about virtual machines.
Local web browser IPMI on a Rubrik node Web interface with IPMI on a Rubrik node.
Rubrik cluster Pure Storage array Invoking Pure Storage REST APIs for
snapshots and queries about volumes.
Rubrik cluster <blob-acct>.blob.core.windo Required for CloudOut to Azure. Replace
ws.net <blob-acct> with the Azure archive blob storage
account name.
Rubrik cluster gp-acct>.blob.core.windows. Required for CloudOn with Azure. Replace
net <gp-acct> with the name of a GPv1 or GPv2
storage account. The account cannot be a blob
storage account.
Rubrik Bolt <blob-acct>.blob.core.windo Required for CloudOn with Azure. Replace
ws.net <blob-acct> with the Azure archive blob storage
account name.
Rubrik cluster s3.<region>.amazonaws.co Required for CloudOut to AWS. Replace
m <region> with an AWS region name.
Rubrik cluster kms.<region>.amazonaws.c Required for CloudOut to AWS only when AWS
om KMS encryption keys are used with the archive.
Replace <region> with an AWS region name.
Rubrik cluster ec2.<region>.amazonaws.co Required for CloudOn with AWS. Replace
Rubrik Bolt s3.<region>.amazonaws.co Required for CloudOn with AWS. Replace
Rubrik Bolt kms.<region>.amazonaws.c Required for CloudOn with AWS only when
om AWS KMS encryption keys are used with the
archive. Replace <region> with an AWS region
name.

Ports
Table 146 All uses of secure port 443 TCP (page 2 of 2)

Source Destination Description
Rubrik Bolt sts.<region>.amazonaws.co Required for CloudOn with AWS only when the
m BOLT and Converter image is shared. Replace
<region> with an AWS region name.
Rubrik cluster ESXi host Enables secure communication for pre- and
post-scripts on protected vSphere virtual
machines. Note that this port assignment
applies only to Rubrik CDM version 5.0.0, and
not to any subsequent release.
Rubrik Envoy Rubrik cluster Required for communication between Rubrik
Envoy managed service provider and Rubrik
cluster.
Rubrik node NetApp Allows communication for NAS vendor API
integration.
Additional network requirement

To provide IPMI management information, Rubrik nodes must be able to receive packets sent from
a local ping program. Firewalls must be configured to permit traffic that uses the ECHO protocol.
The ability to ping a node permits an administrator to determine if the node address exists and if
the node can accept requests.
Rubrik cluster inbound ports

To provide the full range of Rubrik cluster features, the Rubrik cluster listens on the ports listed in
Table 147. This list excludes communication between nodes within a cluster, communication for
replication, and communication for archival activity, which are covered in other tables.
Table 147 Rubrik cluster inbound ports (page 1 of 2)
Port Source Description
22 TCP a. Local SSH client a. Provides the ability to launch an SSH session for support and
b. Cloud instance administration.
b. (Optional) Only required when an issue occurs. Permits
troubleshooting.
80 TCP Web UI clients Handles redirection of web UI clients to HTTPS.
111 TCP a. VMware ESXi a. Provides an NFS datastore for ESXi hosts.
hosts b. Provides an NFS datastore for Oracle Server.
b. Oracle Server c. Provides an NFS datastore for SAP HANA host.
c. SAP HANA host
Additional network requirement 674

Ports
Table 147 Rubrik cluster inbound ports (page 2 of 2)

Port Source Description
137 UDP Hyper-V host Provides access to Samba share during backup, export and live
mounts.
138 UDP Hyper-V host Provides access to Samba share during backup, export and live
mounts.
139 TCP Hyper-V host Provides access to Samba share during backup, export and live
mounts.
443 TCP a. Web UI clients a. Required for secure communication between web UI client
b. Oracle database and Rubrik cluster.
host b. Required for secure connection when sending REST API
c. SAP HANA host commands from the Oracle database host to the Rubrik
d. Rubrik Envoy cluster.
c. Required for secure connection when sending REST API
commands from the SAP HANA database host to the Rubrik
cluster.
d. Required for communication with Rubrik cluster.
445 TCP a. SQL Live Mount a. Required for Live Mount SQL databases.
host b. Required for Volume Group backups.
b. Windows host
2002 TCP Cloud provider (AWS Permits secure communication with the cloud provider.
or Azure)
2049 TCP/UDP a. VMware ESXi a. Permits contact with the NFS daemon running on the Rubrik
hosts cluster for Live Mount operations.
b. Oracle Server b. Permits contact with the NFS daemon running on the Rubrik
cluster for Live Mount operations.
2200 TCP Rubrik node Allows node-to-node SSH communication during upgrade.
8077 TCP Cloud provider (AWS Permits secure communication over SSH with the cloud
or Azure) provider for debugging.
7500-7501 Rubrik cluster Required for communication between Rubrik cluster and Rubrik
TCP Envoy managed service provider, to handle inbound proxy
communications specifically for RBA traffic.
7784 TCP Rubrik node Allows TLS over TCP communication between nodes within a
Rubrik cluster.
9440 TCP Nutanix cluster Permits communication between Nutanix cluster and the Rubrik
cluster.
32764 - 32769 NFS server Rubrik clusters limit the allocated port range for managed
TCP/UDP volumes and for the mountd, statd, lockd, and quotad services
to this inbound TCP/UDP port range.
Rubrik cluster inbound ports 675

Ports
Rubrik cluster outbound ports

To provide the full range of Rubrik cluster features, the Rubrik cluster must be allowed to connect
to the ports listed in Table 148. This list excludes communication between nodes within a cluster,
communication for replication, and communication for archival activity. Refer to Cloud ports for the
required Rubrik cluster outbound ports for CloudOut and CloudOn.
Table 148 Rubrik cluster outbound ports (page 1 of 2)
Port Destination Description
25 TCP Email server Allows the Rubrik cluster to send email alerts to administrators.
Only required when the email server supports this port.
53 UDP DNS server Allows hostname resolution.
111 TCP Rubrik cluster Allows access to an NFS datastore for Oracle hosts and SAP
HANA hosts.
123 UDP NTP server Allows access to network time protocol (NTP) servers for time
synchronization.
389 TCP Active Directory server or Permits LDAP communication for SMB security and LDAP
LDAP server servers.
443 TCP a. proxy.rubrik.com Required for:
b. logs.rubrik.com a. Rubrik Support tunnel and Rubrik cluster statistics.
c. s3.amazonaws.com b. Required for error log upload.
d. ESXi host c. Uploading support bundles.
e. Archival location URL d. File level restore.
f. VMware vCenter e. Transmitting data to the archival location.
Server f. Information queries about virtual machines.
g. Pure Storage array g. Invoking Pure Storage REST APIs for snapshots and
h. ESXi host queries about volumes.
i. NetApp h. Enables secure communication for pre- and post-scripts on
protected vSphere virtual machines. Note that this port
assignment applies only to Rubrik CDM version 5.0.0, and
not to any subsequent release.
i. Allows communication for NAS vendor API integration.
445 TCP Active Directory server Required for NTLM authentication.
636 TCP Active Directory server or Permits secure LDAP (LDAPS) communication for SMB
LDAP server security and LDAP servers.
902 TCP VMware ESXi hosts Permits network block device (NBD) data transfers.
Rubrik cluster outbound ports 676

Ports
Table 148 Rubrik cluster outbound ports (page 2 of 2)

2074 TCP Nutanix cluster Permits secure communication between the Rubrik cluster and
the Nutanix Guest Agent (NGA). The NGA publishes
information such as guest OS type, status of VM mobility and
VSS services, and more.
2200 TCP Rubrik node Allows node to node SSH communication during upgrade.
3260 TCP iSCSI targets Permits iSCSI data transfers.
3268 TCP Active Directory Global Permits LDAP communication for SMB security and LDAP
Catalog server servers.
3269 TCP Active Directory Global Permits secure LDAP (LDAPS) communication for SMB
Catalog server security and LDAP servers.
7784 TCP Rubrik node Allows TLS over TCP communication between nodes within a
Rubrik cluster.
8080 TCP Isilon Allows communication for NAS vendor API integration.
9440 TCP Nutanix cluster Permits communication between Nutanix cluster and the
Rubrik cluster
12800 TCP a. Physical Linux or Unix a. Permits contact with the Rubrik Backup Service software on
host the Linux or Unix host.
b. Windows Server host b. Permits contact with the Rubrik Backup Service software on
c. Hyper-V host the Windows Server host.
c. Permits contact with the Rubrik Backup Service software on
the Hyper-V host.
12801 TCP a. Physical Linux or Unix a. Permits contact with the Rubrik Backup Service software on
host the Linux or Unix host.
b. Windows Server host b. Permits contact with the Rubrik Backup Service software on
c. Hyper-V host the Windows Server host.
c. Permits contact with the Rubrik Backup Service software on
the Hyper-V host.
18082 QStar host Required for archiving to QStar tape archive. Remote Admin
TCP (C:\qstar\bin\admin.exe) listens on the QStar host.
Rubrik cluster outbound ports 677

Ports
Ports used for communication between nodes in a cluster

The nodes of a Rubrik cluster communicate using the ports listed in Table 149.
Table 149 Rubrik cluster node to node ports
123 UDP Rubrik nodes Facilitates time synchronization among Rubrik peer
nodes.
2013 TCP Carbon Relay Line Receiver Allows sharing of statistics between the nodes of a
Rubrik cluster.
2014 TCP Carbon Relay Pickle Receiver Allows sharing of statistics between the nodes of a
Rubrik cluster.
2200 TCP SSH Allows node to node SSH communication during
upgrade.
5353 Rubrik nodes Allows zeroconf node discovery.
7000 TCP Cassandra Allows process arbitration between the nodes of a Rubrik
cluster.
7781 TCP Cluster Configuration Permits the Rubrik cluster to load basic software and
configuration information (bootstrap) during cluster
configuration.
8081 TCP Graphite Allows node to node communication to the Graphite web
server.
10000 TCP SDFS Allows sharing of SDFS data between the nodes of a
Rubrik cluster.
Archiving ports
For archiving, the Rubrik cluster uses the outbound ports that are listed in Table 150.
Table 150 Archiving ports
443 TCP Amazon S3 URL Required for transmitting data to the archival location.
Microsoft Azure URL
2049 TCP NFS server Permits communication with a NAS device that is being used as an
archival location.
For archiving to an object storage system, the Rubrik cluster can be configured to use the port
that is specified in the configuration of the object storage system.
Ports used for communication between nodes in a cluster 678

Ports
Cloud ports
The required ports for the Rubrik cloud features CloudOut and CloudOn are determined by the
associated cloud service vendor.
Table 151 describes the port requirements for the Microsoft Azure cloud.
Table 151 Azure port requirements
Feature Port Source Destination Description
Support 443 TCP Rubrik cluster logs.rubrik.com Used by the log collection
service.
Support 443 TCP Rubrik cluster proxy.rubrik.com Provides the Rubrik Support
tunnel.
CloudOut 443 TCP Rubrik cluster <blob-acct>.blob.core.windows.net Replace <blob-acct> with
the Azure archive blob
storage account name.
CloudOn 443 TCP Rubrik cluster <Bolt-subnet> Replace <Bolt-subnet> with
the CIDR range of the
network subnet used by
Bolt.
Bolt. Only required when
troubleshooting.
Bolt.
troubleshooting over SSH.
CloudOn 443 TCP Rubrik cluster <gp-acct>.blob.core.windows.net Replace <gp-acct> with the
name of a GPv1 or GPv2
storage account. The
account cannot be a blob
storage account.
CloudOn 443 TCP Rubrik Bolt <blob-acct>.blob.core.windows.net Replace <blob-acct> with
the Azure archive blob
storage account name.
Cloud ports 679

Ports
Table 152 describes the port requirements for the Amazon Web Services cloud.
Table 152 AWS port requirements
Feature Port Source Destination Description
Support 443 TCP Rubrik cluster logs.rubrik.com Used by the log collection
service.
Support 443 TCP Rubrik cluster proxy.rubrik.com Provides the Rubrik Support
tunnel.
CloudOut 443 TCP Rubrik cluster s3.<region>.amazonaws.com Replace <region> with an
AWS region name. For
example: us-west-1
CloudOut 443 TCP Rubrik cluster kms.<region>.amazonaws.com Replace <region> with an
example: us-west-1
Required only when AWS
KMS encryption keys are
used with the archive.
CloudOn 443 TCP Rubrik cluster ec2.<region>.amazonaws.com Replace <region> with an
example: us-west-1
troubleshooting.
Bolt.
troubleshooting over SSH.
CloudOn 443 TCP Rubrik Bolt s3.<region>.amazonaws.com Replace <region> with an
example: us-west-1
CloudOn 443 TCP Rubrik Bolt kms.<region>.amazonaws.com Replace <region> with an
example: us-west-1
Required only when AWS
KMS encryption keys are
used with the archive.
Cloud ports 680

Ports
Replication port
For replication, the source Rubrik cluster and the target Rubrik cluster use the single, bidirectional,
port listed in Table 153.
Table 153 Replication ports
7785 TCP a. Replication source a. Spray server on the a. Required for secure
Rubrik cluster replication target communication between
b. Replication source Rubrik cluster replication source and
Rubrik cluster b. Remote cluster service high-performance HTTP server on
c. Replication target on the replication target target.
Rubrik cluster Rubrik cluster b. Replication data transmission.
d. Replication target c. Remote cluster service c. Replication data transmission.
Rubrik cluster on the replication d. Permits replication data
source Rubrik cluster transmission.
d. Snapshot server on the
replication source
Rubrik cluster
Replication port 681

Appendix B
Minimum vCenter Server Privileges
This appendix describes the minimum vCenter Server privileges required by the Rubrik cluster in
the following section:
 Minimum required privileges .................................................................................... 683
Minimum vCenter Server Privileges 682

Minimum required privileges

The vCenter Server role that is assigned to a Rubrik cluster must provide specific privileges on the
vCenter Server.
For information about how to assign the minimum privileges to the Rubrik cluster, contact Rubrik
Support and request the most recent revision of the Rubrik Technical Note vSphere Privilege
Requirements.
Note: The minimum vCenter account privileges also protect vCloud Director accounts. A vCloud
Director account, however, must be a System Administrator account, because vCloud Director runs
on top of vCenters, and accesses certain additional operations that require the System
Administrator role. Adding a vCloud Director instance describes how to add a vCloud Director
instance.
Table 154 describes the minimum privileges on the vCenter Server that are required by the
vCenter Server role that is assigned to the Rubrik cluster. The table uses an asterisk (*) to indicate
a privilege that Rubrik does not require in the current release but anticipates requiring in a later
release.
Table 154 Minimum vCenter Server privileges required by Rubrik (page 1 of 5)
Privilege category Privilege Description
Datastore Allocate space Used by Rubrik to create virtual machines for export. Also
used by Rubrik to provide space for delta files on the
datastore when creating a snapshot.
Datastore Browse datastore Permits Rubrik to find and download the vmware.log file for
a virtual machine after a failed snapshot and to send the
vmware.log file out for support.
Datastore Configure datastore Allows Rubrik to connect the datastore on a Rubrik cluster
to the vCenter Server for Live Mount and Instant Recovery.
Datastore Low level file operations Permits Rubrik to ingest and to export the contents of
snapshot VMDKs.
Datastore Move datastore* Allows Rubrik to place a Live Mount datastore into a
vCenter Server folder to enhance manageability.
Datastore Remove datastore Used by Rubrik to detach a Live Mount datastore that is no
longer in use.
Globala Disable methods When configured to connect to vCenter server extensions,
this privilege allows Rubrik for vCenter server extensions
to disable certain operations and objects managed by
vCenter Server.
Global Enable methods When configured to connect to vCenter server extensions,
this privilege allows Rubrik to enable certain operations
and objects managed by vCenter Server.
Minimum required privileges 683


Global Licenses Permits the Rubrik cluster to view installed license and add
or remove licenses.
Host Configuration: Configuration privileges:
a. Storage partition a. Used by Rubrik for storage partition configuration when
configuration attaching Live Mount datastores to ESXi hosts.
Network Assign network Permits Rubrik to connect Instant Recovery virtual
machines to a network when powering on the virtual
machines.
Resource a. Assign virtual a. Allows Rubrik to allocate resources on an ESXi host for
machine to resource powering on virtual machines that are created through
pool the Export, Live Mount, and Instant Recovery features.
b. Relocate b. Permits a Rubrik cluster to initiate the Storage vMotion
operation that is required for instant recovery of vCloud
Director vApps.b
Sessions Validate session Used by Rubrik to discover, cache, and reuse previous
vCenter Server sessions.
Sessions View and stop sessions Used by Rubrik to discover, cache, and reuse previous
vCenter Server sessions.


Virtual machine Configuration: Configuration privileges:
a. Add existing disk a. Used by Rubrik when creating virtual machines through
b. Add new disk the Export, Live Mount, and Instant Recovery features.
c. Advanced b. Used by Rubrik when creating virtual machines for the
d. Change resource Export, Live Mount, and Instant Recovery features.
e. Disk change tracking c. Required for Live Mount, Instant Recovery, and Export.
f. Disk lease Also permits creation of the proxy virtual machine that is
g. Rename* required for storage array integration.
h. Settings d. Permits Rubrik to configure virtual machine resources
that are created in resource pools.
i. Swapfile placement
e. Used by Rubrik to enable incremental snapshots, and to
j. Remove disk
reset CBT when requiredc.
f. Allows Rubrik to acquire leases to permit using VADP
for transferring VMDK contents.
g. Permits Rubrik to rename the Live Mount datastore to
enhance manageability.
h. Used by Rubrik to configure virtual machines that are
created through the Export, Live Mount, and Instant
Recovery features.
i. Allows Rubrik to power on virtual machines that are
created through the Export, Live Mount, and Instant
Recovery features.
j. Used by a Rubrik cluster to unmount virtual disks that
were mounted during a Live Mount operation.
Virtual machine Guest Operations: Guest Operations privileges:
a. Guest Operation a. Permits Rubrik to deploy the Rubrik VSS agent into
Modifications guest operating systems when creating application
b. Guest Operation consistent snapshots.
Program Execution b. Permits Rubrik to start the Rubrik VSS agent on guest
c. Guest Operation operating systems when creating application consistent
Queries snapshots.
c. Allows Rubrik to monitor and manage the Rubrik VSS
agent while the agent is running on guest operating
systems.


Virtual machine Interaction: Interaction privileges:
a. Answer question* a. Permits Rubrik to automatically handle situations where
b. Backup operation on a virtual machine is in a stuck state waiting for a
virtual machine question to be answered.
c. Device connection b. Used by Rubrik to perform backup operations on virtual
d. Guest operating machines.
system management c. Used by Rubrik to connect and disconnect devices
by VIX API which are attached to virtual machines that are created
e. Power Off through the Export, Live Mount, and Instant Recovery
f. Power On features.
g. Reset* d. Permits Rubrik to manage a guest operating system
h. Suspend* along with the Rubrik VSS agent when creating
application consistent snapshots.
i. VMware Tools
install* e. Allows Rubrik to power off Live Mount virtual machines
and Instant Recovery virtual machines before deleting
the virtual machine.
f. Allows Rubrik to power on Export virtual machines, Live
Mount virtual machines and Instant Recovery virtual
machines after creating the virtual machine.
g. Permits Rubrik to manage Export virtual machines, Live
h. Permits Rubrik to manage Export virtual machines, Live
i. Allows Rubrik to upgrade VMware Tools on a guest OS
as needed to prevent the guest OS from hanging or
crashing when quiescing for a snapshot.


Virtual machine Inventory: Inventory privileges:
a. Create new a. Used by Rubrik to create Export virtual machines, Live
b. Move Mount virtual machines and Instant Recovery virtual
c. Register machines.
d. Remove b. Permits Rubrik to move an original virtual machine into a
e. Unregister “deprecated” folder before replacing the original with an
Instant Recovery virtual machine.
c. Used by Rubrik to create Export virtual machines, Live
machines.
d. Allows Rubrik to remove Export virtual machines, Live
machines.
e. Allows Rubrik to remove Export virtual machines, Live
machines.
Virtual machine Provisioning: Provisioning privileges:
a. Allow disk access a. Permits Rubrik to write the VMDK contents of Export
b. Allow read-only disk virtual machines, Live Mount virtual machines and
access Instant Recovery virtual machines.
c. Allow virtual machine b. Permits Rubrik to read the VMDK contents of Export
download virtual machines, Live Mount virtual machines and
d. Allow virtual machine Instant Recovery virtual machines when backing up the
files upload virtual machines.
c. Allows Rubrik to download the non-VMDK files of
protected source virtual machines, including
configuration files and support logs.
d. Allows Rubrik to upload non-VMDK files of Export virtual
machines, Live Mount virtual machines and Instant
Recovery virtual machines, when creating and
configuring the virtual machines.
Virtual machine Snapshot management: Snapshot management privileges:
a. Create snapshot a. Permits Rubrik to create temporary snapshots of virtual
b. Remove snapshot machines for ingest into Rubrik cluster storage.
c. Rename snapshot* b. Permits Rubrik to remove temporary snapshots of virtual
d. Revert to snapshot machines that were created for ingest into Rubrik cluster
storage.
c. Allows Rubrik to manage the temporary snapshots of
virtual machines that were created for ingest into Rubrik
cluster storage.
d. Used by Rubrik to prepare an Export virtual machine
with data from a Rubrik snapshot.

a. The Global privileges Disable methods, Enable methods, and Licenses, are only required for VDDK 5.1
and VDDK 5.5. Upgrading to vSphere 5.1 U3 eliminates the requirement. Refer to the VMware Knowledgebase
article: Restoring or backing up virtual machines using VDDK API fails with the error: Not licensed to use this
function. Error 16064 at 2357 (2063054).
b. This privilege is only required for vCenter servers that are connected for vCloud Director vApp protection.
c. Resetting CBT is required when a known VMware issue occurs that results in vSphere failing to maintain the
setting.

Appendix C
Archive Preparation
This appendix provides supplemental information about the initial preparation required to use
specific types of archival locations.
 Generating an RSA key ........................................................................................... 690
 Preparing to use Amazon S3 as an archival location .................................................. 690
 Preparing to use Amazon Glacier as an archival location ............................................ 694
 Preparing to use GCP as an archival location............................................................. 698
 Preparing Microsoft Azure as an archival location ...................................................... 699
 Preparing Cleversafe as an archival location.............................................................. 700
 Preparing Scality as an archival location ................................................................... 703
 Preparing to use an NFS share as an archival location ............................................... 704
 Preparing an Isilon NFS share as an archival location ................................................ 705
 Preparing a QStar Integral Volume as an archival location ......................................... 706
Archive Preparation 689

Archive Preparation
Generating an RSA key

Several of the supported archival locations require an RSA key for encrypting archival data.
Generate an RSA key on a secure computer.
1. On a secure computer, start a shell session or open a terminal window.
The computer must have the OpenSSL toolkit installed. For most Linux and Unix distributions,
the standard operating system packages include the OpenSSL toolkit. The OpenSSL toolkit can
also be downloaded and installed on Windows computers.
2. At a command prompt, type:
openssl genrsa -out rubrik_encryption_key.pem 2048
The openssl command creates an RSA key in the current working directory.
Use the contents of the RSA key file in the RSA Key field when configuring an archival location in
the web UI.
Preparing to use Amazon S3 as an archival location

Prepare to use Amazon Simple Storage Service (S3) object storage as an archival location.
When adding an Amazon S3 archival location on a Rubrik cluster, if the specified bucket does not
exist, Rubrik attempts to create the bucket. Users must have the permissions to create a new
bucket when Rubrik prompts for the user credentials provided to Rubrik have the permissions to
create a new bucket.
To prepare an Amazon S3 archival location, use the AWS Management Console as the root user
and complete these tasks in the specified order:
1. Create an S3 bucket.
2. Create a security policy for the bucket.
3. Create a user account with access to the bucket.
Creating an S3 bucket
Create an Amazon S3 bucket to use as the archival target when archiving to Amazon S3. Isolating
permissions at the bucket level provides additional security for the archived data.
1. In the AWS Services list, in the Storage section, select S3.
The Amazon S3 page appears.
2. Click + Create bucket.
Generating an RSA key 690

Archive Preparation
3. In Bucket name, type a name for the new bucket.

Click the information icon next to the Bucket name field to see the requirements for a bucket
name.
4. In Region, select the region in which the bucket should be created.
Verify that Rubrik supports the selected region.
5. Click Create.
AWS creates the new bucket, and the bucket appears in the list.
6. Select the new bucket.
A page for the bucket appears. The page has tabs for Properties, Permissions, and
Management.
7. Click Copy Bucket ARN.
8. Paste the Bucket ARN into a plain text scratch file.
9. Close the dialog box.
Creating a security policy for the bucket

Create a security policy for the bucket.
 Create a security policy with a pre-existing bucket.
You can create IAM roles to delegate access to AWS resources in a pre-existing bucket. Make
sure that the following permission set is granted to this IAM role:
{
“Version”:“2012-10-17",
“Statement”:[
{
“Effect”:“Allow”,
“Action”:[
“s3:CreateBucket”,
“s3:ListAllMyBuckets”
],
“Resource”:“arn:aws:s3:::*”
},
{
“Action”:[
“s3:ListBucket”,
Preparing to use Amazon S3 as an archival location 691

Archive Preparation
“s3:GetBucketLocation”
],
“Resource”:“arn:aws:s3:::<bucket-name>”
},
{
“Action”:[
“s3:PutObject”,
“s3:GetObject”,
“s3:DeleteObject”,
“s3:AbortMultipartUpload”,
“s3:ListMultipartUploadParts”,
“s3:RestoreObject”
],
“Resource”:“arn:aws:s3:::<bucket-name>/*”
}
]
}
 Create a security policy with all buckets in the account
You can create IAM roles to delegate access to AWS resources in all buckets in the account.
Make sure that the following permission set is granted to this IAM role:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:ListBucketMultipartUploads",
"s3:RestoreObject",
"s3:CreateBucket",
"s3:ListBucket",
"s3:HeadBucket",
"s3:DeleteObject",
"s3:ListMultipartUploadParts"
],
"Resource": "*"

Archive Preparation
}
]
}
With this permission set, the IAM user can create a new bucket, list all buckets in the account and
work with all objects in all buckets in the account.
4. From Service, click Choose a service.
5. Select S3.
6. From Actions, click Select actions.
7. Check the box for All S3 actions (s3:)*.
This gives all permissions to the user for this bucket.
Alternatively, you can give permissions to the user for all the buckets in the account, as
described in Create a security policy with all buckets in the account.
8. From Resources section, to the right of bucket, click Add ARN.
9. In the Specify ARN for bucket field, remove the placeholder arn:aws:3::: and paste the
bucket ARN copied in step 7 in the previous section with /* at the end.
10.Click Add.
11.At the bottom of the page, click Review policy.
12.In the Name field, provide a policy name (for example, RubrikS3Policy).
13.At the bottom of the page, click Create policy.
AWS creates the bucket policy and returns to the policy list page.
Creating a user account with access to the bucket

Create an IAM user account with policy-based access to the bucket.
3. The list of users appears.

Archive Preparation
4. Click Add user.

The user account will be used by the Rubrik cluster to access the bucket.
account.
9. Select the policy created for the bucket, and click Next: Review.
The file can be renamed. The file contains the Access key ID and Secret access key for the user
account and should be securely stored. Use these values when configuring the Rubrik cluster to
use this AWS bucket as an archival location.
Preparing to use Amazon Glacier as an archival location

Prepare to use Amazon Glacier object storage as an archival location.
When adding an Amazon Glacier archival location on a Rubrik cluster, if the specified vault does
not exist, Rubrik attempts to create the vault. Users must have the permissions to create a new
vault when Rubrik prompts for the user credentials provided to Rubrik have the permissions to
create a new bucket.
To prepare an Amazon Glacier archival location, use the AWS Management Console as the root
user and complete these tasks in the specified order:
1. Create a Glacier vault.
2. Create a security policy for the vault.
Preparing to use Amazon Glacier as an archival location 694

Archive Preparation
3. Create a user account with access to the vault.
Creating a Glacier vault

Create an Amazon Glacier vault to use as the archival target when archiving to Amazon Glacier.
Isolating permissions at the vault level provides additional security for the archived data.
1. In the AWS Services list, in the Storage section, select Glacier.
The Amazon Glacier page appears.
2. Click + Create Vault.
3. In Vault name, type a name for the new vault.
Click the information icon next to the vault name field to see the requirements for a vault
name.
4. In Region, select the region in which the vault should be created.
Verify that Rubrik supports the selected region.
5. Click Next Step.
AWS creates the new vault, and the vault appears in the list.
6. Select Do not enable notifications.
When certain Amazon Glacier jobs complete, AWS will not send notifications to you or your
application.
7. Click Next Step.
8. Check the region and vault name, and click Submit.
AWS creates the vault, and the vault appears in the list.
9. Select the new vault.
A page for the bucket appears. The page has tabs for Properties, Permissions, and
Management.
10.Click Copy Vault ARN.
11.Paste the Bucket ARN into a plain text scratch file.
12.Close the dialog box.

Archive Preparation
Creating a security policy for the vault

Create a security policy for the vault.
 Create a security policy with a pre-existing vault.
You can create IAM roles to delegate access to AWS resources in a pre-existing vault. Make
sure that the following permission set is granted to this IAM role:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"glacier:CreateVault",
"glacier:DeleteVault",
"glacier:DescribeVault",
"glacier:ListVaults"
],
"Resource": "arn:aws:glacier:::*"
},
{
"Effect": "Allow",
"Action": [
"glacier:AddTagsToVault",
"glacier:ListTagsForVault",
"glacier:RemoveTagsFromVault",
"glacier:InitiateJob",
"glacier:DescribeJob",
"glacier:GetJobOutput",
"glacier:UploadArchive",
"glacier:InitiateMultipartUpload",
"glacier:UplaoadMultipartPart",
"glacier:CompleteMultipartUpload",
"glacier:DeleteArchive",
"glacier:GetVaultLock",
"glacier:InitiateVaultLock",
"glacier:CompleteVaultLock",
"glacier:AbortVaultLock"
],
"Resource": "<vault-arn>"

Archive Preparation
}
]
}
4. From Service, click Choose a service.
5. Select Glacier.
6. From Actions, click Select actions.
7. Check the box for All Glacier actions (glacier:)*.
This gives all permissions to the user for this vault.
Alternatively, you can give permissions to the user for all the vaults in the account, as described
in Create a security policy with a pre-existing vault.
8. From Resources section, to the right of vault, click Add ARN.
9. In the Specify ARN for bucket field, remove the placeholder arn:aws:glacier::: and paste the
bucket ARN copied in step 10 in the previous section.
10.Click Add.
11.At the bottom of the page, click Review policy.
12.In the Name field, provide a policy name (for example, RubrikGlacierPolicy).
13.At the bottom of the page, click Create policy.
AWS creates the bucket policy and returns to the policy list page.
Creating a user account with access to the vault

Create an IAM user account with policy-based access to the vault.
The list of users appears.
3. Click Add user.

Archive Preparation
The user account will be used by the Rubrik cluster to access the vault.
account.
8. Select the policy created for the bucket, and click Next: Review.
9. Click Create user.
The file can be renamed. The file contains the Access key ID and Secret access key for the user
account and should be securely stored. Use these values when configuring the Rubrik cluster to
use this AWS bucket as an archival location.
Preparing to use GCP as an archival location

Prepare to use Google Cloud Platform as an archival location.
1. In a web browser, access the Google Cloud Platform portal at:
https://console.cloud.google.com/
2. Log in with a Google account username and password.
The Google Cloud Platform page appears.
3. From the left side of the pane, select IAM & admin.
The IAM & admin page appears.
4. From the left side of the pane, select Service accounts, then click Create Service Account.
The Create service account page appears.
5. In Service account name, specify the service account name.
Preparing to use GCP as an archival location 698

Archive Preparation
6. In Role, specify Storage > Storage Admin.

7. In Furnish a new private key, check the box and click Key type JSON.
8. Click Create.
The JSON for the service account’s Private Key will be downloaded.
Preparing Microsoft Azure as an archival location

Prepare to use Microsoft Azure object storage as an archival location.
1. In a web browser, access the Microsoft Azure portal at:
https://portal.azure.com/
2. Log in with a Microsoft account username and password.
The Dashboard page appears.
3. On the left-side menu, click Storage accounts.
The Storage accounts page appears.
4. On the Storage accounts pane click +Add.
The Create a storage account pane appears.
5. In Name, type a name for the storage account.
Use this name in the Account Name field when configuring the archival location in the web UI.
6. In Deployment model, select Resource manager.
The Classic model does not support blob storage and cannot be used as an archival location for
a Rubrik cluster.
7. In Account kind, select Blob storage.
8. In Performance, select Standard.
9. In Replication, select the desired redundancy option.
10.In Access tier, select the appropriate access tier.
Rubrik only supports Hot and Cool tiers.
Choose the access tier that best meets your business requirements. Consult the Azure
documentation for information about tiers.
11.In Storage service encryption, select Disabled.
The Rubrik cluster encrypts all data before transferring the data to a Microsoft Azure archival
location.
Preparing Microsoft Azure as an archival location 699

Archive Preparation
12.In Subscription, select the subscription account to use.

13.In Resource group, select an existing resource group or create a new group.
14.In Location, select the geographic location for the storage.
15.Click Create.
The Azure portal creates the storage account and lists the new account on the Storage
accounts pane.
16.Select the storage account, and click +Container.
17.In Name, enter a name for the container.
18.In Access type, select Private.
19.Click Create.
The Azure portal creates the creates the container and adds the new container to the selected
Storage account.
20.In the Settings section of the Storage account menu, click Access keys.
The Access keys pane opens with the selected Storage account shown in Storage account
name.
21.In the Key field, select and copy one of the pre-defined keys.
Save the key in a secure file.
Use the key in the Account Key field when configuring the archival location in the web UI.
22.Log out of the Microsoft Azure portal.
23.Generate an RSA key as described in Generating an RSA key.
Use the contents of the RSA key file in the RSA Key field when configuring a Microsoft Azure
archival location in the web UI.
Preparing Cleversafe as an archival location

Before using a Cleversafe object store as an archival location, create a vault template and a user
account to be used by the Rubrik cluster.
The result of this task is a vault template with the following required characteristics:
 Name Index Enabled is selected
 READ/WRITE is enabled for an account created for the Rubrik cluster
 An Access Pool with Cloud Storage Object as the Protocol Type
Preparing Cleversafe as an archival location 700

Archive Preparation
! IMPORTANT
The vault template must have Name Index Enabled selected. This option enables the Rubrik
cluster to perform the archival file and directory listings that are required for upgrade and
disaster recovery.
The result of this task is also a new account with the following required characteristics:
 The Role of Vault Provisioner
 READ/WRITE access to the vault created for the Rubrik cluster
 Generated and retained access key and secret key
Note: The instructions provide by this section use Cleversafe version 3.6.6.2. The general
requirements described by this section apply to all versions of Cleversafe. Refer to the Cleversafe
documentation for the most up-to-date instructions for a specific Cleversafe version.
1. Using a web browser, access the Cleversafe dsNet Manager UI and log in using an account with
administrator privileges on the Cleversafe system.
2. On the top menu bar, select Administration.
The Administration page appears.
3. In the Provisioning API Configuration section, click Configure.
The Provisioning API Configuration page appears.
4. Select Create and Delete, and click Update.
5. On the top menu bar, select Configure.
The Configure page appears.
6. In the left-side hierarchical tree, under Access Pools, select an Access Pool.
The page for the selected Access Pool appears.
7. Click Change.
The Editing page appears.
8. On the Editing page, in API Type, select Cloud Storage Object.
9. Click Update.
10.In the left-side hierarchical tree, under Storage Pools, select a Storage Pool.
The page for the selected Storage Pool appears.
11.In Vault Templates, click Create Vault Template.

Archive Preparation
The Create New Vault Template page appears.

12.In the General section, type a name and description for the Vault Template.
! IMPORTANT
Do not type a value in the Provisioning Code field. The Rubrik cluster does not support
provisioning codes.
13.In the Configuration section, select a Width and Threshold.

14.(Optional) In the Configuration section, set a Write Threshold and Alert Level.
15.(Optional) In the Options section, select Enable SecureSlice Technology.
16.In the Options section, clear Enable Versioning and clear Delete Restricted.
17.(Optional) in Quotas, set a Soft Quota and a Hard Quota.
18.In Advanced Index Settings, select Name Index Enabled.
19.In Advanced Index Settings, clear Recovery Listing Enabled.
Clear this setting to prevent it from overriding the selection of Name Index Enabled.
20.In Deployment, select an Access Pool that has Cloud Storage Object enabled in Protocol
Type.
21.Click Save.
The Cleversafe system creates the new Vault Template and a description of the settings of the
new Vault Template appears.
22.On the top menu bar, select Configure.
The Configure page appears.
23.In the Default Vault Template Configuration section, click Configure.
The Default Vault Template page appears.
24.Select the Vault Template that was created in the previous steps, and click Update.
25.On the top menu bar, click Security.
The Security page appears.
26.In the Accounts and Groups section, click Create Account.
The Create New Account section appears.
27.In Name, type a name for the new account.
28.(Optional) In Email, type an email address for the new account.

Archive Preparation
29.Clear Allow Authentication with a Username and Password.

The Rubrik cluster uses a private key and secret key for authentication.
30.In Roles, select Vault Provisioner.
31.Click Save.
The Accounts and Groups section appears.
32.In the Accounts and Groups section, select the account that was created for the Rubrik
cluster.
The Account page for the new account appears.
33.In Access Key Authentication, click Change Keys.
The Edit Access Keys for Account section appears.
34.Click Generate New Access Key.
The Cleversafe system generates a new access key and secret key.
35.Click the button labeled Click to Show Secret Access Key.
The secret key appears.
36.Copy and retain the access key and the secret key.
Use these values when configuring the Cleversafe object store as a Rubrik cluster archival
location.
37.Click Sign Out to log off the dsNet Manager UI.
Preparing Scality as an archival location

Before using a Scality object storage system as an archival location, obtain an access key and a
secret key for the Scality object storage system.
Preparing Scality as an archival location 703

Archive Preparation
Preparing to use an NFS share as an archival location

Prepare the settings of an NFS share before using the NFS share as an archival location for a
Rubrik cluster.
1. Ensure that /etc/exports listing for the exported file system has the minimum required
settings described in Table 155.
For best results use the recommended settings.
Table 155 Recommended and required export settings
Setting Required Description
rw Yes Permits read and write access to the exported file system.
secure No Requires that requests originate on a port within the 1024 registered
ports range.
root_squash No Maps requests from uid/gid 0 to the anonymous uid/gid (anonuid and
anongid).
no_subtree_check No Disables subtree checking.
The following is an example of the recommended settings in /etc/exports:

/expath rsub(rw,secure,root_squash,no_subtree_check)
where: /expath is the is the export point and rsub is the Rubrik cluster subnet, using Classless
Inter-Domain Routing (CIDR) notation, e.g. 192.168.2.0/24 for IPv4, or 2001:db8::/32
for IPv6.
2. Set the export point ownership to the anonymous uid/gid of the operating system and
permissions to 755, as follows:
chown anonuid:anongid /expath
chmod 755 /expath
where: anonuid:anongid is the anonymous user ID and group ID of the operating system and
/expath is the export point.
3. (Optional) To use NFS with Kerberos, add the Rubrik cluster to the Active Directory domain.
! IMPORTANT
Add a Rubrik cluster that uses an NFS archival location with Kerberos to only one Active
Directory domain. Multiple Active Directory domains are not supported with an NFS archival
location when using Kerberos.
Preparing to use an NFS share as an archival location 704

Archive Preparation
Preparing an Isilon NFS share as an archival location

Prepare an NFS share folder on an EMC Isilon before configuring the Rubrik cluster to use the NFS
share as an archival location.
1. Join the Isilon to the Active Directory domain, as follows:
a. In the OneFS UI, select the Access tab and select Authentication Providers.
b. Create an Active Directory provider and select Enable Secure NFS.
Selecting Enable Secure NFS sets the service principal names for the account. This
enables mutual authentication and is required.
2. Set the EMC Isilon SmartConnect zone to the FQDN of the Isilon.
For example:
isilon.mycompany.com
3. Set up DNS to provide both forward, address (A), resolution and reverse, pointer record (PTR),
resolution of the FQDN of the Isilon SmartConnect zone.
Kerberos requires both A and PTR resolution of the FQDN.
4. On the OneFS UI, use the Add an NFS share screen to set up an NFS mount point.
5. Select Enable mount access to subdirectories.
6. (Optional) For Security Type(s), select Use Custom and set the Kerberos levels.
7. Add the IP address range of the Rubrik cluster to Clients and to Always Read-Write Clients
for the NFS mount point.
8. Configure the Map Root User setting to a user with read/write permissions for the exported
directory (e.g., nobody, or a new user named rubrik).
9. Add the Rubrik cluster to the Active Directory domain.
! IMPORTANT
Kerberos authentication can optionally be enabled. When Kerberos is enabled, add a Rubrik
cluster that uses an NFS archival location to only one Active Directory domain. Multiple
Active Directory domains are not supported with an NFS archival location when using
Kerberos.
Preparing an Isilon NFS share as an archival location 705

Archive Preparation
Preparing a QStar Integral Volume as an archival location

Prepare a QStar Integral Volume set to use as a tape archival location.
To prepare a QStar Integral Volume as a tape archival location, complete these tasks in the
specified order:
1. Determine the appropriate cache size.
2. Meet the initial requirements.
3. Set up the QStar Integral Volume.
Determine the cache size

Determining the cache size for a tape archival location involves several factors.
Table 156 describes the factors that should be taken into consideration when determine a cache
size for a tape archival location.
Table 156 Cache size factors
Factor Description
Full snapshots The sequential read characteristic of tape requires writing full snapshots sequentially on
a tape. The archival snapshots transmitted to the QStar cache are full not incremental.
QStar migration The QStar Archive Manager migration policy assigned to the Integral Volume set
policy determines how long a snapshot remains in cache and when the snapshot is written to
tape.
Tape write The tape write process requires sufficient free space in the cache to permit optimal write
performance performance.
Shared cache The Integral Volume set can be configured with multiple buckets. Each bucket can be
set up as a separate tape archival location on the Rubrik cluster. These tape archival
location will share the same cache, multiplying the size requirements for that cache.
Staging For data retrieval operations from the tape archive, the QStar Archival Manager will pull
the data from cache when it exists in cache. Otherwise, the QStar Archival Manager
reads the data from tape into the cache before satisfying the retrieval request.
Archive If more than one archive jobs are sending data to a QStar integral volume, then the
concurrency cache must be large enough to support the incoming data from all jobs.
Preparing a QStar Integral Volume as an archival location 706

Archive Preparation
Initial requirements
Before setting up a QStar Integral Volume as an archival location, ensure that the initial
requirements have been met.
Table 157 describes the Rubrik cluster requirements for using a QStar Manager instance as an
archival location.
Table 157 Rubrik requirements for a QStar tape archival location
QStar Host OS Windows Server 2012 or newer
QStar software QStar Archive Manager version 6 for Windows Server
Disk Sufficient free disk space on a dedicated volume to use for QStar caching.
Tape library Any tape library that is support by the QStar Archive Manager. The tape library must
be visible to the Windows Server and available to the QStar Archive Manager
instance. The tape library must have at least two tape drives in order to support
concurrent archive and retrieval operations of different snapshots.
Setting up the QStar Integral Volume set

Configure a QStar Integral Volume set to use as a tape archival location.
1. As an administrator, open the QStar Archive Manager application.
2. On the left-side menu, select Server.
The server screen appears. The QStar Server Status field displays the status of the server. The
status must be Installed - Running.
3. (If the server is not running) Click Start.
4. On the server screen, start all other services.
5. On the server screen, start QWSD.
6. On the left-side menu, under Media, select Online Media.
The online media view appears.
7. In Library Name, select the library that will be used for the archival location.
8. In Characteristics, select a slot that will be assigned to the archival location.
! IMPORTANT
The slot must have the value ‘Tape’ in the Type column and have no value in the Set
Name column. Tape indicates that the media in the slot is a tape. An empty value in the
Set Name column indicates that the slot is not assigned to an Integral Volume set.

Archive Preparation
9. Click Erase.
The QStar Archive Manager erases and initializes the tape.
10.Repeat step 8 and step 9 for each slot that will be assigned to the archival location.
11.On the left-side menu, under Integral Volumes, select Volume Management.
12.Click Create New Integral Volume.
The New Integral Volume Parameters dialog box appears.
13.Configure the new Integral Volume.
Perform the actions specified in Table 158.
Table 158 Actions on the New Integral Volume Parameters dialog
Field Action
Integral Volume Name Type a name for the Integral Volume set.
File System Type Select TDO.
Mount As Select any unused drive letter.
Share drive Select Enable.
Real Media Type Select Tape.
Simulated Media Type Select none.
Rewritable/WORM Select Any.
Location Type the full local path to a folder with sufficient space for the cache. Or click
Browse to find and select an existing folder.
Cache Size Type the cache size, and select the associated unit size.
Page Size Select 1024.
14.Click Create.
The QStar Archive Manager creates the new Integral Volume set using the specified
parameters.
15.On the left-side menu, under Integral Volumes, select Media Management.
The add/remove media lists appears.
16.In Integral Volume Name, select the name of the Integral Volume set.
17.In Library, select the library.

Archive Preparation
18.For each tape slot being added to the Integral Volume set, select the tape slot from the
right-side list and click the button to move it to the left-side list.
The QStar Archive Manager assigns the tape slots in the left-side list to the Integral Volume
set.
19.On the left-side menu, under Integral Volumes, select Volume Management.
20.In Integral Volume Name, select the name of the Integral Volume set.
21.Click Mount.
The QStar Archive Manager mounts the Integral Volume set, and makes the Integral Volume
set available for the Rubrik cluster to use as a tape archival location.
22.Click Properties.
The Properties dialog box appears.
23.(Recommended) In HPC, set the slider to 85%.
This sets the high water mark for the cache to 85%.
24.(Recommended) In LPC, set the slider to 10%.
This sets the low water mark for the cache to 10%.
25.Click OK.
26.(Optional) On the left-side menu, under Integral Volumes, select Migration View.
The tasks in step 27 through step 30 are part of this optional configuration task.
27.Select Delayed Archiving.
The Delayed Archiving dialog box appears.
28.Select Enabled.
29.In Age Time, specify values in Days, Hours, and Minutes.
The resulting combination of days, hours, and minutes sets the maximum time that data can
reside in the cache before being written to tape.
30.Click OK.

Appendix D
Active Directory Account
This appendix describes an alternate method of creating and initializing the Active Directory
computer account that the Rubrik cluster uses, in the following sections:
 Overview ............................................................................................................... 711
 Permissions required for the initialization account ..................................................... 711
 Delegating the permissions to the initialization account ............................................. 712
 Confirming the delegation of permissions ................................................................. 713
Active Directory Account 710

Overview
A Rubrik cluster requires a temporary and limited set of permissions to create and initialize a
read-only Active Directory computer account that the Rubrik cluster uses for Active Directory
authentication. Creating this computer account requires the use of an initialization account with
broader permissions. The initialization account connects to a given Active Directory domain only
once.
Permissions required for the initialization account

To authenticate users through an Active Directory domain, a Rubrik cluster requires a read-only
computer account with a small set of Active Directory permissions. To ensure that all of the
settings for the computer account are correctly configured, create a single-use initialization
account.
The Rubrik cluster uses the initialization account only to create and initialize the required computer
account. After the computer account is created and initialized, delete or disable the initialization
account.
Ports 53, 88, and 389 must be open to enable communication to LDAP and Kerberos resources.
See the Ports appendix for details. Table 159 describes the minimum Active Directory permissions
required by the single-use initialization account.
Table 159 Permissions for the single-use initialization account
Access Applies to
Change password Descendant Computer objects
Reset password Descendant Computer objects
Create Computer objects Rubrik account object and Descendant Computer objects
Special > List contents Descendant Computer objects
Special > Read all properties Descendant Computer objects
Special > Write all properties Descendant Computer objects
Special > Read permissions Descendant Computer objects
Overview 711
Delegating the permissions to the initialization account

Use the Delegation of Control wizard in the Active Directory Users and Computers MMC snap-in to
create a user account. Use this user account as the initialization account that creates and initializes
the Rubrik cluster computer account.
1. Open the Active Directory Users and Computers MMC snap-in.
2. In the left-side hierarchy, right-click a folder for the new user account.
3. Click New > User.
4. Configure a user account by filling in the fields.
5. Click Next.
6. Type a password and confirm the password.
7. Select User cannot change password and Password never expires.
8. Click Next.
9. Click Finish.
The Active Directory Users and Computers MMC creates the new user account.
10.In the left-side hierarchy, right-click Computers.
11.On the context menu, click Delegate Control.
The Delegation of Control Wizard appears.
12.Click Next.
13.On the Users or Groups pane, click Add.
14.Type the name of the user account.
15.Click Check Names.
The wizard finds the user account.
16.Click OK.
17.Select the name of the user account, and click Next.
18.Select Create a custom task to delegate, and click Next.
19.In Delegate control of, select Only the following objects in the folder.
20.In the selection window, select Computer objects.
21.Select Create selected objects in this folder, and click Next.
22.On the Permissions pane, select General and Property-specific.
Delegating the permissions to the initialization account 712

23.In the selection window, select each of the following permissions:

• Read
• Write
• Read All Properties
• Write All Properties
• Change Password
• Reset Password
24.Click Next.
25.Click Finish.
The Delegation of Control wizard delegates the selected permissions to the initialization account.
Confirming the delegation of permissions

Confirm that the correct permissions are delegated to the initialization account.
1. Open the Active Directory Users and Computers MMC snap-in.
2. Select View > Advanced Features.
3. In the left-side hierarchy, right-click Computers.
4. On the context menu, select Properties.
The Computers Properties dialog box appears.
5. Select the Security tab.
6. In Group or user names, select the name of the user account.
7. Use the Permissions for selection window to view the permissions that are assigned to the
user account.
Confirming the delegation of permissions 713

Rubrik CDM v5.0 User Guide 755-0086-01 Reva6 PDF

Transféré par

Informations du document

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

Rubrik CDM v5.0 User Guide 755-0086-01 Reva6 PDF

Transféré par

Droits d'auteur :

Formats disponibles

Rubrik CDM User Guide

Rubrik Headquarters: Palo Alto, California 94304

Registered in the U.S. Trademark Office

Rubrik CDM Version 5.0 User Guide 2

Rubrik CDM Version 5.0 User Guide 3

Rubrik CDM Version 5.0 User Guide 4

Chapter 2 VLAN Tagging 89

Rubrik CDM Version 5.0 User Guide 5

Chapter 3 User Accounts 98

Rubrik CDM Version 5.0 User Guide 6

Chapter 4 Multitenant Organizations 125

Chapter 5 Protection Policies 137

Rubrik CDM Version 5.0 User Guide 7

Chapter 6 Replication 158

Rubrik CDM Version 5.0 User Guide 8

Rubrik CDM Version 5.0 User Guide 9

Rubrik CDM Version 5.0 User Guide 10

Rubrik CDM Version 5.0 User Guide 11

Chapter 8 Hyper-V Virtual Machines 246

Rubrik CDM Version 5.0 User Guide 12

Rubrik CDM Version 5.0 User Guide 13

Rubrik CDM Version 5.0 User Guide 14

Chapter 9 AHV Virtual Machines 291

Rubrik CDM Version 5.0 User Guide 15

Rubrik CDM Version 5.0 User Guide 16

Chapter 10 vSphere Virtual Machines 328

Rubrik CDM Version 5.0 User Guide 17

Rubrik CDM Version 5.0 User Guide 18

Rubrik CDM Version 5.0 User Guide 19

Chapter 11 vCloud Director vApps 390

Rubrik CDM Version 5.0 User Guide 20

Chapter 12 CloudOn for AWS 416

Rubrik CDM Version 5.0 User Guide 21

Chapter 13 CloudOn for Azure 439

Rubrik CDM Version 5.0 User Guide 22

Chapter 14 Amazon EC2 Instance Backup 464

Chapter 15 File Systems 477

Rubrik CDM Version 5.0 User Guide 23

Rubrik CDM Version 5.0 User Guide 24

Chapter 16 Oracle Databases 529

Rubrik CDM Version 5.0 User Guide 25

Chapter 17 SQL Server Databases 553

Rubrik CDM Version 5.0 User Guide 26

Rubrik CDM Version 5.0 User Guide 27

Chapter 18 SAP HANA Databases 590

Chapter 19 Managed Volumes 605

Rubrik CDM Version 5.0 User Guide 28

Chapter 20 Retention Management 620

Chapter 21 Reports 632

Rubrik CDM Version 5.0 User Guide 29

Chapter 22 System and Task Information 654

Rubrik CDM Version 5.0 User Guide 30

Appendix A Ports 668

Appendix B Minimum vCenter Server Privileges 682

Appendix C Archive Preparation 689

Rubrik CDM Version 5.0 User Guide 31

Appendix D Active Directory Account 710

Rubrik CDM Version 5.0 User Guide 32

Documentation revision history ................................................................................ 40

Rubrik CDM Version 5.0 User Guide 33

Rubrik CDM Version 5.0 User Guide 34

Rubrik CDM Version 5.0 User Guide 35

Rubrik CDM Version 5.0 User Guide 36